This article explains how to control open Sign-Ups for an Organization.
Introduction
Every Organization has a Sign-Up Policy that governs whether or not end-users can make unsolicited requests to join. Such a request is made when a user downloads the software and creates a New Account, specifying your Organization as described in the article, Creating an Account.
Purpose for Sign-Ups
Sign-Ups are available to support the needs of smaller Organizations that wish to download and use software quickly, immediately, and independently. Large Organizations will rely on User Registration, which comes from importing .CSV policy definitions extracted from Active Directory and other corporate resources. Because information remains isolated, and because the system provides underlying auditing and assurances even when things do not go exactly as planned, Sign-Ups can provide a convenient way of supporting different dynamic needs without introducing unnecessary risk.
Default Sign-Up Policy
By default, the Sign-Up Policy disables external requests to join your Organization. This can be changed, and requests (which can be Dismissed) are never granted without Validation by a Privileged Organization User.
Seat Licenses are not pre-reserved for Sign-Ups that request Organization membership. The License is used only when the Account is Validated.
Validating New Accounts
Each time a New User carries out this procedure, Administrators and Delegates for the target Organization receive notification in the form of a Validation Request. This is the same request that is created when new User Accounts are added from the Administer Users display, described in the article, Managing Organization Users.
To limit unsolicited requests to join your Organization, adjust Sign-Up Policies from the Administer Users display.
Open References and Shared Data
When an Account is created, either by Privileged Users or through Sign-Ups, a small amount of information is used to track configuration details. In all cases, new Accounts contain references to any configured target Organization, though no Organization-specific data is shared until a Privileged User performs Validation.
Sign-Up Policy Controls
Sign-Up Policies allow you to manage and minimize the amount of potential traffic resulting from public requests to join your Organization. They limit both the total number of public Sign-Ups an Organization will permit and the number of open, pending Sign-Ups that can be present at any one time.
The Administer Users panel includes a Sign Ups button which, when selected, displays the Sign-Up Policy associated with the Organization.
This display includes the following:
Open - the number of pending Sign Up requests dispatched for approval
Sign Ups - the total number of Accounts created with the Sign Up process
Max Open - the maximum number of Open Sign Ups allowed at one time
Max Sign Ups - the maximum number of Accounts that can be created with Sign Ups
Choose Enable if you want to permit Open Sign-Ups. Otherwise, deselect the checkbox; after you choose OK, new Sign-Ups will not result in notification to Privileged Organization Users.
Use Max Open and Max Sign Ups to permit new Users while limiting the number of allowed requests.
This approach helps ensure rogue actors cannot impose unnecessary notification or resource usage on your Organization and Privileged Users. Increment these values as you add more Users, ensuring that valid requests are dispatched, but minimizing the number of potential requests that get submitted from others.
Important Notes on Sharing Resources
Accounts never receive Organization-specific information until after they are Validated, and even then, SSProtect doesn't provide access to :Recover Archive content for Unprivileged Users. Administrators and Delegates, on the other hand, can gain access to :Recover Archives, but only through privileged :xRecovery requests that require human authentication with an agreed-upon set of personnel often not associated with SSProtect use. For more information, refer to details in the :xRecovery Section.
No Automatic Data Sharing/Synchronization
SSProtect is not a Sync Client, and doesn't copy data to/from your host computing environment when you Login. It's important to remember that shared materials must be provided to sharing peers independently: SSProtect-managed content is "shared" only in the way Access Control permissions are granted and through restricted, tightly-controlled Disaster Recovery services as noted above.
As a result, data that SSProtect manages works just like unmanaged content with respect to sharing: Content is transferred between trusted associates using email, file sharing applications and services, through access to in-house file servers, etc. All access to protected content - including the act of setting up and Validating an Account - remains protected.
In fact, SSProtect-managed content cannot be removed by any User (even a Privileged User) at any time, and usage auditing for each User remains available for Reporting at any and all times.
Additional Resources
You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to support@definisec.com, and our staff will respond to your needs as soon as possible.
In the meantime, don't forget to check out our primary website and Insights columns for information on current trends, security topics, and how our technologies relate.
This article was updated with v10.7.1 of the :Foundation Client.