Managing users

Before a user can access and use partner applications in your organization, a user account profile must be created in the Verify cloud directory.

Before you begin

  • You must have access to the Admin console. Both administrators and application owners can manage users. However, application owners are limited to creating, searching, and viewing users.
  • Log in to the IBM® Security Verify administration console as an Administrator.

About this task

The user that you create can be:
When you create a user, the user information is displayed in the Directory > Users & Groups > Users tab. The user's information such as name, email, and user name can be searched and retrieved in the following panels:
  • Directory > Users & Groups > Groups, when you add or edit a group.
  • Applications > Applications, when you add an owner in the General tab, and when you add entitlements in the Entitlements tab from the application settings.
The following types of users are available in Verify:
Cloud directory users

Also known as managed users or users with cloud identities.

These users are managed in Verify. You create the user accounts in the Directory > Users & Groups > Users page. User data is stored in the IBM Security Verify cloud registry or cloud directory.

Federated users

Also known as users with external identities or federated identities.

These users are managed outside of Verify. You can integrate Verify with on-premises identity provider applications and use their identity source for user authentication and provisioning.

A federated user is automatically provisioned in the Verify cloud directory the first time that the user logs in to Verify. You can also manually add a profile for the federated user in the cloud directory.

You cannot reset the password of a federated user or add federated users to any group other than the admin and application owners group. You cannot edit the user information, but you can change the enabled status of the user.

Users with federated identities do not need to provide their passwords to access each application that they are entitled to. The identity provider validates the user identity and passes only an authentication token to the service provider to establish a trusted communication.

Procedure

  1. Select Directory > Users & Groups.
  2. Select the Users tab. The Users page displays both cloud directory users and federated users.
    The page lists the users, whether they are enabled, whether they have linked identities, when the user was created, and the date and time of the user's last login.
  3. Create a user.
    1. Select Add. The Add User dialog box is displayed.
    2. Specify the following information for the new user:
      Note: For federated users, only Identity Source and Username are required. The other information is optional.
      Table 1. User information
      Information Descriptions
      Identity Provider

      It lists the names of all the identity sources that are configured in Authentication > Identity providers. This field is only displayed if there is more than one configured identity source.

      This information is helpful when you grant application access entitlement to users. It distinguishes users that might have the same user name but are from different user repositories. For example, there is a user name johnsmith@company.com in the Cloud Directory, in IBMid, and in the ISVA appliance identity source, and only johnsmith@company.com from the ISVA appliance identity source must be entitled to access Application A.

      Status Slide to ON or Off to enable or disable the user.

      Indicates that the user account is active. A user with an active account can sign in to Verify and to any application that the user is entitled to access.

      The user account is initially enabled by default during creation. You can disable the account anytime for the following reasons or others:
      • Inactivity
      • Account was hacked or suspected of malicious activities
      • Non-compliance with Verify policies, or terms and conditions

      When an account is disabled, the user cannot sign in to Verify and to any configured application, regardless of the user's entitlements.

      When a user is disabled in Verify, if the user has accounts on applications that are configured with a provisioning policy, the associated accounts are also suspended. See Configuring target applications for provisioning. These accounts are restored after the user is re-enabled in Verify.

      Basic user profile
      Given name

      Given name of the user.

      Middle name Middle name of the user.
      Surname

      Surname of the user.

      Username

      Unique identifier for logging in to Verify. It can be the same as the email address of the user.

      External ID A reference attribute for use with external repositories and directories. This attribute is sometimes set to the DN or the ObjectGUID of the user from the external registry.
      Preferred language The language of the user.
      User information
      Preferred e-mail

      Email address of the user where notifications are sent, such as the user's new password after a reset request or the one-time password.

      Mobile number

      Contact number of the user where notifications are sent. For example, the one-time password.

      Work number Contact number of the user at a work location or office where notifications are sent. This number can be either for a mobile phone or a land-line phone.
      Contact information
      Street address The address of the user.
      City The city where the user lives.
      State The state where the user lives.
      Zip code The postal code of the user's address.
      Country The country where the user lives.
      Formatted address A single attribute that contains the full address of the user.
      Extended profile - employee information
      Employee # The employee number of the user.
      Job title The job title of the user.
      Department The department of the user.
      Manager The name of the user's manager. Because the manager must be an existing user in Verify, the field is a search field that you use to find and select the manager's name.
      Custom user attributes A list of tenant-defined attributes that can be created in Verify. See Managing attributes.
      Email new account

      When enabled, the account information is sent to the registered email address of the new user.

      This option is only available when you add a user in the Cloud Directory identity source. You can control the initial state of this option in Directory > Users & Groups > Settings.

    3. Select Save.
      A password is generated and emailed to the user so the user can sign in to Verify.
  4. Search and view the user information.
    1. Use the Search field for a filtered list of data.
      Type the name, or the beginning of a given name or surname, and press Enter. The search returns any names that start with the text that you specified. If your tenant has many users, click Advanced search to limit the search and improve performance. With advanced searching, you can specify the search criteria, select which identity providers you want to search, and select which user attributes you want to search by. When you click Search, your provider and attribute selections are displayed with the results of your search. Click Reset search to clear the results or click Advanced search to do another search.
    2. Select the row of the user whose information you want to view. The User Details pane is displayed.
      Table 2. User Details
      Information Descriptions
      Username

      Unique identifier for logging in to Verify. It can be the same as the email address of the user.

      Given name

      Given name of the user.

      Surname

      Surname of the user.

      Email

      Email address of the user where notifications are sent, such as the user's new password after a reset request or the one-time password.

      Mobile number

      Contact number of the user where notifications are sent. For example, the one-time password.

      Work number Contact number of the user at a work location or office where notifications are sent. This number can be either for a mobile phone or a land-line phone.
      Realm

      It is an identity provider attribute that helps distinguish users from multiple identity providers that have the same username.

      For the following identity providers:
      • Cloud Directory, the realm value is cloudIdentityRealm.
      • IBMid, the realm value is www.ibm.com.
      • SAML Enterprise, the realm value can be any unique name that you assigned when you created the identity provider.
      • OnPrem LDAP, the realm value can be any unique name that you assigned when you created the identity provider.
      • Apple, the realm value is www.apple.com.
      • Baidu, the realm value is www.baidu.com.
      • Facebook, the realm value is www.facebook.com.
      • GitHub, the realm value is www.github.com.
      • Google, the realm value is www.google.com.
      • LinkedIn, the realm value is www.linkedin.com.
      • QQ, the realm value is www.qq.com.
      • Renren, the realm value is www.renren.com.
      • WeChat, the realm value is www.wechat.com.
      • Weibo, the realm value is www.wiebo.com.
      • X, the realm value is www.twitter.com.
      • Yahoo, the realm value is www.yahoo.com.
      Last login When the user last logged in to Verify.
      Enabled

      Indicates that the user account is active. A user with an active account can sign in to Verify and to any application that the user is entitled to access.

      View full profile Links to the User Profile tab that has additional information and functions. See Updating user details.
      To turn off the filter and view all the users, clear the search field.
  5. Update the details of a cloud directory user.
    Note: For federated users, you can enable or disable the user only. You cannot change the user information.
    1. Use the search function to find the user, if it is not displayed on the page.
    2. Hover over the user and select the User details icon when it appears.
    3. On the Profile tab of the User's page, select the Edit icon.
      The Edit User Information dialog box is displayed. See Updating user details.
    4. Edit the user information.
    5. Optional: Select whether to send an email notification to the user about the change to the profile information.
    6. Select Save.
    7. Optional: Reset the user password.
    8. Optional: Remove the user from a group.
    9. Optional: Remove a linked identity from the user.
  6. Delete a user.
    When you delete a user:
    • You can delete one or multiple users from the Users page.
    • The user is removed from any group where the user is a member.
    • The user can no longer use Verify to access a third-party application.
    • You can either use Delete in the Users page or Delete user in the User Profile page.
    1. Select one or more users from the Users page.
    2. Select Delete.
      You can also delete a single user from the User Profile page by selecting Delete user.
    3. Optional: Select whether to send an email notification to the user about the change to the profile information.
    4. Confirm that you want to permanently delete the selected user or users.
  7. View user activity.
    1. Use the search function to find the user, if it is not displayed on the page.
    2. Hover over the user and select the User details icon when it appears.
    3. On the user's page, select the Activity tab.
      A table is displayed with the activity information for each event.
    4. Optional: You can filter the results.
    5. Optional: Select an event to see the event details.
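
The Identity Provider and Realm fields in the tables above exist because a user name alone does not identify a user across identity sources. The following Python is an added example, not IBM code and not a Verify API or export format: it flags user names that appear in more than one realm and evaluates access on the (realm, user name) pair, denying disabled users regardless of entitlements. The record layout, the realm name isva-appliance-realm, the user maria@company.com, and the entitlement table are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records. Field names are assumptions for this example,
# not a Verify export or API schema.
USERS = [
    {"username": "johnsmith@company.com", "realm": "cloudIdentityRealm", "enabled": True},
    {"username": "johnsmith@company.com", "realm": "www.ibm.com", "enabled": True},
    # Realm names for SAML Enterprise / OnPrem LDAP sources are admin-assigned;
    # "isva-appliance-realm" is a made-up placeholder.
    {"username": "johnsmith@company.com", "realm": "isva-appliance-realm", "enabled": True},
    {"username": "maria@company.com", "realm": "cloudIdentityRealm", "enabled": False},
]

# Entitlements keyed on (realm, username), never on username alone.
ENTITLEMENTS = {
    "Application A": {("isva-appliance-realm", "johnsmith@company.com")},
    "Application B": {("cloudIdentityRealm", "maria@company.com")},
}


def identity_key(user):
    """Return the realm-qualified identity of a user record."""
    return (user["realm"], user["username"])


def colliding_usernames(users):
    """Map each user name seen in more than one realm to its sorted realms."""
    realms = defaultdict(set)
    for user in users:
        realms[user["username"]].add(user["realm"])
    return {name: sorted(found) for name, found in realms.items() if len(found) > 1}


def can_access(user, application, entitlements=ENTITLEMENTS):
    """Deny disabled users outright; otherwise match on (realm, username)."""
    if not user["enabled"]:
        return False
    return identity_key(user) in entitlements.get(application, set())


def ambiguous_grants(users, entitlements=ENTITLEMENTS):
    """List, per application, entitled user names that also exist in another
    realm. These are the grants that would go wrong if the realm were ignored."""
    collisions = colliding_usernames(users)
    report = {}
    for app, keys in entitlements.items():
        names = sorted({name for _, name in keys if name in collisions})
        if names:
            report[app] = names
    return report
```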

What to do next

You can assign a password policy to the user. See Assigning password policies to users and groups.