Managing users

Before a user can access and use partner applications in your organization, a user account profile must be created in the Verify cloud directory.

Before you begin

  • You must have access to the Admin console. Both administrators and application owners can manage users. However, application owners are limited to creating, searching, and viewing users.
  • Log in to the IBM® Security Verify administration console.

About this task

The user that you create can be:
When you create a user, the user information is displayed in the Directory > Users & Groups > Users tab. The user's information such as name, email, and user name can be searched and retrieved in the following panels:
  • Directory > Users & Groups > Groups, when you add or edit a group.
  • Applications > Applications, when you add an owner in the General tab, and when you add entitlements in the Entitlements tab from applications settings Settings.
The following types of users are available in Verify:
Cloud directory users

Also known as managed users or users with cloud identities.

These users are managed in Verify. You create the user accounts in the Directory > Users & Groups > Users page. User data is stored in the IBM Security Verify cloud registry or cloud directory.

Federated users

Also known as users with external identities or federated identities.

These users are managed outside of Verify. You can integrate Verify with on-premises identity provider applications and use their identity source for user authentication and provisioning.

A federated user is automatically provisioned in the Verify cloud directory on the first time that the user logs in to Verify. You can also manually add a profile for the federated user in the cloud directory.

You cannot reset the password of a federated user or add federated users to any group other than the admin and application owners group. You cannot edit the user information you, but can change the enabled status of the user.

Users with federated identities do not need to provide their passwords to access each application they are entitled. The identity provider validates the user identity and passes only an authentication token to the service provider to establish a trusted communication.

Procedure

  1. Select Directory > Users & Groups
  2. Select the Users tab. The Users page displays both cloud directory users and federated users.
    The page lists the users, whether they are enabled, whether they have linked identities, when the user was created, and the date and time of the user's last login.
  3. Create a user.
    1. Select Add. The Add User dialog box is displayed.
    2. Specify the following information for the new user:
      Note: For federated users, only Identity Source and User Name are required. The other information is optional.
      Table 1. User information
      Information Descriptions
      Identity Source

      It lists the names of all the identity sources that are configured in Authentication > Idenitity providers. This field is only displayed if there is more than one configured identity source.

      This information is helpful when you grant application access entitlement to users. It distinguishes users that might have the same user name but are from different user repositories. For example, there is a user name johnsmith@company.com in the Cloud Directory, in IBMid, and in the ISVA appliance identity source, and only johnsmith@company.com from the ISVA appliance identity source must be entitled to access Application A.

      Status Slide to ON or Off to enable or disable the user.

      Indicates that the user account is active. A user with an active account can sign in to Verify and to any application that the user is entitled to access.

      The user account is initially enabled by default during creation. You can disable the account anytime for the following reasons or others:
      • Inactivity
      • Account was hacked or suspected of malicious activities
      • Non-compliance to Verify policies, or terms and conditions

      When an account is disabled, the user cannot sign in to Verify and to any configured application, regardless of the user's entitlements.

      When a user is disabled in Verify, if the user has accounts on applications that are configured with a provisioning policy, the associated accounts are also suspended. See Configuring target applications for provisioning. These accounts are restored after the user is re-enabled in Verify.

      Basic user profile
      Given Name

      Given name of the user.

      Middle name Middle name of the user.
      Surname

      Surname of the user.

      User Name

      Unique identifier for logging in to Verify. It can be the same as the email address of the user.

      Email

      Email address of the user where notifications are sent such as the user's new password after a reset request, or the one-time password.

      External ID A reference attribute for use with external repositories and directories. This attribute is sometimes set to the DN or the ObjectGUID of the user from the external registry.
      Preferred language The language of the user.
      User information
      Work e-mail The work email of the user.
      Mobile number

      Contact number of the user where notifications are sent. For example, the one-time password.

      Work number Contact number of the user at a work location or office where notifications are sent. This number can be either for a mobile phone or a land-line phone.
      Contact information
      Street address The address of the user.
      City The city where the user lives.
      State The state where the user lives.
      Zip code The postal code of the users address.
      Country The country where the user lives.
      Formatted address A single attribute that contains the full address of the user.
      Extended profile - employee information
      Employee # The employee number of the user.
      Job title The job title of the user.
      Department The department of the user.
      Manager The name of the user's manager. Because the manager must be an existing user in Verify, the field is a search field that you use to find and select the manager's name.
      Custom user attributes A list of attributes that are tenant-defined attributes that can be created in Verify. See Managing attributes.
      Email new account

      When enabled, the account information is sent to the registered email address of the new user.

      This option is only available when you add a user in the Cloud Directory identity source. You can control the initial state of this option in Directory > Users & Groups > Settings.

    3. Select Save.
      A password is generated and emailed to the user so the user can sign in to Verify.
  4. Update the details of a cloud directory user.
    Note: For federated users, you can enable or disable the user only. You cannot change the user information.
    1. Use the search function to find the user, if it is not displayed on the page.
    2. Hover over the user and select the User details icon when it appears.
    3. On the Profile tab of the User's page, select the Edit icon .
      The Edit User Information dialog box is displayed. See Updating user details.
    4. Edit the user information.
    5. Optional: Select whether to send an email notification to the user about the change to the profile information.
    6. Select Save.
    7. Optional: Reset the user password.
    8. Optional: Remove the user from a group.
    9. Optional: Remove a linked identity from the user.
  5. Delete a user.
    When you delete a user:
    • You can delete one or multiple users from the Users page.
    • The user is removed from any group where the user is a member.
    • The user can no longer use Verify to access a third-party application.
    • You can either use Delete in the Users page or Delete user in the User Profile page.
    1. Select one or more users from the Users page.
    2. Select Delete.
      You can also delete a single user from the User Profile page by selecting Delete user.
    3. Optional: Select whether to send an email notification to the user about the change to the profile information.
    4. Confirm that you want to permanently delete the selected user or users.
  6. Search and view the user information.
    1. Use the Search field for a filtered list of data.
    2. Select the row of the user whose information you want to view. The User Details pane is displayed.
      Table 2. User Details
      Information Descriptions
      User Name

      Unique identifier for logging in to Verify. It can be the same as the email address of the user.

      Given Name

      Given name of the user.

      Surname

      Surname of the user.

      Email

      Email address of the user where notifications are sent such as the user's new password after a reset request, or the one-time password.

      Mobile number

      Contact number of the user where notifications are sent. For example, the one-time password.

      Work number Contact number of the user at a work location or office where notifications are sent. This number can be either for a mobile phone or a land-line phone.
      Realm

      It is an identity source attribute that helps distinguish users from multiple identity providers that have the same username.

      For the following identity providers:
      • Cloud Directory, the realm value is cloudIdentityRealm.
      • IBMid, the realm value is www.ibm.com.
      • SAML Enterprise, the realm value can be any unique name that you assigned when you created the identity provider.
      • LDAP Pass-Through, the realm value can be any unique name that you assigned when you created the identity provider.
      • Apple, the realm value is www.apple.com.
      • Baidu, the realm value is www.baidu.com.
      • Facebook, the realm value is www.facebook.com.
      • Github, the realm value is www.github.com.
      • Google, the realm value is www.google.com.
      • LinkedIn, the realm value is www.linkedin.com.
      • QQ, the realm value is www.qq.com.
      • Renren, the realm value is www.renren.com.
      • Twitter, the realm value is www.twitter.com.
      • WeChat, the realm value is www.wechat.com.
      • Weibo, the realm value is www.wiebo.com.
      • ZenKey, the realm value is www.myzenkey.com.
      Last login When the user last logged in to Verify.
      Enabled

      Indicates that the user account is active. A user with an active account can sign in to Verify and to any application that the user is entitled to access.

      View full profile Links to the User Profile tab that has additional information and functions. See Updating user details.
      To turn off the filter and view all the users, clear the search field.
  7. View user activity
    1. Use the search function to find the user, if it is not displayed on the page.
    2. Hover over the user and select the User details icon when it appears.
    3. On the user's page, select the Activity tab.
      A table is displayed with the activity information for each event.
    4. Optional: You can filter the results.
    5. Optional: Select an event to see the event details.