PK Endpoint Manager integrates with your Active Directory (AD) for identity and access management. All PK Protect user credentials come from AD. The security groups a user belongs to can also dictate which PK Protect policies or rules apply. When an administrator creates a user account, PK Protect looks for the user in a few different places.
AD User Email Address
First, PK Protect will look for an email address defined on the user's AD User Object. PK Protect will then create an identity for that AD user, using the AD password to authenticate the account on the client. In the above screenshot, the account would be created with the firstname.lastname@example.org address.
User Principal Name
If an email address for the new PK Protect user is not in AD, PK Protect will fall back to using the User Principal Name (UPN) defined for the user account. This creates what looks like an email address by combining the user logon name with the domain suffix of the domain the user belongs to. In the above screenshot, the account would be created with the pseudo-address dev@PK Protect.com, even though it is not an email address. It becomes the way to address the dev PK Protect user. Users connected to PK Endpoint Manager through a UPN must belong to an Authorized Domain to have the same privileges as an AD user.
Across your PK Protect ecosystem you might have any combination of user accounts identified by UPNs or by email addresses.
When PK Endpoint Manager is set up and authenticated, the PK Protect Cloud delivers a list of Authorized Domains to PK Endpoint Manager. If a user's email address comes from an authorized domain, the account is confirmed for external sharing. This means that a user belonging to an authorized domain on a PK Endpoint Manager can create and use Smartkeys to share data with people outside the organization.
If a PK Protect administrator creates a user with an email address that can't be authenticated through the organization's Active Directory, and is NOT in a PK Protect authorized domain, a Guest account will be created. Guest users cannot share encryption keys with the outside world.
The following example illustrates the differences between user accounts.
Guest Account Example Scenario
PK Endpoint Manager Authorized Domains List:

- Authorized Account - Email: unavailable/not in AD; the UPN has pkware.com, which is an authorized domain for the PK Endpoint Manager
- Guest Account - The email address is defined and does not match one of the authorized domains for the PK Endpoint Manager
- Authorized Account - The email address includes smartcrypt.com, which is an authorized domain for the PK Endpoint Manager, even though the UPN is not in the authorized list
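The lookup order and the authorized-domain check described above, written out as an added Python example (this is not PK Protect code; the AdUser record, the function names and the authorized-domain set are assumptions constructed to mirror the scenario on this page). It also shows why the domain comparison should be an exact, case-insensitive match on the part after the last "@" rather than a suffix test, so that a lookalike domain is not treated as authorized.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed for this example: the two domains the scenario above treats as
# authorized. Not the product's real configuration.
AUTHORIZED_DOMAINS = {"pkware.com", "smartcrypt.com"}


@dataclass
class AdUser:
    """Hypothetical view of the AD attributes the lookup needs."""
    upn: str                    # userPrincipalName, e.g. dev@pkware.com
    mail: Optional[str] = None  # AD mail attribute; None when not populated


def address_domain(address: str) -> str:
    # Exact domain label after the last '@', lower-cased. A suffix check such
    # as address.endswith("pkware.com") would also accept "notpkware.com",
    # so whole-label comparison is the safe choice.
    return address.rsplit("@", 1)[-1].strip().lower()


def resolve_account(user: AdUser, authorized: set[str]) -> tuple[str, str]:
    """Return (address used to identify the user, account type).

    Lookup order as on this page: the AD email address when present,
    otherwise the UPN. The address's domain is then compared with the
    authorized-domain list; an address outside it is a Guest account.
    (Assumption for this example: a UPN outside the list is also reported
    as Guest, since the page says such users lack full AD-user privileges.)
    """
    authorized = {d.strip().lower() for d in authorized}
    address = user.mail if user.mail else user.upn
    kind = "Authorized" if address_domain(address) in authorized else "Guest"
    return address, kind


if __name__ == "__main__":
    for u in (AdUser(upn="dev@pkware.com"),
              AdUser(upn="dev@pkware.com", mail="dev@example.org"),
              AdUser(upn="dev@corp.local", mail="dev@smartcrypt.com"),
              AdUser(upn="dev@notpkware.com")):
        print(u, "->", resolve_account(u, AUTHORIZED_DOMAINS))
```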
Authorized Account vs. Guest Account
There are some differences between the types of accounts. In general, there are configuration options that can be used to narrow the gap to provide a similar user experience for Guest accounts.