The Accounts tab gives system administrators an interface for managing the users of the system. An administrator can search for a user and disable the entire account,or disable individual devices that have been connected and authenticated as a particular user. Administrators can also define the list of unmanaged users.
|Name||The user's name (coming from their Active Directory user object).|
|This is the email address that is associated with the PK Protect account for the user. The email addresses for users are entered when allowing and denying access to Smartkeys.|
|UPN Mode||If you have user accounts stored in multiple Active Directory forests, UPN Mode allows admins to allow users to login to PK Protect with User Principal Names. Users will need to authenticate with the proper credentials for each Active Directory user to access each of the correlated PK Protect Identities.|
|Allow||The allow flag is the status of the account for the user. If a user's account has been compromised, an administrator can kill access to the account and all the devices the account is logged in on from this field.|
Managed versus unmanaged users
PK Protect supports two types of users: Managed and Unmanaged. Unmanaged users can choose their own passphrase without reporting to PEM Administrator. From the PK Protect user's perspective, it does not matter much whether they are managed or not. For administrators, there is an important difference to point out.
An unmanaged user is also a "Zero Knowledge User" in the system. What this means is that PEM Administrator cannot access or unlock any of the Smartkeys this type of account generates. In addition, if an unmanaged user loses or forgets their password, PEM Administrator cannot recover this type of account, because it cannot decrypt any of the content (including the unmanaged user's encrypted password stored in PEM Administrator).
Setting up an unmanaged user on PEM Administrator
- To define a group or list of users who are eligible to become unmanaged users, an administrator needs to enter the Active Directory group, or user entry in the Domain group.
- Click Update in the Unmanaged Users/Groups field. Start typing the name of the Group or User. PEM Administrator will pull up matches to select. You can also use Advanced AD Search.
- Save the results.
Note: An unmanaged user still needs to exist in Active Directory.
Converting a managed account on the PK Protect client
- After a user is defined in the unmanaged user group, the user can change their password through the PK Protect client. This dialog is available when looking at the account information from the right click menu in the system tray. Click Change to start the process.
- This will create a separate "unmanaged" credential different from their credentials being used in Active Directory.
- After a user is unmanaged, the user will need to keep their own credentials secure. There is no recovery for a lost unmanaged credential.
Advanced Definitions of Users and Groups
Admins can use Boolean expressions to identify people and groups that expand beyond the limits of standard Active Directory Groups. You can select multiple users and groups, exclude some users with the NOT operator, and add other users
In this example, the LargeData Marketing group is the Group who can become Unmanaged, but the group excludes user email@example.com.
To generate this result:
- Click in the Users/Groups field to display your options. The icon changes to .
- Start typing the name of the User or Group. PEM Administrator will display a list you can select from.
- Click Add Row.
- In the left-most field, change to User.
- To exclude a user, change the second field to not equal.
- Start typing the user name and select the user you want to exclude from this assignment.
- At the top, change the Boolean operator. By default, the OR operator is selected. Change this to AND.
- Click outside the box to confirm the changes.