This article explains how to manage your users and view their connection activity across your account.
Efficient user management is a fundamental part of an identity management framework. The Users page gives you full visibility of all users and their Clients from a centralized location. You can manually add and manage users and view information about how they are using the Client. The filters let you drill down into usage activity.
Company ABC manages their Client Upgrade Policy (which defines how Clients in their account are upgraded to the latest version) using Automatic Silent Upgrades. Following the release of the latest Windows Client, the IT administrator wants to know how many users have upgraded to this version. On the SDP Users Activity tab, the IT administrator adds the latest version to the Client version filter. The users who have completed the Client upgrade are displayed.
The SDP Users Activity and Users Directory tabs display the users in your account and how they are connecting to the Cato Cloud.
You can view all the users in your account and their connection activity from the SDP Users Activity tab. You can sort and filter for each of the fields to quickly show the relevant data, for example: Connectivity status, Last PoP, Client version, and more. Users only appear after connecting.
The Devices column shows each device and operating system that is used by a user to connect to the Cato Cloud. The Client version column shows the version the Client is running. This section can be helpful for security auditing purposes.
If a user connects to the Cato Cloud with more than one device, a plus sign with the number of additional devices is displayed. To view all the devices used by the user, click on this number.
You can also view additional device information, for example the Name and Identifier of the device.
To show additional device information:
- From the navigation menu, click Access > Users.
- Select a user from the list. The Access > User Monitoring page for the user is displayed.
- From the navigation menu, click User Monitoring > Devices. The Devices page displays all currently defined devices for the user.
The Member of Groups section shows you the groups that a user belongs to.
To view associated groups of users:
- From the navigation menu, click Access > Users.
- Select a user from the list. The Access > User Monitoring page for the user is displayed.
- Click User Configuration > Member of Groups. The General window opens. The Member of Groups window opens, showing groups that the user belongs to.
You can view and monitor user provisioning information from the Users Directory page. This page displays all the users in your account. You can sort and filter for each of the fields to quickly show the relevant data, for example: Status, Source (SCIM, LDAP, or Manual), Authentication (SSO or MFA), and more.
The Status column displays the account status of the user. The following table provides an explanation of each status.
The SDP License column identifies users that have a license assigned. You can filter the column to clearly display all users with or without a license. For more information on how to assign a license, see Assigning SDP Licenses to Users.
You can view individual User Monitoring and User Configuration from the SDP Users Activity page or the Users Directory page.
You can administer new and existing users in your account as part of your identity management framework.
You can manually add individual users to your account. After a user is created you can choose to send them an onboarding email to welcome them to remote access at Cato. For more information, see Adding Users to Your Cato Account.
You can reset the password for a user. After you reset the password, the user receives an email with a link to reset the password. The password reset link is valid for one hour after the email is sent. The new password must contain between 8 and 32 characters, at least one number, and a lowercase and an uppercase letter.
Before you reset the password for users, make sure that they log out of the Client for all of their devices. Otherwise, the user can be locked out of the Client.
Once a password has been updated, users may have to wait up to 4 minutes before they can sign into the Client again. In Windows Clients on the Users page, users must be deleted and re-added before they can sign in with the new password.
Passwords must be between 8 and 32 characters and include at least:
- One number
- One lowercase character
- One uppercase character
Note: After you reset the password, users can no longer authenticate with the current password. They must create a new one in the User Portal.
To reset a user's password:
- From the Navigation menu, click Access > Users.
- Click the Users Directory tab.
- Select the user.
- From the Actions drop-down menu, select Reset Password.
- In the Reset Password window, click Confirm.
The password is reset for the users and they receive an email with a link to create a new password.
After a new user is added to the Cato Management Application, you can choose to send them an activation e-mail. For more information, see Activating SDP Users for Cato Clients. If needed, the activation email can be resent.
If you no longer want a user to access your network, depending on how they were created, they can be permanently deleted or disabled. After being deleted users are no longer visible on the Users Directory page. Deleted users are still visible in policies and marked as deleted, for example, John Doe (Deleted). After being deleted, the user can no longer connect with the Cato Client or have a policy applied.
- Manually created users can be manually deleted.
- Users provisioned with SCIM can be deleted by deleting them from your IdP. After the next sync, they are automatically deleted in the Cato Management Application and can no longer connect with the Cato Client.
- Users provisioned with LDAP can be deleted or removed, depending on your configuration. After you delete a user from your IdP:
  - If you configure users that no longer exist in your IdP to be disabled, after the next sync, you can manually delete the disabled user.
  - If you configure users that no longer exist in your IdP to be removed, after the next sync, they are automatically deleted.
    After the next sync, they are automatically deleted in the Cato Management Application and can no longer connect with the Cato Client.

Note: You cannot undo the delete user action. Ensure Always-On is disabled for the user before they are deleted.
This section explains how to manage users that are disabled or locked. You can also revoke a user's session.
If required, you can temporarily disable user accounts, or enable accounts that have been disabled.
A disabled user cannot connect to the Cato Cloud and is not counted as using a user license. However, they will still appear in its relevant references and entries in the Cato Management Application, such as security rules.
Following security best practices, after six consecutive authentication failures within a 5-minute window, Cato automatically locks users for 30 minutes (unless you unlock the user earlier).
These six consecutive failures are counted separately for password and MFA authentication failures (meaning the lock will be triggered only after six consecutive MFA or six consecutive password failures).
You can view where the failure occurred (when the user accessed the Cato User Portal or when authenticating via the Cato Client), and whether the failure was MFA or password related.
Note: Unlocking a user doesn't reset the user's password.
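The lockout rule described above, modeled over constructed sign-in events to show that password and MFA streaks are counted separately and that failures spread beyond five minutes do not lock the user. This is an added example, not Cato code or part of the original article; the event tuple layout, the function names, the reset of a streak on success and the skipping of attempts during a lock are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 6                     # consecutive failures, per the article
WINDOW = timedelta(minutes=5)     # window the failures must fall in
LOCK_FOR = timedelta(minutes=30)  # automatic lock duration

def evaluate_lockouts(events):
    """Return [(user, factor, locked_at, locked_until)] for time-ordered events.
    Each event is (timestamp, user, factor, ok); factor is "password" or "mfa".
    Assumptions: a success resets only that factor's streak, and attempts
    made while a user is locked are not counted."""
    streaks = defaultdict(deque)  # (user, factor) -> recent failure times
    locked_until, locks = {}, []
    for ts, user, factor, ok in events:
        if ts < locked_until.get(user, ts):
            continue              # user is currently locked
        streak = streaks[(user, factor)]
        if ok:
            streak.clear()
            continue
        streak.append(ts)
        while ts - streak[0] > WINDOW:
            streak.popleft()      # failure fell out of the 5-minute window
        if len(streak) >= THRESHOLD:
            locked_until[user] = ts + LOCK_FOR
            locks.append((user, factor, ts, ts + LOCK_FOR))
            streak.clear()
    return locks

T0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed sample data below

def fails(user, factor, count, step_s, start_s=0):
    return [(T0 + timedelta(seconds=start_s + i * step_s), user, factor, False)
            for i in range(count)]

SAMPLE = sorted(
    fails("alice@example.com", "password", 3, 20)            # 3 password +
    + fails("alice@example.com", "mfa", 3, 20, start_s=60)   # 3 MFA: no lock
    + fails("bob@example.com", "password", 6, 30)            # 6 in 150 s: lock
    + fails("carol@example.com", "password", 6, 70)          # spans 350 s: no lock
)

if __name__ == "__main__":
    for user, factor, at, until in evaluate_lockouts(SAMPLE):
        print(f"{user} locked on {factor} failures at {at:%H:%M:%S} until {until:%H:%M:%S}")
```

Only the bob@example.com sample account is locked; a model like this can be replayed against exported sign-in events to check which accounts should have hit the automatic lock.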
For accounts that use LDAP to synchronize users between Active Directory (AD) and the Cato Cloud, this feature lets you enable all the users that are currently disabled. Sometimes, an admin discovers that many users were disabled by mistake in the AD and then synced to Cato Cloud. When you select this option in the Users window, all users that were disabled in the most recent sync are enabled.
To enable all the disabled users after an LDAP sync:
- From the Navigation menu, click Access > Users.
- Click the Users Directory tab.
- Select the user.
- From the Actions drop-down menu, select Re-enable LDAP Disabled Users.
- In the Re-enable disabled LDAP users window, click Confirm.
The user that was disabled in the most recent LDAP sync is now enabled.
You can revoke the Cato MFA authentication token on a specific device for a user. After the MFA token is revoked the user must re-authenticate and enter a new MFA code in the Client.
To revoke the MFA token for a device:
- From the navigation menu, click Access > Users.
- Select a user from the list.
- From the navigation menu, click User Monitoring > Devices.
  The devices for that user are displayed.
- At the end of the row for the device, click the More button.
- Click Revoke Device.
- In the pop-up window, click Revoke.
The MFA token for that device is no longer valid.
You can view user events that take place across your network. You can choose to view all user events together, or only user events from users connecting either remotely or behind a site. For more information about Events, see Analyzing Events in Your Network.
- To view events from a specific user, irrespective of where they connect from, filter on the User Email or User Display Name fields.
- To view events from users connecting remotely, filter on the Sources is Site or SDP User where the Value is SDP User.
- To view events from users connecting behind a site, filter on the Sources is Site or SDP User where the Value is Site.