Working with Users

This article explains how to manage your users and view their connection activity across your account.

Overview

Efficient user management is a fundamental part of an identity management framework. The Users page gives you full visibility of all users and their Clients from a centralized location. You can manually add and manage users and view information about how they are using the Client. The filters let you drill down into usage activity.

Use Case

Company ABC manages their Client Upgrade Policy (which defines how Clients in their account are upgraded to the latest version) using Automatic Silent Upgrades. Following the release of the latest Windows Client, the IT administrator wants to know how many users have upgraded to this version. On the SDP Users Activity tab, the IT administrator adds the latest version to the Client version filter. The users who have completed the Client upgrade are displayed.

Getting Started with the Users Page

The SDP Users Activity and Users Directory tabs display the users in your account and how they are connecting to the Cato Cloud.

Viewing Users Activity

You can view all the users in your account and their connection activity from the SDP Users Activity tab. You can sort and filter for each of the fields to quickly show the relevant data, for example: Connectivity status, Last PoP, Client version, and more. Users only appear after connecting.

Viewing Device and Client Details

The Devices column shows each device and operating system that is used by a user to connect to the Cato Cloud. The Client version column shows the version the Client is running. This section can be helpful for security auditing purposes.

If a user connects to the Cato Cloud with more than one device, a plus sign with the number of additional devices is displayed. To view all the devices used by the user, click this number.

You can also view additional device information, for example the Name and Identifier of the device.

To show additional device information:

  1. From the navigation menu, click Access > Users.

  2. Select a user from the list. The Access > User Monitoring page for the user is displayed.

  3. From the navigation menu, click User Monitoring > Devices. The Devices page displays all currently defined devices for the user.

Viewing Associated Groups for Users

The Member of Groups section shows you the groups that a user belongs to.

To view associated groups of users:

  1. From the navigation menu, click Access > Users.

  2. Select a user from the list. The Access > User Monitoring page for the user is displayed.

  3. Click User Configuration > Member of Groups. The General window opens. The Member of Groups window opens, showing groups that the user belongs to.

Understanding Users Directory

You can view and monitor user provisioning information from the Users Directory page. This page displays all the users in your account. You can sort and filter for each of the fields to quickly show the relevant data, for example: Status, Source (SCIM, LDAP, or Manual), Authentication (SSO or MFA), and more.

Filtering by User Status

The Status column displays the account status of the user. The following table provides an explanation of each status.

  Status       Explanation
  Configured   The user has been created in the Cato Management Application.
  Disabled     The user is disabled. They cannot connect to the Cato Cloud.
  Locked       The user failed six consecutive authentication attempts.

Filtering for Users with a License

The SDP License column identifies users that have a license assigned. You can filter the column to clearly display all users with or without a license. For more information on how to assign a license, see Assigning SDP Licenses to Users.

Viewing User Monitoring and Configuration

You can view individual User Monitoring and User Configuration from the SDP Users Activity page or the Users Directory page.

To view User Monitoring:

  1. From the navigation menu, click Access > Users.

  2. On either the SDP Users Activity or Users Directory tabs, click the bar graph icon. The Access > User Monitoring page is displayed with a predefined filter for the user.

To view User Configuration:

  1. From the navigation menu, click Access > Users.

  2. On either the SDP Users Activity or Users Directory tabs, click the cog icon. The Access > User Configuration page is displayed with a predefined filter for the user.

Creating and Managing Users

You can administer new and existing users in your account as part of your identity management framework.

Adding A User Manually

You can manually add individual users to your account. After a user is created you can choose to send them an onboarding email to welcome them to remote access at Cato. For more information, see Adding Users to Your Cato Account.

To manually add a user:

  1. From the Navigation menu, click Access > Users.

  2. Click the Users Directory tab.

  3. Click New. The Add User panel opens.

  4. Enter the user's First Name, Last Name and E-mail.

  5. Click Apply.

    The user is created and can be viewed on the Users Directory page.

Resetting User Passwords

You can reset the password for a user. After you reset the password, the user receives an email with a link to reset the password. The password reset link is valid for one hour after the email is sent. The new password must contain between 8 and 32 characters, at least one number, and a lowercase and an uppercase letter.

Before you reset the password for users, make sure that they log out of the Client for all of their devices. Otherwise, the user can be locked out of the Client.

Once a password has been updated, users may have to wait up to 4 minutes before they can sign into the Client again. In Windows Clients on the Users page, users must be deleted and re-added before they can sign in with the new password.

Passwords must be between 8 and 32 characters and include at least:

  • One number

  • One lowercase character

  • One uppercase character

Note: After you reset the password, users can no longer authenticate with the current password. They must create a new one in the User Portal.

To reset a user's password:

  1. From the Navigation menu, click Access > Users.

  2. Click the Users Directory tab.

  3. Select the user.

  4. From the Actions drop-down menu, select Reset Password.

  5. In the Reset Password window, click Confirm.

    The password is reset for the user and they receive an email with a link to create a new password.

Resending Activation Emails

After a new user is added to the Cato Management Application, you can choose to send them an activation e-mail. For more information, see Activating SDP Users for Cato Clients. If needed, the activation email can be resent.

To resend an invitation to a User:

  1. From the Navigation menu, click Access > Users.

  2. Click the Users Directory tab.

  3. Select the user.

  4. From the Actions drop-down menu, select Resend activation email.

  5. In the Resend Invitation window, click Confirm.

    The activation email is sent to the user.

Deleting and Disabling Users

If you no longer want a user to access your network, depending on how they were created, they can be permanently deleted or disabled. After being deleted, users are no longer visible on the Users Directory page. Deleted users are still visible in policies and marked as deleted, for example, John Doe (Deleted). After being deleted, the user can no longer connect with the Cato Client or have a policy applied.

  • Manually created users can be manually deleted.

  • Users provisioned with SCIM can be deleted by deleting them from your IdP. After the next sync, they are automatically deleted in the Cato Management Application and can no longer connect with the Cato Client.

  • Users provisioned with LDAP can be deleted or removed, depending on your configuration. After you delete a user from your IdP:

    • If you configure users that no longer exist in your IdP to be disabled, after the next sync, you can manually delete the disabled user.

    • If you configure users that no longer exist in your IdP to be removed, after the next sync, they are automatically deleted.

    After the next sync, they are automatically deleted in the Cato Management Application and can no longer connect with the Cato Client.

Note

You cannot undo the delete user action.

Ensure Always-On is disabled for the user before they are deleted.

To manually delete a user:

  1. From the Navigation menu, click Access > Users.

  2. Click the Users Directory tab.

  3. Select the user.

  4. From the Actions drop-down menu, select Delete.

  5. In the Delete window, click Delete.

    The user is deleted.

Restricting User Access

This section explains how to manage users that are disabled or locked. You can also revoke a user's session.

Disabling/Enabling Users

If required, you can temporarily disable user accounts, or enable accounts that have been disabled.

A disabled user cannot connect to the Cato Cloud and is not counted as using a user license. However, they still appear in relevant references and entries in the Cato Management Application, such as security rules.

To disable a user account:

  1. From the Navigation menu, click Access > Users.

  2. Click the Users Directory tab.

  3. Select the user.

  4. From the Actions drop-down menu, select Disable.

  5. In the Disable window, click Confirm.

    The user is disabled.

To enable a user account:

  1. From the Navigation menu, click Access > Users.

  2. Click the Users Directory tab.

  3. Select the user.

  4. From the Actions drop-down menu, select Enable.

  5. In the Enable window, click Confirm.

    The user is enabled.

Unlocking Users

Following security best practices, after six consecutive authentication failures within a 5-minute window, Cato automatically locks users for 30 minutes (unless you unlock the user earlier).

These six consecutive failures are counted separately for password and MFA authentication failures (meaning the lock will be triggered only after six consecutive MFA or six consecutive password failures).
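The lockout rule described above, modeled as a short Python replay over authentication events. This is an added example, not Cato code; the event tuple format, the sample users, and the choices that a success ends only the streak of its own kind and that attempts during a lock are not counted are assumptions.

```python
from datetime import datetime, timedelta

THRESHOLD = 6                      # consecutive failures, per the article
WINDOW = timedelta(minutes=5)      # the six failures must fall inside this window
LOCK_FOR = timedelta(minutes=30)   # automatic lock duration

def replay(events):
    """Replay (timestamp, user, kind, ok) tuples, kind being 'password' or 'mfa'.
    Returns one (user, kind, locked_at, locked_until) tuple per lock triggered."""
    streaks = {}   # (user, kind) -> timestamps of the current failure streak
    locked = {}    # user -> time at which the lock expires
    locks = []
    for ts, user, kind, ok in sorted(events):
        if locked.get(user, ts) > ts:
            continue                    # assumption: attempts during a lock are not counted
        streak = streaks.setdefault((user, kind), [])
        if ok:
            streak.clear()              # assumption: a success ends the streak of its own kind
            continue
        streak.append(ts)
        del streak[:-THRESHOLD]         # keep only the six most recent failures
        if len(streak) == THRESHOLD and ts - streak[0] <= WINDOW:
            locked[user] = ts + LOCK_FOR
            locks.append((user, kind, ts, locked[user]))
            for k in ("password", "mfa"):
                streaks.pop((user, k), None)   # start clean once the lock expires
    return locks

def fails(user, kind, n, start, step=20):
    """Constructed sample data: n failures of one kind, `step` seconds apart."""
    return [(start + timedelta(seconds=step * i), user, kind, False) for i in range(n)]

T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE = (
    fails("alice@example.com", "password", 6, T0)                       # 6 in 100 s: lock
    + fails("bob@example.com", "password", 5, T0)                       # 5 password and
    + fails("bob@example.com", "mfa", 5, T0 + timedelta(seconds=5))     # 5 MFA: no lock
    + fails("carol@example.com", "mfa", 6, T0, step=90)                 # 6 over 450 s: no lock
)

if __name__ == "__main__":
    for user, kind, at, until in replay(SAMPLE):
        print(f"{user}: locked at {at} after {THRESHOLD} {kind} failures, until {until}")
```

Only the first sample user is locked: five password failures plus five MFA failures never reach six of one kind, and six failures spread over more than five minutes fall outside the window.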

You can view where the failure occurred (when the user accessed the Cato User Portal or when authenticating via the Cato Client), and whether the failure was MFA or password related.

Note: Unlocking a user doesn't reset the user's password.

To unlock a locked user:

  1. From the Navigation menu, click Access > Users.

  2. Click the Users Directory tab.

  3. Select the user.

  4. From the Actions drop-down menu, select Unlock.

  5. In the confirmation window, click OK.

    The user is unlocked.

Enabling All Users after an Active Directory Sync

For accounts that use LDAP to synchronize users between Active Directory (AD) and the Cato Cloud, this feature lets you enable all the users that are currently disabled. Sometimes, an admin discovers that many users were disabled by mistake in the AD and then synced to Cato Cloud. When you select this option in the Users window, all users that were disabled in the most recent sync are enabled.

To enable all the disabled users after an LDAP sync:

  1. From the Navigation menu, click Access > Users.

  2. Click the Users Directory tab.

  3. Select the user.

  4. From the Actions drop-down menu, select Re-enable LDAP Disabled Users.

  5. In the Re-enable disabled LDAP users window, click Confirm.

    The user that was disabled in the most recent LDAP sync is now enabled.

Revoking the MFA Token for a Device

You can revoke the Cato MFA authentication token on a specific device for a user. After the MFA token is revoked the user must re-authenticate and enter a new MFA code in the Client.

To revoke the MFA token for a device:

  1. From the navigation menu, click Access > Users.

  2. Select a user from the list.

  3. From the navigation menu, click User Monitoring > Devices.

    The devices for that user are displayed.

  4. At the end of the row for the device, click the More button.

  5. Click Revoke Device.

  6. In the pop-up window, click Revoke.

    The MFA token for that device is no longer valid.

Viewing User Events

You can view user events that take place across your network. You can choose to view all user events together, or only user events from users connecting either remotely or behind a site. For more information about Events, see Analyzing Events in Your Network.

  • To view events from a specific user, irrespective of where they connect from, filter on the User Email or User Display Name fields.

  • To view events from users connecting remotely, filter on the Sources is Site or SDP User where the Value is SDP User.

  • To view events from users connecting behind a site, filter on the Sources is Site or SDP User where the Value is Site.
