Working with Users

This article explains how to manage your users and view their connection activity across your account.

Overview

Efficient user management is a fundamental part of an identity management framework. The Users page gives you full visibility of all users and their Clients from a centralized location. You can manually add and manage users and view information about how they are using the Client. The filters let you drill down into usage activity.

Use Case

Company ABC manages their Client Upgrade Policy (which defines how Clients in their account are upgraded to the latest version) using Automatic Silent Upgrades. Following the release of the latest Windows Client, the IT administrator wants to know how many users have upgraded to this version. On the Activity Based tab, the IT administrator adds the latest version to the Client version filter. The users who have completed the Client upgrade are displayed.

Getting Started with the Users Page

The Activity Based and Full Directory tabs display the users in your account and how they are connecting to the Cato Cloud.

Viewing Users Activity

You can view all the users in your account and their connection activity from the Activity Based tab. You can sort and filter for each of the fields to quickly show the relevant data, for example: Connectivity status, Last PoP, Client version, and more. Users only appear after connecting.

Viewing Device and Client Details

The summary bar provides a high-level overview of the total number of users in your account and how they are connecting.

In the Users table, the Devices column shows each device and operating system that is used by a user to connect to the Cato Cloud. The Client version column shows the version the Client is running. This section can be helpful for security auditing purposes.

If a user connects to the Cato Cloud with more than one device, a plus sign with the number of additional devices is displayed. To view all the devices used by the user, click this number.

You can also view additional device information, for example the Name and Identifier of the device.

To show additional device information:

  1. From the navigation menu, click Access > Users.
  2. Select a user from the list. The Access > User Monitoring page for the user is displayed.
  3. From the navigation menu, click User Monitoring > Devices. The Devices page displays all currently defined devices for the user.

Viewing Associated Groups for Users

The Member of Groups section shows you the groups that a user belongs to.

To view associated groups of users:

  1. From the navigation menu, click Access > Users.
  2. Select a user from the list. The Access > User Monitoring page for the user is displayed.
  3. Click User Configuration > Member of Groups. The General window opens. The Member of Groups window opens, showing the groups that the user belongs to.

Understanding the Full Directory

You can view and monitor user provisioning information from the Full Directory page. This page displays all the users in your account. You can sort and filter for each of the fields to quickly show the relevant data, for example: Status, Source (SCIM, LDAP, or Manual), Department, and more.

Filtering by User Status

The Status column displays the account status of the user. The following table provides an explanation of each status.

Status      Explanation
Configured  The user has been created in the Cato Management Application.
Disabled    The user is disabled. They cannot connect to the Cato Cloud.
Locked      The user failed six authentication attempts.

Filtering for Users with a License

The Remote Access column identifies users who have a license assigned. You can filter the column to clearly display all users with or without a license. For more information on how to assign a license, see Assigning ZTNA Licenses to Users.

Viewing User Monitoring and Configuration

You can view individual User Monitoring and User Configuration from the Activity Based page or the Full Directory page.

To view User Monitoring:

  1. From the navigation menu, click Access > Users.
  2. On either the Activity Based or Full Directory tabs, click the bar graph icon. The Access > User Monitoring page is displayed with a predefined filter for the user.

To view User Configuration:

  1. From the navigation menu, click Access > Users.
  2. On either the Activity Based or Full Directory tabs, click the cog icon. The Access > User Configuration page is displayed with a predefined filter for the user.

Creating and Managing Users

You can administer new and existing users in your account as part of your identity management framework.

Adding A User Manually

You can manually add individual users to your account. After a user is created, you can choose to send them an onboarding email to welcome them to remote access at Cato. For more information, see Adding Users to Your Cato Account.

To manually add a user:

  1. From the Navigation menu, click Access > Users.
  2. Click the Full Directory tab.
  3. Click New. The Add User panel opens.
  4. Enter the user's First Name, Last Name and E-mail.
  5. Click Apply.

    The user is created and can be viewed on the Full Directory page.

Resetting User Passwords

You can reset the password for a user with an SDP license. After you reset the password, the user receives an email with a link to reset the password. The password reset link is valid for one hour after the email is sent. Before you reset the password for users, make sure that they log out of the Client for all of their devices. Otherwise, the user can be locked out of the Client.

Once a password has been updated, users may have to wait up to 4 minutes before they can sign into the Client again. In Windows Clients on the Users page, users must be deleted and re-added before they can sign in with the new password.

Passwords must be between 8 and 32 characters and include at least:

  • One number
  • One lowercase character
  • One uppercase character
  • One special character

Note: After you reset the password, users can no longer authenticate with the current password. They must create a new one in the User Portal.

To reset a user's password:

  1. From the Navigation menu, click Access > Users.
  2. Click the Full Directory tab.
  3. Select the user.
  4. From the Actions drop-down menu, select Reset Password.
  5. In the Reset Password window, click Confirm.

    The password is reset for the users and they receive an email with a link to create a new password.

Resending Activation Emails

After a new user is added to the Cato Management Application, you can choose to send them an activation email. For more information, see Activating SDP Users for Cato Clients. If needed, the activation email can be resent.

To resend an invitation to a user:

  1. From the Navigation menu, click Access > Users.
  2. Click the Full Directory tab.
  3. Select the user.
  4. From the Actions drop-down menu, select Resend activation email.
  5. In the Resend Invitation window, click Confirm.

    The activation email is sent to the user.

Deleting and Disabling Users

If you no longer want a user to access your network, depending on how they were created, they can be permanently deleted or disabled. After being deleted, users are no longer visible on the Full Directory page. Deleted users are still visible in policies and marked as deleted, for example, John Doe (Deleted). After being deleted, the user can no longer connect with the Cato Client or have a policy applied.

  • Manually created users can be manually deleted.
  • Users provisioned with SCIM can be deleted in the CMA but we recommend deleting them directly from your IdP. After the next sync, they are automatically deleted in the CMA and can no longer connect with the Cato Client.
  • Users provisioned with LDAP can be deleted or removed, depending on your configuration. After you delete a user from your IdP:

    • If you configure users that no longer exist in your IdP to be disabled, after the next sync, you can manually delete the disabled user.
    • If you configure users that no longer exist in your IdP to be removed, after the next sync, they are automatically deleted.

    After the next sync, they are automatically deleted in the Cato Management Application and can no longer connect with the Cato Client.

If a user was recreated after they were deleted, in the Client, remove the existing (deleted) user and sign in again.

Note: You cannot undo the delete user action. Ensure that Always-On is disabled for the user before they are deleted.

To manually delete a user:

  1. From the navigation menu, click Access > Users.
  2. Click the Full Directory tab.
  3. Select the user.
  4. From the Actions drop-down menu, select Delete.
  5. In the Delete window, click Delete.

    The user is deleted.

Restricting User Access

This section explains how to manage users that are disabled or locked.

Disabling/Enabling Users

If required, you can temporarily disable user accounts, or enable accounts that have been disabled.

A disabled user cannot connect to the Cato Cloud and is not counted as using a user license. However, the user still appears in the relevant references and entries in the Cato Management Application, such as security rules.

To disable a user account:

  1. From the Navigation menu, click Access > Users.
  2. Click the Full Directory tab.
  3. Select the user.
  4. From the Actions drop-down menu, select Disable.
  5. In the Disable window, click Confirm.

    The user is disabled.

To enable a user account:

  1. From the Navigation menu, click Access > Users.
  2. Click the Full Directory tab.
  3. Select the user.
  4. From the Actions drop-down menu, select Enable.
  5. In the Enable window, click Confirm.

    The user is enabled.

Unlocking Users

Following security best practices, after six authentication failures within a 5-minute window, Cato automatically locks users for 30 minutes (unless you unlock the user earlier).

These six failures are counted separately for password and MFA authentication failures (meaning the lock will be triggered only after six MFA or six password failures).

You can view where the failure occurred (when the user accessed the Cato User Portal or when authenticating via the Cato Client), and whether the failure was MFA or password related.

Note: Unlocking a user doesn't reset the user's password.
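
The lockout rule described above (six failures of one type within 5 minutes, then a 30-minute lock), replayed over a list of authentication-failure events to show which users end up locked and until when. This is an added example, not Cato code or Cato's event schema; the tuple layout, the sliding-window interpretation and the sample users are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 6                          # failures that trigger a lock
WINDOW = timedelta(minutes=5)          # period in which they must occur
LOCK_DURATION = timedelta(minutes=30)  # automatic lock length


def find_lockouts(events):
    """Return [(user, kind, locked_at, unlocks_at)] for failure events.
    events: iterable of (timestamp, user, kind), kind is "password" or "mfa".
    Assumptions: sliding window; failures while locked are ignored; no early unlock.
    """
    recent = defaultdict(deque)  # (user, kind) -> failure times still in window
    locked_until = {}            # user -> end of the current lock
    lockouts = []
    for ts, user, kind in sorted(events):
        if ts < locked_until.get(user, datetime.min):
            continue             # already locked, nothing new to count
        window = recent[(user, kind)]
        window.append(ts)
        while ts - window[0] > WINDOW:
            window.popleft()     # forget failures older than the window
        if len(window) >= THRESHOLD:
            locked_until[user] = ts + LOCK_DURATION
            lockouts.append((user, kind, ts, locked_until[user]))
            for k in ("password", "mfa"):
                recent[(user, k)].clear()  # start counting afresh after a lock
    return lockouts


# Constructed sample data (not Cato's event schema).
T0 = datetime(2024, 1, 1, 9, 0, 0)


def make_failures(user, kind, step_seconds, count, offset=0):
    return [(T0 + timedelta(seconds=offset + step_seconds * i), user, kind)
            for i in range(count)]


SAMPLE_EVENTS = (
    make_failures("alice@example.com", "password", 20, 6)        # 6 in 100 s: locked
    + make_failures("bob@example.com", "password", 30, 5)        # 5 password ...
    + make_failures("bob@example.com", "mfa", 30, 5, offset=10)  # ... + 5 MFA: not locked
    + make_failures("carol@example.com", "password", 120, 6)     # 6 over 10 min: not locked
)

if __name__ == "__main__":
    print(find_lockouts(SAMPLE_EVENTS))
```

In the sample, only alice@example.com is locked: bob's ten failures are split five and five between password and MFA, and carol's six failures are spread over ten minutes.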

To unlock a locked user:

  1. From the Navigation menu, click Access > Users.
  2. Click the Full Directory tab.
  3. Select the user.
  4. From the Actions drop-down menu, select Unlock.
  5. In the confirmation window, click OK.

    The user is unlocked.

Enabling All Users after an Active Directory Sync

For accounts that use LDAP to synchronize users between Active Directory (AD) and the Cato Cloud, this feature lets you enable all the users that are currently disabled. Sometimes, an admin discovers that many users were disabled by mistake in the AD and then synced to Cato Cloud. When you select this option in the Users window, all users that were disabled in the most recent sync are enabled.

To enable all the disabled users after an LDAP sync:

  1. From the Navigation menu, click Access > Users.
  2. Click the Full Directory tab.
  3. Select the user.
  4. From the Actions drop-down menu, select Re-enable LDAP Disabled Users.
  5. In the Re-enable disabled LDAP users window, click Confirm.

    The user that was disabled in the most recent LDAP sync is now enabled.

Revoking a Remote User Session

You can revoke the session of a remote user. After a session is revoked, the remote user is prompted to authenticate in the Client using their configured authentication method. For more information, see Revoking a Remote User Session.

Viewing User Events

You can view user events that take place across your network. You can choose to view all user events together, or only user events from users connecting either remotely or behind a site. For more information about Events, see Analyzing Events in Your Network.

  • To view events from a specific user, irrespective of where they connect from, filter on the User Email or User Display Name fields.
  • To view events from users connecting remotely, filter on the Sources is Site or SDP User where the Value is SDP User.
  • To view events from users connecting behind a site, filter on the Sources is Site or SDP User where the Value is Site.
