This article explains how to manage your SDP users and view their connection activity across your account.
Efficient SDP user management is a fundamental part of an identity management framework. The Users screen gives you full visibility of all SDP users and their Clients from a centralized location. You can manually add and manage SDP users and view information about how they are using the SDP Client. The filters let you drill-down into usage activity.
Company ABC manages their Client Upgrade Policy (which defines how Clients in their account are upgraded to the latest version) using Automatic Silent Upgrades. Following the release of the latest Windows Client, the IT administrator wants to know how many SDP users have upgraded to this version. On the SDP Users Activity tab, the IT administrator adds the latest version to the Client version filter. The SDP users who have completed the Client upgrade are displayed.
The SDP Users Activity and Users Directory tabs display the SDP users in your account and how they are connecting to the Cato Cloud.
You can view all the SDP users in your account and their connection activity from the SDP Users Activity tab. You can sort and filter for each of the fields to quickly show the relevant data, for example: Connectivity status, Last PoP, Client version, and more.
The Devices column shows each device and operating system that is used by a SDP user to connect to the Cato Cloud. The Client version column shows the version the Client is running. This section can be helpful for security auditing purposes.
If a SDP user connects to the Cato Cloud with more than once device, a plus sign with the number of additional devices is displayed (
). To view all the devices used by the SDP user, click on this number.
You can also view additional device information, for example the Name and Identifier of the device.
To show additional device information:
-
From the navigation menu, click Access > Users.
-
Select a user from the list. The Access > User Monitoring screen for the user is displayed.
-
From the navigation menu, click User Monitoring > Devices. The Devices screen displaying all currently defined devices for the user.
The Member of Groups section shows you the groups that a SDP user belongs to.
To view associated groups of users
-
From the navigation menu, click Access > Users.
-
Select a user from the list. The Access > User Monitoring screen for the user is displayed.
-
Click User Configuration > Member of Groups. The General window opens. The Member of Groups window opens, showing groups that the user belongs to.
You can view and monitor SDP user provisioning information from the Users Directory screen. You can sort and filter for each of the fields to quickly show the relevant data, for example: Status, Source (SCIM, LDAP, or Manual), Authentication (SSO or MFA), and more.
The Status column displays the account status of the SDP user. The following table provides an explanation of each status.
|
Status |
Explanation |
|---|---|
|
New |
The SDP user is created, no Onboarding emails have been sent. |
|
Configured |
The SDP user has successfully signed into their account. |
|
Disabled |
The SDP user is disabled. They cannot connect to the Cato Cloud. |
|
Locked |
The SDP user failed six consecutive authentication attempts. |
|
Invitation sent |
An Onboarding email was sent to the SDP user, but the account has not been configured. |
|
Requires new code |
The SDP User's registration code has expired and requires a new one. For more information, see Provisioning SDP Users for Cato Clients. |
|
MFA invitation sent |
For SDP users that authenticate with MFA, an invitation email was sent, but the account has not been configured. |
You can view individual SDP User Monitoring and User Configuration from the SDP Users Activity screen or the Users Directory screen.
You can administer new and existing SDP users in your account as part of your identity management framework.
You can manually add individual SDP users to your account.
You can reset the password for a SDP user. After you reset the password, the user receives an email with a link to reset the password. The password reset link is valid for one hour after the email is sent. The new password must contain between 8 to 32 characters, at least one number, and a low case and upper letter.
Note: Before you reset the password for SDP users, make sure that they log out of the Client for all of their devices. Otherwise, the user can be locked out of the Client.
Note
Note: After you reset the password, users can no longer authenticate with the current password. They must create a new one in the User Portal.
To reset a SDP user's password:
-
From the Navigation menu, click Access > Users.
-
Click the Users Directory tab.
-
Select the SDP user.
-
From the Actions drop-down menu, select Reset Password.
-
In the Reset Password window, click Confirm.
The password is reset for the users and they receive an email with a link to create a new password.
After a new user is added to the Cato Management Application , you can choose to send them an activation e-mail. For more information, see Activating SDP Users for Cato Clients. If needed, the activation email can be resent.
If you no longer want an SDP user to access your network, they can be permanently deleted from the directory.
Note
Important! You cannot undo the delete user action.
This section explains how to manage users that are disabled or locked.
If required, you can temporarily disable user accounts, or enable accounts that have been disabled.
A disabled user cannot connect to the Cato Cloud and is not counted as using an SDP user license. However, they will still appear in its relevant references and entries in the Cato Management Application, such as security rules.
Following security best practices, after six consecutive authentication failures, Cato automatically locks SDP users for 30 minutes (unless you unlock the user earlier).
These six consecutive failures are counted separately for password and MFA authentication failures (meaning the lock will be triggered only after six consecutive MFA or six consecutive password failures).
You can view where the failure occurred (when the SDP user accessed the Cato User Portal or when authenticating via the Cato Client, and whether the failure was MFA or password related.
Note
Note: Unlocking an SDP user doesn't reset the user's password.
For accounts that use LDAP to synchronize users between Active Directory (AD) and the Cato Cloud, this feature lets you enable all the users that are currently disabled. Sometimes, an admin discovers that many users were disabled by mistake in the AD and then synced to Cato Cloud. When you select this option in the Users window, all users that were disabled in the most recent sync are enabled.
To enable all the disabled users after an LDAP sync:
-
From the Navigation menu, click Access > Users.
-
Click the Users Directory tab.
-
Select the SDP user.
-
From the Actions drop-down menu, select Re-enable LDAP Disabled Users.
-
In the Re-enable disabled LDAP users window, click Confirm.
The SDP user that was disabled in the most recent LDAP sync is now enabled.
You can revoke the Cato MFA authentication token on a specific device for an SDP user. After the MFA token is revoked the user must re-authenticate and enter a new MFA code in the Client.
To revoke the MFA token for a device:
-
From the navigation menu, click Access > Users.
-
Select a user from the list.
-
From the navigation menu, click User Monitoring > Devices.
The devices for that user are displayed.
-
At the end of the row for the device, click the More button
. -
Click Revoke Device.
-
In the pop-up window, click Revoke.
The MFA token for that device is no longer valid.
Comments
2 comments
Added a section about revoking the MFA token for a device.
Updated to include the new Users screen
Please sign in to leave a comment.