Account management
An account is an organization that subscribes to a SAS service. An account includes account management features, such as billing and contact information, service details, token inventory, authentication connections, and so on.
In SAS, each account is managed by a Virtual Server that has the same name.
You view and manage all of your accounts and their Virtual Servers independently. While you will likely standardize on a few service offerings, this independence means that you can customize your service for individual accounts without affecting any other account’s service. This includes pricing, billing, branding, and more.
SAS does not obligate you to manage all aspects of an account’s service. In fact, you can allow some or all of your accounts to manage their own Virtual Server.
Virtual Service Provider and Subscriber accounts
Accounts are created in a multi-tier, multi-tenant structure that accommodates just about any hierarchy, reporting structure, business structure, security segregation, or other delineation.
Within the account hierarchy, parent accounts manage child accounts, and child accounts cannot access their parent account. The account type determines whether you can create child accounts. There are two types of accounts:
- Virtual Service Providers create and manage child accounts. The child accounts can be Virtual Service Providers or Subscriber accounts.
  Virtual Service Providers can also distribute tokens to their child accounts and to users.
  The top-level, or root, account is sometimes referred to as the service provider, but it is functionally the same as a Virtual Service Provider.
- Subscriber accounts cannot create child accounts, and therefore they are always child accounts.
You can use Virtual Service Providers to create additional sales channels that resell your service under your banner or under their brand. However, Virtual Service Providers are not limited to being resellers. They can also be large, complex accounts that need to independently extend and manage the service that they deliver to many subsidiaries or cost centers, accommodate multiple LDAPs and user data sources, or share access to protected resources across organizational boundaries.
Account Managers and Operators
Accounts and Virtual Servers are managed by users who are assigned a particular role. A role is a collection of permissions that grants access to the various tabs and features on the SAS console.
There are two basic types of roles: Account Managers and Operators. For both types, you can create roles and customize the permissions to allow or deny access to the various tabs and features on the SAS console. For example, you can create roles that have only view access, or roles that have access to only specific tabs, such as reports.
The same user can have both an account manager role for managing child accounts for the Virtual Service Provider, and an operator role for managing the Virtual Server for a child account.
Account Managers
Account Managers are users in a Virtual Service Provider account who create and manage accounts. Account managers can perform account management for child accounts, and operator functions for their own Virtual Server if they also have an operator role.
They can access the account management tabs and features, such as account details, services, token allocations, and so on.
Operators
Operators are users in either Virtual Service Provider or subscriber accounts who manage Virtual Servers. They can access only the Virtual Server tabs and features, such as users, tokens, policies, and so on. Operators cannot view or manage account information, such as the account details, services, or token allocations (unless they also have an account manager role).
There are two types of Operators:
- Internal Operators are users in a Virtual Server that are assigned the operator role. They manage their own Virtual Server for their account (either Virtual Service Provider or Subscriber). They cannot view or manage any other Virtual Server.
- External Operators are users in a Virtual Service Provider account who are delegated as Operators for a child account. They manage the Virtual Server for that child account.
Account Manager or Operator enrollment
A tenant account must already be activated for the organization before an account manager or operator can start using STA. When an account is activated, it has an inventory of tokens and at least one account manager or operator is assigned.
The assigned account manager or operator receives an email with instructions for completing their enrollment. They must enroll a one-time password (OTP) token that is assigned to them and activate their logon credentials.
After they activate their credentials, they can log on and create additional Operators, configure server settings, and so on, according to the access permissions that are defined for their assigned role.
MFA for Account Managers and Operators
Multi-factor authentication (MFA) for account managers and operators enhances security by requiring account managers and operators to provide at least two distinct authenticators when they log in.
MFA-enabled and -disabled login requirements for account managers and operators with and without an Active Directory (AD) password are shown in the following table:
Sequence | MFA enabled AD user | MFA enabled non-AD user | MFA disabled AD user or non-AD user
---|---|---|---
1st factor | AD password | Authenticator 1 | Authenticator
2nd factor | Authenticator | Authenticator 2 | -
AD users: If MFA for account managers and operators is enabled, they must use their AD password as their 1st factor and an authenticator as their 2nd factor to log in to the SAS console. The AD user's password must be synchronized to SAS in order to use MFA for account managers and operators.
Non-AD users: If MFA for account managers and operators is enabled, they must use two different authenticators as their 1st and 2nd factors to log in to the SAS console.
If MFA for account managers and operators is not enabled, they need only one authenticator to log in to the SAS console.
To provision MFA for account managers and operators:
- Provision account managers and operators for MFA, or promote a user to the operator or account manager role for MFA.
Enable MFA for account managers and operators
To avoid access disruptions, inform all account managers and operators about changes to the login flow and ensure that they have at least two authenticators or an AD password and an authenticator before MFA is enabled.
To enable MFA for account managers and operators:
- Deploy the latest version of SAS PCE that supports MFA.
- Log in to the SAS console at the tenant account level using an administrator account.
- Navigate to System > Setup > Multi Factor Authentication.
- Select Enable and then select Apply.
After MFA for account managers and operators is enabled at the tenant level, it is applied to all child accounts. Configuration changes related to MFA are not permitted at the child account level.
Provision account managers and operators for MFA
To provision an account manager or operator with two authenticators:
- After you enable MFA for account managers and operators, select On-Boarding and then select the account.
- Select Create Operator and then select Add.
- Provision a first authenticator, for example a MobilePASS+ authenticator.
- Provision a second authenticator, for example an SMS authenticator.
  The second authenticator must be different from the first authenticator.
  The system emails an enrollment notification for both of the authenticators to the account manager or operator who is being provisioned.
- The recipient of the notification enrolls both of the authenticators.
- After the authenticators are enrolled, the system sends an email requesting that the recipient use both authenticators to complete the validation process.
Promote a user to the operator or account manager role for MFA
In addition to selecting an existing operator or account manager, you can optionally promote a user to either of those roles for MFA. Users require two authenticators or an AD password and an authenticator before they can be promoted to an operator or account manager role.
To promote a user to an operator or account manager role for MFA:
- If the user does not have at least two authenticators or an AD password and at least one authenticator, provide one as described in Provisioning tokens to users.
- Promote the user to the operator or account manager role as described in Add an internal operator.
After the user is promoted to operator or account manager, if MFA is enabled they must log in using two authenticators or an AD password and an authenticator.
Login flow for account managers and operators
This section describes the login flow after MFA for account managers and operators is enabled. Operator or account manager login with Push OTP is not supported for this feature.
To log in after MFA for account managers and operators is enabled:
- Navigate to the SAS PCE login page.
- Enter your 1st factor of authentication.
- Enter your 2nd factor of authentication.
After successful authentication, access is granted.
Role provisioning rule and account role provisioning rule
If MFA is enabled and either a role provisioning rule or an account role provisioning rule is configured, then validation emails will be sent in the following cases only:
- To non-AD users who have at least two different authenticators.
- To AD-synchronized users who have a synchronized password and at least one authenticator.
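The login requirements table, the pre-enablement check ("ensure that they have at least two authenticators or an AD password and an authenticator before MFA is enabled") and the role provisioning rule above all apply the same eligibility test. The following added example, which is not SAS product code, encodes that test as a readiness audit over a constructed operator inventory; the ConsoleUser fields are assumed names, since the page describes no export or API for this data.

```python
from dataclasses import dataclass


@dataclass
class ConsoleUser:
    """An account manager or operator as tracked by the admin (constructed model)."""
    name: str
    ad_synchronized: bool              # user record comes from an AD synchronization
    ad_password_synced: bool = False   # AD password is synchronized to SAS
    authenticators: tuple = ()         # assigned authenticator types, e.g. ("MobilePASS+", "SMS")


def mfa_ready(user: ConsoleUser, mfa_enabled: bool = True) -> tuple:
    """Return (ok, reason): can the user log in to the console under the given MFA setting?"""
    if not mfa_enabled:
        # MFA disabled: a single authenticator suffices for AD and non-AD users alike.
        ok = len(user.authenticators) >= 1
        return ok, "one authenticator" if ok else "no authenticator assigned"
    if user.ad_synchronized:
        # MFA enabled, AD user: synchronized AD password as 1st factor, authenticator as 2nd.
        if not user.ad_password_synced:
            return False, "AD password is not synchronized to SAS"
        if len(user.authenticators) < 1:
            return False, "AD user has no authenticator for the 2nd factor"
        return True, "AD password + authenticator"
    # MFA enabled, non-AD user: two authenticators of *different* types (a set dedups same-type tokens).
    if len(set(user.authenticators)) < 2:
        return False, "non-AD user needs two different authenticators"
    return True, "two different authenticators"


def lockout_report(users, mfa_enabled: bool = True) -> dict:
    """Map each user who could NOT log in to the reason, so it can be fixed before MFA is enabled."""
    return {u.name: reason for u in users
            for ok, reason in [mfa_ready(u, mfa_enabled)] if not ok}


# Constructed sample inventory, not real accounts.
SAMPLE_USERS = [
    ConsoleUser("alice", ad_synchronized=True, ad_password_synced=True, authenticators=("MobilePASS+",)),
    ConsoleUser("bob", ad_synchronized=True, ad_password_synced=False, authenticators=("MobilePASS+",)),
    ConsoleUser("carol", ad_synchronized=False, authenticators=("MobilePASS+", "SMS")),
    ConsoleUser("dave", ad_synchronized=False, authenticators=("SMS", "SMS")),  # same type twice
    ConsoleUser("erin", ad_synchronized=False, authenticators=("SMS",)),
]

if __name__ == "__main__":
    for name, reason in lockout_report(SAMPLE_USERS).items():
        print(f"{name}: {reason}")
```

Users listed by the report are also the ones who would receive no validation email under a role provisioning rule.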
Authentication logging
All MFA authentication events are logged and accessible from the SAS console at Snapshot > Authentication Activity for auditing and monitoring purposes.
Account management on the SAS console
Account Managers and Operators have different views of the SAS console. For Account Managers, who always belong to a Virtual Service Provider, the console includes an additional row of tabs for managing the service and all accounts, which is not available in the operator view:
- Dashboard is where you view alerts, subscriber metrics, and the token inventory.
- On-Boarding is where you manage your accounts and add accounts, which involves configuring the service type, token allocations, Operators, authentication nodes, and so on.
- Virtual Servers lists the Virtual Servers for your accounts and provides access to the same tabs and features that Operators see on the console.
- Administration is where you create Account Managers, customize Account Manager roles, generate and deliver service alerts, and so on.
Operators cannot access these tabs unless they also have an account manager role.
- The name of the Virtual Server.
- The Virtual Server tabs, which provide access to manage the account’s users, tokens, reports, policies, and so on.
- Shortcuts, which provide quick access to popular tasks, such as creating an account or a user. You can collapse or expand the Shortcuts area. There are different shortcuts for each Virtual Server tab.
The view of the SAS console can also differ based on the access permissions that are defined for a role. For example, account managers might not have access permissions for the Virtual Servers tab. Operators might not have access permissions for some tabs or features on the SAS console, or for the STA Access Management console.
Manage account details and services
On the On-Boarding tab, you can create accounts, view a list of all your accounts, or select a specific account and view the details. The On-Boarding tab provides different views of your accounts, depending on whether you are viewing a list of accounts or a selected account.
The account list includes the following information:
- Account: Click the account name to configure the account details and services.
- Custom #1: An optional description that can distinguish between similar accounts.
- Account: The name of the account on the Virtual Server.
- Account Owner: The name of the account owner.
- Class: The account type, either Service Provider (Virtual Service Provider) or Subscriber.
- Activated: The date and time when the service was set to Active in the Services module.
- Expires: The date and time when the service ends and users can no longer log in to the account, as set in the Services module.
- Billing: The billing period, as configured in the Services module.
- Capacity: The maximum number of users who can authenticate against the Virtual Server, as set in the Allocation module. This value is reduced each time inventory is allocated to an account.
- Unused: The total unused capacity. Capacity is consumed when an authentication method is assigned to a user, or when a Virtual Service Provider allocates capacity to an account that it manages.
- Status: The state of the service, Active or Disabled, as set in the Services module. It is Active unless the current date is later than the Expires date or the service has been deactivated in the Services module.
- Remove: Click to remove an account. Before you can remove an account, all inventory must be revoked (that is, capacity, rental, and unused must be 0).
When you select an account, the account details and service configuration options are displayed.
Search for an account
- Click On-Boarding > List Accounts (shortcut) or On-Boarding > Account (module).
- Type all or part of the Account name and/or Custom #1 name assigned to the account in the fields provided in the Search section.
- Click Search to display the results or click Clear to empty the search fields.
- To display account details, click the account name hyperlink in the list of search results.
Manage Virtual Servers
The Virtual Servers tab lists all the Virtual Servers that you can manage.
Accounts with management delegated to the service provider are listed on the Virtual Servers tab but not on the On-Boarding tab. On the Virtual Servers tab, the Management column lists the name of the delegating organization.
To manage an account on the Virtual Server:
- Click Virtual Servers. The Manage module is displayed.
- Click the account name in the Managed Account List.
  The Virtual Server tabs that are available to you for the selected account are displayed.
When you select a Virtual Server, you see the same tabs on the SAS console as an operator who has the same permissions.