Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

SAS PCE documentation
- Explore Thales Docs

SAS PCE
Agents
MobilePASS+
SafeNet Access Exchange
BSIDCA API
- BSIDCA endpoints
- BSIDCA custom attributes
Integrations
Account management
Release Notes

All

All

Users and groups

Groups

Please Note:

SAS PCE
Get started
- System Requirements
- Installation
  - Install SafeNet Authentication Service
  - Prepare database
  - Configure SafeNet Authentication Service
  - Configure SafeNet Authentication Service for High Availability
  - Configure for MobilePASS and MobilePASS+ Enrollment
  - Onboarding for MobilePASS+ enrollment
  - SAS PCE Windows Services Startup Recommendations
  - Security and Compliance
- Upgrade
  - SafeNet Authentication Service pre-upgrade checklist
  - SafeNet Authentication Service upgrade - primary data center
  - SafeNet Authentication Service upgrade - secondary data center
  - SafeNet Authentication Service post-upgrade checklist
  - Additional Considerations
- System setup
  - Setup
  - Communications
  - Logging
Dashboard
- On-Boarding
- Virtual Servers
- Administration
Users and groups
- Configure individual users
- Manage tokens for a user
- Groups
- Containers
- Restrict access based on the time, day, or date
- User Policies
User synchronization
- LDAP sync server settings
- LDAP integration
- LDAP settings
Operators and roles
- Operators
- External Operators
- Provision roles automatically
- Alerts
Tokens
- Token types
  - Hardware tokens
    - OTP hardware token
    - KT-4 tokens
    - RB-1 tokens
  - Software tokens
    - GrIDsure
    - SMS OTP token
  - Third Party tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary Password Policy
- Token Passcode Processing Policy
- Configure server-side PINs
- Token synchronization
- Import SafeNet tokens
- Token inventory
- Deallocate inventory
- MobilePASS target and Push OTP settings
- SMS credits
- SMS/Email/Voice OTP Delivery Methods
- Quicklog authentication
- Initialize hardware tokens
Provisioning tokens to users
- Provision tokens
- Automate token provisioning
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for Push OTP
- Enable Push OTP and MobilePASS+
- Push OTP Rejection Policy
- Customize Push notifications and alerts
- Configure applications for Push OTP
- Token management and enrollment
- Push OTP authentications
RADIUS integration
- RADIUS third-party token support
- RADIUS attributes for users or groups
- Block RADIUS authentication
Server and agent settings
- Authentication Nodes
- Pre-authentication rules
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configure a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
- Display Device Information
- Download an encryption key for remote services
Self-service site
- Site appearance and default language
- Self-Service Modules
- Self-Enrollment pages
- Configure authorities, OOB enrollment, and policies
- Process requests and view reports
Branding the appearance
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Troubleshooting
- Authentication errors
- Error codes

SAS PCE documentation
SAS PCE
Users and groups
Groups

Groups

Groups can be used for auto-provisioning and for authorization (RADIUS attributes or pre-authentication rules).

Groups are attributes that can be attached to a UserID and used for authorization during the authentication process. Group attributes provide a way to distinguish between valid users (all users that can authenticate) and those that should be allowed to authenticate to gain access to a particular resource.

For example, assume you have two valid users, User1 and User2, who can both authenticate. However, one of your protected resources is the HR network, which should be available to only User1. By creating an HR group, adding User1 to the HR group, and then creating a firewall rule or a pre-authentication rule in the virtual server, only User1 can authenticate to the HR network. To accommodate more complex requirements, use a combination of group memberships and pre-authentication rules.

The Groups tab provides access to functions that enable you to:

Create and Manage Groups (Group Maintenance module)
Manage User Group Memberships (Group Membership module)
Apply RADIUS Attributes to Groups (RADIUS Attribute (Group) module)
Create and Manage Containers (Container Maintenance module)
Manage Container Objects (Container Members module)

alt_text

Internal and synchronized groups

There are two types of groups:

Internal Groups: Groups that you create and to which you add members.
Synchronized Groups: Groups that exist on an external source such as Active Directory (AD). The Synchronization Agent can be used to synchronize Active Directory groups. Synchronization not only synchronizes AD groups, it also retains each synchronized user’s group membership.
- AD groups can be used for authorization. Simply by adding or removing a user from an AD group, the Virtual Server using pre-authentication rules can allow or deny access to resources based on user group membership attributes.
- Auto-provision users with tokens based on their AD group membership. For example, if in AD there were two groups, remote access and KT, you could automatically provision users that belong to the KT group with a KT hardware token.
- By using a combination of groups, pre-authentication, and auto-provisioning, you can accomplish most authentication management functions (creating users, authorization, assigning tokens, revoking tokens) without any administration.

Synchronized users can belong to both synchronized and internal groups.

Add or remove internal groups

You can add and remove groups on the Groups tab, in the Group Maintenance module.

On the SAS console, select the Internal option, and then click New.
Type a group name and a brief description of its purpose in the fields provided, and then click Add. This adds the group and updates the Internal Groups List.
To update group names and descriptions, click Edit.
To remove a group, click Remove.

After you add a group, you can add an individual user to the group on the Assignment tab, or add multiple users to the group on the Groups tab.

Manage group memberships for an individual user

Manage groups for individual users on the Assignment tab, in the Group Membership module.

On the SAS console, select the Assignment tab, and then search for the user.
Select the user.
Expand the Group Membership module.
To add the user to a group, click the Add button.
In the Add to list, select the group, and then click Apply.
To remove a membership, click the corresponding Remove link and confirm the action.

Manage group memberships for multiple users

To display all members of a group or modify the memberships of many users at a time, use the Group Membership module on the Groups tab.

alt_text

Synchronized groups cannot be added or removed from users from the SAS console. This is because synchronized group membership is obtained from the AD/LDAP or other external user source. However, you can use the Search Synchronized tab to view groups and group memberships.

List the members of a group

On the SAS Management console, select either the Search Internal Groups or Search Synchronized Groups tab.
Enter the search criteria.
- Is a member of: Refines the list to users that are members of any group or the specified group.
- Is not a member of: Refines the list to users that are not members of any group or the specified group.
Select Search.
To display the details for a user, select the User ID.

Add users to an internal group

On the SAS console, select the Group Membership module, and then search for the users.
Select the users that you want to add to a group, and then select New.

The Add Membership options are displayed.
In the Add above user(s) to select group list, select the group.
Select Add.

On this page

SafeNet Authentication Service Private Cloud Edition

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com