An account is an organization that subscribes to a STA service. An account includes account management features, such as billing and contact information, service details, token inventory, authentication connections, and so on.
In STA, each account is managed by a virtual server that has the same name.
You view and manage all of your accounts and their virtual servers independently. While you will likely standardize on a few service offerings, this independence means that you can customize your service for individual accounts without affecting any other account’s service. This includes pricing, billing, branding, and more.
STA does not obligate you to manage all aspects of an account’s service. In fact, you can allow some or all of your accounts to manage their own virtual server.
Virtual service provider and subscriber accounts
Accounts are created in a multi-tier, multi-tenant structure that accommodates just about any hierarchy, reporting structure, business structure, security segregation, or other delineation.
Within the account hierarchy, parent accounts manage child accounts, and child accounts cannot access their parent account. The account type determines whether you can create child accounts. There are two types of accounts:
Virtual service providers create and manage child accounts. The child accounts can be virtual service providers or subscriber accounts.
Virtual service providers can also distribute tokens to their child accounts and to users.
The top-level, or root, account is sometimes referred to as the service provider, but it is functionally the same as a virtual service provider.
Subscriber accounts cannot create child accounts, and therefore they are always child accounts.
You can use virtual service providers to create additional sales channels that resell your service under your banner or under their brand. However, virtual service providers are not limited to being resellers. They can also be large, complex accounts that need to independently extend and manage the service that they deliver to many subsidiaries or cost centers, accommodate multiple LDAPs and user data sources, or share access to protected resources across organizational boundaries.
Account managers and operators
Accounts and virtual servers are managed by users who are assigned a particular role. A role is a collection of permissions that grants access to the various tabs and features on the STA consoles.
There are two basic types of roles: account managers and operators. For both operators and account managers, you can create roles and customize the permissions to allow or deny access to the various tabs and features on the STA consoles. For example, you can create roles that have only view access, or roles that have access to only specific tabs, such as reports.
The same user can have both an account manager role for managing child accounts for the virtual service provider, and an operator role for managing the virtual server for a child account.
Account managers are users in a virtual service provider account who create and manage accounts. Account managers can perform account management for child accounts, and operator functions for their own virtual server if they also have an operator role.
They can access the account management tabs and features, such as account details, services, token allocations, and so on.
Operators are users in either virtual service provider or subscriber accounts who manage virtual servers. They can access only the virtual server tabs and features, such as users, tokens, policies, and so on. Operators cannot view or manage account information, such as the account details, services, or token allocations (unless they also have an account manager role).
There are two types of operators:
Internal operators are users in a virtual server that are assigned the operator role. They manage their own virtual server for their account (either virtual service provider or subscriber). They cannot view or manage any other virtual server.
External operators are users in a virtual service provider account who are delegated as operators for a child account. They manage the virtual server for that child account.
Account manager or operator enrollment
A tenant account must already be activated for the organization before an account manager or operator can start using STA. When an account is activated, it has an inventory of tokens and at least one account manager or operator is assigned.
The assigned account manager or operator receives an email with instructions for completing their enrollment. They must enroll a one-time password (OTP) token that is assigned to them and activate their logon credentials.
After they activate their credentials, they can log on and create additional operators, configure server settings, and so on, according to the access permissions that are defined for their assigned role.
Account management on the STA Token Management console
Account managers and operators have different views of the STA Token Management console. Account managers have an additional row of tabs for account management that is not available in the operator view of the STA Token Management console.
For account managers, who always belong to a virtual service provider, the STA Token Management console includes an additional row of tabs for managing the service and all accounts:
Dashboard is where you view alerts, subscriber metrics, and the token inventory.
On-Boarding is where you manage your accounts and add accounts, which involves configuring the service type, token allocations, operators, authentication nodes, and so on.
Virtual Servers lists the virtual servers for your accounts and provides access to the same tabs and features that operators see on the console.
Administration is where you create account managers, customize account manager role, generate and deliver services alerts, and so on.
Operators cannot access these tabs unless they also have an account manager role.
The name of the virtual server.
These virtual server tabs provide access to manage the account’s users, tokens, reports, policies, and so on.
Shortcuts provide quick access to popular tasks, such as creating an account or a user. You can collapse or expand the Shortcuts area. There are different shortcuts for each virtual server tab.
The view of the STA Token Management console can also differ based on the access permissions that are defined for a role. For example, account managers might not have access permissions for the Virtual Servers tab. Operators might not have access permissions for some tabs or features on the STA Token Management console, or for the STA Access Management console.
Manage account details and services
On the On-Boarding tab, you can create accounts, view a list of all your accounts, or select a specific account and view the details. The On-Boarding tab provides different views of your accounts, depending on whether you are viewing a list of accounts or a selected account.
The account list includes the following information:
Account: Click the account name to configure the account details and services.
Custom #1: The optional description can distinguish between similar accounts.
Class: The account type is either Service Provider (virtual service provider) or Subscriber.
Activated: The date and time when the service was set to Active in the Services module.
Expires: The date and time when the service ends and users are unable to log in to the account is set in the Services module.
Billing: The billing period is configured in the Services module.
Capacity: The maximum number of users who can authenticate against the virtual server is set in the Allocation module. This value is reduced each time inventory is allocated to an account.
Unused: The total unused capacity. Capacity is consumed when an authentication method is assigned to a user, or when a virtual service provider allocates capacity to an account that it manages.
Status: The state of the service: Active or Disabled, as set in the Services module. It will be Active unless the current date is greater than the Expires date or the services have been deactivated in the Services module.
Plan: The STA service plan is one of: STA Premium, STA, or STA Basic.
Remove: Click to remove an account. Before you can remove an account, all inventory must be revoked (that is, capacity, rental, and unused must be 0).
When you select an account, the account details and service configuration options are displayed.
Manage virtual servers
The Virtual Servers tab lists all the virtual servers that you can manage.
Accounts with management delegated to the service provider are listed on the Virtual Servers tab but not on the On-Boarding tab.
On the Virtual Servers tab, the Management column lists the name of the delegating organization.
When you select a virtual server, you see the same tabs on the STA Token Management console as an operator who has the same permissions.