Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

STA documentation
- Explore Thales Docs

SafeNet Trusted Access
SafeNet Agents
SafeNet MobilePASS+
API references
Account management
Release notes

All

All

Provisioning tokens to users

Self-provisioning rules for groups

SafeNet Trusted Access
Getting started
- Subscription plans
- Log in to the STA consoles
- STA consoles
- Provision tokens
- Enroll a token
- Access your first application
- Protect cloud applications
Users and groups
- Configure individual users
- Manage tokens for a user
- Users on the STA Access Management console
- Groups
- Containers
- Restrict access based on the time, day, or date
- Account lockout and unlock policies
User provisioning
- Microsoft Entra ID synchronization
- User Provisioning through Identity Management Framework
  - Bi-directional Synchronization
  - Identity Management Framework Deployment
  - Using CSV as Identity Source
  - Using Active Directory (AD) as Identity Source
  - Using Microsoft Entra ID as Identity Source
  - SafeNet Trusted Access IdM Connector
  - Identity Management Framework - Frequently Asked Questions
- Add immutable IDs to users in Microsoft Entra ID
- User Provisioning through miniOrange using SCIM
- User Provisioning through Okta using SCIM
- Multi-role accounts
Operators and roles
- Operators
- External operators
- Provision roles automatically
- Alerts
Tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary password policy
- Token passcode processing policy
- Configure server-side PINs
- Token synchronization
- Token authentication
- Import SafeNet tokens
- MobilePASS target and push OTP settings
- MobilePASS+ token self-provisioning
- SMS credits
- SMS, email, and voice OTP delivery
- GrIDsure
- Quicklog authentication
- Initialize hardware tokens
- Import YubiKey tokens
Provisioning tokens to users
- Automate token provisioning
- Self-provisioning rules for groups
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for push OTP
- Enable push OTP and MobilePASS+
- Push OTP rejection policy
- Customize push notifications and alerts
- Configure applications for push OTP
- Token management and enrollment
- Push OTP authentications
Access policies
- Global access policy
- Add a policy
- Scenarios and conditions
- Grant or deny access to groups of users
- Logon policies
- Pre-authentication rules
Applications
- User portal
- SAML applications
- Custom SAML applications
- OIDC applications
- Custom OIDC applications
- SafeNet agents
- Share your applications
- SafeNet Application Gateway for Amazon Elastic Beanstalk
- Windows Logon app sharing
- Legacy SAML configurations
Authentication
- Integrated Windows Authentication (Kerberos)
- Certificate-based authentication
- Delegated password validation
- FIDO authentication
- External FIDO management
- IDP orchestration
  - ADFS as an external identity provider
  - Microsoft Entra ID as an external identity provider
  - Okta as an external IDP
  - OneWelcome as an external IDP
- STA Hybrid Access Management Add-On
  - Balancing Security and Flexibility with Hybrid IAM
  - STA Access Continuum
- Flexible Passwordless Authentication Journeys
RADIUS integrations
- RADIUS attributes for users or groups
- RADIUS third-party token support
- Block RADIUS authentication
Server and agent settings
- Authentication nodes
- Single sign-on session timeout
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configuring a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Data collection
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
User self-service
- Self-service site
  - Site appearance and default language
  - Self-service modules
  - Self-enrollment pages
  - Configure authorities, OOB enrollment, and policies
  - Process requests and view reports
- Prefill the user name
Branding the appearance
- Customize user and operator login pages
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Language customization
- Languages on the user login pages
- Languages on self-provisioning pages
- Languages on the user portal
Dashboard
- Access logs
- Authentication activity
- Authentication metrics
- Access and authentication log fields
- Audit logs of operator activity
- Log Streaming
- SafeNet MobilePASS+ authenticators
- Usage report
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Identity governance and administration
- STA Identity Governance with SailPoint IdentityIQ
- Solution Overview
- Generate STA Authentication API key
- Create and Configure a Web Services Application in SailPoint IdentityIQ
- Running the Solution
- Certification
- Rules
Security integrations
- Security Orchestration with Cortex XSOAR
Compliance and standards
Community content
- Authentication with AD Federation Services
- Protecting Remote Desktop Services
Previews
- Access risk score
- API access management
- Mobile app for API access management
- Configure STA for API access management
- Policy enforcement using an API gateway
- Back-end API for the mobile app
- STA integration with Entra ID EAM

STA documentation
SafeNet Trusted Access
Provisioning tokens to users
Self-provisioning rules for groups

Self-provisioning rules for groups

No users can self-provision an authenticator until you configure which groups can self-provision and which authenticator types are available. Users who are not allowed to self-provision continue to use the email workflow.

This feature allows you to accommodate the differing security requirements of multiple groups as well as test the use of an authenticator-type within a small group before wide-scale deployment. For example, you can enable factory floor workers to self-provision GrIDsure tokens, and office workers to self-provision either FIDO or MobilePASS+ tokens.

You match specific groups with specific authentication types using rules. As rules are added they are placed at the top of the list. The highest ranking rule, top-most in the list, that matches a group is the only one applied to the group. You can move rules up and down the list to ensure that the highest-ranking rule is applied to a group that is included in multiple rules.

The availability of authenticators for self-provisioning is based upon the rules. Activation switches for authenticators are no longer supported.

Example configurations

The following examples show various ways that self-provisioning can be applied. See Configure self-provisioning for details.

Allow all users to self-provision

The default rule (bottom-most) applies to All users.
Select the authenticator types that the users are allowed to self-provision.

If other rules exist in this list, they are higher-ranking and will be applied before the default rule. Review their settings to ensure that they do not restrict users from self-provisioning. Alternately, delete all other rules in this list to ensure that only the default rule is applied.

Allow specific groups to self-provision

Select Members of these groups only.
Enter the relevant group names.
Select the authenticator types that the users are allowed to self-provision.
Place this rule top-most in the list of rules.

Restrict specific groups from self-provisioning

Create a rule that allows all groups to self-provision.
1. Select All users.
2. Select the authenticator types that the users are allowed to self-provision.
Add a rule that disallows specific groups to self-provision.
1. Select Members of these groups only.
2. Enter the group names that are not allowed to self-provision.
3. Do not select any authenticator types for use by these groups.
4. Place this rule top-most in the list of rules.

Restrict all users from self-provisioning

This is the default rule and cannot be moved higher in rank in cases where there are additional rules.

Select All users.
Select Cannot self-provision.

If there are additional rules, they will be higher in rank than this default rule. Therefore, groups that are listed in the higher-ranking rules will not be affected by this rule. Whereas groups that are not listed in higher-ranking rules will be restricted from self-provisioning.

If your intent is to ensure that all users are restricted from self-provisioning, delete any conflicting rules.

Configure self-provisioning

To configure self-provisioning:

On the STA Access Management console, select Settings > Self-Provisioning > Edit.

The default self-provisioning rule for new accounts is Cannot self-provision.
Create self-provisioning rules with Members of these groups only for exception groups.

For example, you could allow administrators to self-provision both FIDO and MobilePASS+ authenticators, and front-line workers to self-provision GrIDsure tokens only.
1. Select Add Self-Provisioning Rule.
2. Enter the name of one or more groups in the field provided (for example, Administrators).
3. Select the authenticator types that the group are allowed to use for self-provisioning. For details about the authenticator types, see:
  - FIDO
  - GrIDsure
  - SafeNet MobilePASS+
    1. Repeat these steps to add rules for other groups (for example, Front-line Workers).
  As you add rules, they are placed at the top of the list. If the same group is assigned to multiple rules then the top-most rule for that group is applied and all subsequent rules are ignored.
4. To delete or change the rank of a rule, use the self-provisioning rule menu .
Select Save to apply your changes.

The self-provisioning rules display.
For additional options, select More Provisioning Options.

The STA Token Management console Policy > Token Policies module displays.

On this page

SafeNet Trusted Access

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com