Local Accounts
Common User Related Tasks
To manage users, you must be an Administrator or GlobalAdmin. To access the User Management page, do the following:
- Click "Setup"
- Click the "Identity & Access Management" tab on the left side of the screen
- Click the "Manage" button underneath Users
You should now see the options for managing users as shown in the screenshot below:
The basic operations are shown by the numbers in the figure above:
- Add New User - create a new RegScale user
- Search - search for a given user or set of users
- Filters - toggle between active and inactive users (NOTE: Active users are the default)
- Activation - activate or de-activate a given user account
- Edit User - edit user metadata, view their activity, and view emails sent to the user
- Reset Password - generates a one-time token that allows a user to reset their password.
These abilities in aggregate provide a useful set of mechanisms for managing user accounts within RegScale. The overall flow of user management is shown below:
WARNING: While email setup is not required to provision users, it is highly desired. RegScale sends emails allowing users to register and reset passwords in a self-service model. If email is not configured for a tenant, the Administrator will need to manually perform these steps for each user.
RegScale User Security
The RegScale platform provides multiple security controls around managing local user accounts (NOTE: EE customers may also delegate user management to AD/LDAP if desired). The first set of controls revolves around password complexity which includes:
- Minimum of 12 characters in length
- Must contain upper and lower case letters
- Must contain one or more numbers
- Must contain one or more special characters
These controls are enforced when creating a default password during account creation and when changing passwords. In addition, RegScale enforces account lockout based on:
- 5 invalid login attempts (incorrect passwords for a given account)
- Accounts lock for 8 hours after 5 failed attempts and then the user may attempt to login again
- Administrators may manually unlock a user from the Admin panel under Setup
These controls ensure that passwords are robust and that accounts are protected from brute force hacking schemes. If more robust requirements are necessary, account management can be delegated to Active Directory (AD) for enforcing password change frequency, Multi-Factor Authentication (MFA), and other related security controls.
Managing Groups
RegScale allows customers to logically group their users for ease of management. Each user can be assigned to zero or many groups within the system. To assign groups:
- Click "Setup"
- Click the "Identity & Access Management" tab on the left side of the screen
- Click the green "Manage" button underneath Groups
- The list of existing groups will be shown in the grid and can be searched/filtered
- Click the "Add New Group" button to create a new group
- Give the group a name and click the green "+" button
- The new group is now added to the list
- Click the "View Users" button to see who is in a given group
- Click the "Add User" button to add new users to the group
- Click the red "x" to de-activate a group (NOTE: Groups are not deleted to avoid data integrity issues) Groups are currently used to assign workflow steps within RegScale.
COMING SOON: In the future, groups will be used to apply access control to individual records and for email distributions.
Security Policies
The Security Policies page allows an administrator to set Password and Session policies for local accounts. This page also allows the administrator to set up Multi-factor authentication based on a Time-based one-time password (TOTP). The page is an option under the Setup menu and listed as "Security Policies".
Password Policies
Set the password policies for your organization here:
- Minimum Password Length - the minimum character length for user entered passwords
- Password Rotation Frequency (in days) - the calendar days after which a user must update their password
- Session Length (in hours) - the maximum number of hours a user can be logged in before they must reenter their password
- Maximum Password Retry - the maximum number of consecutive times a user can enter their password incorrectly before their account is locked
Multi-Factor Authentication
When Multi-factor Authentication (MFA) is enabled, the site requires users to enter a TOTP from an Authentication Application like Google Authenticator (or any OATH/TOTP compliant authenticator application). The user will log on with their username and password and then be presented with a challenge to enter the validation code from their Authentication Application. Only with username, password, and validation code will the user be permitted to access the site.
<image here?>
Prior to setting up MFA, ensure that your email configuration is correct. The MFA setup will email all users with the link to set up their Authentication Application. If the users can't receive this email, they will be locked out (including the global administrator).
To setup MFA, Select the "Require Multi-Factor Authentication (MFA) for All Local User Accounts?" and enter an "MFA Prefix". This prefix is simply a way to make the issuer (RegScale) unique per customer. Best to use your organization name. The otpauth
URI generated into a QR Code will contain this Prefix as follows:
otpauth://totp/RegScale%20-%20{PREFIX}:admin-admin?secret={USER SPECIFIC SEED}issuer=RegScale%20-%20{PREFIX}
Click "Save".
The next time a user attempts to log in, they will be presented with a message to "Enter Google Authenticator Token"
They should click the "Generate QR Code for Google Authenticator. This will send them an email containing the links to download Google Authenticator app for Android and iOS along with a QR Code to be scanned within that application. After installing the application in a mobile device, use the app and "Add an account". User will be presented the option to "Scan a barcode". Scan the barcode in the email message. Afterwards, a six-digit code will appear. Enter that into the MFA challeng dialog shown in the image above. Each time the user logs in, they will need to enter the current six-digit code from the Authenticator app.
Updated 12 months ago