PortalRequest proposal
Directory › Administration › Users

How to Create a User in CyberVision

Purpose

Create a user account in CyberVision with the correct access scope, security controls, and resource assignments.

Critical Rule

Even when authentication is managed by SAML/SSO, the user must still be created in CyberVision.

Why this is mandatory

SAML validates identity, but CyberVision still needs a local user object to:

  • assign role and organization,
  • apply account/login restrictions,
  • control vault and connection access,
  • register user actions in audit logs.

Step-by-step

1) Open Credentials and create user

1. Go to Credentials.

2. Open Create User.

2) Fill account identity fields

In Create User:

  • Username
  • Password
  • Re-enter Password
  • Login disabled (optional)

Why?

  • Username is the local account identifier.
  • Password and confirmation are required for local authentication flows.
  • Login disabled can be used to prevent local login when user access should happen only through SAML/SSO.

3) Fill profile fields

In Profile:

  • Email address
  • Full name
  • Organization
  • Role

Why?

  • Email links identity mapping and notifications.
  • Full name improves traceability and operations.
  • Organization/Role define authorization scope and business context.

4) Configure user permissions

In Permissions:

  • Administrator systems
  • Audit system

Why?

  • These switches grant elevated capabilities and log visibility.
  • Must follow least-privilege principles.

5) Configure MFA/TOTP status (if applicable)

In TOTP Enrollment Status:

  • Disable TOTP
  • Authentication device confirmed
  • Secret key generated

Why?

  • Controls MFA enforcement and enrollment state.
  • Important for security posture and onboarding consistency.

6) Apply account restrictions

In Account Restrictions:

  • Do not allow access after
  • Allow access after
  • Password expires
  • User time zone
  • Enable account after
  • Disable account after

Why?

  • Enforces lifecycle governance (start/end dates, expiry policies, timezone behavior).

7) Apply login restrictions

In Additional Login Restrictions:

  • Hosts from which user can log in
  • Hosts from which user may not log in
  • Hours user is allowed to log in
  • Times user is denied from login

Why?

  • Reduces attack surface by limiting source and schedule.

8) Assign resources

  • Vaults: assign vault membership as needed.
  • Connections: assign allowed connections.
  • Web: assign allowed web entries.

Why?

  • Access is not only identity-based; users also need explicit resource scope.

9) Save

  • Click Save.
  • Use Cancel to discard changes.

Validation and expected behavior

Required checks

  • Password and confirmation must match.
  • User appears in the credentials list after saving.
  • Role/organization are correct.
  • Intended vaults/connections/web resources are assigned.
  • Restriction policies are active as configured.

SAML-specific checks

  • User exists locally in CyberVision.
  • Identity attributes (email/username) match the SAML identity.
  • If local login is not allowed, ensure Login disabled is set appropriately.
  • User can sign in via SAML and receives the expected authorization scope.

Best practices

  • Enforce least privilege for role and permissions.
  • Apply account validity windows for contractors/temporary users.
  • Restrict login by host/time for sensitive accounts.
  • Keep identity attributes consistent between SAML IdP and CyberVision.
  • Periodically review users and deprovision inactive accounts.
Was this helpful?
Yes: 0 · No: 0