How to Create a User in CyberVision

Purpose

Create a user account in CyberVision with the correct access scope, security controls, and resource assignments.

Critical Rule

Even when authentication is managed by SAML/SSO, the user must still be created in CyberVision.

Why this is mandatory

SAML validates identity, but CyberVision still needs a local user object to:

  • assign role and organization,
  • apply account/login restrictions,
  • control vault and connection access,
  • register user actions in audit logs.

Step-by-step

1) Open Credentials and create user

1. Go to Credentials.

2. Open Create User.

2) Fill account identity fields

In Create User:

  • Username
  • Password
  • Re-enter Password
  • Login disabled (optional)

Why?

  • Username is the local account identifier.
  • Password and confirmation are required for local authentication flows.
  • Login disabled can be used to prevent local login when user access should happen only through SAML/SSO.

3) Fill profile fields

In Profile:

  • Email address
  • Full name
  • Organization
  • Role

Why?

  • Email is used for identity mapping and notifications.
  • Full name improves traceability and operations.
  • Organization/Role define authorization scope and business context.

4) Configure user permissions

In Permissions:

  • Administrator systems
  • Audit system

Why?

  • These switches grant elevated capabilities and log visibility.
  • Grant them according to least-privilege principles.

5) Configure MFA/TOTP status (if applicable)

In TOTP Enrollment Status:

  • Disable TOTP
  • Authentication device confirmed
  • Secret key generated

Why?

  • Controls MFA enforcement and enrollment state.
  • Important for security posture and onboarding consistency.

6) Apply account restrictions

In Account Restrictions:

  • Do not allow access after
  • Allow access after
  • Password expires
  • User time zone
  • Enable account after
  • Disable account after

Why?

  • Enforces lifecycle governance (start/end dates, expiry policies, timezone behavior).

7) Apply login restrictions

In Additional Login Restrictions:

  • Hosts from which user can log in
  • Hosts from which user may not log in
  • Hours user is allowed to log in
  • Times user is denied from login

Why?

  • Reduces attack surface by limiting source and schedule.

8) Assign resources

  • Vaults: assign vault membership as needed.
  • Connections: assign allowed connections.
  • Web: assign allowed web entries.

Why?

  • Access is not only identity-based; users also need explicit resource scope.

9) Save

  • Click Save.
  • Use Cancel to discard changes.

Validation and expected behavior

Required checks

  • Password and confirmation must match.
  • User appears in the credentials list after saving.
  • Role/organization are correct.
  • Intended vaults/connections/web resources are assigned.
  • Restriction policies are active as configured.

SAML-specific checks

  • User exists locally in CyberVision.
  • Identity attributes (email/username) match the SAML identity.
  • If local login is not allowed, ensure Login disabled is set appropriately.
  • User can sign in via SAML and receives the expected authorization scope.
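
The SAML-specific checks above can be run in bulk by reconciling a user list from the IdP against a user list from CyberVision. The script below is an added example, not CyberVision code or tooling. It assumes both lists are available as CSV; the column names and the sample rows are hypothetical and constructed for illustration, since this page does not describe an export format.

```python
import csv
import io

# Constructed sample data. Column names are hypothetical (assumption):
# the page does not define an export format for CyberVision or the IdP.
IDP_CSV = """username,email
alice,alice@example.com
bob,bob@example.com
carol,carol@example.com
erin,erin@example.com
"""
LOCAL_CSV = """username,email,login_disabled,administrator,audit
alice,alice@example.com,yes,no,no
bob,robert@example.com,yes,no,no
carol,carol@example.com,no,no,no
dave,dave@example.com,no,yes,yes
"""

def load(text):
    """Index CSV rows by username."""
    return {r["username"].strip(): r for r in csv.DictReader(io.StringIO(text))}

def reconcile(idp_text, local_text, sso_only=True):
    """Return sorted (username, finding) tuples for the SAML-specific checks."""
    idp, local = load(idp_text), load(local_text)
    findings = []
    for name, ident in idp.items():
        user = local.get(name)
        if user is None:
            # SAML validates identity, but a local user object is still required.
            findings.append((name, "no local user object"))
            continue
        if user["email"].strip().lower() != ident["email"].strip().lower():
            findings.append((name, "email differs from IdP"))
        if sso_only and user["login_disabled"] != "yes":
            findings.append((name, "local login still enabled"))
    for name, user in local.items():
        if name not in idp:
            findings.append((name, "no matching IdP identity, review"))
            if "yes" in (user["administrator"], user["audit"]):
                findings.append((name, "elevated permissions, review"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in reconcile(IDP_CSV, LOCAL_CSV):
        print(f"{name}: {finding}")
```

Pass sso_only=False when local login is intentionally allowed alongside SAML, so accounts without Login disabled are not reported.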

Best practices

  • Enforce least privilege for role and permissions.
  • Apply account validity windows for contractors/temporary users.
  • Restrict login by host/time for sensitive accounts.
  • Keep identity attributes consistent between SAML IdP and CyberVision.
  • Periodically review users and deprovision inactive accounts.