Manage User Accounts

As an EPM administrator, you can add users that will be working in the various areas of the application. You can add users based on roles and responsibilities:

  • Security administrators to look after policy
  • IT administrators to look after configuration like SIEM integration or ServiceNow integration

For example, in an international corporate infrastructure, IT administrators might be assigned assets based on region. In this scenario, organize computers regionally in groups and then assign the IT administrator in that region to that group.

When creating accounts, consider the responsibilities of the user and use the role-based access model of EPM to create groups and assign roles.

Overview

There are two parts to setting up a user account:

  • User profile: Add information like email address and general information.
  • User type: Determine the role and responsibilities of a user. There are two user types:
    • Administrator: An administrator can access all areas of EPM. An administrator user does not require any additional setup for roles and resources, as this account can access and manage all areas of the system.
    • Standard User: A standard user has delegated access based on the role of the user.

Home page and Policies option image

In the role-based access control (RBAC) system, the role assigned to a user dictates the features the user can access.

The main menu items and icons that appear on the left depend on the role assigned to a user. For example, if you assign a standard user access to policies only, the user sees only the Home and Policies menu items after logging in.

Review EPM Roles

Learn more about the access roles available in EPM.

Computer Groups Roles

The following computer group roles can be assigned to a standard user, for either all groups or individually selected groups.

| Role | Menu access to | Description |
| --- | --- | --- |
| Assign Policy to Group | Home, Policies, and Computer Groups | User can view policies and computer groups, and assign policies and revisions to selected computer groups. |
| Analyze Group | Home, Computer Groups and Analytics | User can view data analytics for selected computer groups. Access to Analytics 1.0 is restricted. A user requires the Analyze Groups permission for all groups to see Analytics 1.0. |
| Create Groups | Home and Computer Groups | User can create, edit, and view selected group properties. |
| Edit Group | Home and Computer Groups | User can view and edit selected computer group properties. |
| View Group | Home and Computer Groups | User can only view selected computer groups. This option is automatically selected when any of the other options are selected. |

Policies Roles

The following policies roles can be assigned to a standard user, for either all policies or individually selected policies.

| Role | Access to | Description |
| --- | --- | --- |
| Create Policies | Home and Policy | User can create, edit, and view selected policies. |
| Edit Policy | Home and Policy | User can view and edit selected policies. |
| View Policy | Home and Policy | User can only view selected policies. This option is automatically selected when the edit option is selected. |

Configuration Settings Access

As an administrator, delegate access to configuration settings so that the user only sees the resources they need access to. A standard user can be assigned edit and view permissions on each of the configuration areas of EPM.

Assign a standard user the Edit Setting permission when they need to access and change settings for a particular configuration setting.

A standard user can see but not interact with settings when assigned the View Setting permission.

The user will not see the configuration setting if neither edit nor view is selected.

The About configuration setting cannot be assigned edit permissions. All standard users can see About information but they cannot change the information on the About page.

Automatic Role Mappings on Upgrade

When upgrading from EPM 22.7 and earlier to version 22.8 and later, existing roles will be mapped as follows.

| 22.7 and Earlier Role | 22.8 and Later Role and Access |
| --- | --- |
| Administrator | Administrator |
| Computer Administrator | Group Editor and Viewer, Policy Viewer and Assigner |
| Policy Administrator | Group Viewer, Policy Editor, Policy Viewer, Policy Assigner, Analytics |
| Policy Editor | Group Viewer, Policy Editor and Viewer, Analytics |
| Standard User | Group Viewer, Policy Viewer, Analytics |
| Automation Client | Automation Client |

For more granular access, you can manually edit users and assign access to computer group and policy records.

Before Creating User Accounts

Before adding accounts, you need to get the following in place:

  • All users that you want to add to EPM must exist in your authorization provider. Currently, Azure B2B and OpenID Connect are supported providers.
  • Add a domain that can receive email notifications from EPM.

Create a User Account

Once the initial administrator account is created and authorized, you can create additional user accounts in EPM with whichever roles are needed. You can also create future accounts with the Administrator role by following the same process outlined below.

To create a user account:

  1. On the sidebar menu, click Users.
  2. Click Create User.
  3. Choose whether you want to create the user from a blank user profile or base it on an existing user profile.
  4. To use an existing profile, select a user from the list, then proceed to the User Details section. Later, you can review the profile's Roles and Resources setup, or modify it as needed.
  5. In the User Profile section, enter general account information, like email address and time zone.

You can click Create User after this step. If you create a standard user account without assigning any resources, the user can log in to EPM, but cannot access any resources. A message tells the user to contact their administrator to request access to EPM. It is better to continue with the following steps and grant some access to the new user.

  6. Click Next: Roles and Resources.
  7. In the Roles and Resources section, select a user type:
    • Administrator: The user can access and manage all areas of the system. Click Create User to complete the process.
    • Standard User: The user can only access and manage resources that you identify in the next steps.
  8. Under Computer Groups, select either All Computer Groups, or select individual groups and roles.
    • If you select All Computer Groups, select one or more roles from the Computer Groups Role list. The user will have the role(s) across all existing and future computer groups. The View Groups role is automatically selected with any of the other options.
    • If you want to select individual groups and roles, check the boxes for the roles to associate with each group selected. You can shorten the list by selecting the Name filter option, and then typing into the Name box.
  9. Under Policies, select either All Policies, or make individual policy and role selections.
    • If you select All Policies, select one or more roles from the Policies Role list. The user will have the role(s) across all existing and future policies. The View Policies role is automatically selected with any of the other options.
    • If you want to select individual policies and roles, check the boxes for the roles to associate with each policy selected. You can shorten the list by selecting the Name filter option, and then typing into the Name box.
  10. Under Settings, select the configuration items the user needs access to.
  11. Click Create User.

    An email notification is sent to the user. The user must click the Get Started button to go to the invitation landing page. After clicking Accept, the user can log on to EPM using their credentials.
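
The role tables above and the All versus individual scope choices in this procedure can be modelled to review what a standard user will actually see before the account is created. The following is an added example, not EPM product code; the user-record layout, the "*" scope marker, the setting name and the sample records are constructed assumptions.

```python
# Added example: a model of this page's role tables, not EPM product code.
# The record layout, the "*" scope marker and the samples are constructed.
GROUP_MENUS = {
    "Assign Policy to Group": {"Home", "Policies", "Computer Groups"},
    "Analyze Group": {"Home", "Computer Groups", "Analytics"},
    "Create Groups": {"Home", "Computer Groups"},
    "Edit Group": {"Home", "Computer Groups"},
    "View Group": {"Home", "Computer Groups"},
}
ALL = "*"  # stands for "All Computer Groups" / "All Policies"


def effective_access(user):
    """Return (sorted menu items, review findings) for one user record."""
    if user["type"] == "Administrator":
        return ["(all areas)"], ["administrator: access is not scoped by roles"]
    menu, findings, analyze_scopes = set(), [], set()
    for scope, roles in user.get("groups", {}).items():
        roles = set(roles)
        if roles:
            roles.add("View Group")  # auto-selected with any other group role
        for role in roles:
            menu |= GROUP_MENUS[role]  # KeyError for a role not in the table
        if "Analyze Group" in roles:
            analyze_scopes.add(scope)
        broad = sorted(roles - {"View Group"}) if scope == ALL else []
        if broad:
            findings.append("all existing and future groups: " + ", ".join(broad))
    if analyze_scopes and ALL not in analyze_scopes:
        findings.append("Analyze Group not on all groups: no Analytics 1.0")
    for scope, roles in user.get("policies", {}).items():
        if roles:
            menu |= {"Home", "Policies"}
        broad = sorted(set(roles) - {"View Policy"}) if scope == ALL else []
        if broad:
            findings.append("all existing and future policies: " + ", ".join(broad))
    edit = sorted(k for k, v in user.get("settings", {}).items() if v == "edit")
    if edit:
        findings.append("can change configuration settings: " + ", ".join(edit))
    if not menu and not user.get("settings"):
        findings.append("no resources assigned: login works, nothing accessible")
    return sorted(menu), findings


REGIONAL_IT = {"type": "Standard User", "settings": {"SIEM": "edit"},
               "groups": {"EMEA": ["Edit Group", "Analyze Group"]}}
BROAD = {"type": "Standard User", "groups": {ALL: ["Create Groups"]},
         "policies": {ALL: ["Edit Policy"]}}
EMPTY = {"type": "Standard User"}
```

Findings that mention "all existing and future" mark grants that widen automatically as new groups or policies are added, which is the scope to check first in a least-privilege review.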

Resend User Invites

An email invitation can be resent to a user that has not accepted their invite to the EPM portal.

On the Users page, select the user, and then select Resend Email Invite.

There is no limit on how many times an invitation can be sent to a user.

View User Account Details

User Detail Panel in EPM.

You can view information about a user account such as: email address, create date, and status.

To get a quick at-a-glance view of recent activities for a user, click the Activity tab. You can see the event time, audit type, and summary information on the action that occurred.

The information displayed on the User Details page varies depending on the user role and responsibilities.

You can change the properties of a user account, such as email address, date format, and time zone. The changes will take effect the next time you log on to EPM. You can also change these properties from the user account menu.

Remove Access for a User

Disable a user account when the user no longer requires access to EPM or leaves the company.

  1. Go to the Users main page.
  2. Select the user account, and then select Disable from the menu.

If you need to reinstate the user account, select Enable from the menu to reverse the action.

Edit Roles and Resources for a User Account

As an administrator user, you can edit roles and resources for a user account.

  1. On the sidebar menu, click Users.
  2. Locate the user account you want to edit. Use the filter option to quickly reduce the list size.
  3. Select Edit User from the menu. You can also click the email address of the user in the grid to access the panel.
  4. Click Next: Roles and Resources.
  5. Make the role and resources changes, and then click Save Changes.

Home page with no menu options image

If you remove all access for a standard user account, the user can log in to EPM, but cannot access any resources. A message tells the user to contact their administrator to request access to EPM.