View and edit user attributes#

To display information on any found user, click on the identifier of the user. It contains the attribute values that were defined in the section “Data sources”, as well as linked accounts of external identity providers, user devices, security keys, etc.

image087_en

You can perform the following operations in the user card:

  • edit user attributes;

  • reset user sessions;

  • change the password;

  • view the list of bound accounts of external authentication providers, unbind external accounts;

  • change the required authentication level for the user;

  • bind or remove authentication devices: one-time password generators and mobile apps to receive push notifications;

  • view the groups the user is included in;

  • view the user’s rights and the rights that are available for that user;

  • view and delete saved user’s devices and browsers;

  • view, add, and delete user security keys;

  • view and delete scopes granted to applications.

Editing attributes#

Administrators can change any attribute of the user when viewing the card of the selected user account. Note, when editing an account, be aware of the datastore configurations and restrictions to which the record is being written.

Note that changing data via the attribute editing interface disregards the rules used in the user self-registration process. For example, changing the e-mail address or cell phone number does not require confirmation.

Resetting sessions#

To reset user sessions, use the button Reset sessions in the block Resetting user sessions.

When resetting user sessions, the following actions are performed:

  • security tokens issued to applications by the user (access tokens, update tokens, identification tokens) become invalid – when calling the introspection service with such tokens in Blitz Identity Provider, the service returns that the token is invalid;

  • in devices stored for the user, the flags of trusted devices and the storage of long sessions on them are removed;

  • dynamic client_id/client_secret pairs issued for mobile applications linked to the user account are canceled;

  • the SSO sessions stored in the user’s browser become invalid, so that at the next request from the identification applications in Blitz Identity Provider, a new identification and authentication will be requested.

Changing the password#

To change the password, use the block Changing the password. You can enter a new password manually, or generate it – to do this you, need to leave a checkbox Generate a password. The new password will be displayed in the information block of the successful operation. When changing the password, you can also set a checkbox Reset sessions, then the user’s sessions will be reset simultaneously with the password change.

When setting a new password manually, take into account the limitations of the password policy of the store where you are saving the password.

View and unlink external providers#

In the block “Linked accounts of external systems”, you can view the list of accounts of external identity providers (social networks, etc.) linked to the account of the found user. Each linking is characterized by a unique identifier, where the last part is the internal identifier of the account in the corresponding identity provider. If necessary, you can remove the link to an external account.

Binding devices for 2FA with a one-time password#

The administrator can bind a two-factor authentication tool to the selected user account. For example, a hardware HOTP/TOTP generator can be bound by serial number, or a mobile application that generates TOTP codes can be bound to the account by QR code.

image080_en

image081_en

Binding Duo Mobile#

To make authentication via Duo Mobile, it is necessary to bind the mobile application to the user account. The recommended scenario is that the user binds their mobile app to the user’s account in the “User profile” web application.

Another way to bind is via the admin console. To do this, it is necessary to find the necessary account in the “Users” section and the settings block “Duo Mobile application (QR code)”. In this block, click on the “Attach Duo Mobile” button, then scan the displayed QR code with the Duo Mobile mobile application.

Group Membership Management#

If the user is included in groups, this information will be displayed in the block “Group membership”. The following data will be displayed for each group:

  • group identifier;

  • group attribute values.

To exclude a user from a group using the delete button or add a user to another group use the “Add to group” link. To add a user to a group, you will need to enter the value of the attribute identifying the group, click the “Search” button, select the appropriate group from the list of found groups, and click the “Add” button.

Viewing, assigning, and revoking rights#

If the user has rights to the user from applications or other accounts, this will be displayed in the “Rights of subjects on user” block. If the user has rights over objects, such as other accounts, this will be displayed in the *”User object permissions” block.

Each right is characterized by the following parameters:

  • object identifier;

  • name;

  • right.

You can revoke an access right using the delete button next to the access right. You can assign an access right using the “Assign rights” link. In this case you will have to select the assigned access right from the list, select the type of subject (user or application) or object (user, group or application), find and select the subject/object.

Memorized devices and browsers#

The administrator can view the devices and browsers the user has logged in using their account from. The description of devices includes:

  • an indication of whether the device has a login session saved and whether the device is trusted. The indication is color coded:

    • gray - the login session is not saved on the device and the device is not trusted;

    • yellow - the login session is not saved on the device, but the device is trusted;

    • blue - a login session is saved on the device, but the device is not trusted;

    • green - the login session is saved on the device and the device is trusted.

  • the name and operating system version of the device, determined from UserAgent;

  • the browser name and version defined based on UserAgent;

  • the date and time of the last login from this device and browser;

  • The IP address of the user that was determined the last time the user logged in from this device and browser.

browsers_en

Security keys#

The administrator can view the list of security keys (Passkey, WebAuthn, FIDO2, U2F) registered for the user account. For each security key, the following are listed:

  • key name;

  • date and time of key registration;

  • scope of application (for Passkey and FIDO2 - for login and for login confirmation; for U2F - for login confirmation only);

  • date and time of the last use of the key.

security_key_en

The administrator can register a new security key using the “Add key” link. In a typical usage scenario, security keys are added by the user himself at the moment of login (onboarding) or via the User profile.

security_key_new_en

The ability for an administrator to add a key can be useful in the following scenarios:

  • The administrator personally issues users a hardware FIDO2/U2F key and binds it to the account. Two-factor authentication is used to access the company’s applications.

  • The administrator needs the ability to log in to the user account for technical support purposes. Resetting the password from the account will inconvenience the user - instead, a security key can be registered and used to log in. All actions to register and delete security keys are logged as security events.

Permissions granted to applications#

The administrator can view a list of permissions granted by the user to applications.

Each permission is described by:

  • identifier of the application;

  • list of permissions (scope);

  • date when the permissions were granted.

101