User management
Crypt-o allows to define user accounts and assign needed permissions to them. User and group accounts from a Windows domain or LDAP directory can be used as well. In that case, user credentials will be checked using Windows domain or LDAP authentication.
To manage user accounts, choose Tools > Administrative tools from the menu. Then click on the User management link in the Administrative tools panel.
NOTE: Only users with the System administrator or User management permissions can manage user accounts.
The User management window
The following account types are available:
• User - an account which represents a single user.
• Group - a container account which can include other accounts as its members. Permissions assigned to a group are applied to all its members recursively.
• Organizational Unit - a container account which is used to organize your accounts list as a hierarchy tree. Permissions assigned to an Organizational Unit are applied to all its members recursively.
• Backup server account - a special user account which is used by Crypt-o backup servers.
To add a new user account choose Action > New user... from the menu.
To add a new group account choose Action > New group... from the menu.
To add a new Organizational Unit choose Action > New Organizational Unit... from the menu.
To add a new account for a backup server choose Action > New backup server account... from the menu.
To edit a user or group account select it in the list and choose Action > Properties... from the menu.
To delete a user or group account select it in the list and choose Action > Delete from the menu.
You can change some options for multiple user accounts at once. To do that select the accounts in the list and choose one of the following menu items:
Action > Request password change
Action > Cancel password change request
Action > Enable user account
Action > Disable user account
NOTE: If you select a group or OU account and change an option in this way, the option is applied to all member user accounts of the group or OU.
NOTE: When you use external user accounts (Windows domain, LDAP) in Crypt-o, some of those accounts may be deleted from Active Directory or the LDAP directory over time.
To find out which user accounts have become invalid, choose Action > View > Invalid accounts from the menu.
User properties :: General page
General page
• Name - the name of the user account.
• Account type - the type of the user account. Possible values:
  ▪ Internal - internal Crypt-o user account. You need to specify a password for the user account or use key file authentication.
  ▪ Windows domain - Windows domain authentication will be used to check the user account password. Enter the Windows domain user account name in the UserName@Domain form. To select a user account from a list, click the ... button to the right of the Name input field.
  ▪ LDAP - LDAP directory authentication will be used to check the user account password. Enter the distinguished name of the LDAP user account, or click the ... button to the right of the Name input field to browse the LDAP directory. You need to configure the available LDAP servers in the System options on the LDAP page.
NOTE: By default, a user must store a key file on a removable device, in order to be able to log on using the key file. You can control this behavior in the Crypt-o system options.
WARNING: Store key files on removable devices, such as USB flash drives, for security reasons. Unplug the device with your key file when you have finished working with Crypt-o.
• Password - the user account password.
• Retype password - verification of the password.
• Request password change at the next user logon - if selected, the user will be prompted to enter a new password at the next logon.
• Password expires - you can specify an expiration date for the password of the user account. When the password has expired, the user is forced to change the password.
NOTE: See the Security page in the System options for more settings related to password expiration.
• Full name - optional full name of the user.
• Organizational Unit - optionally select an Organizational Unit for this account.
• Email - optional email address. It is used to send notifications about various events.
• Description - optional description of the user.
• Create home database - if selected, a home database will be created automatically for the user. The user will be the owner of his home database, but the database cannot be deleted by the user. By default, other users have no access to the home database, not even administrators. The user may grant other users access to his home database if necessary.
NOTE: If the Create home database option is enabled for a group, home databases will be created for all members of the group.
NOTE: By default, Web access is disabled for new home databases. You can enable it in the Crypt-o system options.
• Disable user account - the user account is disabled and the user logon will fail.
User properties :: Permissions page
On this page you can assign permissions to a user account. Set a mark in the Allow column to grant a permission to the user. Set a mark in the Deny column to withhold a permission from the user. A Deny mark takes precedence over an Allow mark.
Permissions page
The following system permissions are available:
• System administrator - a user can do everything.
• User management - a user can manage user accounts and assign permissions. The following restrictions apply:
• OU user management - a user can manage user accounts only within the user's organizational unit (OU), including nested organizational units. The OU user manager can add, modify and delete user accounts within his OU and add OU users to OU groups. Individual permissions for OU groups can be set only by users with higher privileges (User management or System administrator). The following restrictions apply:
• System audit - a user can view the System audit log.
• Create databases - a user can create new databases.
• Access via API - the user account can be used to access Crypt-o via the API.
The following object permissions are available:
• Owner - a user can do everything with an object.
• Web access - this permission applies to databases only. A user can access a database via the Web interface.
• Portable mode - this permission applies to databases only. A user can create a portable/offline version of a database.
• Audit - this permission applies to databases only. A user can view a database audit log.
• Manage images - this permission applies to databases only. A user can add/modify/delete images, which are used as icons for folders and records.
• Owner for new records - this permission applies to databases only. When a user creates a new record, the user becomes the owner of this record.
• Insert data - a user can create new records and new sub-folders.
• Modify data - a user can edit records and edit folders.
• Delete data - a user can delete records and delete folders.
• Manage attachments - a user can add or remove file attachments.
• Extract attachments - a user can execute or extract file attachments.
• View protected fields - a user can view data in protected fields. If a user does not have this permission, he is not able to view data in protected fields. But if the user has the Form filling permission, he is allowed to fill out forms with the data of the protected fields.
• Print and export -
• Form filling - a user can use the form filling feature.
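The two rules stated above, that Group and Organizational Unit permissions apply to all members recursively and that Deny takes precedence over Allow, together with the View protected fields / Form filling distinction, can be made concrete with the following evaluator. It is an added illustration, not Crypt-o's own code; the account names and permission sets are constructed for the example.

```python
# Added example (not Crypt-o's own code): computes a user's effective permissions from
# Allow/Deny marks on the user and on every Group or Organizational Unit it belongs to,
# applied recursively, with Deny winning over Allow.
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    kind: str                                   # "User", "Group" or "Organizational Unit"
    allow: set[str] = field(default_factory=set)
    deny: set[str] = field(default_factory=set)
    parents: list["Account"] = field(default_factory=list)  # containers this account is a member of


def effective_permissions(account: Account) -> set[str]:
    """Union the Allow and Deny marks of the account and of every container it belongs
    to (recursively, so nested OUs and groups in groups count), then let Deny win."""
    allowed: set[str] = set()
    denied: set[str] = set()
    seen: set[str] = set()
    stack = [account]
    while stack:
        acc = stack.pop()
        if acc.name in seen:                    # tolerate a membership cycle
            continue
        seen.add(acc.name)
        allowed |= acc.allow
        denied |= acc.deny
        stack.extend(acc.parents)
    return allowed - denied


def protected_field_access(perms: set[str]) -> dict[str, bool]:
    """Viewing needs 'View protected fields'; filling forms only needs 'Form filling'."""
    return {"view": "View protected fields" in perms,
            "fill_forms": "Form filling" in perms}


# Constructed hierarchy: the OU grants edit rights to everyone in it; a contractor
# group inside the OU denies protected-field viewing and deletion to its members.
finance_ou = Account("Finance", "Organizational Unit",
                     allow={"Insert data", "Modify data", "Delete data", "View protected fields"})
contractors = Account("Contractors", "Group", parents=[finance_ou],
                      allow={"Form filling"}, deny={"View protected fields", "Delete data"})
alice = Account("alice", "User", parents=[contractors])   # member of the group
bob = Account("bob", "User", parents=[finance_ou])        # member of the OU directly

if __name__ == "__main__":
    for user in (alice, bob):
        perms = effective_permissions(user)
        print(user.name, sorted(perms), protected_field_access(perms))
```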
User properties :: Member of page
On this page you can specify the group membership of a user account.
Member of page
User properties :: MFA page
On this page you can control multi-factor authentication (MFA) for a user account.
MFA page
By default, multi-factor authentication is disabled and this page is not available for a user account. To enable MFA, use the Multi-factor authentication page in the Crypt-o system options.
Initially, all user accounts use the default MFA method specified in the system options. If needed, you can set a different MFA method for specific user accounts.
At logon, Crypt-o prompts the user to enroll for MFA if the user has not done so yet.
If a TOTP/HOTP authentication method is used, a User manager or System administrator can select the following options:
• Request user to enroll for MFA at next logon - when this option is selected, Crypt-o will request the user to enroll for MFA at the next logon.
• Enroll user for MFA now - when this option is selected, the user enrollment will start after pressing OK.
Specialized user account for backup servers
When you set up a backup server, you need to create a specialized user account on the primary server. This user account is used by the backup server to connect to the primary server. It is needed to allow transfer of the primary server's private data (TLS certificates and keys, licenses), which the backup server requires for proper initialization. The initialization is performed only once, during setup of the backup server.
To add a new account for a backup server choose Action > New backup server account... from the menu.
Adding a user account for a backup server
• Name - the name of the user account.
• Allow transfer of server private data - when this option is selected, backup servers will be able to obtain private data of the primary server, such as TLS certificates and keys, registration data, etc.
WARNING: This option is needed only for initialization of a backup server. Turn off this option immediately after initialization of a backup server.
NOTE: For security reasons, this option is turned off automatically after 15 minutes.
• Password - the user account password.
• Retype password - verification of the password.
• Full name - optional full name of the user.
• Description - optional description of the user.
• Disable user account - the user account is disabled and the user logon will fail.