Managing local users and groups

Even if you use an external identity provider like CyberArk Identity or Active Directory for most of your workforce, Trust Protection Foundation maintains an internal, local user directory. This local directory is entirely isolated from your external data sources.

The local directory is automatically created during installation and includes your primary master administrator account (Admin). You will typically use local identities for system maintenance tasks, emergency access, or granting access to users who don't exist in your external directories.

Creating a local user

To create users and groups, you must log in with an account that has Master Admin privileges and explicitly has Read, Write, and Create permissions to the Local Identity object.

  1. From the administration console menu, click Policy Tree.
  2. Select the Identity tree from the drop-down list.
  3. In the tree, select the Local identity provider.
  4. Click the Users & Groups tab, and then click Add > User.
  5. Complete the user information fields:
    • Login Name: The username the person will use to log in (required).
    • First Name / Last Name: The user's given name and surname.
    • Email: The user's email address for system notifications.
    • Password: The local password for the user.
    • Master Admin: Select this only if you want to grant the user full permissions to every object in the database. Use this role with extreme caution.
  6. Click Save.

By default, new local users are automatically added to the local Everyone group.

Creating a local group

You can organize local users into groups to make assigning permissions easier. Remember that user directories are closed systems; you can only add local users to a local group.

  1. From the Policy Tree, select the Identity tree.
  2. Select the Local user directory.
  3. Click the Users & Groups tab, and then click Add > Group.
  4. Enter a Group Name.
  5. Next to the Group Member(s) field, click the browse button (...).
  6. In the Available Users list, select the users you want to add, and click the right-arrow to move them to the Selected Users list. (You can use Shift+click or Ctrl+click to select multiple users.)
  7. Click Select, and then click Save to create the group.

Changing local user passwords

If you are logged in using a local identity, you can change your own password directly from your account profile.

  1. Click your user account icon in the top corner of the console, and then click My Account.
  2. Click Change Password.
  3. Enter your current password.
  4. Type and confirm your new password. The system will validate your new password against the displayed complexity requirements.