Identity lifecycle management, auditing, and compliance are key functions for IT Admins. User states allow admins to manage a user’s progression through the identity lifecycle and control when a user can access platform-provided resources. Admins can track and report on user states for auditing and compliance purposes.
Configuring the Default User State for New Users
Considerations:
- If you are using a SCIM integration to create users in the platform from external identity sources, such as the BambooHR and Okta integrations, the value for the Settings > User Management > Default User State for User Creation > Manual/Single User API setting is what will determine the default state for these users.
- For users created in the Active user state, user emails are still determined by the method used to create a user in the platform and the password status. See the Building Users section in Get Started: Admin Implementation to learn more.
- If you are using the AD integration:
  - Staged users are not provisioned to AD.
  - The UserTakeoverAction value should be changed to retain. Otherwise, the password status will change back to a pending status when the user is associated with AD from the platform. To learn more about this setting and the difference between setting the value to retain and deactivate, see Advanced Configurations for AD Sync.
- The default value you set for Settings > User Management > Default User State for User Creation > Manual/Single User API is what will determine the default state for users imported from AD.
To configure the Default User State:
- Log in to the Admin Portal.
- Go to Users > Settings.
- Select a default user state for each method outlined under Default User State for User Creation.
- Click Save.
The default user state for users created from the AD integration or one of the SCIM integrations (e.g., Okta, BambooHR) will be determined by the value specified for the Manual / Single User API / ADI / SCIM API setting.
A new user can be created from the Admin Portal (select USER MANAGEMENT > Users > ( + )) or from an application Identity Management integration (USER AUTHENTICATION > SSO > select an application > Identity Management > manual import). You can learn more about the listed user creation methods in these support articles:
Understanding User States
A user state indicates where a user currently is in the identity lifecycle. User states allow you to control access to platform-provided resources. Set the default user state from Settings > User Management > Default User State for User Creation.
The following user states are available:
- Staged - Easily identify users who still need to be onboarded. Preassign all the resources and policies new users will need on their start dates without granting access. The user account will not be provisioned in most cases until the user state is changed to Active. You can activate, suspend, or delete a user from this user state. Staged users are billed as normal users.
- Active - Immediately provision a user account and enable a user’s access to assigned resources and policies. You can suspend or delete the user from this user state. Active users are billed as normal users.
Note: After a new user is activated, the user must complete the onboarding process, including setting a password, logging in to the User Portal and, if required, setting up identity verification to use platform resources.
- Suspended - Revoke a user’s access to assigned platform resources or prevent a user from accessing resources. You can activate or delete the user from this user state. Suspended users are billed as normal users.
Note: Existing users do not need to take any additional steps when the user's state is changed from Suspended to Active, and the users receive the same access they had prior to being suspended.
User states are shown from the user’s page, User’s Details tab, and Highlights tab for a user from a User Group, Device, LDAP, Active Directory, Google Workspace Directory, and M365/Entra ID.
Managing User States
User states can be changed from Staged to Active, Active to Suspended, and Suspended to Active. A user cannot be changed back to a Staged user state once activated.
There are different ways to change a user state:
- Setting the default user state for new users to either Staged or Active is done from Settings > User Management > Default User State for User Creation. You can specify a different user state default for each user creation method.
- Changing a user state to Active can be scheduled or done manually. Activating a user immediately gives that user access to all assigned resources and applicable policies in the platform.
- Changing a user state to Suspended can be scheduled or done manually. Learn more below.
Warning: Users can't be changed back to Staged once they are activated.
Setting a Staged User State
Considerations:
- Staged users can’t receive emails. When you change their user state from Staged to Active, you control whether or not an email is sent. The type of email sent (activation or welcome) is automatically determined based on whether or not a password has been set for the user.
- A user state can't be changed back to Staged once activated.
- Staged users are not provisioned to AD.
Assigning Resources to Users with a Staged User State
Users in a Staged user state can be assigned resources. See Connect New Users to Resources to learn more about assigning resources.
A staged user won't have access to any assigned resources until their user state is changed to Active. The resource type will determine if a user account is or isn't provisioned. The table below outlines the behavior.
Resource | Provisioned | Access |
---|---|---|
User Portal | X | X |
SAML SSO Apps | N/A | X |
RADIUS | X | X |
LDAP | X | X |
Devices | X | X |
Google Workspace* | √ | X |
M365* | √ | X |
AD | X | X |
User provisioning through SCIM Identity Management integrations (the platform is the IdP) | X | X |
Seeing Devices Assigned Directly to a User in the Staged User State
You can see devices that have been assigned directly to a user in the Staged user state in the Resource Summary Section of the Details tab or in the Devices tab.
Setting a Password for a User in a Staged User State
You can assign or import a password on a staged user. This password isn't sent to any assigned resources until the user state is changed to Active.
To set a password when manually creating a new user:
- Log in to the Admin Portal.
- Go to USER MANAGEMENT > Users > (+).
- Choose Manual user entry.
- Complete the User Information section.
- Scroll down to the User Security Settings and Permissions section.
- Under Password Settings, select the checkbox next to Specify initial password.
- Enter a password that meets the existing password complexity policy in the New Password* field.
- Select the eye icon to see the password, if needed.
- Select an option: Force user to set their own password at first login or Allow user to keep admin-created password.
- Complete the rest of the sections on the Details tab.
- Assign resources by adding the user to User Group, Devices, and/or Directories, as appropriate. See Connect New Users to Resources to learn more.
- Click save user.
To set a password when creating users via CSV import, specify a password in the CSV template. See Add Users to the Admin Portal or Import Users from CSV with the PowerShell Module for more details.
To set a password for an existing user:
- Log in to the Admin Portal.
- Go to USER MANAGEMENT > Users.
- Click anywhere on the row of the user you want to activate.
- Select the Details tab.
- Under Password Settings, click Reset Password.
- Enter a password that meets the existing password complexity policy in the New Password* field.
- Click Save Changes.
- Click save user.
Setting an Active User State
An Admin can transition users to an Active state via scheduled activation or manually.
Scheduling User Activation
Scheduled activation allows the admin to transition users between states on a specific date and time, thus minimizing the need to be available when a user starts while still providing them the right access at the right time. This feature is ideal when:
- Onboarding users
  - Admins transitioning users from the Staged to Active user state.
- Reactivating contractors
  - Returning contractors who have been suspended in the platform.
- Reactivating employees
  - Returning employees who have been suspended in the platform while on extended leave.
  - Rehired employees who have been suspended but not yet deleted in the platform.
There are two ways to schedule a user’s activation: From the change state menu or the user's record.
To schedule a user activation from the change state menu:
- Log in to the Admin Portal.
- Go to USER MANAGEMENT > Users.
- Select the checkbox next to the applicable user, click change state, and select Activate.
- Click Schedule Activation and select the date and time to start the activation.
- You can optionally select and populate the Send email when activated field.
- Click Save.
Note: The time must be at least one hour in the future.
To schedule a user activation from the user’s record:
- Log in to the Admin Portal.
- Go to USER MANAGEMENT > Users and select the user.
- Click the User State dropdown menu and select Activate.
- Click Schedule Activation and select the date and time to start the activation.
- You can optionally select and populate the Send email to field.
- Click Save.
Deleting a Scheduled Activation
If you scheduled a date and time to revoke a user’s access to platform resources, but find that you need to change it, you can remove the scheduled suspension and create a new scheduled suspension.
- Log in to the Admin Portal.
- Go to USER MANAGEMENT > Users and select the user.
- Select the Details tab, and expand the Scheduled User State Changes section.
- Click delete (trashcan icon located under the Scheduled User State Changes Section) for the scheduled event.
- On the Delete Scheduled State Change window, click Delete. The user will remain in their current state.
Manually Activating Users
There are two ways to manually activate a user: From the Change State menu or the user's record.
To manually activate a user from the change state menu:
- Log in to the Admin Portal.
- Go to USER MANAGEMENT > Users.
- Select the checkbox next to the applicable user, click change state, and select Activate.
- Click Activate Now.
- You can optionally choose to send the user a welcome email by selecting the Send welcome email. The email can be sent to an alternate email or a company email.
- Click Save.
Email templates can be customized. See the Customize Email Templates article in the Learn More section to the right.
To manually activate a user from the user’s record:
- Log in to the Admin Portal.
- Go to USER MANAGEMENT > Users and select the user.
- Click the User State dropdown menu and select Activate.
- Click Activate Now.
- You can optionally choose to send an email to the user by selecting and populating the Send email to field.
- Click Save.
Setting a Suspended User State
An Admin can transition users to a Suspended user state manually or via scheduled suspension.
Considerations:
- Suspensions are scheduled and displayed using your browser’s time.
- Scheduled suspensions occur at an interval of every 10 minutes (e.g., 1:30, 1:40, 1:50). If entering a time that does not end in zero (0), the update will occur at the end of the next (10-minute) interval.
- You can schedule multiple suspensions for a single user. The next scheduled suspension is displayed.
- If you manually suspend a user who has a suspension scheduled, you should delete the scheduled suspension. Otherwise, the user will be suspended again on the scheduled date and time, and the reports will show the user is suspended twice, once manually and once through automation.
- Scheduled suspensions cannot be edited. To change the date (and time) of a scheduled suspension, you must delete the existing scheduled suspension event and create a new one.
- MacOS: The macOS agent will not allow suspension or deletion of all Secure Token users from a system. If a user suspended or deleted via the Admin Portal is the last Secure Token user on a system, this user will be suspended or deleted in the Admin Portal but will not be removed from the target system to prevent that system from being rendered inaccessible.
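The scheduling rules above can be checked before a change is saved. The following Python sketch is an added example, not code from the vendor or the original page: it models the allowed state changes, the one-hour minimum lead time, and the 10-minute suspension interval, and flags a leftover scheduled suspension that would fire after a manual one. The state names, function names, and sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

# State changes the page allows; a user can never return to STAGED.
ALLOWED = {("STAGED", "ACTIVE"), ("ACTIVE", "SUSPENDED"), ("SUSPENDED", "ACTIVE")}
MIN_LEAD = timedelta(hours=1)      # "at least one hour in the future"
INTERVAL_MIN = 10                  # suspensions run on 10-minute boundaries


def fires_at(target: str, requested: datetime) -> datetime:
    """Time a scheduled change takes effect (minute granularity assumed)."""
    base = requested.replace(second=0, microsecond=0)
    if target != "SUSPENDED":
        return base  # the page states the interval rule for suspensions only
    return base + timedelta(minutes=(-base.minute) % INTERVAL_MIN)


def review_schedule(state: str, now: datetime, events):
    """Replay pending (target_state, requested_time) events in firing order.

    Returns (final_state, findings); findings list the events an admin
    should delete or re-create before they run.
    """
    findings = []
    for target, requested in sorted(events, key=lambda e: fires_at(*e)):
        when = f"{fires_at(target, requested):%Y-%m-%d %H:%M}"
        if requested - now < MIN_LEAD:
            findings.append(f"{target} {when}: less than one hour ahead")
        elif target == state:
            findings.append(f"{target} {when}: redundant, already {state}")
        elif (state, target) not in ALLOWED:
            findings.append(f"{target} {when}: {state} -> {target} not allowed")
        else:
            state = target
    return state, findings


# Constructed sample: user was suspended manually at 09:00, but older
# scheduled events were never deleted.
NOW = datetime(2024, 3, 1, 9, 0)
PENDING = [
    ("SUSPENDED", datetime(2024, 3, 1, 13, 34)),  # leftover, fires 13:40
    ("ACTIVE", datetime(2024, 3, 1, 9, 30)),      # too soon to schedule
    ("ACTIVE", datetime(2024, 3, 4, 8, 5)),       # return from leave
]

if __name__ == "__main__":
    final_state, findings = review_schedule("SUSPENDED", NOW, PENDING)
    print("final state:", final_state)
    for line in findings:
        print("finding:", line)
```

The "redundant" finding corresponds to the double-suspension entry the reports would otherwise show, once manual and once through automation.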
Scheduling User Suspensions
Scheduled suspension allows the admin to transition users between user states on a specific date and time. This feature minimizes the need to be available when access needs to be revoked while still ensuring the revocation occurs at the right time. This feature is ideal when:
- An employee resigns
- A contractor's contract expires
- An employee goes on extended leave
There are two ways to schedule a user suspension: From the change state menu or from the user's record.
To schedule a user suspension from the change state menu:
- Log in to the Admin Portal.
- Go to USER MANAGEMENT > Users.
- Select the user to schedule for suspension by selecting the checkbox next to the name.
- Click change state, and select Suspend.
  - Scheduling a suspension revokes this user's access to all platform-provided resources on the date and time you provide. The user is retained in the system and billed as a normal user.
  - A Samba user, which is the Samba Service Account, can't be suspended from the Admin Portal.
- Click Schedule Suspension and select the date and time to start the suspension.
Note: The time must be at least one hour in the future.
- Click Save. A notification will appear along with a calendar icon next to the user state to indicate there is a scheduled event associated with this user.
- Hover over the calendar icon to see more information about the scheduled event.
Tip: If you need to edit the date or time that you scheduled the suspension, delete the current scheduled suspension and then add a new scheduled suspension for that user.
To schedule a user suspension from the user record:
- Log in to the Admin Portal.
- Go to USER MANAGEMENT > Users and select the user.
- Click the User State dropdown menu and select Suspend.
- Click Schedule Suspension and select the date and time to start the suspension.
Note: The time must be at least one hour in the future.
- Click Save. A notification will appear along with a calendar icon next to the user state to indicate there is a scheduled event associated with this user.
Tip: If you need to edit the date or time that you scheduled the suspension, delete the current scheduled suspension and then add a new scheduled suspension for that user.
Deleting a Scheduled Suspension
If you scheduled a date and time to revoke a user’s access to platform resources, but find that you need to change it, you can remove the scheduled suspension and create a new scheduled suspension.
- Log in to the Admin Portal.
- Go to USER MANAGEMENT > Users and select the user.
- Select the Details tab, and expand the Scheduled User State Changes section.
- Click delete (trashcan icon located under the Scheduled User State Changes Section).
- On the Delete Scheduled State Change window, click Delete. The user will remain in their current state until the scheduled date.
Manually Suspending Users
There are two ways to manually suspend a user: From the change state menu or from the user's record.
To manually suspend a user from the change state menu:
- Log in to the Admin Portal.
- Go to USER MANAGEMENT > Users.
- Select the checkbox next to the user you want to suspend.
Tip: You can select multiple users to suspend.
- Click change state, then select Suspend.
  - Suspending an account immediately revokes this user's access to all platform-provided resources. The user is retained in the system and billed as a normal user.
  - A Samba user, which is the Samba Service Account, can't be suspended.
- Click Suspend Now, then Save. A notification appears and the User State changes to Suspended.
To manually suspend a user from the user's record:
- Log in to the Admin Portal.
- Go to USER MANAGEMENT > Users and select the user.
- Click the User State dropdown menu and select Suspend.
- Click Suspend Now, then Save.
Note: Suspending an account immediately revokes this user's access to all platform-provided resources. The user is retained in the system and billed as a normal user.
Important: A Samba user, which is the Samba Service Account, cannot be suspended.
Deleting a User from the Admin Portal
Considerations:
- Deleted users are permanently removed. The deletion is recorded in the platform logs, but there is no state associated with the delete action. If you want to add a deleted user again, you will need to recreate the user's account.
- MacOS: The macOS agent will not allow suspension or deletion of all Secure Token users from a system. If a user suspended or deleted via the Admin Portal is the last Secure Token user on a system, this user will be suspended or deleted in the Admin Portal but will not be removed from the target system to prevent that system from being rendered inaccessible.
  - Scenario A: A single user is left on a system, and they are a Secure Token user. An admin deletes the user in the Admin Portal. Result: The user is deleted in the Admin Portal, but is not deleted from the system.
  - Scenario B: Five users are left on a system, and all are Secure Token users. An admin deletes all five users in the Admin Portal. Result: All users are deleted in the Admin Portal, but a single user (arbitrarily chosen) is not deleted from the system.
- Users bound to Cloud Directories should be deleted in the platform or unbound from the directory prior to deletion in Google Workspace or Entra ID/M365. Upon deletion in the platform, bound users will be suspended in Google Workspace or Entra ID/M365. This could lead to the user being recreated in the Cloud Directory if they are still bound at the time of deletion in the platform.
- If the user is a Manager of one or more other users in the platform, you will be notified in the confirmation prompt. Furthermore, upon deletion of a Manager, all of the Manager’s direct reports will have their Manager attribute cleared, leaving all direct report users without a Manager.
To delete users from the Admin Portal:
- Log in to the Admin Portal.
- Go to USER MANAGEMENT > Users.
- Select the checkbox next to the applicable user(s).
- Click delete in the top right of the Users page.
- You will be prompted to confirm the number of users to be deleted.
- Note: If the user is a Manager, you will be notified in this prompt. See the Considerations section directly above for more information.
- Enter the appropriate number in the input.
- Click Delete User.