Editing a local account

Before you begin

Note: If Single Sign-On is enabled, editing a local account is limited to a unique email address. Each Administrator must have a unique email address.

Use the page Global Settings > General > Administrators to edit the access and authentication permissions for existing local accounts.

Steps

  1. From the Administrators page, click the name of an administrator account.
    The Edit Local Account page displays.
  2. To change the name, enter a unique name up to 50 characters in the field Name.
    • The name must be between 1 and 50 characters long, and cannot include any of the following characters:

      * < > ' { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,

    • Names can include spaces and dashes.
  3. To change the administrator email address, enter a valid address for the user in the field Email address.

    This email address is used to send account information to the administrator.

  4. To reset the administrator’s password, enter and confirm a password in the fields Change password and Confirm password.
    The password must be 8–255 characters and include at least one each of the following:
    • uppercase letter
    • lowercase letter
    • number
    • special character (such as hyphen, underscore, or blank)
    Note:
    • If certificate authentication is enabled and password authentication is disabled on the page General > Two-Factor Auth, password logon is not available for the local account.
    • When SSO is enabled, local accounts cannot configure their passwords. Only the Global Security Administrator can have a password configured.

    • When SSO is disabled, make sure to configure passwords for local accounts. The local account can generate a temporary password by clicking the Forgot password? link on the login page.

    • When SSO is enabled, only the Global Security Administrator can generate a temporary password if the login password is forgotten, by clicking Log in as Global Administrator on the SSO login page and selecting the Forgot password link.
  5. Under Administrator type, select either User or Application. (Added in version 8.6.3)
    • Select User for administrator accounts that require access to the Security Manager. This is the standard type for all administrators.
    • Select Application if the account is used to access REST API services in the Data Security module. The Application type provides permissions to perform API requests to the Security Manager.

      The Email Address provided for this account will be used as the Application owner’s contact. Forcepoint DLP uses this email address if there is an issue with the Application.

      If you select Application, then all module access permission options on this page are disabled. The Application type grants access to the Data module by default and grants no permissions to the other modules. These permissions cannot be edited. Also, the Notify administrator of the new account via email and Force administrator to create a new password at logon options are not available.

  6. To give the administrator full permissions across all Security Manager modules, mark the check box Global Security Administrator.
    Note: Only Global Security Administrators can create other Global Security Administrators.
  7. To send account update information to the administrator via email, mark the check box Notify administrator of the account changes via email.
    Note: Selecting this option notifies the administrator only of the current changes being made. If you return to make further edits to this or another administrator’s details, you will need to mark the option again.
  8. To require the administrator to change the account password the next time they log on to the Security Manager, mark the check box Force administrator to create a new password at logon.
    Note:

    When SSO is enabled, the Force administrator to create a new password at logon option is enabled only when the Global Security Administrator option is checked.

    When SSO is enabled and both the Global Security Administrator and Force administrator to create a new password at logon options are checked, the Global Security Administrator is forced to create a new password only when the Global Security Administrator clicks Log in as Global Security Administrator on the login page.

  9. If certificate authentication is enabled on the page General > Two-Factor Auth:
    1. Click Certificate Authentication.
    2. Browse to the location of the certificate that the administrator will authenticate against when logging on to the Security Manager.
    3. Click Upload Certificate.

    For more information, see Configuring two-factor authentication.

  10. If this is not a Global Security Administrator account, use the section Module Access Permissions to update permissions for the administrator. Choose a setting under each of the available options (Web, Data, Email) to give the administrator permissions to manage one or more of the Security Manager modules.

    For each available module, choose whether the administrator has:

    • No access to that module
    • Only access to the module
    • Both access and the ability to manage other administrators in that module

      For more information, see Security Manager administrators.

    Note: Administrators can assign access permissions only for the Security Manager modules to which they have management permissions.
  11. When you are finished making changes, click OK.
    The settings are saved.
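
The following added example (not Forcepoint code) pre-checks a list of planned account edits against the name, password, SSO, and Application-type rules in the steps above, so that rejected values are caught before they are entered on the Edit Local Account page. The dictionary keys, function names, and the reading of "special character" as any non-alphanumeric character are assumptions made for this sketch.

```python
import string
from collections import Counter

# Characters the page lists as not allowed in an administrator name.
FORBIDDEN_NAME_CHARS = set("*<>'{}~!$%&@#.\"|\\+=?/;:,")
ALNUM = string.ascii_letters + string.digits
# Constructed sample input (hypothetical field names), not taken from a real deployment.
SAMPLE = [
    {"name": "Ops Admin-1", "email": "ops@example.test", "type": "User", "password": "Tr1cky pass"},
    {"name": "dlp.api", "email": "OPS@example.test", "type": "Application", "force_password_change": True},
]

def check_name(name):
    problems = [] if 1 <= len(name) <= 50 else ["name must be 1-50 characters"]
    bad = sorted(set(name) & FORBIDDEN_NAME_CHARS)
    return problems + (["name contains forbidden characters: " + " ".join(bad)] if bad else [])

def check_password(pw):
    problems = [] if 8 <= len(pw) <= 255 else ["password must be 8-255 characters"]
    classes = {
        "uppercase letter": any(c in string.ascii_uppercase for c in pw),
        "lowercase letter": any(c in string.ascii_lowercase for c in pw),
        "number": any(c in string.digits for c in pw),
        # Assumption: any character that is not an ASCII letter or digit is "special".
        "special character": any(c not in ALNUM for c in pw),
    }
    return problems + ["password is missing: " + k for k, ok in classes.items() if not ok]

def check_edit(edit, sso_enabled):
    problems = check_name(edit["name"])
    is_gsa = edit.get("global_security_admin", False)
    if edit.get("password") is not None:
        if sso_enabled and not is_gsa:
            problems.append("SSO enabled: only a Global Security Administrator can have a password")
        problems += check_password(edit["password"])
    if edit.get("force_password_change"):
        if edit.get("type") == "Application":
            problems.append("force-password-change is not available for Application accounts")
        elif sso_enabled and not is_gsa:
            problems.append("SSO enabled: force-password-change requires Global Security Administrator")
    return problems

def check_batch(edits, sso_enabled):
    """Return {name: [problems]}; also flags email addresses shared by several accounts."""
    counts = Counter(e["email"].lower() for e in edits)
    return {e["name"]: check_edit(e, sso_enabled)
            + ["email address is not unique"] * (counts[e["email"].lower()] > 1)
            for e in edits}
```

Calling check_batch(SAMPLE, sso_enabled=True) shows how the same planned edits pick up additional problems once SSO is turned on.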