Crypt-o documentation - User management

User management



Crypt-o lets you define user accounts and assign them the permissions they need. User and group accounts from a Windows domain or an LDAP directory can be used as well; in that case user credentials are checked using Windows domain or LDAP authentication.

To manage user accounts, choose Tools > Administrative tools from the menu. Then click on the User management link in the Administrative tools panel.

NOTE: Only users with the System administrator or User management permission can manage user accounts.

The User management window


The following account types are available:

User - an account which represents a single user.
Group - a container account which can include other accounts as its members. Permissions assigned to a group are applied to all its members recursively.
Organizational Unit - a container account used to organize your account list as a hierarchy tree. Permissions assigned to an Organizational Unit are applied to all its members recursively.
Backup server account - a special user account used by Crypt-o backup servers (see Specialized user account for backup servers below).

To add a new user account choose Action > New user... from the menu.

To add a new group account choose Action > New group... from the menu.

To add a new Organizational Unit choose Action > New Organizational Unit... from the menu.

To add a new account for a backup server choose Action > New backup server account... from the menu.

To edit a user or group account select it in the list and choose Action > Properties... from the menu.

To delete a user or group account select it in the list and choose Action > Delete from the menu.

 

You can change some options for multiple user accounts at once. To do that select the accounts in the list and choose one of the following menu items:

Action > Request password change

Action > Cancel password change request

Action > Enable user account

Action > Disable user account

NOTE: If you select a group or OU account and change an option this way, the option is applied to all user accounts that are members of that group or OU.

 

NOTE: When external user accounts (Windows domain, LDAP) are used in Crypt-o, some of them may over time be deleted from Active Directory or the LDAP directory while their Crypt-o accounts remain. To find out which user accounts have become invalid, choose Action > View > Invalid accounts from the menu. Review this list periodically and delete or disable accounts that are no longer needed.

User properties :: General page

General page


Name - the name of the user account.
Account type - the type of the user account. Possible values:
Internal - an internal Crypt-o user account. You need to specify a password for the account or use key file authentication.
Windows domain - Windows domain authentication is used to check the account password. Enter the Windows domain user account name in the UserName@Domain form. To select a user account from a list, click the ... button to the right of the Name input field.
LDAP - LDAP directory authentication is used to check the account password. Enter the distinguished name of the LDAP user account, or click the ... button to the right of the Name input field to browse the LDAP directory. The available LDAP servers must be configured on the LDAP page of the System options.
Use key file authentication - if selected, the user is authenticated using a key file. When this option is turned on you are prompted to save a key file for the user; you then need to hand this key file to the user. Only internal Crypt-o user accounts can use key file authentication. You can create a new key file for a user by choosing Action > Create new key file... from the menu in the users list window.

NOTE: By default, a user must store a key file on a removable device, in order to be able to log on using the key file. You can control this behavior in the Crypt-o system options.

WARNING: Store key files on removable devices, such as USB flash drives, for security reasons, and unplug the device holding your key file when you have finished working with Crypt-o. A key file is a credential: do not send it over unprotected channels, and create a new key file (Action > Create new key file...) if a copy may have been exposed.

Password - the user account password.
Retype password - verification of the password.
Request password change at the next user logon - if selected, the user will be prompted to enter a new password at the next logon.
Password expires - you can specify an expiration date for the password of the user account. Once the password has expired, the user is forced to change it at logon.

NOTE: See the Security page in the System options for more settings related to password expiration.

Full name - optional full name of the user.
Organizational Unit - optionally select an Organizational Unit for this account.
Email - optional email address. It is used to send notifications about various events.
Description - optional description of the user.
Create home database - if selected, a home database is automatically created for the user. The user is the owner of his home database but cannot delete it. By default no other user, not even an administrator, has access to the home database; the user may grant other users access to it if necessary.

NOTE: If the Create home database option is enabled for a group, home databases will be created for all members of the group.

NOTE: By default, Web access is disabled for new home databases. You can enable it in the Crypt-o system options.

Disable user account - the user account is disabled and the user logon will fail.

User properties :: Permissions page

On this page you assign permissions to a user account. Tick the Allow column for a permission to grant it to the user, or tick the Deny column to withhold it. Deny takes precedence over Allow. Because permissions assigned to groups and Organizational Units apply to all their members, a Deny inherited from a group or OU also overrides an Allow set directly on the account, so check the effective result when an account belongs to several groups.
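The two rules above (group and OU permissions are inherited by members recursively, and Deny takes precedence over Allow) are easy to misjudge when an account belongs to several groups. The following added example, written for this page and not Crypt-o's own code, models them in Python over a constructed account tree: the account names, the OU layout and the permission assignments are invented for illustration, and the permission names are taken from the system and object permission lists that follow on this page.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class Account:
    """One entry of the account list: a user, a group or an Organizational Unit.

    allow/deny hold the permission names ticked in the Allow/Deny columns
    of this account's Permissions page.
    """
    kind: str                                  # "user", "group" or "ou"
    member_of: Tuple[str, ...] = ()            # groups this account is a member of
    ou: Optional[str] = None                   # Organizational Unit containing this account
    allow: FrozenSet[str] = frozenset()
    deny: FrozenSet[str] = frozenset()


def principals(directory: Dict[str, Account], name: str) -> Set[str]:
    """Return the account itself plus every group and OU whose permissions
    apply to it. Group and OU permissions are inherited recursively, so walk
    membership and containment until nothing new turns up."""
    seen: Set[str] = set()
    pending = [name]
    while pending:
        current = pending.pop()
        if current in seen:          # also stops on accidental membership cycles
            continue
        seen.add(current)
        account = directory[current]
        pending.extend(account.member_of)
        if account.ou is not None:
            pending.append(account.ou)
    return seen


def effective(directory: Dict[str, Account], name: str, permission: str) -> str:
    """Resolve one permission for one account: "deny" if any applicable
    principal denies it (Deny takes precedence over Allow), "allow" if any
    applicable principal allows it, otherwise "none"."""
    applicable = principals(directory, name)
    if any(permission in directory[p].deny for p in applicable):
        return "deny"
    if any(permission in directory[p].allow for p in applicable):
        return "allow"
    return "none"


# Constructed sample directory (hypothetical names, not from any real installation).
DIRECTORY: Dict[str, Account] = {
    "Corp":     Account("ou", allow=frozenset({"Create databases"})),
    "Finance":  Account("ou", ou="Corp"),                      # nested OU
    "Staff":    Account("group", allow=frozenset({"Access via API"})),
    "Auditors": Account("group", member_of=("Staff",),          # nested group
                        allow=frozenset({"System audit"}),
                        deny=frozenset({"Print and export"})),
    # alice is allowed Print and export on her own account but inherits a
    # Deny from Auditors; Deny wins.
    "alice":    Account("user", member_of=("Auditors",), ou="Finance",
                        allow=frozenset({"Print and export"})),
    # bob has no group membership and sits outside the OU tree.
    "bob":      Account("user", allow=frozenset({"Print and export"})),
}


def report(name: str) -> Dict[str, str]:
    """Effective result for every permission assigned anywhere in the sample directory."""
    perms: Set[str] = set()
    for account in DIRECTORY.values():
        perms |= account.allow | account.deny
    return {p: effective(DIRECTORY, name, p) for p in sorted(perms)}


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, report(user))
```

Running the block prints that alice gets Create databases through the nested OU chain and Access via API through the nested group, but is denied Print and export despite her own Allow, while bob is allowed Print and export and nothing else.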

Permissions page


The following system permissions are available:

System administrator - a user can do everything.

User management - a user can manage user accounts and assign permissions. The following restrictions apply:
It is not allowed to create or modify accounts with the System administrator permission.
It is not allowed to change the password of accounts which have access to private or home databases.
It is not allowed to modify the name and options of accounts which have access to private or home databases.
It is not allowed to delete accounts which have access to private databases.

OU user management - a user can manage user accounts only within the user's own organizational unit (OU), including nested organizational units. The OU user manager can add, modify and delete user accounts within his OU and add OU users to OU groups, but individual permissions for OU groups can be set only by users with higher privileges (User management or System administrator). The following restrictions apply:
All restrictions which apply to the User management permission.
When changing group membership for an account, both the account and the group must belong to the OU.
It is not allowed to change system permissions for accounts.
It is not allowed to change database permissions for accounts unless the user is the database owner.
It is not allowed to delete an account or change its password if the account has system permissions set or is a member of groups outside the OU.

System audit - a user can view the System audit log.

Create databases - a user can create new databases.

Access via API - the user account can be used to access Crypt-o via the API.

The following object permissions are available:

Owner - a user can do everything with the object.
Web access - applies to databases only. A user can access the database via the Web interface.
Portable mode - applies to databases only. A user can create a portable/offline version of the database.
Audit - applies to databases only. A user can view the database audit log.
Manage images - applies to databases only. A user can add, modify and delete the images used as icons for folders and records.
Owner for new records - applies to databases only. When the user creates a new record, the user becomes the owner of that record.
Insert data - a user can create new records and new sub-folders.
Modify data - a user can edit records and folders.
Delete data - a user can delete records and folders.
Manage attachments - a user can add or remove file attachments.
Extract attachments - a user can execute or extract file attachments.
View protected fields - a user can view the data in protected fields. Without this permission the user cannot view protected field data, but if the user also has the Form filling permission, he can still fill out forms with it. Note that form filling still delivers the protected value to the target form, so withholding View protected fields limits casual disclosure rather than guaranteeing that the user can never obtain the value.
Print and export - a user can print and export data.
Form filling - a user can use the form filling feature.

User properties :: Member of page

On that page you can specify group membership for a user account.

Member of page


User properties :: MFA

On that page you can control multi-factor authentication (MFA) for a user account.

MFA page


By default multi-factor authentication is disabled and this page is not available for a user account. To enable MFA use the Multi-factor authentication page in the Crypt-o system options.

Initially all user accounts use the default MFA method specified in the system options. If needed you can set a different MFA method for specific user accounts.

At logon, Crypt-o asks the user to enroll for MFA if this has not been done yet.

If a TOTP/HOTP authentication method is used, a User manager or System administrator can select the following options:

Request user to enroll for MFA at next logon - when this option is selected, Crypt-o asks the user to enroll for MFA at the next logon.
Enroll user for MFA now - when this option is selected, the user enrollment starts after you press OK.

Specialized user account for backup servers

When you set up a backup server, you need to create a specialized user account on the primary server. The backup server uses this account to connect to the primary server and obtain the primary server's private data (TLS certificates and keys, licenses), which it needs in order to initialize itself properly. This initialization happens only once, during setup of the backup server.

To add a new account for a backup server choose Action > New backup server account... from the menu.

 

Adding a user account for a backup server


Name - a name of the user account.
Allow transfer of server private data - when this option is selected, backup servers can obtain the primary server's private data, such as TLS certificates and keys, registration data, etc.

WARNING: This option is needed only for initialization of a backup server. Turn off this option immediately after initialization of a backup server.

NOTE: For security reasons, this option is turned off automatically after 15 minutes.

Password - the user account password.
Retype password - verification of the password.
Full name - optional full name of the user.
Description - optional description of the user.
Disable user account - the user account is disabled and the user logon will fail.