Settings

User Management and Permissions

The names and email addresses of those who have been given access to the YubiEnterprise Console are displayed on the Users tab of the Settings screen.

The initial Org Owner for YubiEnterprise Services is created by YubiEnterprise Delivery’s customer support. In the case of a multinational organization shipping YubiKeys to both the EU and the US, there is a separate login for each. It may be the same person for each, but these are two separate organizations.

In addition to the Org Owner role, there are Org Admin and Org Auditor roles. Together they make up the Org Members. An Org Member cannot have multiple roles within the same organization. A user’s role is displayed on the Edit user page. The permission levels of the different roles are set out in the table below.

User Permissions

Permission                                       Owner  Admin  Auditor
-----------------------------------------------  -----  -----  -------
Add / Delete org members                         yes    no     no
Change member roles                              yes    no     no
Reset member login credentials                   yes    no     no
Make / Edit Shipment Requests                    yes    yes    no
Correct shipping addresses                       yes    yes    no
View Shipments / Purchase Orders / Org settings  yes    yes    yes
Manage personal login credentials                yes    yes    yes
View other roles’ details                        yes    yes    yes
Generate API token                               yes    yes    no

Adding and Deleting an Org Member

Org Owners can add an Org Member by clicking Add new member from the Users tab of the Settings screen. The Add new member popup appears. Enter the new user’s email address and role (YubiEnterprise Auditor, YubiEnterprise Admin, Owner):

[Figure: Add new member popup]

For each new Org Member added by an Org Owner, the system generates the following email inviting the member to register:

From: no-reply@yubico.com
Date: Sep 10, 2020, 12:34 PM -0700
To: <new-user@example.com>
Subject: Welcome to YubiEnterprise!

**Please activate your account**

Hi,

Your system administrator has created a YubiEnterprise Delivery account for you.

To help you get started with YubiEnterprise Delivery Console, please see
Yubico's `Getting Started <https://www.youtube.com/watch?v=IHw5Qt-r-qM>`_ video.

Click the following link to activate your account:

**Activate your YubiEnterprise account**

This link expires in 7 days.
Your username is: <new-user@example.com>

This is an automatically generated message from Yubico. Replies are not monitored
or answered.

To delete an Org Member, on the Users tab of the Settings screen, the Org Owner clicks the trashcan icon to the right of the member’s role.

Granular Management of Users

Org Owners can do any of the following:

  • Invite a user to register for YubiEnterprise Delivery
  • Reset a user’s password
  • Change or remove a user’s role
  • Remove a user from an org
  • Ask customer support to suspend a user

User Status

The actions listed above put the user into one of the following states:

Active:

The user is operational.

Inactive:

A user who is not a member in any org. This state is automatically entered when a user who is part of a single org is removed from that org. Any API token the user has is deleted. All user credentials are reset. If an inactive user tries to log in, they get the userID / password invalid message. When any org owner adds this user to any org, they move from the Inactive state to the Invited state.

Reset:

The user needs to re-register.

Invited:

An invitation to register has been sent to the user, but they have not yet responded.

Suspended:

To disable a user’s YED access in response to a security concern, contact customer support to have that user suspended. Only Yubico can put a user into this state or move them out of it. Any API token the user has is deleted, and login credentials are reset.

Putting users into this state does not alter their org mappings; in other words, from the perspective of Yubico, they still exist, so if their access is re-instated, nothing further needs to be done.

All owners of the user’s org receive an email notifying them that this user is suspended and that these owners must contact customer support for re-activation, since they themselves cannot edit this user at all.

If a suspended user tries to log in, they get the userID / password invalid message.

To use these controls, navigate to Settings > Users and click the Edit icon to the right of the username. Each action and its consequences are fully explained in the GUI.

Managing Your Own Profile

To manage your own login credentials and API tokens, click on the profile icon (the green button with your initials) on the top right of any page. The profile page appears, showing your username and a button for each option.

If you have login credentials for more than one organization, the Authentication field lists those organizations. To change from one organization to another, click on the name of the desired organization.

Managing Login Credentials

Important

There is no going back if you click Manage Login Credentials: you must enter your current password. If you do not know your password, you will be automatically logged out immediately, and you will need to request a new password from your administrator.

To change your own password, click Manage Login Credentials, enter your current password, then your new password and confirm that new password by re-entering it.

Adding WebAuthn Credentials

To add WebAuthn credentials (register a security key), click your login icon - your initial - on the top left of any screen, then click Manage login credentials. The Account page is displayed:

[Figure: Account page with WebAuthn credentials]

Click Add, and the ensuing dialog prompts you to insert a security key, then asks you if you will allow the YubiEnterprise Delivery site (the console) to “see” that key. Click Allow. In the screenshot above, the item registered as Authenticator is actually a YubiKey from the 4 Series; the YubiKey 5Ci was used for the first time.

Managing API Tokens

For information on API tokens and the relevant guidelines, see API Onboarding Playbook and Best Practices, respectively.

Managing Others’ Profiles

Viewing Org Members’ Details

All roles can view the Users tab of the Settings screen, which displays the email address of each Org Member and that person’s role. The screenshot below shows the Owner’s view. Admins and Auditors do not see the controls for downloading CSV files or adding new members.

[Figure: Org Owner’s View of Settings Tab]

Downloading Org Member Details Spreadsheet

Org Owners can download a list of all the Org Members and their details in the form of a spreadsheet by clicking Download CSV from the Users tab of the Settings screen.

Editing an Org Member’s Details

An Org Owner can change the role of an Org Member and edit their email address by deleting and then re-adding the member.

Resetting Passwords

An Org Owner can reset an Org Member’s password by clicking the blue paper airplane icon next to the red trashcan icon.


To file a support ticket with Yubico, click Support.