User Profile - User Authentication

Admin users can perform these tasks.

• To access a user 's Authentication settings:

  Click USERS > username. The Profile Page (User Name) opens. Locate the User Authentication section.

User Authentication section

Last Signon

Date and time of the user's most recent successful sign-on

Account Status

• To change a user account status:

  Select USERS > username > User Authentication > Account Status > Change Status. On the Change Account Status page, make a selection, add an optional remark, and click Change Account Status.

  Options:

  • Active. User can sign on, and receive notifications. Expiration policies take effect.
  • Inactive. User cannot sign on, cannot receive notifications. Expiration policies take effect.

    Accounts are automatically set to Inactive for reasons such as failure to change a password within an allotted time, or too many incorrect password attempts. Admins can manually set an account to Inactive.

    Admins can manually unlock inactive accounts, or in the case of too many bad password attempts, wait for a timer to unlock the account.

    Accounts locked (set to Inactive) for security reasons are listed on an administrator's home. Email notifications are sent to Admins who have admin notifications set to on.

  • Template. Account cannot sign on, and does not receive email notifications. Not subject to expiration, even if an expiration policy is set on the account.

    Template accounts are typically used as a parent account for user cloning, for manually created users and for users created automatically, such as by an External Authentication source. In these cases, the resulting user has the same expiration policy and other settings as the template account, and are subject to the expiration policy

Expiration Policy

The policy assigned to this user. User accounts can be assigned an expiration policy by class or individually.

• To change a user expiration policy:

  Select USERS > username > User Authentication > Expiration Policy > Change Policy. Make a selection and click Change Expiration Policy.

  Note: If an expired user account is deleted, the user's home folder is automatically deleted, unless another user has explicit permissions to that user home folder.

  • Current Policy Settings - This account will expire... Lists expiration time/date according to current policy. If the account has not yet expired, click Reset Last Signon to restart the policy so that the user has the maximum number of days as defined by the policy.

  Expiration policy for the organization is set in SETTINGS > Security Policies > User Auth > Expiration.

Authentication Source

Lists the source currently used by the user. See Source Options, below.

• Change Source.

  This link is available If the source for the organization is set to External then MOVEit. The admin can also change the user's external authentication source affinity, which determines the external authentication source with which the user primarily authenticates. For more information, see User Authentication.

• To change a user's authentication source:

1. Click USERS > username > User Authentication > Authentication Source > Change Source. The Change Authentication Method page opens.
2. Select an option and click Change Authentication Method.

Source Options:

• External Only. User is authenticated by an external source only. This value:
  • Is automatically applied when the organization is set to use only external sources for authentication.
  • Can be applied to the user when the organization is set to use both external sources and the internal user database for authentication.

  Note: Users who are configured for External Only authentication cannot change their password on the Account Options page. All password changes must take place through the external authentication server.

• External then MOVEit - User is first authenticated by each active external source available to the organization. If all external sources fail, the user is authenticated against the internal user database using a cached copy of the most recently successful external authentication password.

  The External then MOVEit option is available only when the organization is set to use external sources and the internal user database for authentication.

  Users created through the MOVEit Transfer web interface use this authentication source by default, unless the Admin sets a different source for this user.

• MOVEit Only - User is authenticated only by the MOVEit Transfer internal user database.

  The MOVEit Only option is available only when the organization is set to use both external sources and the internal user database for authentication.

For users created automatically by an external authentication signon, the authentication method and authentication source affinity are set automatically. To configure the authentication method applied to users who are created in this manner, configure the authentication method for each external authentication source in the organization. (SETTINGS > Security Policies > User Auth > Auth Method) The authentication source affinity is automatically set to the authentication source that the user was created from.

Note: By changing the authentication method to an external server, you place the responsibility of user security on that server. If your authentication server is compromised, the data contained within MOVEit Automation might also be compromised. If you switch authentication methods to External Only, users must be configured on the external server in order to be able to sign on to MOVEit Transfer.

Change Multi-Factor Authentication Status...

You can exempt, reset, and clear the trusted device lists of specific users. Users > username > User Authentication - Multi-Factor Authentication: Change

• Reset multi-factor authentication. Click Disable. A user that self-opted multi-factor authentication (not enabled by site policy) will return to the default sign-on experience using simple credentials.
• Reset user's trusted device list. Click Forget All. All verified MOVEit Transfer sessions initiated from a given browser on now reset (cleared).
• Exempt users from class policy. Click Exempt this user checkbox and click Save. This user can now belong to a user class where multi-factor authentication is policy but not participate in the policy.

Password

If password aging is enabled, the Password row shows the number of days until password expires, and number of days until an expiration warning is sent to the user.

• To change the user's password:

  Select USERS > username > User Authentication section > Change Password. The Change Password page opens. Make your selections and click Change Password.

Options:

• Password Delivery. Delivery method is set for the organization. See Notes, below
• Suggested Password, New Password. Select Use Suggested Password (default) or Type Custom Password and provide a password. .Maximum password length is 32 characters. Passwords that exceed this length will be truncated.
• Force user to change password on next login checkbox.
  • If you send passwords by email, this checkbox must be selected.
  • If you select this option, and the user is currently suspended because their password expired, an additional checkbox appears to reactivate the user at the same time their password is changed.
• Force user to change password on next login checkbox.
  • If you send passwords by email, this checkbox must be selected.
  • If you select this option, and the user is currently suspended because their password expired, an additional checkbox appears to reactivate the user at the same time their password is changed.
• Password Aging Exemption. Password aging policy is set for the organization. See Notes, below.
  • This user is exempt from password aging. Make a selection and click Change Password Aging Exemption.

    Tip: Consider exempting automated users from password changes, especially any FileAdmin users used by MOVEit Automation to connect to MOVEit Transfer.

• Change Password Permissions. This section appears if the organization password permissions allow end users to reset their own passwords without signing on (request a password change on the sign-on page).
  • Prohibit user from requesting automatic password changes. Make a selection and click Change Password Permissions.

Notes: Password delivery method and permissions are set for the organization in SETTINGS > Security Policies > Password > Permissions.
Password aging policy is set for the organization in SETTINGS > Security Policies > Password > Aging & History

Credentials Required for Access

This section lists the interfaces the user can use to access the MOVEit Transfer server, and the credentials that are required to authenticate.

The username is required for all authentication methods

• To edit permissions and credentials for user, based on interface type:

  Select USERS > username. On the user profile page, go to the User Authentication section. In the Credentials Required for Access row, click Policy for the interface type

  Your selections override, for this user, the organization's default interface policy. Your selections are not preserved if you change the default organization policy and apply changes to all existing users.

  Selections:

  • To manage SSL Client Certs, select HTTP Policy or FTP Policy.
  • To manage SSH Client Keys, click SSH Policy.
  • If there are any pending SSL Client Certs or SSH Client Keys attached to the user that need to be accepted or denied, notes appear under the appropriate sections indicating the number of pending certs and/or keys.

• HTTP Server:
  • Web Interface: Web browser interface.
    • No Access Allowed - The user is not allowed to use this interface.
    • SSL Client Cert OR Password - An SSL client certificate or a password are required.
    • SSL Client Cert AND Password - An SSL client certificate and password are required.
    • SSL Client Cert Only - Only an SSL client certificate is required.
    • Password Only with SSL - A password is required, with or without an SSL client certificate.
  • HTTP Clients: Non-browser HTTP interface, used by other MOVEit clients such as MOVEit Automation and MOVEit Transfer API.
    • No Access Allowed - The user is not allowed to use this interface.
    • SSL Client Cert OR Password - An SSL client certificate or a password are required.
    • SSL Client Cert AND Password - An SSL client certificate and password are required.
    • SSL Client Cert Only - Only an SSL client certificate is required.
    • Password Only with SSL - A password is required, with or without an SSL client certificate.

• FTP Server:
  • Secure (SSL): FTP/SSL interface.
    • No Access Allowed - The user is not allowed to use this interface.
    • SSL Client Cert OR Password - An SSL client certificate or a password are required.
    • SSL Client Cert AND Password - An SSL client certificate and password are required.
    • SSL Client Cert Only - Only an SSL client certificate is required.
    • Password Only with SSL - A password is required, with or without an SSL client certificate.
  • Insecure: Plain-text unencrypted FTP interface.
    • No Access Allowed - The user is not allowed to use this interface.
    • Password Only - A password is required. Requires Non-Secure FTP to be enabled and allowed for the IP addresses for the user. For more information, see FTP Configuration.

• SSH Server: FTP over SSH (SFTP) interface.
  • No Access Allowed - The user is not allowed to use this interface.
  • SSH Client Key OR Password - An SSH client key or a password are required.
  • SSH Client Key AND Password - An SSH client key and password are required.
  • SSH Client Key Only - Only an SSH client key is required.
  • Password Only - Only a password is required.

• Mobile Interface: Mobile App and Mobile Web interface.
  • No Access Allowed - The user is not allowed to use (sign in from) the Mobile App.
  • Password, no caching allowed - A password is required every time to sign in from the Mobile App; the password cannot be cached on the mobile device.
  • Password, optionally cached and protected by PIN code - A password is required; the password can be optionally cached on the mobile device (and if it is, it is required to be protected by PIN code).

    Note: The required PIN length is inherited from the Organization default Required PIN length policy (SETTINGS > Security Policy > Interface > Mobile). For more information, see Security Policies - Interface.

Remote Access Policy

• To specify remote access policy settings for a user:

  Select USERS > username. On the user profile page, go to the User Authentication section. In the Remote Access Policy row, make a selection.

  • Select Ruleset. Options: Use Custom Rules, Use Default Rules. Make a selection and click Change Remote Access Settings.
    • Use Custom Rules - View Custom Rules. The Remote Access Ruleset page opens. Click Add New Remote Access Rule..., define a rule, and click Add Entry.
    • Use Default Rules - View Default Rules.

      Default rules are defined in SETTINGS > Security Policies > Auth Method

    • Return to the full access permit list. Opens the Settings (Security) page for defining all default remote access rules
  • Multiple Signons Allowed. Defines whether a user can sign on from more than one IP address to the same interface

    When multiple signons are prohibited, a user cannot sign on from more than one IP address to the same interface. For example, a browser session for the jsmith user would be allowed from 192.168.1.1, but a second concurrent jsmith browser session from 192.168.2.2 would be refused. At the same time, however, "jsmith" could sign on using an FTP client from 192.168.2.2, because the web and FTP are two different interfaces.

Sections on a User Profile (User Name) page:

• General Settings
• User Authentication
• User Settings
• Group Information
• Address Book Information
• Shared Mailbox Information