A User must successfully authenticate, using a valid InfraLink User Account, to access InfraLink data and functionality. Once authenticated, the functionality and data available to the User are controlled by the Roles and Permissions assigned to the User Account. See User Roles for more information on User Roles. Please note, the User Account, as well as the assigned Roles and Permissions, apply to the InfraLink web interface and mobile application.
This article describes the features and functionality an Instance Administrator may rely on to manage InfraLink User Accounts.
Authentication Providers/Methods
Before granting access to the InfraLink resources, all users are verified with strong multi-factor authentication. Typically, this refers to authentication using two or more common authentication factors, such as:
- Something you know (e.g., a password)
- Something you have (e.g., a hardware token)
- Something you are (e.g., biometric)
Single Sign On (SSO)
Users authenticate via a third-party IdP federation service using the SAML 2.0 or OIDC protocols. InfraLink automatically re-routes users to their organization's IdP login page, based on user attributes such as email. The enterprise IdP verifies identity and prompts the user for a second factor, such as:
- SMS to the User's registered mobile device
- Email to the User's registered email address
- Push notification to the Okta Verify mobile app installed on the User's registered mobile device
- Offline software token generated by Okta Verify mobile app installed on the User's registered mobile device
Common Access Card (CAC)/Public Key Infrastructure (PKI)
InfraLink may be configured to authenticate Users using standards-based Public Key Infrastructure (PKI) certificates, such as DOD CACs or, more generally, US Government PIV cards. An InfraLink Instance may support User certificates of different types and/or issued by different Certificate Authorities (CAs). In this scenario, the Instance must be configured with multiple authentication providers of the type "PKI", where each provider is associated with the specific certificate type and root CA.
Using PKI-based authentication (e.g., authenticating Users via DOD CAC) satisfies the MFA requirements, as the User must provide a PIN (i.e., something you know) to access the certificate stored on the card (i.e., something you have). InfraLink relies on the Online Certificate Status Protocol (OCSP) to query the OCSP responders associated with the CA/user certificate and verify that the presented certificate, although otherwise valid, has not been revoked.
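The checks a relying party makes on an OCSP answer before trusting a certificate, as an added example (not InfraLink code) using the Python `cryptography` package. The CA, user certificate and responses are constructed in the script, all function names are hypothetical, and the response is assumed to be signed directly by the issuing CA; a delegated responder certificate would need its own validation.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
GOOD, REVOKED = ocsp.OCSPCertStatus.GOOD, ocsp.OCSPCertStatus.REVOKED

def utcnow():  # naive UTC datetime, accepted by the builders used below
    return datetime.now(timezone.utc).replace(tzinfo=None)

def make_cert(cn, pub, issuer_cn, signer):  # constructed certificate, sample data only
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(pub).serial_number(x509.random_serial_number()).not_valid_before(utcnow())
            .not_valid_after(utcnow() + timedelta(days=30)).sign(signer, hashes.SHA256()))

def make_response(cert, ca, ca_key, status, age=timedelta(0)):  # stands in for a live responder
    t = utcnow() - age
    return (ocsp.OCSPResponseBuilder().add_response(
        cert=cert, issuer=ca, algorithm=hashes.SHA256(), cert_status=status,
        this_update=t, next_update=t + timedelta(hours=1),
        revocation_time=t if status is REVOKED else None, revocation_reason=None)
        .responder_id(ocsp.OCSPResponderEncoding.HASH, ca).sign(ca_key, hashes.SHA256()))

def check_revocation(resp, cert, issuer):  # "accept" only for a fresh, CA-signed GOOD answer
    if resp.response_status is not ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "reject: responder error"
    try:  # the answer must be signed by the CA that issued the certificate
        issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        return "reject: bad signature"
    if resp.serial_number != cert.serial_number:  # answer must be about this certificate
        return "reject: wrong certificate"
    if resp.next_update is None or resp.next_update < utcnow():  # replayed or expired answer
        return "reject: stale response"
    if resp.certificate_status is not GOOD:  # REVOKED and UNKNOWN both fail closed
        return "reject: " + resp.certificate_status.name.lower()
    return "accept"

def demo():  # constructed keys and certificates, generated fresh on every run
    ca_key, rogue_key, user_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = make_cert("Constructed CA", ca_key.public_key(), "Constructed CA", ca_key)
    rogue = make_cert("Rogue CA", rogue_key.public_key(), "Rogue CA", rogue_key)
    user = make_cert("Constructed User", user_key.public_key(), "Constructed CA", ca_key)
    cases = {"good": (ca, ca_key, GOOD), "revoked": (ca, ca_key, REVOKED),
             "stale": (ca, ca_key, GOOD, timedelta(hours=2)), "forged": (rogue, rogue_key, GOOD)}
    return {k: check_revocation(make_response(user, *a), user, ca) for k, a in cases.items()}
```

Calling `demo()` returns one verdict per constructed case; only the fresh, CA-signed GOOD response is accepted.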
Multiple Authentication Providers can be configured for a single InfraLink Instance. However, an individual User Account can be associated with only one authentication method. Users must specify the correct Authentication Provider/Domain every time they sign in to the application.
Accounts Grid View
User Accounts are managed via the Accounts grid view, which employs the standard viewing pane layout. To access the Accounts grid view:
- From the top-level navigation bar, select the Configure menu.
- Select Accounts to open the Accounts grid view.
The Accounts grid view provides access to all User Accounts, though some statuses (e.g., Inactive, Disabled) may be hidden by default filter settings. Adjust and apply the "User Status" filter to display User Accounts in all desired statuses. The view also supports data export. See Exporting Data from Grid Views for more information.
Filters - Filters along the left side of the view allow users to refine the User Account records displayed within the grid view.
User Details Panel - Selecting any User from the Accounts grid view will open the corresponding User Details panel along the right side of the viewing pane. The User details panel displays the User attributes and updates associated with that account, along with the Administrator tools for modifying the same.
Creating User Accounts
User Account Requests
Most often, a User Account is initiated by the individual who is requesting an account. See Accessing InfraLink for more information.
NOTE: An account relying on a PKI authentication method must be initiated by the requesting individual, using the PKI credential.
Administrator-Initiated Accounts
In some circumstances, an Administrator with adequate permissions may initiate the User Account in the following manner:
- From the top-level navigation bar, select the Configure menu.
- Select Accounts to open the Accounts grid view.
- Select the Create User menu from the top of the view.
- Select User Account.
- Select the appropriate authentication method from the Authentication Provider/Domain drop-down menu.
  - This selection will determine the fields displayed in the New User form.
  - PKI will not be listed as an option, as accounts relying on a PKI authentication method must be initiated by the requesting individual, using the PKI credential.
- Populate all required data fields, ensuring the accuracy of each field entry.
- Populate any optional fields for which information is available.
- Select the Create User button at the bottom right corner of the form.
Approving/Rejecting New User Account Requests
With each New User Account Request, InfraLink will generate email notifications to the appropriate Instance Administrators, who are responsible for the thorough review and appropriate action on each request received.
User Management Permissions
When a new User Account is requested, email notification is sent to all administrative Users with the Users → Administrative → User Management - Update Permission.
Upon receiving notification of a new User Account request, the administrative user should:
- Follow the link provided in the email notification.
  - This may require user authentication.
- Review the request via the User details panel, including the justification listed in the Description.
  - Note: If the justification is insufficient and/or you are not familiar with the prospective User, contact the prospective User and/or supervisor to validate the request. Do not activate the User Account unless you have sufficient rationale/justification.
- If there is sufficient rationale/justification for the account:
  - Use the status transition menu at the top of the User details panel, located just below the User's name and current status (i.e., Requested).
  - Select Activate.
  - You will be prompted to enter a reason for the status change. Enter a reason(s) in the text field.
  - Click OK to activate the User Account.
  - Note: You must next assign the appropriate Role(s) to the User Account, per the Assigning Roles to User Accounts guidance.
- Alternatively, if you determined that access should not be granted:
  - Use the status transition menu at the top of the User details panel, located just below the User's name and current status (i.e., Requested).
  - Select Reject.
  - You will be prompted to enter a reason for the status change. Enter a reason(s) in the text field.
  - Click OK to reject the User Account Request.
Disabling and Terminating Existing User Accounts
Whether purging the Instance of inactive accounts or addressing employee reassignments and terminations, there are occasions when you will need to disable or terminate a User Account, depending on the scenario.
- Disable - When disabled, the User's credentials will no longer provide access to the Instance. A disabled User Account can be reactivated and restored to use.
- Terminate - When terminated, the account is permanently disabled. A terminated User Account can never be reactivated or restored to use.
Disabling User Accounts
To disable a User Account:
- Access the Configure menu from the top-level navigation toolbar.
- Select Accounts to open the Accounts grid view.
- Select the desired User Account.
  - Note: You may have to apply "User Status" filters within the Filters panel to display the desired User Account, as it may be hidden by default filter settings.
- Use the status transition menu at the top of the User details panel, located just below the User's name and current status.
- Select Disable.
- You will be prompted to enter a reason for the status change. Enter a reason(s) in the text field.
- Click OK to disable the User Account.
Note: To display or access a deactivated User Account in the future, you must apply the "Disabled" User Status filter in the Accounts grid view.
Terminating User Accounts
To terminate a User Account:
- Click Configure within the top-level navigation toolbar.
- Select Accounts from the drop-down menu. This will open the Accounts grid view.
- Select the desired User Account. Note: You may have to apply "User Status" filters within the Filters panel to display the desired User Account within the grid view.
- Click Change Status, located at the top of the grid view and select Terminate from the drop-down options.
- You will be prompted to enter a reason for the status change. Enter a reason(s) in the text field.
- Click OK.
- You will receive a warning message, "Terminated accounts can never be used again for authentication. Do you want to continue?"
- Click Yes to terminate the User Account.