A User must successfully authenticate, using a valid InfraLink User Account, to access InfraLink data and functionality. Once authenticated, the functionality and data available to the User is controlled by the Roles and Permissions assigned to the User Account. See User Roles for more information on User Roles. Please note, the User Account, as well as the assigned Roles and Permissions, apply to the InfraLink web interface and mobile application.

This article describes the features and functionality an Instance Administrator may rely on to manage InfraLink User Accounts.

Authentication Providers/Methods

Before granting access to the InfraLink resources, all users are verified with strong multi-factor authentication. Typically, this refers to authentication using two or more common authentication factors, such as: 

  • Something you know (e.g., a password)
  • Something you have (e.g., a hardware token)
  • Something you are (e.g., biometric)

Single Sign On (SSO)

Users authenticate via third-party IdP federation service using SAML 2.0 or OIDC protocols. InfraLink automatically re-routes users to their organization's IdP login page, based on user attributes such as email. The enterprise IdP verifies identity and prompts the user for a second factor, such as: 

  • SMS to the User's registered mobile device
  • Email to the User's registered email address
  • Push notification to the Okta Verify mobile app installed on the User's registered mobile device
  • Offline software token generated by Okta Verify mobile app installed on the User's registered mobile device

Common Access Card (CAC)/Public Key Infrastructure (PKI)

InfraLink may be configured to authenticate Users using standards-based Public Key Infrastructure (PKI) certificates, such as DOD CACs or, more generally, US Government PIV cards. An InfraLink Instance may support User certificates of different types and/or issued by different Certificate Authorities (CAs). In this scenario, the Instance must be configured with multiple authentication providers of the type "PKI", where each provider is associated with the specific certificate type and root CA.

Using PKI-based authentication (e.g. authenticating Users via DOD CAC) satisfies the MFA requirements, as the User must provide a PIN (i.e., something you know) to access the certificate stored on the card (i.e, something you have). InfraLink relies on the Online Certificate Status Protocol (OCSP) to query the OCSP responders associated with the CA/user certificate and verify that the presented valid certificate has not been revoked.

Multiple Authentication Providers can be configured for a single InfraLink Instance. However, an individual User Account can be associated with only one of authentication method. Users must specify the correct Authentication Provider/Domain every time they sign in to the application.

Accounts Grid View

User Accounts are managed via the Accounts grid view, which employs the standard viewing pane layout. To access the Accounts grid view:

  1. From the top-level navigation bar, select the Configure menu.
  2. Select Accounts to open the Accounts grid view.

The Accounts grid view provides access to all User Accounts, though some statuses (e.g., Inactive, Disabled) may be hidden by default filter settings. Adjust and apply the "User Status" filter to display User Accounts in all desired statusesn. The view also supports data export. See Exporting Data from Grid Views for more information. 

Filters - Filters along the left side of the view allow users to refine the User Account records displayed within the grid view.

To maintain the security posture of your InfraLink instance, it is necessary to perform periodic reviews of the User Account database. Grid view filtering options enable important review and auditing features.

  • Filtering by Role Scope and Role allows you to identify and review accounts with elevated global or Contract-level Permissions. Once you identify accounts with broad permissions, you can review the User Details for each to ensure that the assigned permissions are consistent with the justification/rationale. 

    • Note: To determine which roles should be used for this review, you may need to rely on the "Included Permissions"/"Excluded Permissions" filters of the InfraLink role list. See User Roles for more information.

  • Filtering by Last Login allows you to identify Users whose last login occurred during a specified interval. The filter offers predefined intervals (e.g., last week, last month, past 6 months) and also supports custom date ranges. Once identified, inactive accounts can be deactivated using the Change Status controls. See the "Deactivating and Termination Accounts" section below for more information.

  • Filtering by Rules Accepted allows you to identify all Users who accepted the Acceptable Use Policy (AUP) at the time of registration

    • Applies only if the AUP feature is enabled on your instance.


User Details Panel - Selecting any User from the Accounts grid view will open the corresponding User Details panel along the right side of the viewing pane. The User details panel displays the User attributes and updates associated with that account, along with the Administrator tools for modifying the same.

  • User Name - Each account must include standard attributes, such as first name, last name.
  • Account Status - The User Account's current status is displayed at the top of the details panel.
    • Change Status - An action button below that status allows an administrator with sufficient permissions to activate, deactivate, reject, disable or terminate the selected account
  • Login Name - Each User Account must have a unique Login Name. The Authentication Provider selected for the account may impose additional requirements on the Login Name, such as:
    • If the account is configured to use PKI, the Login Name must correspond to the information in the user certificate.
    • If the account is configured to use an external OpenID Connect provider, the Login Name must be the User's email address registered with the OpenID Identity Provider (IDP).
  • Last Login - displays the date and time of the last successful login; useful  for troubleshooting and account activity review purposes
  • Access log - provides direct access to the InfraLink access log, filtered to show the activity associated with the selected account
    • Note: The log displays successful and unsuccessful login attempts along with their respective time stamps, client type (mobile or web), and additional information, such as remote IP address
  • Action Log - provides direct access to the InfraLink action log, filtered to show the activity associated with the selected account
  • User Contacts - Each account must include standard attributes, such as email.
  • Roles - displays assigned Roles and allows an administrator with sufficient permissions to add and remove Roles
  • Work Progress Notifications - lists Notifications the User is presently subscribed to and allows an administrator with sufficient permissions to modify (add/remove) Notification subscriptions
  • Organizations - displays User's Organization associations and allows an administrator with sufficient permissions to modify (add/remove) Organization associations
  • Updates - Logs each update made to that User Account with timestamp and attribution

Creating User Accounts

User Account Requests

Most often, a User Account is initiated by the individual who is requesting an account. See Accessing InfraLink for more information.

NOTE: An account relying on a PKI authentication method must be initiated by the requesting individual, using the PKI credential.

Administrator-Initiated Accounts

In some circumstances, and Administrator with adequate permissions may initiate the User Account in the following manner:

  1. From the top-level navigation bar, select the Configure menu.
  2. Select Accounts to open the Accounts grid view.
  3. Select the Create User menu from the top of the view.
  4. Select User Account.
  5. Select the appropriate authentication method from the Authentication Provider/Domain drop-down menu.
    1. This selection will determine the fields displayed in the New User form.
    2. PKI will not be listed as an option, as accounts relying on a PKI authentication method must be initiated by the requesting individual, using the PKI credential.
  6. Populate all required data fields, ensuring the accuracy of each field entry.
  7. Populate any optional fields for which information is available.
  8. Select the Create User button at the bottom right corner of the form.

Approving/Rejecting New User Account Requests

With each New User Account Request, InfraLink will generate email notifications to the appropriate Instance Administrators, who are responsible for the thorough review and appropriate action on each request received.

User Management Permissions

When a new User Account is requested, email notification is sent to all administrative Users with the Users → Administrative → User Management - Update Permission.

Upon receiving notification of a new User Account request, the administrative user should:

  1. Follow the link provided in the email notification.
    1. This may require user authentication.
  2. Review the request via the User details panel, including the justification listed in the Description.
    1. Note: If the justification is insufficient and/or you are not familiar with the prospective User, contact the prospective User and/or supervisor to validate the request. Do not activate the User Account unless you have sufficient rationale/justification. 
  3. If there is sufficient rationale/justification for the account:
    1. Use the status transition menu at the top of the User details panel, located just below the User's name and current status (i.e., Requested).
    2. Select Activate.
    3. You will be prompted to enter a reason for the status change. Enter a reason(s) in the text field.
    4. Click OK to activate the User Account.
    5. Note: You must next assign the appropriate Role(s) to the User Account, per the Assigning Roles to User Accounts guidance.
  4. Alternatively, if you determined that access should not be granted:
    1. Use the status transition menu at the top of the User details panel, located just below the User's name and current status (i.e., Requested).
    2. Select Reject.
    3. You will be prompted to enter a reason for the status change. Enter a reason(s) in the text field.
    4. Click OK to reject the User Account Request.

Disabling and Terminating Existing User Accounts

Whether purging the Instance of inactive accounts or addressing employee reassignments and terminations, there are occasions when you will need to disable or terminate, depending on the scenario.

  • Disable - When disabled, the User's credentials will no longer provide access to the Instance. A disabled User Account can be reactivated and restored to use.
  • Terminate - When terminated, the account is permanently disabled. A terminated User Account can never be reactivated or restored to use.

Disabling User Accounts

To disable a User Account:

  1. Access the Configure menu from the top-level navigation toolbar.
  2. Select Accounts to open the Accounts grid view.
  3. Select the desired User Account.
    1. Note: You may have to apply "User Status" filters within the Filters panel to display the desired User Account, as it may be hidden by default filter settings.
  4. Use the status transition menu at the top of the User details panel, located just below the User's name and current status.
  5. Select Disable.
  6. You will be prompted to enter a reason for the status change. Enter a reason(s) in the text field.
  7. Click OK to disable the User Account.

Note: To display or access a deactivated User Account in the future, you must apply the "Disabled" User Status filter in the Accounts grid view.

Terminating User Accounts

To terminate a User Account: 

  1. Click Configure within the top-level navigation toolbar.
  2. Select Accounts from the drop-down menu. This will open the Accounts grid view.
  3. Select the desired User Account. Note: You may have to apply "User Status" filters within the Filters panel to display the desired User Account within the grid view.
  4. Click Change Status, located at the top of the grid view and select Terminate from the drop-down options.
  5. You will be prompted to enter a reason for the status change. Enter a reason(s) in the text field.
  6. Click OK.
  7. You will receive a warning message, "Terminated accounts can never be used again for authentication. Do you want to continue?"
  8. Click Yes to terminate the User Account.


  • No labels