HDE Access Control Admin Console Guide : User Settings (Access Policy Groups)

This article explains how to configure and customise the settings in the Access Control Admin Console to suit your organisation's environment.

The Access Control Admin Console has three groups of settings: System settings, User settings, and Secure Browser Settings. This article covers only the User settings; the System settings and Secure Browser Settings are described in separate documents.

This guide consists of two components:

1) Users
2) Access Policy Groups

1) Users 

☆ 1 - Log in to your Access Control Admin Console

https://ap.ssso.hdems.com/admin/yourdomain

☆ 2 - Click on "Users" to see the interface for all user settings.

☆ 3 - To add a new user, click on the "New User" button.

☆ 4 - In the "Add New User" interface, fill in the required information.

☆ 5 - To edit an existing user, click on the "Edit" button.

☆ 6 - In the "Edit User" interface, fill in the required information.

☆ 7 - To register or update a number of users at once, click on the "Batch registration / update" button.

☆ 8 - In the "Batch registration / update" interface, you are required to upload a TSV file that contains the user information.

☆ 9 - You can create a spreadsheet based on the sample to create, update or delete multiple users at once.

[Screenshot: sample spreadsheet, columns A to H]

[Screenshot: sample spreadsheet, columns I to M]

After entering the information correctly, upload the .tsv file using the upload interface.

☆ 10 - To download the user list from Access Control, click on the "Download(TSV)" button.

☆ 11 - To delete a user, click on the "Delete" icon.

☆ 12 - Additional information for Office 365.

- All operations related to users shall be done in the Access Control Admin Console, NOT in Office 365.

- Creating, updating and deleting users on Access Control is synchronised with Office 365 periodically (1 hour).

- For a new user created on Access Control and synchronised to Office 365, the system admin may need to fill in additional information, such as:

(i) Assigning an Office 365 License

(ii) Filling in "Job title", "Department", etc.

2) Access Policy Groups 

☆ 1 - Log in to your Access Control Admin Console

https://ap.ssso.hdems.com/admin/yourdomain

☆ 2 - Click on "Access Policy Groups" to see the interface for all Access Policy Group settings. To add a new Access Policy Group, click on the "New Access Policy Group" button; to configure an existing Access Policy Group, click on its edit button.

☆ 3 - The Access Policy Group configuration interface is displayed.

☆ 4 - The following is a breakdown of each component of the Access Policy Group and its configuration options.

(a) Display Name : The Display Name of the Access Policy Group.

(b) Cookie Expires : The time span (in hours) for which the login state is kept, allowing the user to log in without a password, when the user checks "Remember this login" while logging on. The default is 168, which means 1 week. When set to 0, the login state is kept until the browser window is closed.

(c) Condition to allow access : When enabled, users are allowed to access ONLY IF they meet the specified condition.

(d) Condition not to require OTP : When enabled, users are allowed to access without entering a One-Time Password ONLY IF they meet the specified condition. In other words, users who do not meet the specified condition will be required to enter a One-Time Password during the login process.

*This rule is recommended to improve security for users who access the service from an untrusted network or device.

(e) Condition to change OTP secret : When enabled, users are allowed to set up or change the OTP for smartphone using the Access Control User Console ONLY IF they meet the specified condition.

(f) Condition to change OTP notification email : When enabled, users are allowed to set up or change OTP via email using the Access Control User Console ONLY IF they meet the specified condition.

(g) Condition to access to secure browser control panel : When enabled, users are allowed to access the HDE Secure Browser Settings using the Access Control User Console ONLY IF they meet the specified condition.

(h) Condition to change unread email check target : When enabled, users are allowed to change the unread email check target ONLY IF they meet the specified condition.

(i) Condition to allow Desktop/Mobile application access : When enabled, users are allowed to access via specific applications for Desktop and Mobile ONLY IF they meet the specified condition.

The following list consists of the available types of condition:

(a) To allow or deny : true / false

To authorise or restrict the users of the Access Policy Group from performing a certain action, insert true or false into the condition field.

For example, entering "false" in the "Condition to change OTP notification email" field restricts every user from changing the OTP notification email in the Access Control User Console.

(b) To specify And/Or condition : and / or

To add two or more conditions to the condition field, insert and / or between the conditions. "and" requires both conditions to be met and "or" requires only one condition to be met.

For example, two conditions joined with "or" mean that the user is allowed to access if either of the conditions is met.

(c) To exclude certain conditions : not

"not" can be used to exclude certain conditions. For example, Saturday and Sunday can be excluded from the days of the week on which users are allowed to access, with access on weekdays allowed from 10 a.m. to 8 p.m.

(d) To specify allowed network : ip4:xxx.xxx.xxx.xxx

Use this condition to authorise or restrict access for users on a specific network. Please note that the address has to be the public IP address of the targeted network.

(e) To allow specific user : login_name:Username

To authorise a particular user to access a specific control, specify the username in the condition field. For example, the condition can name the user "billgates" as the only user that is allowed to access, followed by "or false", which defines that any other user is restricted from access.

(f) To allow user with Pass-cookie : has_pass:true

To authorise a user with a "Pass-cookie" to gain access, input "has_pass:true" into the condition field.

For example, combined with the network 123.123.123.123, this condition specifies that the users of this Access Policy Group have to either be connected to the network 123.123.123.123 or have obtained the Pass-cookie from a previous successful login session.

(g) To allow user with Pass-cookie that was issued within a specific time period : has_pass_within:hours

To authorise a user with a "Pass-cookie" that was issued within a specific time period to gain access, input "has_pass_within:hours", with "hours" being the number of hours you want to specify.

For example, with 30 hours and the network 123.123.123.123, this condition specifies that the users of this Access Policy Group have to either be connected to the network 123.123.123.123 or have obtained a Pass-cookie that was issued by the system within the past 30 hours.
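The condition terms listed above can be checked offline against sample logins before a policy is saved. The following Python evaluator is an added example, not HDE's code: it covers only the terms listed on this page, and the `Request` fields, the operator precedence (not, then and, then or) and the exact spelling of the sample expressions are assumptions reconstructed from the descriptions above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    """Constructed login context; field names are hypothetical."""
    ip: str
    login_name: str
    pass_age_hours: Optional[float] = None  # None = no Pass-cookie held

def atom(tok: str, req: Request) -> bool:
    """Evaluate one condition term listed on this page."""
    if tok in ("true", "false"):
        return tok == "true"
    key, _, val = tok.partition(":")
    if key == "ip4":
        return ipaddress.IPv4Address(req.ip) == ipaddress.IPv4Address(val)
    if key == "login_name":
        return req.login_name == val
    if tok == "has_pass:true":
        return req.pass_age_hours is not None
    if key == "has_pass_within":
        return req.pass_age_hours is not None and req.pass_age_hours <= float(val)
    raise ValueError(f"unsupported condition term: {tok!r}")

def evaluate(expr: str, req: Request) -> bool:
    """Assumed precedence: not, then and, then or (not stated on the page)."""
    toks, pos = expr.split(), 0
    def term() -> bool:
        nonlocal pos
        if pos >= len(toks) or toks[pos] in ("and", "or"):
            raise ValueError(f"malformed condition: {expr!r}")
        tok = toks[pos]
        pos += 1
        return (not term()) if tok == "not" else atom(tok, req)

    def chain(op: str, operand) -> bool:
        nonlocal pos
        result = operand()
        while pos < len(toks) and toks[pos] == op:
            pos += 1
            rhs = operand()  # always parse the right side, even if result is decided
            result = (result and rhs) if op == "and" else (result or rhs)
        return result
    value = chain("or", lambda: chain("and", term))
    if pos != len(toks):
        raise ValueError(f"malformed condition: {expr!r}")
    return value
```

For a login from an outside network with a Pass-cookie issued 40 hours ago, `ip4:123.123.123.123 or has_pass:true` evaluates to true while `ip4:123.123.123.123 or has_pass_within:30` evaluates to false, which is the practical difference between the two Pass-cookie conditions.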

          