Question
In an environment where an Access Control policy is enabled, a newly added user may be unable to log in because of the access control restrictions. What configuration is required?
Answer
This article explains the initial login procedure for adding new users in environments where Access Control access policies are enabled.
Since new users have not yet set up a Device Certificate or OTP (One-Time Password), they may not be able to log in under the same authentication policy as existing users. This article introduces an operational method in which a temporary access policy is applied only for the initial login, and the user is moved to the official policy once the required setup is complete.
Using an Access Policy for Initial Login
This section describes how to create an Access Policy Group (APG) that is applied only during the initial login for new users. After logging in for the first time, users set up their Device Certificates and OTP, and are then transitioned to the official APG once setup is complete.
Procedure
- Create a temporary APG dedicated to new users.
  [Access Control] Create / Edit Access Policy Group
- Configure the temporary APG with only the conditions required for initial login. For example, set conditions that do not require Device Certificate authentication or OTP authentication.
- Create the new user and assign the temporary APG.
  [Access Control] Create / Edit New User
- Provide the user with their ID and password, and have them perform the initial login.
- After logging in, have the user set up their Device Certificate and OTP.
  [Device Certificate] Device Certificate Installation Procedures
  [Access Control] Setting Up OTP (One-Time Password) with an Application
  [Access Control] Setting Up OTP (One-Time Password) via Email
- Once you have confirmed that the Device Certificate and OTP setup is complete, switch the user to the official APG.
Operational Points
- Use the temporary APG exclusively for initial login, and remove users from it after setup is complete.
- After switching to the official APG, be sure to confirm that the user has been removed from the temporary APG.
- If an existing session remains after switching APGs, perform a forced logout as needed to apply the new authentication conditions.
[Access Control] How to Force Logout a User
Supplement: Using Emergency OTP
If only the OTP setup is the obstacle, the initial login can also be performed using an emergency OTP issued by the administrator.
When using an emergency OTP, share it via a secure channel other than email (such as chat or SMS). After logging in, have the user complete their own OTP setup.
If Device Certificate authentication is also required, you must distribute and install the Device Certificate before using the emergency OTP.
For more details, please refer to the following article.
[Access Control] OTP Issuance Method and Expiration