Managing User Accounts
You can manage users and user accounts as follows:
- Enable or Disable a User Account
- Locked User Accounts
- Move Users Between Security Domains
- Enable Users to Update Phone Numbers and E-mail Addresses
Enable or Disable a User Account
When you enable a user account, the user can authenticate and access protected resources.
To authenticate users to a directory server, you must enable the user in both the directory server and in the Security Console. Only users who are enabled in the directory server can authenticate to the directory server.
When you disable a user account, you suspend the user's permission to authenticate, which prohibits access to protected resources. You might disable users who take an extended absence, and then enable these users when they return to work.
Disabling a user does not delete the user from the identity source. Any tokens assigned to the user remain assigned while the account is disabled.
If you want to disable a user in an LDAP directory that is linked to RSA AM, you must use the native LDAP directory interface.
Procedure
In the Security Console, click Identity > Users > Manage Existing.
Use the search fields to find the user that you want to enable. Some fields are case sensitive.
Click the user that you want to enable, and select Edit.
Under Account Information, clear Account is disabled.
To disable a user account, under Account Information, select Account is disabled.
Click Save.
Locked User Accounts
When a user account is locked, the user cannot authenticate and access protected resources. A user account can be locked in two ways:
- Lockout policy. This policy locks a user account if authentication fails a specified number of times using the primary authentication method. Lockout policies apply to the total number of logon attempts a user makes, regardless of the type of credential used for each attempt.
  Note: If the lockout policy is configured to unlock a user after a certain period of time, the user is unlocked when the time expires. However, the Locked Out field in reports continues to show “True” (locked) for the user until the next successful authentication.
- Token policies. Token policies determine RSA SecurID PIN lifetime and format, and fixed passcode lifetime and format. They are assigned to security domains and apply to all tokens assigned to users managed by a given security domain. If a user enters an incorrect tokencode a specified number of times, the user is locked out.
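The lockout policy note above means that a report can show a user as locked after the timed lockout has already lapsed. The following Python model is an added illustration, not RSA code and not part of the original documentation. The class and field names are hypothetical, and it assumes that the account locks when the failure count reaches the threshold and that the counter resets when a timed lockout expires.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    max_failures: int                 # failed attempts allowed before lockout (assumed >=)
    auto_unlock_secs: Optional[int]   # None = an administrator must unlock manually

@dataclass
class Account:
    failures: int = 0
    locked_at: Optional[float] = None
    report_locked_out: bool = False   # models the Locked Out field shown in reports

def is_locked(acct, policy, now):
    """Effective lock state: a timed lockout lapses once the period has passed."""
    if acct.locked_at is None:
        return False
    if policy.auto_unlock_secs is None:
        return True
    return now - acct.locked_at < policy.auto_unlock_secs

def authenticate(acct, policy, now, credential_ok):
    """One logon attempt; returns True when the user is authenticated."""
    if is_locked(acct, policy, now):
        return False                  # refused while locked, whatever the credential
    if acct.locked_at is not None:    # timed lockout has expired (reset is an assumption)
        acct.locked_at, acct.failures = None, 0
    if credential_ok:
        acct.failures = 0
        acct.report_locked_out = False  # report flag clears only on a successful logon
        return True
    acct.failures += 1                # every failure counts; credential type is ignored
    if acct.failures >= policy.max_failures:
        acct.locked_at = now
        acct.report_locked_out = True
    return False

def demo():
    """Constructed timeline: 3 failures, then the 900 s lockout expires, then success."""
    policy = LockoutPolicy(max_failures=3, auto_unlock_secs=900)
    acct = Account()
    for t in (0, 10, 20):             # three consecutive failed attempts
        authenticate(acct, policy, t, credential_ok=False)
    during = (is_locked(acct, policy, 60), acct.report_locked_out)
    after_expiry = (is_locked(acct, policy, 1000), acct.report_locked_out)
    authenticate(acct, policy, 1001, credential_ok=True)
    after_success = (is_locked(acct, policy, 1001), acct.report_locked_out)
    return during, after_expiry, after_success
```

Each tuple returned by demo() is (effectively locked, shown as locked in reports). The middle tuple is the case to expect when reviewing a locked-users report under a policy that unlocks automatically.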
View Locked Users
You can view a list of locked users.
Procedure
In the Security Console, click Identity > Users > Manage Existing.
In the For search field, select Locked Out Users.
Click Search.
Unlock a User
RSA AM locks out users who violate the lockout policy. Locked out users cannot authenticate until they are unlocked.
The lockout policy specifies the number of failed authentication attempts allowed before the system locks the account. A lockout policy can unlock users after a specific time period, or you can require an administrator to manually unlock the user.
Procedure
In the Security Console, click Identity > Users > Manage Existing.
Use the search fields to find the user that you want to unlock. Some fields are case sensitive.
Click the user that you want to unlock, and select Edit.
Under Account Information, go to Locked Status, and clear all options that are selected.
Click Save.
Move Users Between Security Domains
You can manually move users whose accounts are stored in the internal database to other security domains. You can also move user groups.
When you move users to another security domain, the policies for the new security domain take effect immediately. Also, after you move users, only administrators with permissions to manage users in that security domain can manage the users you moved.
When you move users, consider that users who are enabled for risk-based authentication (RBA) before the move retain their RBA user settings after the move. If users are disabled for RBA before the move, the users remain disabled for RBA after the move.
You can automatically move LDAP directory users to other security domains by mapping directory objects, such as organizational units, to the security domain of your choice. AM uses security domain mappings to add users to the appropriate security domain when new user records are added to the database.
Procedure
In the Security Console, click Identity > Users > Manage Existing.
Use the search fields to find the users that you want to move. Some fields are case sensitive.
Select the users that you want to move.
From the Action menu, select Move to Security Domain, and click Go.
From the Move to Security Domain drop-down list, select the security domain where you want to move the user.
Click Move.
Enable Users to Update Phone Numbers and E-mail Addresses
You can configure the Self-Service Console to allow users to update their destination phone numbers and e-mail addresses for on-demand tokencode delivery.
Note the following:
- Users can update their phone numbers and e-mail addresses only if this information is stored in the internal database.
- All user attributes that are stored in an external identity source are read-only. Users cannot modify this information through the Self-Service Console.
- Required fields are editable.
Before you begin
Configure AM to display the Change Delivery Option link on the Self-Service Console. The link displays on the My Account page when the user is enabled for on-demand authentication.
Verify that at least one attribute (either SMS phone number or e-mail address) is editable and viewable, or that both attributes (SMS phone number and e-mail address) are viewable, but not editable.
Procedure
In the Security Console, click Setup > Self-Service Settings.
Under Customization, click User Profile.
From the Choose an Identity Source drop-down list, select Internal Database.
Click Next.
Do one or both of the following:
To enable users to update a phone number:
Under Custom Attributes, select View and manage user profile attribute details for Mobile Number.
From the Make Field (for Update Profile) drop-down list, select Editable.
For Display Label, accept the default label or replace it with one of your own.
To enable users to update an e-mail address:
Under Core Attributes, select View and manage user profile attribute details for Email.
From the Make Field (for Update Profile) drop-down list, select Editable.
For Display Label, accept the default label or replace it with one of your own.
Click Save.