|
Go to Help > Account Info. You'll see general information about your account configuration and privileges, a summary of recent and scheduled maps and scans in your account, and a list of scanner appliances in your account.
Select Account Activity below your user name (in the top, right corner). The Account Activity page can help you identify unusual or unauthorized account access. You’ll also have the ability to sign out of other active sessions. We’ll show you when each session was created and the IP address from which the session was established.
If you’re a Manager, you can view account activity for other users by selecting Info or Edit for any user in the users list.
Show me an exampleShow me an example
Go to the Asset Groups section. Assigned asset groups identify IP addresses the user can scan, domains the user can map, and scanner appliances the user can use for scanning the internal network.
Which asset groups can I assign to the user?Which asset groups can I assign to the user?
If the user is part of a business unit, any asset group in the business unit may be assigned. If the user is not assigned to a business unit, any asset group in the subscription may be assigned.
Tell me about the "All" groupTell me about the "All" group
The asset group "All" is a special service-defined asset group. For a user in the Unassigned business unit, the asset group "All" includes all assets in the subscription (IP addresses, domains and scanner appliances). For a user in a business unit, the asset group "All" includes all assets in the business unit.
Can I create a user without asset groups?Can I create a user without asset groups?
Yes. This is especially useful if you want to create a user for the sole purpose of installing scanner appliances and do not want the user to be able to perform other actions.
You start by assigning the user a role which comes with a basic set of permissions, for example the role Scanner allows the user to launch scans and the role Reader allows the user to create reports. Then you can give individual users additional permissions like the ability to create authentication records and add assets. You do this by editing the user's account. The permissions available to each user depend on the user's role. See User Roles and Permissions.
When you create a new user, the user appears on the user accounts list with a status of "Pending Activation". The user will automatically receive a registration email with a secure one-time-only link to the credentials for their new account and login instructions. The registration email is sent to the email address defined in the user's account. The user's status changes to "Active" after logging in for the first time. (Note that users with a "Contact" user role do not receive login credentials, and cannot log in to the application.)
If the new user does not receive the registration email (perhaps because it was sent to an incorrect email address), then any Manager in the account or Unit Manager in the user's business unit (if applicable) can request new login credentials to be sent to the user. First edit the user's account and correct the email address. Then edit the user's account and go to the Password section (under Options) and follow the online prompts to change the password. The user will receive an email with new login credentials.
A Manager can change the password for any user in the subscription. A Unit Manager can do this for users in their business unit. Edit the user, go to Security and click Change to generate a new password. An email will be sent to the user with new login credentials. Important: If the subscription has only one Manager, and that user's password is lost, contact Support.
Note: You can use these special characters while creating user-defined password: ( ) ` ~ ! @ # $ % ^ & * - + = | \ { } [ ] : ; " ' < > , . ? /.
Go to Users > Setup > Security to set advanced password security settings. For example, allow users to define their own passwords, set password expiration, set the number failed login attempts that lock a user's account. Your settings will apply to all user accounts in the subscription.
Go to Users > Setup > Password Never Expires to set the password of API-only access accounts to never expire. The password of such accounts will not expire until a password change request is initiated through the UI or the password change API. Contact your Technical Account Manager or Qualys support to activate this feature for your subscription.
For more information, see Set Security Options: Tell me about password security.
Edit your own user account and go to the Security section. Then choose and answer three secret questions (answers are case-sensitive). Make sure your answers are private, memorable and do not change over time. We'll use this information to help you reset your password if you forget it.
Creating business units (Users > Business Units) lets you configure user access to assets to match your organization's policies and procedures. For example, if you have a group of users in the US and another in the EU, you can create a business unit for each group. Assign the US users and the assets they manage to US business unit and assign the EU users and their assets to the EU business unit. (Business units are not available to Express Lite users)
Tell me about business unit IP allocationTell me about business unit IP allocation
Managers can grant Unit Managers permission to add assets and then also control the number of new IP addresses that Unit Managers can add. To put controls in place, enable the new IP limit feature at the subscription level on the Business Units Setup page (Users > Setup > Business Units) and then define new IP limits for individual business units. Note that you do not have to set a limit for every business unit.
Yes. In an enterprise setting with multiple users and business units, you may at times need to move users from one business unit to another. You can do this by editing the business unit or an individual user. A workflow is provided to assist you with transferring the user's personal configurations and asset groups.
For accounts without AGMS enabled, see the following:
You'll be prompted to choose whether you want to allow the user to keep their configurations and asset groups.
1) Personal configurations - If you do not move a user's personal configurations, they will be deleted. Personal configurations include report templates, option profiles, scheduled scans, scheduled reports and search lists. If you transfer the user's configurations without also moving their asset groups, then report templates, scheduled scans and scheduled reports may need to be modified to reference a new target.
2) Asset Groups - You may allow users to continue to have access to the asset groups from their old business unit.
Asset groups created by Managers will be added to the new business unit without change. The Manager will continue to own the asset group.
Asset groups created by Unit Managers will be copied to the new business unit and renamed. The asset group name for the copied version will be appended with a number. For example, a group called "California" will be renamed "California 1" in the user's new business unit and stay "California" in the user's old business unit."California 1" will be owned by the primary contact for the subscription.
Personal asset groups will be added to the user's new business unit without change, and the user will continue to own them.
3) Affect on Remediation Tickets - Moving users could result in invalid remediation tickets. This is possible if you move a user to a new business unit without also moving their asset groups. If the user has tickets for assets that they can no longer access, then these tickets become invalid. Invalid tickets appear grayed out on the tickets list and an asterisk (*) appears next to the IP address. Invalid tickets should be reassigned to users who can take action on them.
For accounts with AGMS enabled, see the following:
Options to Transfer Personal Configurations and Asset Groups
Edit the user's account, go to User Status and select the "Deactivate this user" check box. (Note - this option only appears when a Manager is editing a user account.) Once deactivated, the user will not be able to log in to the cloud platform.
What happens to the user's stuff? Any schedules owned by the user will be deactivated at the next scheduled launch time. You can prevent this by reassigning the schedules to an active user. Other account settings (such as option profiles, asset groups and reports) will not be affected.
You cannot deactivate the primary contactYou cannot deactivate the primary contact
If a user has primary contact status first assign this status to another user and then deactivate the user. A Manager can do this by going to Users > Setup > Primary Contact.
Deactivating a Contact userDeactivating a Contact user
Users with the Contact user role have one privilege only - to receive email summary notifications. When a Contact's account is deactivated, the Contact will not receive email notifications, regardless of the notification setting.
You can re-activate a user's account - allowing the user to once again log in - by editing the user's account and clearing the "Deactivate this user" check box. This may be necessary if the user is locked out of the account because of too many failed login attempts.
Go to the Users list, identify the user account you want to remove and choose Delete from the Quick Actions menu. You'll have the option to save the user's map and scan results and transfer user configurations to another user in the subscription so they remain available to other users. Just follow the online prompts during the delete workflow.
Learn more about what gets deleted
Who has permission to delete users?Who has permission to delete users?
A Manager can delete any user, and a Unit Manager can delete any user within their own business unit.
What happens to Manager owned objects?What happens to Manager owned objects?
When deleting a Manager or Unit Manager, some business objects are reassigned to the Primary Contact for the business unit or subscription. These objects are reassigned: asset groups, scheduled scans, global option profiles and global report templates. Authentication records are kept but not reassigned since they don't have assigned owners.
Remediation policies with the deleted user set as the assignee are automatically reset to the default assignee "User Running Scan". Remediation tickets currently assigned to the deleted user become invalid and appear grayed out in the tickets list so that they may be manually reassigned to someone else.
There is one primary contact for the subscription and one primary contact for each business unit. You'll see an asterisk (*) next to the name of each primary contact on the Users list. Go to Help > Account Info to escalate support issues to your contact. Want to change the primary contact? Go to Users > Setup > Primary Contact (Managers and Unit Managers).
The primary contact is shown in email notifications by default. You can provide another user to appear in scan email notifications. Learn more about email contacts
The Activity Log is a list of user actions like when a user logged in, launched a scan, edited an asset group, and so on. Managers see all user actions. Unit Managers see actions performed by users in their business unit. Scanners and Readers see their own actions only. Go to Users > Activity Log.
Want to find API logs? From Users > Activity Log, choose the Search option above the data list, and enter "API" in the Details search field. You'll get a list of recorded API activities. The User IP column shows the IP address from which the connection was established.