This page describes how Service Providers can send user inheritance requests. If your account is managed by a Service Provider, see User Inheritance for Managed Accounts.
User inheritance enables Service Providers to request that managed accounts inherit an AuthPoint user from the Service Provider account. If the managed account approves the request, the specified Service Provider users are added to the managed account and can authenticate to resources for that account. This makes it easier for Service Providers to help manage accounts for their customers. You might do this if you manage AuthPoint services for a customer, or if you need access to troubleshoot protected resources for an account you manage.
You cannot send user inheritance requests to a delegated account.
You can request that managed accounts inherit these types of user accounts:
- Local AuthPoint users
- LDAP and Active Directory users
- Azure Active Directory users
Managed accounts do not have to configure an external identity or a Gateway to inherit users synced from an external user database.
Inherited users do not use an AuthPoint user license in the managed account.
User Inheritance Process Overview
Here is an overview of the user inheritance process:
- A Service Provider sends a user inheritance request to one or more managed accounts.
- An operator from the managed account approves the user inheritance request. The operator must select which AuthPoint groups to add the inherited user to.
- AuthPoint adds the inherited user to the managed account. The inherited user can authenticate to the resources of the managed account based on the authentication policies for their user group(s).
- An operator from either the Service Provider account or the managed account can end the user inheritance at any time.
When you configure user inheritance, be aware of these rules:
- Service Providers cannot send user inheritance requests to a delegated account.
- Service Providers cannot add an inherited user to an account that already has a user account with the same user name or email address.
- The AuthPoint Inherited Users feature must be enabled for both the Service Provider account and the managed account that will inherit the user.
- Service Providers can only send a user inheritance request to managed accounts with an active AuthPoint license.
- If a managed account adds a new user with the same user name or email address as an inherited user, AuthPoint deletes the inherited user.
- For inherited LDAP users, AuthPoint sends the LDAP user credentials to the external user database of the Service Provider for validation. If the managed account uses the agent for Windows, RD Web, or ADFS, AuthPoint only validates the second factor.
- If you delete an inherited user in your Service Provider account, AuthPoint removes the inherited user from all managed accounts that inherit that user.
- If you block an inherited user or their tokens in the Service Provider account, AuthPoint also blocks the user or token in all managed accounts that inherit the user.
- Operators from the managed account cannot block an inherited user or the tokens of an inherited user.
Send a User Inheritance Request
If you have a Service Provider account and you want one or more of your managed accounts to inherit one of your AuthPoint users, you can send a user inheritance request to the managed accounts. Each account that accepts the user inheritance request will inherit the AuthPoint user account.
You must send a separate user inheritance request for each user that you want a managed account to inherit.
You see and manage user inheritance requests from the AuthPoint management UI.
To send a user inheritance request:
- Log in to WatchGuard Cloud.
- Select your Subscriber account from Account Manager.
- From the navigation menu, select Configure > AuthPoint.
The AuthPoint Summary page opens.
- Select User Inheritance.
The User Inheritance Requests page opens.
- Click Send User Inheritance Request.
- From the Users to Inherit drop-down list, select the AuthPoint user account you want your managed account(s) to inherit. To search for a specific user, type a name or user name.
Additional fields appear.
- From the list of accounts, select the managed accounts that you want to inherit this user. If you select more than one account, after you send the request, you must manage the user inheritance for each account separately.
- Click Send Request.
AuthPoint sends a user inheritance request to each of the selected accounts. An operator from the managed account chooses whether to accept or reject the request. If the operator accepts the user inheritance request, they must choose which AuthPoint groups to add the inherited user to. The groups that the inherited user belongs to determine which authentication policies apply to the user and which resources of the managed account the inherited user can authenticate to.
Inherited users use their existing tokens for authentication.
AuthPoint sends you a notification when a managed account accepts or rejects the user inheritance request. You can also see the status of your user inheritance requests in the User Inheritance Requests list.
- Pending — The managed account has not responded to the user inheritance request.
- Rejected — The user inheritance request has been rejected and the user has not been inherited by the managed account.
- Accepted — The user inheritance request has been approved and the inherited user has been added to the managed account.
Managed accounts can also choose to delete a pending user inheritance request. User inheritance requests and inherited users that are deleted do not appear in the User Inheritance Requests list.
End User Inheritance
To end user inheritance and remove the inherited user from a managed account:
- From the AuthPoint management UI, select User Inheritance.
The User Inheritance Requests page opens.
- From the User Inheritance Requests list, click the delete icon next to the user that you want to end user inheritance for. If multiple managed accounts inherit the user, the list includes a separate item for each account. Make sure that you delete the user inheritance for the correct managed account.
The Remove Inherited User window opens.
- To confirm that you want to delete the user inheritance, click Yes.
AuthPoint removes the inherited user from the managed account. AuthPoint sends a notification to the managed account to let them know that the inherited user has been removed from their account.