User Inheritance for Managed Accounts

Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security

User inheritance enables your Service Providers to request that you inherit AuthPoint users from their account. This makes it easier for Service Providers to help you manage your account. Inherited users do not consume an AuthPoint user license in your account. You do not need available AuthPoint user licenses to inherit a user.

An operator from your account must approve or reject each user inheritance request you receive from a Service Provider.

When you approve a user inheritance request, you select which AuthPoint groups to add the inherited user to. AuthPoint adds the inherited user to your account and the user can authenticate to your resources based on their group membership and the authentication policies that apply.

Inherited LDAP users can only authenticate to your Firebox resources if the Firebox can connect to the LDAP database of your Service Provider. This is because the authentication flow for Firebox resources is different than the authentication flow for RADIUS resources. RADIUS resources (and Fireboxes configured as RADIUS resources) do not need to be able to connect to the LDAP database of your Service Provider.

Inherited users must have an Internet connection to authenticate to computers with the Logon app installed.

If you reject or delete a user inheritance request, AuthPoint does not add the user to your account and the user cannot authenticate to your resources.

When you inherit users from a Service Provider, be aware of these rules:

  • If you add a new user with the same user name or email address as an inherited user, AuthPoint deletes the inherited user from your account.
  • Service Providers manage inherited users. Operators in your account cannot block an inherited user or their tokens.

User Inheritance Process Overview

Here is an overview of the user inheritance process:

  1. A Service Provider sends a user inheritance request to one or more managed accounts.
  2. An operator from the managed account approves the user inheritance request. The operator must select which AuthPoint groups to add the inherited user to.
  3. AuthPoint adds the inherited user to the managed account. The inherited user can authenticate to the resources of the managed account based on the authentication policies for their user group(s).
  4. An operator from either the Service Provider account or the managed account can end the user inheritance at any time.

Approve User Inheritance Requests

You see and manage user inheritance requests from the User Inheritance page. When a Service Provider sends a user inheritance request, you can see the details of the request in the User Inheritance Requests Awaiting Approval list.

To approve a user inheritance request:

  1. Log in to WatchGuard Cloud.
    The WatchGuard Cloud Dashboard page opens.
  2. From the navigation menu, select Configure > AuthPoint. If you are a Service Provider, you must select your Subscriber account from Account Manager.
    The AuthPoint Summary page opens.
  3. Select User Inheritance.
  4. If you have a Service Provider account, select the Approve tab.

Screen shot that shows the User Inheritance Requests page for Service Providers.

  5. In the User Inheritance Requests Awaiting Approval list, next to the user, click and select whether to approve, reject, or delete the user inheritance request.
    • Approve — Approve the user inheritance request and inherit the user in your AuthPoint account.
    • Reject — Reject the user inheritance request. The request remains visible with the Rejected status and your AuthPoint account does not inherit the user. You can delete a rejected request if you do not want to see it in the Approved User Inheritance Requests list.
    • Delete — Delete the user inheritance request. The request does not appear in the list and your AuthPoint account does not inherit the user.

    If you reject or delete a user inheritance request, you cannot approve it later. Your Service Provider must send a new user inheritance request.

Screen shot that shows the menu for a pending user inheritance request.

  6. If you chose to approve the user inheritance request, select the AuthPoint groups to add the inherited user to. The groups that you add the inherited user to determine which authentication policies apply and which of your resources the inherited user can authenticate to.

Screen shot that shows the Select Groups window.

  7. Click Save.

Screen shot that shows the list of completed user inheritance requests.

The user inheritance request is approved and AuthPoint adds the inherited user to your account. You can see and manage the inherited users from the User Inheritance page. Inherited users do not appear in the Users list.

Manage Inherited Users

Service Providers primarily manage inherited user accounts. Operators from your account cannot block an inherited user, and you cannot see or block tokens that belong to the inherited user.

To control which resources an inherited user can access, edit the group membership of the inherited user or the authentication policies that apply to their group(s). If you do not want an inherited user to access your resources but also do not want to remove the inherited user from your account, configure the policies associated with their group(s) to deny authentications.

Related Topics

User Inheritance for Service Providers