17 Jul 2019

User administration in Collaborate

A System Administrator can manage users associated with Collaborate. Open System Admin from your profile menu, then click User admin:

The User administration section provides several tools for managing existing users. By default, the User administration section displays a search form:

Select filters then click Search.

 

  • Display Name - Enter the display name of the user here.
  • Domain - Type all or part of a domain name, then select from the list. Alternatively, select a domain from in the left pane to add it directly to the text box.
  • Email address - Any part of the email address of the user(s) to be managed: the prefix ("jsmith") or the suffix ("abc.com") or the entire email address.
  • Status - By default, the search will look for active users, but archived users can be located as well. The search can further be filtered to include just locked users.
    • An active user can log in and access their Collaborate account and any sites they have access to.
    • An archived user is no longer permitted to log in and is not a member of any site.
    • An inactive user has had their account suspended but they are not archived. 
    • A locked user is currently locked out from accessing Collaborate because they made too many failed login attempts recently.
  • Created date - Search using the filters to see all users created over a custom time period. 
  • Last login date - Search using the filters to see users' last login dates.
  • Orphaned users - Users who were added to at least one site in the past but now have been removed from every site. An orphaned user can log in to Collaborate, but they will not have access to any content.
  • User roles - limit the search to the selected admin roles.
  • Never logged in - Users who were added to at least one site but never confirmed their account and never logged in, either because no invitation was sent, the user ignored an invitation that was sent, or the email invitation was trapped in the user's spam filter. (Inactive users are not the opposite of Active users.)
  • User registered for 2FA with app - Search for users who have registered for 2FA with an app.
  • User type - limit the search to the selected account type: All, Internal, External or Basic.
  • Users granted bypass of XSS protection - Filter for users with permission to add custom javascript to a site.

When the search is performed, a list of matching users is displayed at the bottom of the page:

As of October 2022, you can change the order of the search results to follow the Last login dates. Click the sort icon next to Last login to sort the results in ascending order; click again to change to descending order.

This is helpful when finding users that have not logged in for a long time, so that they may be Archived.

Individual user actions

Above the list of users returned by the search is a group of buttons indicating different actions that can be taken with individual users. To take an action, check the box next to a user and select the appropriate action.

Although a checkbox is shown next to each user, many actions can be taken but only for one user at a time.

  • Reset - Reset emails a reset password link to the user(s) selected.
    As with all password reset requests, the user's password will not be reset until the user clicks on the link in the email and then enters a new password on the reset password screen.
  • Invite - Invite will send out an email invitation to the selected user(s). This invitation will contain a link that allows the user to activate their account. If the user's account has already been activated, the link will merely take the user to the login page.
  • Roles - The Roles action allows a System Administrator to give the selected user certain system-level roles. The roles available are a function of whether the user is an internal or external user, and if they can bypass XSS protection.
    • External Users - External users are users associated with organisations that do not maintain the instance of Collaborate. For external users, there are 2 choices available: External Admin and External User. Do not uncheck the box next to External User. Currently, making a user an External Admin does not grant them any extra rights.

    • Internal Users - Internal users are users associated with the organisations that maintain the instance of Collaborate. (This determination will be made automatically if the user's email domain is associated with the internal organisation.)

       

For internal users choose an option:

  • System Admin - These users have full control over the system, can create new sites and can access any site (except for sites that are password protected or IP address restricted) and any data in those sites. This role should be given out sparingly.
  • Internal User (do not uncheck this box): simply an internal user without any special rights.
  • Create Site: a user who can create new sites and are automatically granted Site Administration rights to those sites. This role can be given out more liberally than the Internal Admin role

 

  • Active - Make an archived or inactivated user active. When searching for such users, do not forget to filter on Status = Archived.
  • Move - Moves the selected user(s) to a different organisation and associated email domain.
  • Export - This will export all of the listed users from the search to an Excel file.
  • Unlock User - If a user's account has been locked because they failed to enter their password correctly after a few attempts, this will allow the user to log in again with their existing password, instead of requiring the user to change their password using the reset option.
  • Archive - Archive does two different things. First, it removes the user from every site they were given access to. Second, the user is archived, which means the user will no longer be able to log in to Collaborate and their name will not match the Quick Search when new users are added to a site. Once you click on Archive, the below message displays.

If the archived user is added to another site in the future, their account will be reactivated, but only for the site they were just added to and not any previously accessed sites. Once you have archived a user, a system administrator is then able to anonymise a user.

This feature was added to ensure Collaborate complies with GDPR regulations.

Click here to find out more about GDPR. Search for the archived user in the list of users returned the option to anonymise is dispayed. 

Click on Anonymise and the below window displays.

Click Anonymise and the user details are removed from the listing and they are removed from the system. 

  • Inactive - This will inactivate a user. Unlike archiving a user, the inactivated user is not removed from sites and system groups. However, that user will not be able to log on until their account has been reactivated. Throughout Collaborate, that user will appear with the word Inactive after their name. Inactivate a user when their access to Collaborate should be suspended temporarily.
  • Reset 2FA - This option is available if 2FA is enabled. Click Reset 2FA and confirm to remove two-factor authentication from the selected user account. The user may then reset access via email or an authenticator app.
  • Change to: - If you search with the Basic or Internal User Type filter, you may switch Internal users to Basic users, or Basic users to Internal users.

Individual user action links

When the list of matching users is presented, the following links may appear for each user:

  1. User name - The user's name is a link to their profile page. From the profile page, the System Administrator can edit the user's profile, including changing the prefix of the user's email address.
  2. Organisation - This is simply a link to the organisation administration page for that organisation, discussed here.
  3. Email address - The email address associated with the user.
  4. Last login - the date and time of the last time the user logged in to the site.
  5. Proxy login - A System Administrator may log in as any other user by clicking on the login button in this column. Once this occurs, from the system's perspective, the System Administrator is acting as that other user and can take any actions that the other user could take. (The system maintains a record of every time a System Administrator proxy logs in as another user.) To revert back to their own account, the System Administrator will need to logout as the other user and manually log back in as themselves.
  6. Reset password link - This link does not appear for every user, only for users who have an unused reset password request (meaning the password request was sent out but the link in the email was not clicked) or for users who have been invited to Collaborate but never completed the account registration process. This link permits the System Administrator to set the password for another user, but ONLY if the other user has not set their own password or rest their own password. For example, if the invitation or reset password email sent to the user is trapped in the user's spam filter, the user will not be able to access the invitation and authenticate their account. In that situation, the System Administrator would set the password for the user and communicate the password to that user verbally. Alternatively, the System Administrator can copy the link the send it to the user in a different way, so that it will not be caught in their spam filter. When a System Administrator clicks on that link, they will see the regular Set Your Password screen.
  7. Site list - The Site list link simply shows a list of every site the user has been invited to or otherwise has access to, and when the user last accessed each site (if ever).
  8. System Groups - The Manage Groups link takes the System Admin to a page that lists of every system group, shows which one the user is a member of, and permits the System Admin to change those.
  9. User registered for 2FA with app - Search for users who have registered for 2FA with an app.

 

Auto Login

If Auto login is active on your instance, you see an Auto login checkbox and Auto login URL in the Roles screen for a user:

This feature must be explicitly requested to be enabled on an instance.

Please speak to your Customer Success Manager.

If enabled, auto login allows anyone with the Auto login URL to paste that URL into their browser and automatically be logged in as that auto-login user, without needing to authenticate or enter a password.

Once a person has auto logged in as another user, their access to Collaborate will be limited in certain ways.

  • In the upper right-hand corner of the page, there are no options to edit the auto-login user's profile. 
  • There is no way to log out as that user, which also means there is no way to request a password reset as the auto-login user.
    • If the user whose account has been the autologin enabled tries to manually login to Collaborate using their email address and password, they will experience the same behaviour once they are logged in: their profile is not accessible and they cannot reset their password.

Purpose

The purpose of the auto login feature is to provide access to a site, for example, an intranet, to many people without needing to create an account for each person or require those people to remember a password. In other words, a shared account. While the use of auto login for this purpose should generally be avoided, there are use cases and client demands that warrant its use. It is recommended that an auto-login user account only be given read permissions on any sites the auto-login user has been given access to.

Auto login links can be changed by completing a password reset for the respective user account. Once the password is reset, the auto login link will be changed in the User admin tool and cannot be reverted to the old URL. 

Adding Users

The User administration page includes the Add user tab:

Click Add users to open a page for creating one or more new users, exactly the same as the process for creating new users to add to a site.

You may also click Bulk import to import multiple users from an excel template.

Self-Registered Users

Some users do not have a full Collaborate account and are created merely for the purpose of receiving files after having registered. These files can be managed by clicking on a new Self-registered users tab on the User admin page:
 

Clicking on this tab will reveal a list of self-registered users:

This shows the email address of each self-registered user (full names are not available for these users), their status and last login date. A System Administrator may manage these users by using the action icon across from each user. The options are to:

  • send a reset password email to a user or
  • archive the user, so that they can no longer access files that were shared with them or otherwise log in to Collaborate

Limits on user licences

Depending on your account type, you may have limits on the number of users you may add. Limits are set per instance for the number of Internal users, External users and Basic users

As of the October 2022 release, designated system admins can receive alerts when the number of users reaches 80%, 90% and 100% of the purchased licenses. Please contact your HighQ support representative to activate these alerts.

 

Was this article helpful?