User management

OneSpan Threat View enables you to configure your own user accounts and offers different types of user accounts.

Types of user accounts and permissions: Threat View user roles

Threat View organizes the user accounts in three different roles:

• Account Owner

  Owner of the Threat View tenants.

  Permissions: users with this role have full access to all Threat View functionalities. Users with the Account Owner role can create, view, update, and delete other user accounts.

• User Administrator

  Used to install and set up Threat View securely, and to manage other user accounts.

  Permissions: users with the User Administrator role can view, create, update, and delete other user accounts but cannot view the Dashboard and Threat event reports. The User Administrator can assign roles except for the Account Owner role.

• Insights Viewer

  Used to access and use the solution.

  Permissions: users with the Insights Viewer roles can access and view the Dashboard and Threat event reports but cannot access user management.

Account Owner

Users with this role are owners of the Threat View tenants and have full access to all Threat View functionalities. The Account Owner user role has the following permissions:

• View a list of users and can filter / sort the list

• View a user and see their assigned roles

• Create a new user and specify what roles they are allowed

• Update user and change their assigned roles and scopes

• Delete a user

User Administrator

The User Administrator account is used to install and set up Threat View securely, and to manage other user accounts.

During the setup of your Threat View solution, OneSpan creates a deployment secret containing the user name and initial password for the first Threat View User Administrator. The default credentials are:

• User name: admin@onespan

• Password: Demo1234567890

If you prefer, you can change these default credentials: in the threat-view/.env file of the product package, change the default values to your preferred values for the following parameters:

• SECRET_IDENTITY_MANAGEMENT_USER_ADMINISTRATOR_USER_NAME

• SECRET_IDENTITY_MANAGEMENT_USER_ADMINISTRATOR_PASSWORD

To use the User Administrator account

1. Open the Threat View Administration Interface.

2. Log in to Threat View with the initial credentials you received from OneSpan.

3. Upon this first log in, you will be prompted to change your password.

   Threat View enforces password strength rules, i.e., if the new password does not comply with these rules, the application will terminate.

4. After changing the password, you are logged in and can start using Threat View and manage other user accounts.

Insights Viewer

Insights Viewer user roles are intended to provide access to and allow users to use the solution. Users with an Insights Viewer user role can access Threat View as soon as the Account Owner has created their user account. The Insights Viewer can log in to Threat View and perform the actions according to the permissions for the assigned user role. If set up accordingly, the Insights Viewer can perform the same actions as an Account Owner.

User management

The user accounts are managed via the Threat View Identity Management microservice which contains self-service APIs and the user management database where the administrator credentials are stored. To access the User management page, click the Users icon in the left navigation bar.  On this page, Threat View displays a table with the existing users.

The visibility of data on this page depends on the permissions assigned to you.

The table displays the following user account details:

• User name

  Unique name identifying the user.

• Display name

  Free name of the user to display in the Threat View Administration Interface.

• Role

  User role assigned to the user.

• Creation date

  Date when the user account was created.

You can sort and filter each table column, edit the user details, and delete user accounts. The required permissions are read and update.To edit a user account, click the three dots at the end of the row for that user. In the form that opens, you can make your updates, and you can also see optional information such as the user’s email address and phone number.

Threat View does not permit deleting your own user account, regardless of assigned permissions. Deleting accounts of other users is final and cannot be undone, the deleted user account cannot be restored.

The following user details can be updated with the corresponding permissions:

• Username

  Threat View validates the new username to avoid duplicates. If the new username already exists, Threat View denies the change request and displays an error message.

• Role

• Email address

• Phone number

Any user can update the following details of their own user account:

• Display name

• Email address

• Phone number

Threat View does not permit changing your own username and role.

Input validation

Threat View allows you to preview the information you have entered before you save it, and validates the input, e.g., if any required information is missing. Input is validated ad hoc while filling in the form fields as well as upon clicking Create after filling in the entire form.