Users are the key components of a SASE deployment since security policies are applied to users (or to their devices). At a high level the steps to setting up users are:
Let's start with creating groups and users.
Before you create users, setup the Groups that you will assign users to. Groups are important since you can assign policies to entire groups of users rather than individuals. To create Groups go to User > Groups in the left navigation bar and then click “Add User Group” on the top right of the page.
The admin and readonly groups exist by default. We recommend creating groups for “AllEmployees”, “Executives”, and for departments or locations as needed. A user can be a member of multiple groups. Pay attention to the relative priority of the groups; a lower number means that policies for that group have a higher priority when being applied to a single user.
For example, if a user is a member of “AllEmployees” and “Executives” in the image below then the “Executive” policies will take precedence if there is a conflict.
Before you create any users make sure that the customer level settings are setup correctly, especially the Default User Subscriptions and Welcome Email settings (https://docs.exium.net/en/public/Admin_Console/Customer_Setup).
There are three different ways to create users in the admin console. Pick the one that works best for this specific customer.
User Creation Method |
How it works |
When to Use |
Manual | Create each user manually one by one in the Admin Console. | Use for small customers with less than 30 users. |
Spreadsheet Upload | Create multiple users at once by uploading a spreadsheet. | Use for any customer that does not have an IAM system. |
Azure AD Integration (or other IAM system) | Link the customer’s Exium account to their Azure AD instance for auto user creation. | Use for any customer that has Azure AD (or other IAM system). |
To manually create a user, go to Users in the left navigation and then click on “Add User” on the top right of the tab.
Fill out the form that appears with the user’s information.
The email and mobile phone number will be used to authenticate the user during the agent install process (if the manual install process is used).
User Groups: assign the user to a group if you have setup groups already. You can also do this later by editing the user after it is created.
Very Important. Select the security services for this user. Remember that SIA is Internet security while SPA is for remote access to private networks. Users that do not have SPA turned on will not be able to access internal resources using Exium.
To create users in bulk by uploading a spreadsheet, first download the sample CSV file by going to Users in the left navigation and then clicking on the little question mark next to Upload Users.
Find the downloaded file (it is called User_Upload_UserFlow.csv) and fill it out. Some helpful hints:
Phone number: include the country code. For example, (214) 111-1999 for the US (country code +1) will be entered into the spreadsheet as 12141111999.
Groups: populate the group(s) you want the user to be a member of, otherwise you will have to do this manually later.
Security Services: all users created using this method will be assigned the “Default User Subscriptions” that are set at the customer level. You can manually edit these if needed.
Once the spreadsheet is filled out save it as a CSV file and then upload it using “Upload Users” button. The users should populate in the table. Click on a user to verify information and settings.
If the customer has an Identity and Access Management (IAM) solution such as Azure AD then it is best to link Exium with it to automatically import users from it.
Instructions for linking with Azure AD are here:
https://docs.exium.net/en/public/SSO-Integrations/Azure-AD-SCIM-SAML-Integration
Instructions for other IAM platforms can be found at:
https://docs.exium.net/en/public/SSO-Integrations
When you add users using one of the methods described above and like to use the User Install method for Client installation and activation, you need to initiate an invite email to the users. You can do this by clicking on the “mail” sign icon against the user (s) name or send in bulk to all users by clicking on the “re-invite users” icon on the top-left as highlighted in the picture below.
The email invite has one hour expiry. In case the client download link in the email expires, admins can re-initiate invite for the users or users can log in via https://service.exium.net/exium/sign-in to download and activate the client.
TBC