
ARCON|PAM

Administrative Console

Disclaimer

The handbook of ARCON PAM solution is being published to guide stakeholders and users. If any of the
statements in this document are at variance or inconsistent, they shall be brought to the notice of ARCON
through the support team. Wherever appropriate, references have been made to facilitate a better
understanding of the PAM solution. ARCON team has made every effort to ensure that the information
contained in it was correct at the time of publishing.

Nothing in this document constitutes a guarantee, warranty, or license, expressed or implied. ARCON disclaims
all liability for all such guarantees, warranties, and licenses, including but not limited to: Fitness for a particular
purpose; merchantability; non-infringement of intellectual property or other rights of any third party or of
ARCON; indemnity; and all others. The reader is advised that third parties can have intellectual property rights
that can be relevant to this document and the technologies discussed herein, and is advised to seek the advice
of competent legal counsel, without obligation of ARCON.

Copyright Notice

Copyright © 2023 ARCON All rights reserved.

ARCON retains the right to make changes to this document at any time without notice. ARCON makes no
warranty for the use of this document and assumes no responsibility for any errors that can appear in the
document nor does it make a commitment to update the information contained herein.

Trademarks

Other product and corporate names may be trademarks of other companies and are used only for explanation
and to the owners' benefit, without intent to infringe.


Table of Contents
1 Administrative Console Dashboard
1.1 All Human Identities Dashboard
1.1.1 Widgets
1.1.2 Charts
1.2 Asset Dashboard
1.2.1 Widgets
1.2.2 Charts
2 Manage
2.1 Human Identity
2.1.1 Creating New Human Identities
2.1.2 Manual Human Identity Onboard
2.1.2.1 Human Identities Details
2.1.2.2 Security
2.1.2.3 Assign
2.1.2.4 Custom Fields
2.1.2.5 Assign Tags
2.1.3 Bulk Human Identities Creation
2.1.4 Modify Details of Human Identities
2.1.4.1 Changing Status of the Human Identities
2.1.4.2 Disabling/Activating the Human Identities
2.1.4.3 Multifactor Authentication Enable/disable
2.1.4.4 Clone Human Identity
2.1.4.5 Bulk Update
2.2 IAM Privilege
2.2.1 Create IAM Privilege
2.2.2 Modify IAM Privilege
2.2.2.1 Disabling/Activating the IAM Privilege
2.2.3 Client Privileges
2.2.4 Admin Privileges
2.2.5 Group Admin Privileges
2.3 Role/Department and Asset Group
2.3.1 Creating a Role/Asset Group
2.3.2 Creating Role/Department Or Asset Group Using Create Button
2.3.2.1 Assign Tags While Creating Asset Group
2.3.3 Creating Role/Department Or Asset Group Using Import File
2.3.4 Modify Details of Role/Department Or Asset Group
2.3.4.1 Deleting The Role/Department or Asset Group
2.3.4.2 Transferring Role/Department or Asset Group
2.4 Assets
2.4.1 Onboarding a New Asset
2.4.2 Infrastructure Asset Manual Onboard
2.4.2.1 Infrastructure Asset Details
2.4.2.2 Infrastructure Asset Connection Details
2.4.2.3 Infrastructure Asset Credentials
2.4.2.4 Infrastructure Asset Single Sign-On Configuration
2.4.2.5 Infrastructure Asset Digital Identity LifeCycle Management
2.4.2.6 Infrastructure Asset Reconciliation
2.4.2.7 Infrastructure Asset Entitlement
2.4.2.8 Infrastructure Asset Assign Of Assets
2.4.2.9 Infrastructure Asset Custom Fields Of Assets
2.4.2.10 Infrastructure Asset Customized Connectors
2.4.2.11 Infrastructure Asset Advanced
2.4.2.12 Infrastructure Asset Vault Configuration
2.4.2.13 Infrastructure Asset Assign Tags
2.4.3 Business Asset Manual Onboard
2.4.3.1 Business Asset Details
2.4.3.2 Business Asset Credentials
2.4.3.3 Business Asset Single Sign-on
2.4.3.4 Business Asset Digital Identity Life Cycle Management
2.4.3.5 Business Asset Identity Governance
2.4.3.6 Business Asset Reconciliation
2.4.3.7 Business Asset Entitlement
2.4.3.8 Business Asset Assign
2.4.3.9 Business Asset Custom Fields
2.4.3.10 Business Asset Advanced
2.4.3.11 Business Asset Vault Configuration
2.4.3.12 Business Asset Assign Tags
2.4.4 Bulk Assets Creation
2.4.5 Modify Details of Asset
2.4.5.1 Deleting / Disabling / Activating the Asset
2.5 Digital Identities
2.5.1 Onboarding New Digital Identities
2.5.2 Infrastructure Asset Digital Identities Manual Onboard
2.5.2.1 Infrastructure Asset Digital Identity Details
2.5.2.2 Infrastructure Asset Digital Identity Credentials
2.5.2.3 Infrastructure Asset Digital Identity Mapping
2.5.2.4 Infrastructure Asset Digital Identity Asset Form
2.5.2.5 Infrastructure Asset Digital Identity Entitlements
2.5.2.6 Infrastructure Asset Digital Identity Advanced
2.5.2.7 Infrastructure Asset Digital Identity Assign Tags
2.5.3 Business Asset Digital Identities Manual Onboard
2.5.3.1 Business Asset Digital Identity Details
2.5.3.2 Business Asset Digital Identity Credentials
2.5.3.3 Business Asset Digital Identity Mapping
2.5.3.4 Business Asset Digital Identity Asset Form
2.5.3.5 Business Asset Digital Identity Entitlements
2.5.3.6 Business Asset Digital Identity Advanced
2.5.3.7 Business Asset Digital Identity Assign Tags
2.5.4 Associate Digital Identities
2.5.4.1 Associate Digital Identity Details
2.5.4.2 Associate Digital Identity Mapping
2.5.4.3 Associate Digital Identity Assign Tags
2.5.5 Bulk Digital Identities Creation
2.5.6 Modify Details of Digital Identities
2.5.6.1 Disabling/Activating the Digital Identities
2.6 LOBs
2.6.1 Create LOB
2.6.2 Modify LOB
2.6.2.1 Bulk Update
3 Setting
3.1 Tags Management
3.1.1 Tags Configuration
3.1.1.1 Tag Creation
3.1.1.2 Delete/Modify Details Of Tag
3.1.1.3 Dropping, Disabling, And Activating Of Tags
3.1.2 Tags Ordering
3.2 User Attribute
3.2.1 Create User Attributes
3.2.1.1 User Attributes Creation Screen
3.2.2 Modify User Attributes
3.2.2.1 Activating Disabled User Attribute
3.2.3 Attributes Ordering
3.3 Application Attribute
3.3.1 Create Application Attributes
3.3.1.1 Application Attributes Creation Screen
3.3.2 Modify Application Attributes
3.3.2.1 Activating Disabled Application Attribute
3.4 Local App Store
3.4.1 Onboard Local App
3.4.1.1 Manual Upload Of Local Apps
3.4.1.2 Upload From Marketplace
3.4.1.3 Modify Connectors
3.4.1.4 Activate Disabled Connectors
4 Acronyms
5 Related Documents


Overview

The Administrative Console is a crucial element of the ARCON Converged Identity (CI) platform, providing the
IT risk management team with a comprehensive view of the identity and access management (IAM)
environment. The unified digital identity management engine empowers administrators to manage and
onboard users, IT assets, and secure digital identity by applying security measures based on the criticality of an
application.

In a typical mid-sized or large enterprise, the identity and access management environment is constantly
expanding, with hundreds or even thousands of privileged human identities accessing critical systems on a daily
basis.

Let us consider some day-to-day enterprise use cases:

• Network admins and system admins require continuous access to network devices, databases, and
servers

• IT infrastructure and operations personnel require frequent access to the IT service desk and mission-
critical applications

• Development teams require constant access to production environments

• Remote users require RDP sessions

• Third-party consultants and IT project managers require intermittent access to IT resources

• Business-privileged users require considerable access to a host of business applications (CRM, HR, and
Social Media handles among others)

Given the vast number of privileged human identities, it is essential to manage and control them from a data
security and compliance perspective. The Administrative Console enables administrators to manage different
entities in the IAM environment, such as human identities, roles/departments, assets, asset groups, and various
Lines Of Business (LOBs) seamlessly.

ARCON Administrative Console enables an administrator to:

• Enforce the principle of least privilege

• Ensure a maker-checker concept

• Gain overall visibility over the organization's identity and access management environment

• Segregate human identities based on roles and map to assets

• Enhance administrative efficiency and reinforce security

Click on the Administrative Console icon on the ACMO screen to navigate to the Administrative Console
application. The Administrative Console screen will be visible:


The Administrative Console comprises the following menus in the left pane:

| Menu | Description |
|---|---|
| Dashboard | Administrator activities on the Administrative Console are represented in a graphical format. A dashboard is a kind of graphical user interface that frequently offers quick glances at key performance indicators (KPIs) pertinent to a specific goal or business process. |
| Manage | This helps to create, modify, or drop entities such as human identities, roles/departments, assets, asset groups, and LOBs. |
| Settings | The Settings section provides Tags Management for the configuration of tags that assist in improving security, User Attributes for the creation of customized attributes that can be utilized to store supplementary values for users, Application Attributes for the creation of customized attributes that can be utilized to store supplementary values for applications, and Local App Store for the provision of connectors for the onboarding of diverse infrastructure assets. |

Refer to the table below to understand the header row in the Administrative Console:


| Option | Functionality |
|---|---|
| LOB Selection | This drop-down shows the list of LOBs assigned to you. The data in each menu is displayed according to the LOB selected in the drop-down. Select the All LOB option to view the complete data of all the LOBs assigned to you. You can also select a particular LOB to view the data on a need-to-know basis. |
| User Profile | The user profile screen lets users change the language preference by selecting the language drop-down, alter the text font by selecting the A-/A+ option, adjust the screen color by selecting the color icons, and log out of the application by clicking on the Logout option. |


1 Administrative Console Dashboard


Effective management of identity and access environments is a challenging task that requires accurate
information about all assets, asset groups, roles, human identities, and activities taking place within the system.
Failure to do so can result in administrative inefficiencies and data breaches. To address this issue, ARCON CI
offers administrators an Administrative Console Dashboard.

The Dashboard provides a comprehensive overview of all entities typically found in an identity and access
management (IDAM) environment, including the total number of human identities, business assets,
infrastructure assets, privileged IDs, active sessions, IAM privileges, role/department numbers, and the number
of assets being accessed. The Dashboard also includes widgets and graphical representations to facilitate the
analysis of this information.

By providing administrators with accurate and up-to-date information, the Dashboard enables them to make
well-informed decisions, reduce the privileged access threat vector, and mitigate the risk of unauthorized
access to systems.

ARCON CI offers two dashboards: the All Human Identities dashboard and the Assets dashboard.

1.1 All Human Identities Dashboard


The "All Human Identities" dashboard presents a comprehensive overview of the various entities commonly encountered
within an identity and access management framework. This includes the aggregate number of human identities,
assets, privilege IDs, currently active sessions, IAM privileges, roles/departments, and accessed assets.


1.1.1 Widgets
The widgets offer a comprehensive overview of the identity and access management landscape. As shown in
the table below, they display the count of each entity and activity.


To understand the widgets, refer to the table below:

| Widget | Description |
|---|---|
| Total Human Identities | It displays the number of active Human Identities in the Converged Identity. |
| Business Assets | It displays the number of active assets, which can be a web application, hardware device, router, etc. |
| Infrastructure Assets | It displays the number of active assets such as Windows RDP, SSH Linux, MS SQL, etc. |
| Total Privileged ID | It displays the number of active human identities in the Converged Identity. |
| Current Active Session | It displays the number of sessions that are active in the Converged Identity. |
| IAM Privileges | It displays the total number of privileges that are created in the Converged Identity. |
| Role/ Department | It displays the total roles that are created in the Converged Identity. |
| Assets Accessed | It displays the total number of assets that are accessed by the Human Identity in the Converged Identity. |

1.1.2 Charts
Charts enable an ARCON CI administrator to view the privileged activities comprehensively and in the form of
graphical representations that include:

• Human Identities Status
• Top 5 Role Membership
• Login Trend
• Top 5 Most Requested Assets
• Human Identity Onboarding Trend
• Top 5 Most Used Assets

Human Identities Status


The “Human Identities Status” chart is a valuable tool for administrators seeking to comprehend the status of
Human Identities dispersed throughout the access management environment. This tool presents the
percentage of active, lockout, disabled, and dormant Human Identities. The data exhibited in the Human
Identities status chart enables an administrator to identify potential threats. For instance, a dormant or
"orphaned" privileged account may serve as a source of a data breach. It is crucial to disable such accounts and
take preventive measures promptly. It is noteworthy that dormant accounts expand the privileged access
threat vector. The Human Identity status tool also assists an administrator in comprehending the trend of
activity concerning privileged access. This, in turn, facilitates the decision-making process regarding how to
make better use of privileged access. An administrator may hover over any area of the chart to view the precise
count details. Please refer to the legends to comprehend the color representation in the pie chart.

Top 5 Role Membership

The "Top 5 Role Membership" presents the five most commonly assigned roles to Human Identities by the
administrator. By hovering over any point on the chart, one can access precise count details along with the
corresponding role name.

Login Trend

The “Login Trend” illustrates the monthly login pattern over the preceding six months. The purpose of the Login
Trend is to facilitate the monitoring and analysis of login activity and to detect any anomalous behavior that
may indicate a security breach. This involves the surveillance of Human Identity account activity, login
attempts, and other pertinent occurrences to identify any signs of unauthorized access, compromised
credentials, or other security risks.


Top 5 Most Requested Assets


The "Top 5 Most Requested Assets" presents the five assets that are most frequently requested for access by
Human Identities. An examination of the top five most requested assets can provide valuable insights into the
security risks and priorities of a business. By identifying the assets that are most frequently requested by users,
security teams can make more informed decisions regarding risk assessment, vulnerability management, and
access control, thereby enhancing their effectiveness.

Human Identity Onboarding Trend


The "Human Identity Onboarding Trend" depicts the monthly count of Human Identities that have undergone
the onboarding process. In the realm of cyber security applications, Human Identity onboarding pertains to the
procedure of acquiring and orienting new Human Identities with the security policies, protocols, and optimal
practices of an organization. This constitutes a crucial element of any security program, as it guarantees that all
Human Identities are aware of their respective roles and obligations in safeguarding confidential information
and systems.


Top 5 Most Used Assets


The "Top 5 Most Utilized Assets" presents a comprehensive overview of the five most frequently used assets
by end users. By examining this chart, a security team can acquire valuable insights into an organization's
security vulnerabilities and gain a deeper comprehension of the assets that are critical to the company's
operations. By focusing on the top five most utilized assets, security teams can identify potential vulnerabilities
and prioritize their efforts to safeguard these assets.

1.2 Asset Dashboard


The Asset dashboard presents comprehensive information about the assets present within an identity and
access management ecosystem, encompassing the aggregate count of business assets, infrastructure assets,
digital identities, and live assets.


1.2.1 Widgets
The widget offers a comprehensive overview of identity and access management landscapes. The tabulated
data presented below illustrates the quantitative tally of every entity and activity.

To understand the widgets, refer to the table below:

| Widget | Description |
|---|---|
| Business Asset | It displays the total number of active assets which can be a web application, hardware device, router, etc. |
| Infrastructure Asset | It displays the total number of active assets such as Windows RDP, SSH Linux, MS SQL, etc. |
| Digital Identity | It displays the number of active privileged identities. |
| Live Asset | It displays the total number of assets that are accessed by the human identity. |

1.2.2 Charts
Charts enable an ARCON CI administrator to view the privileged activities comprehensively and in the form of
graphical representations that include:

• Top 5 Most Used Assets
• Top 5 Provisioned Assets
• Asset Status
• Digital Identity Type

Top 5 Most Used Assets


The "Top 5 Most Utilized Assets" displays the five most frequently employed assets along with their respective
details. By hovering over any point on the chart, you can obtain precise numerical information. The color coding
in the pie chart can be comprehended by referring to the accompanying legend. The data is available for
download in SVG, PNG, and CSV formats.

Top 5 Provisioned Assets


The “Top 5 Provisioned Assets” presents a comprehensive list of applications that have garnered the highest
number of digital identities created. The chart allows for a detailed view of the exact count details upon
hovering over any section. The color representation in the pie chart can be comprehended by referring to the
legends. The data can be procured in SVG, PNG, and CSV formats.

Asset Status

The “Asset Status” displays the aggregate number of assets and the corresponding percentage of their status. It
is possible to obtain precise details of the count by hovering over any part of the chart. The color coding in the
pie chart can be comprehended by referring to the legends.

Digital Identity Type

The "Type of Identities" presents the percentages and types of identities as mentioned below. To obtain precise
numerical information, you may hover over any area of the chart. The color coding of the pie chart is explained
in the accompanying legend.

• Named ID: This displays the personal account that is not shared with anyone.
• Shared ID: This displays the account that is shared between more than one human identity.
• API ID: This displays the account that is mainly used for API communication purposes.
• Bot ID: This displays the account that is being used by BOT to perform a scheduled activity.
• System ID: This displays the account which is defaulted in the system.
• Asset ID: This displays the account created for Admin to perform administrative activity.
• Master ID: This displays the account with the highest privilege.
• Machine ID: This displays the account that is used for the infrastructure asset.


2 Manage
A Converged Identity (CI) environment is never static. It is ever-evolving and dynamic. Therefore, effectively
managing identity and access management environments requires careful management of people and
processes.

Consider some typical, frequent use cases in CI environments:

• Creation of new identities and assets
• Assigning roles to identities
• Configuring roles to grant access to numerous asset groups
• Disabling identities from roles or transferring roles to other asset groups
• Modifying the details of the identities in bulk
• Mapping an identity to an asset or asset group

In all these instances, the Manage menu helps an administrator make the desired changes in the administrative
console as per the group settings, which, in turn, helps to control the identities. The menu allows you to
create, modify, or disable identities, assets, roles, and LOBs. This helps streamline the workflow and
ensures that all tasks are done efficiently and effectively.

The Manage menu includes the following:

| Menu | Description |
|---|---|
| Human Identities | This menu helps to create/modify/drop human identities. In addition, you can also assign LOBs, and roles, and define Two/Multi-Factor Authentication (2FA/MFA) to human identity. |
| IAM Privileges | This menu helps to create/modify/drop the user's IAM privileges. In addition, you can also assign LOBs, client privileges, and administrator privileges to the IAM privileges. |
| Role/Department | This menu helps to create/modify/drop the roles. In addition, you can also assign LOBs and asset groups to the roles. |
| Assets | This menu helps to create/modify/drop the assets. In addition, you can also assign LOBs and asset groups. |
| Asset Groups | This menu helps to create/modify/drop the asset groups. In addition, you can also assign LOBs, roles, and assets to asset groups. |
| Digital Identities | This menu helps to create/modify/drop digital identities. In addition, you can also assign LOBs, asset groups, and human identities in particular digital identities. |
| LOBs | This menu helps to create/modify/drop the LOBs. |

Filter

The Filter option is used to narrow down the records according to your search. Filters allow you to shortlist the
listed items based on your parameters. You need to implement a fail-proof filtering system for ease of use and
maximum conversion. Three types of filters are used across the Manage module.

Refer to the table to understand the different types of filters that are available in the Manage module and their
use:


| Filter | Description |
|---|---|
| Advance Filter | This filter is used to narrow the records based on the entities. For example, you can filter based on entities such as LOB, role, domain, etc. Note: There is a None option in the Role/Department filter for filtering out those human identities who are not mapped to any Role/Department. |
| Global Filter | This is a global filter, and you can search for the keyword from here. For example, you can enter keywords such as the name of the identities, roles, domains, etc. |
| AG Grid Column | This filter is a column filter that applies to the column level. Click this icon to select filter categories such as contains, not contains, equals, etc. Then, search for the keywords. |
| AG Grid Filter | This filter enables you to search for both individual and multiple values, which have to be separated by commas. Even if you enter the input partially, the filter will still accurately refine the necessary values. |

Export as Excel

The Export as Excel button is used to export all the records on a particular page in an Excel format. When you
choose to export data to Excel, it makes a copy of the chosen data and stores it in a file that Excel can open.
When a report is exported to Excel, it is possible to manipulate the data in ways that are not always simple to do
within the application itself, such as sorting certain fields, rearranging fields, deleting fields, etc.

Note: While exporting, the downloaded file name will contain the word Active, Dormant, Lockout, Disabled,
Suspended, or Sabbatical for the respective Active, Dormant, Lockout, Disabled, Suspended, or
Sabbatical tab.


Quick Access Buttons

The quick access buttons give the Admin quick access to modify or create human identities, roles, asset groups,
and LOBs at the same location. They can also help you be more productive by allowing you to do multiple tasks
at once. For example, if the admin uses quick access buttons to modify identity details, they can use quick
access buttons to create groups, assets, and LOB. This reduces your effort to get the details modified or created
in one place.

The quick access buttons appear on the left side of the Create or Modify screen:

Refer to the table to understand the different types of buttons that are available in the quick access buttons:

| Quick Access Buttons | Description |
|---|---|
| Create Human Identities | This button enables the admin to create human identities. |
| Create Roles | This button enables the admin to create roles/departments and asset groups. |
| Create Assets | This button enables the admin to create assets. |
| Create Digital Identity | This button enables the admin to create digital identities. |
| Create LOB | This button enables the admin to create LOBs. |

Customize Columns

You can customize the view of any records displayed in the Administrative Console. It helps you get the
relevant data as per your requirements. This not only helps in building engagement but also enhances clarity.
For example, human identities records are explained below:

Perform the below steps to get a customized view of the human identity details:

1. Click the Customize columns option on the right side of the records:

2. Enable or disable the columns as per your requirement. Based on the selection, you can see your
customized view of records.

2.1 Human Identity


Human identities have elevated rights to access sensitive information, data, and classified information. Insider
threats increase dramatically if these human identities are not controlled by policy enforcement. ARCON CI
provides adequate safeguards to protect human identities and control their access with Role-Based Access
Control (RBAC). The solution not only ensures that each human identity's access to assets happens in a controlled
environment but also helps to comply with the regulatory requirements that explicitly demand role-based
access to confidential information.

Human identities can be classified into two categories: Client and Admin.

• Client: A client identity is a human identity that does not have administrative privileges to the
administrative console but has access to target devices, applications (assets), and reports.
• Admin: An admin identity is a human identity with administrative rights to the administrative console. It
allows an admin to perform all kinds of activities in ARCON CI. Nevertheless, to ensure adequate
security, ARCON CI provides a mechanism by which an administrator can segregate the duties of all
admins in the identity and access management (IDAM) environment, a key step towards the access
principle.

While logging in to ARCON CI, the Admin/Client type of human identity shall select the respective domains
(AD Domain/ Local Domain) for authentication. The human identities authenticated from Active Directory shall
be called AD Domain human identities, whereas those authenticated from the local Domain are known as Local
Domain human identities.

• AD Domain Human Identity: A domain human identity is a human identity whose username and
password data are fetched from AD and authenticated against AD.
• Local Domain Human Identity (ARCOSAUTH): A local human identity is one whose username and
encrypted password are authenticated against ARCON Local Repository.

Use the following path to navigate to the Human Identities screen:

Administrative Console > Manage > Human Identities:

As shown in the Human Identities screen, you can view the list of existing human identities based on four
categories. Refer to the table below to understand different human identity categories and the columns
displayed on the Human Identities screen:


Human Identity Categories

| Field Name | Description |
|---|---|
| Active | It displays the list of active human identities. An active human identity is one who has interacted with the ARCON CI application within a certain period. |
| Dormant | It displays the list of dormant human identities. A dormant human identity is one who hasn’t interacted with the CI application in a certain period. |
| Locked Out | It displays the list of locked-out human identities. The locked-out human identity list displays human identities that attempted to log in with an invalid password and exceeded the lockout attempts value which is defined in Settings. |
| Disabled | It displays the list of disabled human identities. |
| Suspended | It displays the list of human identities that are suspended for some time. |
| Sabbatical | It displays the list of human identities that are on leave for a long period. |

Column Details

| Field Name | Description |
|---|---|
| User Name | It displays the unique user ID of the human identity. |
| Display Name (alias) | It displays the display name of the human identity. |
| Domain | It displays the domain name of the human identity. |
| Valid Till | It displays the date from which the human identity becomes inactive and can no longer access the application. |
| Roles/Department | It displays the role/department name that the human identity belongs to. |
| Action | You can modify the human identity details by clicking the Modify button. |

2.1.1 Creating New Human Identities


This section helps you create new Human Identities. There are two ways to create Human Identities:

• Manual Human Identities Creation to create a single Human Identity
• Bulk Human Identities Creation to create multiple Human Identities at a time


2.1.2 Manual Human Identity Onboard


Creating Human Identity can help admins step out of themselves and recognize that different people have
different needs and expectations. This section explains the manual Human Identity creation process.

Perform the below steps to create a Human Identity:

1. Click the + icon at the bottom right corner of the Human Identities screen:

2. Two pop-up buttons will be displayed. Click the Create button to create a new Human Identity manually:

3. The Create Human Identity screen will be displayed. The Assign Tag section will be displayed based on
the LOB selection in the Assign section:

4. There are four sections in the Human Identity screen, which are as follows:

   • Human Identity Details
   • Security
   • Assign
   • Custom Fields
   • Assign Tags
5. Once all the required details are entered, click the Create button. If the password is not entered as per
the password policy, it will prompt the password policy:

6. Re-enter the password to meet the password policy and then click Create.
7. The Human Identity will be created and will be listed in the Active Human Identities category list.

2.1.2.1 Human Identities Details

Human Identity Details require inserting basic information about Identity that needs to be collected while
creating identities. This information will be used to assign assets and monitor the identity’s activity. While
creating a new Identity manually, an administrator will get a tab called Identity Details to fill in the details of
the Identity such as username, ID, domain name, identity type, email, mobile number, roles/departments, and
validity period:

Refer to the table below to understand the fields in the Identity Details section:


| Field Name | Description |
|---|---|
| Domain Name | Select the domain name from the drop-down to map to the human identity. There are two types of domains. Local Domain: The ARCOSAUTH is the local domain set by default. By selecting this domain, you will have to add the identity details manually. AD Domains: These are the domains defined from the client end that perform the cross-verification through AD and fetch the respective Identity’s data: (a) Select any active directory domain. (b) In the user ID field, specify the user ID of the respective domain. (c) Click on the contact icon and it will auto-populate all the Identity details available in AD. |
| Identity Display Name | Enter the name of the identity to be displayed in the identity profile. Note: This field will be auto-filled if the active directory domain is selected. |
| Human Identity ID | Enter the unique ID of the human identity. You can use an employee ID or name to create a unique ID for the local domain user; this ID will be used to log in to CI. Note: If the AD domain is selected, specify the ID of the existing Identity of the respective domain and click on the contact icon. It will auto-populate all the Identity details available in AD. |
| Password and Confirm Password | Enter a password for the identity. Note: If the AD domain is selected, the password of the respective Identity will remain the same as it is in the AD. Hence, the password field will not be displayed. |
| Confirm Password | Enter the password again to confirm that the password matches the password in the password field. |
| Human Identity Type | Select a user type as Client or Admin for this identity. |
| Email | Enter the business email ID of the human identity. Note: This field will be auto-filled if the active directory domain is selected. |
| Mobile | Enter the business mobile number of the human identity. Note: This field will be auto-filled if the active directory domain is selected. |
| Role (Privileges) | Select one or multiple roles from the drop-down to assign certain access and privileges to the human identity. All the roles defined in the Identity role module will be displayed in this drop-down. |
| Valid Till | Select the date till when the Identity account will remain active. |

Note: In addition to the above-mentioned fields, a few fields will be visible as shown below if configured in the
User Attribute section.


2.1.2.2 Security

For any modern organization, passwords are no longer adequate protection against insider and third-party
attacks. Passwords are the weakest link in information technology. Around 80% of attacks on privileged
accounts happen due to privileged password abuse or misuse.


Relying on passwords to ensure legitimate, privileged access to systems might have frightful consequences for
organizations. Data exfiltration, account takeover, data breach, snooping of privileged accounts, and corporate
espionage, among other forms of cybercrime, exist because the authentication mechanisms for privileged
access are weak.

Against this backdrop, Multi-factor Authentication (MFA) provides IT security and risk management teams
with adequate layers of protection. MFA is a secure strategic entry point to critical systems and classified
information. The MFA mechanism provided by the ARCON Converged Identities (CI) solution ensures multiple
steps for privilege identity verification before human identities are allowed access to the desired assets or
target devices.

The MFA mechanism not only reinforces the security posture of identity and access management
environments but also helps to comply with IT security standards and regulatory mandates that demand
enforcing MFA to access sensitive information and data.

ARCON Administrative Console allows an admin to set up a security configuration for a privileged human
identity with a multi-layered validation process.

Privileged human identity security can be ensured by the following mechanisms:

• Multi-factor authentication
• Endpoint-based access control
• Enabling the login duration of users

Multifactor Authentication

To secure the human identity accounts, more than one authentication step can be configured with the
administrative console. The following methods can be used to configure MFA for human identities:


• Mobile OTP: While accessing the ARCON CI environment, the user must authenticate by entering the
OTP generated in the Two-Factor Authenticator application on a mobile phone. The application can be
ARCON Authenticator, Google Authenticator, Microsoft Authenticator, etc.
• Hardware Token: It is a small hardware device that must be used while accessing the ARCON CI
environment. A Hardware Token is a security token that may be a physical device that an authorized
user of computer services is given to ease authentication.
• Biometric - Finger Print: Biometric - Finger Print authentication compares a human identity's
fingerprint to a stored fingerprint record to validate a human identity. After being validated, the human
identity will get access to the ARCON CI.
• SMS OTP: A One-Time Password (OTP) is an automatically generated numeric or alphanumeric string of
characters that authenticates a human identity for a login session. To access ARCON CI, the human
identity must enter the SMS OTP received on the registered mobile number.
• Voice Biometric: Biometric Voice authenticates the human identity by recognizing the voice of the
human identity (the human voice). After that, the human identity will get access to the ARCON CI.
• Email OTP: A One-Time Password (OTP) is an automatically generated numeric or alphanumeric string
of characters that authenticates a human identity for a login session. To access the ARCON CI, the
human identity must enter the Email OTP received on the registered email ID.
• TOTP Authenticator: TOTP stands for Time-based One-Time Passwords and is a common form of two-
factor authentication (2FA). Unique numeric passwords are generated with a standardized algorithm
that uses the current time as input. The time-based passwords are available offline and provide user-
friendly, increased account security when used as a second factor.
• Facial Recognition: Face Recognition authentication is a technology that enables human identities to
access the ARCON CI using sensing technology that recognizes faces from a digital image database.

Note: While configuring Multifactor Authentication, more than one authentication type can be selected.

Enable Logon Period

In addition to MFA, an administrator can configure the enable logon period settings to secure privileged
accounts. This feature allows administrators to regulate privileged human identity access to systems for a
required set of periods each week. The feature enables an administrator to configure session lockout time so
that the privileged human identity can access ARCON CI within the configured lockout time. An administrator
can enable or disable the logon period by using the toggle options available below the MFA field.


Refer to the following table to understand the additional toggle options available:

| Field Name | Description |
|---|---|
| Enable Logon Period | This is used to enable the number of days and hours for the selected user to access the application. Note: If a human identity tries to log in to the ARCON CI application after the set login period has expired, then the human identity will receive an error message displaying “Invalid User Name OR Password”. Once the logon period is selected, click Allow Logon to enable the login period and click Disable Logon to disable the logon period. |
| Use Global Session Lock Out Time | This is used to set the ACMO session timeout configuration to this human identity which is already configured in the global configuration. Note: The ACMO Session Time Out is configured in the global configuration under ACMO. To set the session lock out time manually, disable the toggle button and specify the time (in minutes). |
| Devoid Security | This is used to disable lockout attempts for the selected human identity. |
| Disable Logon | This is used to disable the logon access for the selected human identity. |
| Enable Endpoint Based Access | This is used to enable endpoint-based access, which allows access to the application through the specified desktop or laptop only. Note: If the Enable Endpoint Based Access checkbox is selected, then you need to enter the IP or MAC address, Processor, or BIOS Serial ID details of the laptop or desktop in the Endpoint Based Access Setting tab. |
| Allow Clipboard through AGW | This is used to enable or disable the human identity's use of the copy-paste option through AGW. |

Endpoint Based Access Control

Endpoint-based access control is an authentication method where an administrator will validate a privileged
human identity’s endpoint to grant access to systems. This approach not only provides an additional security
shield in the authentication process but also helps to comply with an organization’s internal IT policies and
security standards. Under this approach, ARCON CI binds the human identity's login to a particular system’s IP
address, MAC address, Processor ID, or BIOS Serial ID of a desktop or laptop. As a result, the human identities
will be able to log in to ARCON CI systems only through those endpoints to which they are entitled.


Click the + icon to add a new endpoint. The following screen will be displayed:

Refer to the table below to understand the fields in the preceding screen:


| Field Name | Description |
|---|---|
| Filter Type | Select the type for endpoint configuration. The valid values are: IP Address, MAC Address, Processor ID, BIOS Serial ID. |
| IP Range | Enable the toggle button to specify the IP range. Note: This field will be displayed only if the filter type is selected as IP Address. |
| IP Address | Enter the IP address. Note: This field will be displayed only if the filter type is selected as IP Address. |
| MAC Address | Enter the MAC address. Note: This field will be displayed only if the filter type is selected as MAC address. |
| Processor ID | Enter the Processor ID. Note: This field will be displayed only if the filter type is selected as Processor ID. |
| BIOS Serial ID | Enter the BIOS Serial ID. Note: This field will be displayed only if the filter type is selected as BIOS Serial ID. |
| Enabled | Enable/disable the configuration for the specified desktop/laptop whose details are specified. |
| Action | Click the HOME ADD button to add the Endpoint. Click the Cancel button to drop the entry. |
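The endpoint binding described above can be pictured as a default-deny allowlist check at login. This is an added sketch, not ARCON's implementation: the `EndpointRule` structure, the endpoint dictionary keys, the "start-end" range notation and the "any enabled rule matches" semantics are assumptions, and the sample rules are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Mapping


@dataclass(frozen=True)
class EndpointRule:
    filter_type: str        # one of the page's filter types, e.g. "IP Address"
    value: str              # single value, or "start-end" when ip_range is True
    ip_range: bool = False
    enabled: bool = True


def normalize_mac(mac: str) -> str:
    """Accept 00:1A:.., 00-1a-.., 001a.2b3c.. and return 12 lowercase hex digits."""
    compact = re.sub(r"[:\-.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", compact):
        raise ValueError(f"not a MAC address: {mac!r}")
    return compact


def _ip_matches(rule: EndpointRule, client_ip: str) -> bool:
    try:
        ip = ipaddress.ip_address(client_ip)
        if rule.ip_range:
            start_s, end_s = rule.value.split("-", 1)
            start = ipaddress.ip_address(start_s.strip())
            end = ipaddress.ip_address(end_s.strip())
            # Compare as addresses, not strings: "10.0.5.9" sorts wrongly as text.
            return start.version == ip.version == end.version and start <= ip <= end
        return ip == ipaddress.ip_address(rule.value.strip())
    except ValueError:
        return False  # malformed rule or address never grants access


# Assumed mapping from filter type to the key reported for the endpoint.
_ENDPOINT_KEYS = {
    "MAC Address": "mac",
    "Processor ID": "processor_id",
    "BIOS Serial ID": "bios_serial",
}


def rule_matches(rule: EndpointRule, endpoint: Mapping[str, str]) -> bool:
    if not rule.enabled:
        return False
    if rule.filter_type == "IP Address":
        return _ip_matches(rule, endpoint.get("ip", ""))
    key = _ENDPOINT_KEYS.get(rule.filter_type)
    observed = endpoint.get(key) if key else None
    if not observed:
        return False
    if rule.filter_type == "MAC Address":
        try:
            return normalize_mac(observed) == normalize_mac(rule.value)
        except ValueError:
            return False
    return observed.strip().upper() == rule.value.strip().upper()


def is_endpoint_allowed(rules: Iterable[EndpointRule],
                        endpoint: Mapping[str, str]) -> bool:
    """Default deny: at least one enabled rule must match the endpoint."""
    return any(rule_matches(rule, endpoint) for rule in rules)


# Constructed sample rules for one human identity.
SAMPLE_RULES = [
    EndpointRule("IP Address", "10.0.5.10-10.0.5.20", ip_range=True),
    EndpointRule("MAC Address", "00-1A-2B-3C-4D-5E"),
    EndpointRule("BIOS Serial ID", "CONSTRUCTED-SN-001", enabled=False),
]

if __name__ == "__main__":
    print(is_endpoint_allowed(SAMPLE_RULES, {"ip": "10.0.5.15"}))   # in range
    print(is_endpoint_allowed(SAMPLE_RULES, {"ip": "10.0.5.100"}))  # out of range
```

Identifiers such as MAC address, Processor ID and BIOS serial are reported by the client, so this check works as the additional layer the page describes, alongside MFA.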

2.1.2.3 Assign

It is possible to configure a variety of account types with the required access, roles, and permissions. Built-in
local human identity accounts, domain human identity accounts, managed asset accounts, and virtual accounts
are examples of common account types. These accounts are more susceptible to security exploitation since
they have more access to the infrastructure and more privileges than other accounts. You can allocate assets to
human identities with the appropriate security and compliance using ARCON CI. This section allows you to
assign the LOBs, roles/departments, and assets to the human identity.

Refer to the following table to understand the field-level description shown on the Assign screen:

| Field Name | Description |
|---|---|
| LOB | It displays the lines of business (LOBs) that can be assigned to the human identity. A product or a group of related items that support a certain client transaction or business need is referred to as LOB in general. Note: You need to select the All LOB option from the top-right corner on the Admin Console home screen to reflect all the LOBs in the Assign section’s LOB drop-down. This will help you to select different Role/Department from different LOBs. |
| Roles/Departments | It displays the number of active roles/departments in the Administrative Console. |
| Assets | The Assets filter allows you to search a single service. The Asset list displays the number of active assets in the Administrative Console. |

Note: You can view the list of assets assigned to the particular role/department. It is also possible to select or
deselect the assets from the list if required.

Perform the below steps to assign the LOB, roles/departments, and assets to the human identity:

1. Select the LOB from the drop-down:

2. Select the Roles/Departments from the drop-down list:

3. Select the Assets that you want to map to the user:


2.1.2.4 Custom Fields

The field names and the values in these drop-downs are bespoke and can be set according to an organization's
needs. For the first two fields (Description1 and Description2), you can create drop-downs by entering values
in the same settings, and the last two fields (Description3 and Description4) are text fields to enter a single
value or write a description only.

Refer to the table below to understand the fields in the Custom Field:

| Field Name | Description |
|---|---|
| Description1 | Enter values in Configure Human Identity Tag in Settings to create a drop down for this field. |
| Description2 | Enter values in Configure Human Identity Tag in Settings to create a drop down for this field. |
| Description3 | Enter a single value or description and this can be set in the Configure Human Identity Tag in Settings. |
| Description4 | Enter a single value or description and this can be set in the Configure Human Identity Tag in Settings. |

2.1.2.5 Assign Tags

This section explains the steps to assign tags to the identities. Tags created for the particular attribute will be
visible here.

Note: The Assign Tag section is displayed based on the LOB selection in the Assign section.

Note: The tags visible on the Assign Tags page are configured by the Tags Ordering procedure. Tags
Ordering is compulsory, while tags that are not configured in the Tag Ordering section are optional
tags.

Select the corresponding tag values for the tag names. An admin can select multiple tag values. The selected tag values will be assigned to the asset:

2.1.3 Bulk Human Identities Creation


Creating Human Identities for onboarding in the CI application appears to be a straightforward task. Nonetheless, an identity and access management environment for a typical mid-sized or large organization is exceptionally large, and sometimes an administrator must create privileged identities in bulk. Creating them manually is not practical: it is time-consuming and fraught with the possibility of human error. As privileged Human Identity accounts are gateways to critical information, any sort of human error or mistake can prove to be catastrophic. To overcome this, ARCON CI allows administrators to add Human Identities in bulk using the bulk import function.

Note:
• If the username already exists in the ARCON CI application, the Bulk Import Sheet verifies and does not allow duplicate entries.
• With the help of the Bulk Import Sheet, the human identity can be mapped to multiple LOBs and multiple Roles/Departments.

Perform the below steps to import the identities in bulk:

1. Click the + icon at the bottom right corner of the Human Identities screen:

2. Two pop-up buttons will be displayed. Click the Import File button to create multiple identities by importing
data:

Note: The Import data screen will be displayed.

3. Click the Download Sample Template link to download the template and then save the file on your local
machine:

4. Enter the desired data in the left-aligned format into the downloaded Excel sample template and save it:

5. Click the Browse button to browse for the updated template:

6. Select the updated template file and click the Open button to upload the template:

7. After completing the upload, click the Import button to import the template and create new identities:

Note: A file imported status message will be displayed.

8. The Import screen will be displayed with the Download Uploaded File button. Click the Download Uploaded
File button to check the status of the individual identities entered in the sample Excel sheet:

Note: If you find any error status, update the human identity details accordingly and upload the file again.

9. Go to the Human Identities screen and refresh it to see the newly added identity list.
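A pre-upload check for the filled-in sheet, as an added example that is not part of the ARCON documentation or product: it flags usernames that repeat within the sheet or already exist, so rows can be corrected before the import in step 7 rather than after the status file in step 8. The CSV export, the column names (username, lob, roles), the ";" separator, case-insensitive matching and the whitespace check are assumptions of this sketch, not the layout of the vendor's template.

```python
import csv
import io

# Constructed sample: a CSV export of the filled-in template. The column names
# and the ";" separator for multiple LOBs/roles are assumptions of this sketch.
SAMPLE_SHEET = """username,lob,roles
asmith,Finance;Treasury,Approver
 bjones,Finance,Operator
ASmith,Finance,Operator
cdoe,,Operator
dlee,IT,DBA;Operator
jkhan,IT,DBA
"""

# Constructed list of usernames already present in the application.
EXISTING_USERNAMES = {"jkhan", "mpatel"}


def split_multi(cell):
    """Split a multi-value cell (several LOBs or roles) into clean values."""
    return [part.strip() for part in cell.split(";") if part.strip()]


def preflight(sheet_text, existing):
    """Return (accepted_rows, findings) for a bulk import sheet.

    findings is a list of (row_number, username, reason) tuples. Row numbers
    count from 2 because row 1 of the sheet is the header.
    """
    existing_folded = {name.casefold() for name in existing}
    seen = {}  # casefolded username -> row number of its first occurrence
    accepted, findings = [], []

    reader = csv.DictReader(io.StringIO(sheet_text))
    for row_no, row in enumerate(reader, start=2):
        raw = row.get("username") or ""
        name = raw.strip()
        key = name.casefold()
        reasons = []

        if raw != name:
            reasons.append("username has leading/trailing whitespace")
        if not name:
            reasons.append("username is empty")
        if name and key in existing_folded:
            reasons.append("username already exists in the application")
        if name and key in seen:
            reasons.append(f"duplicate of row {seen[key]}")
        elif name:
            seen[key] = row_no

        lobs = split_multi(row.get("lob") or "")
        roles = split_multi(row.get("roles") or "")
        if not lobs:
            reasons.append("no LOB given")
        if not roles:
            reasons.append("no role/department given")

        if reasons:
            findings.extend((row_no, name, reason) for reason in reasons)
        else:
            accepted.append({"username": name, "lobs": lobs, "roles": roles})

    return accepted, findings


if __name__ == "__main__":
    ok_rows, problems = preflight(SAMPLE_SHEET, EXISTING_USERNAMES)
    for row_no, name, reason in problems:
        print(f"row {row_no} ({name or '<blank>'}): {reason}")
    print(f"{len(ok_rows)} row(s) ready for import")
```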

2.1.4 Modify Details of Human Identities


When employees switch departments/positions or when there are changes in corporate regulations and
procedures, it becomes necessary to update the human identities of employees. Keeping human identity
information up to date on a regular basis showcases the organization's commitment to precision and
professionalism in its operations. This, in turn, contributes to a well-structured and efficient work environment.
ARCON CI provides a secure method for making changes to human identity details while maintaining
compliance with security standards. This segment offers guidance on adjusting human identity particulars. The
Modify screen allows you to edit the specifics of a particular human identity. Additionally, this section outlines
the process for temporarily disabling human identities, as well as activating and duplicating human identity
properties, all while ensuring security compliance.

Note: Only an Administrator with the Modify Identities privilege can modify human identity details.

Perform the below steps to modify the human identity details:

1. Navigate to the Human Identities screen and click the Modify button:

2. A Modify screen, similar to the Create screen, will be displayed. Make the required changes in the existing fields and click the Modify button:

2.1.4.1 Changing Status of the Human Identities

Suppose a human identity is suspended or takes a long leave; in such situations, it is imperative to update the status of that human identity for security reasons. The same identity account can be activated after the suspension or sabbatical duration is over.

Perform the below steps to update the status of the human identity:

1. Click the Modify button:

2. The Modify Identity screen is displayed. Go to the Human Identity Status section:

3. Choose the new status from the Human Identity Status drop-down menu.
4. Click Modify to update the status.
5. To activate a suspended/sabbatical human identity, navigate to the Suspended/Sabbatical section and
then click the Activate button:

2.1.4.2 Disabling/Activating the Human Identities

Suppose a human identity is moved out of an organization; in such situations, it is imperative to disable this human identity. Not disabling such an identity increases the security exposure and invites insider attacks or social engineering. It is important to note that ARCON CI does not allow deleting a human identity account. The reason for this is that the IT auditor needs to know which human identity accounts were disabled and under what conditions. Likewise, sometimes an admin must suspend a human identity for certain reasons. In such a situation, an admin can disable the specific human identity account for the duration of the suspension. However, the same identity account may be activated after the suspension duration is over.

Perform the below steps to disable/activate the human identity:

1. Click the Disable button on the Modify screen to temporarily drop the human identity. The human identity will move to the Disabled Human Identity list:

Note: Administrators with Drop Human Identity privileges will be able to disable a human identity.

2. To activate a disabled human identity, navigate to the Disabled section and then click the Activate button.

2.1.4.3 Multifactor Authentication Enable/Disable

Implementing MFA in identity and access management environments can significantly reduce insider and third-party attacks, including internal fraud. The risk of unauthorized access to systems can be mitigated because MFA provides additional validation layers for proving that the identity is a legitimate human identity.

An admin must perform the following steps to enable/disable MFA:

1. Click the Modify arrow and select the Multi-Factor Authentication (MFA) option:

2. Turn on/off the authentication type as required by enabling and disabling the toggle button:

2.1.4.4 Clone Human Identity

Sometimes an admin wants to duplicate a human identity profile with the same LOB, roles, assets, commands, and processes. By using a cloned human identity profile, an admin can save the time needed to create a new human identity profile. The Clone Human Identity function allows an administrator to copy a human identity profile to another human identity. An administrator can duplicate everything from one human identity account to another.

Note: Only an Administrator with the Copy Human Identity Profile privilege can copy a human identity profile from one identity to another identity.

Perform the below steps to clone the human identity profile:

1. Click the Modify arrow and select the Clone option:

2. Click the Existing Human Identity or New Human Identity radio button and then click the Next button:

a. Existing Human Identities

   Select Existing Human Identities to clone the selected identities to an existing identity. Perform the steps below to modify the existing identity entities:

   i. A Clone Group screen will be displayed. Select the Identity(s) from the Assigned Human Identity list for which you need to modify the entities:

   ii. Under Clone Role Options, enable/disable the entities that you need to clone.
   iii. Select the Replace or Merge radio button based on the requirement. Use the Replace radio button to replace the existing human identity entities with the cloned human identity entities. Use the Merge radio button to combine the cloned identity entities with the existing entities of the identity(s).
   iv. Click the Save button.

b. New Human Identity

   Select New Human Identity to clone the selected Identity entities to a new Identity. Perform the steps below to create a new Identity with the help of existing Identity entities.

   i. The Create Human Identity screen will be displayed with the cloned Identity entities:

   ii. Enter the required information on the above screen. Refer to the Create Human Identities section to understand all the fields in this Create Human Identities screen.
   iii. Fill in the required fields and then click the Create button to create a human identity:
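The effect of the Clone Role Options and the Replace/Merge choice on existing identities, modelled as an added example (not ARCON code): it previews what each target identity would gain and lose per entity category before Save is clicked. The category keys, the sample identities and the rule that a switched-off category stays unchanged on the target are assumptions of this model.

```python
# Entity categories named in the clone description above; the key spellings
# are this model's own.
CATEGORIES = ("lob", "roles", "assets", "commands", "process")


def clone_entities(source, target, enabled, mode):
    """Return the target's entities after cloning `source` onto it.

    source, target: dict of category -> set of entity names.
    enabled: categories switched on under Clone Role Options.
    mode: "replace" or "merge".
    Assumption: a category that is switched off stays unchanged on the target.
    """
    if mode not in ("replace", "merge"):
        raise ValueError(f"unknown mode: {mode!r}")
    unknown = set(enabled) - set(CATEGORIES)
    if unknown:
        raise ValueError(f"unknown categories: {sorted(unknown)}")

    result = {}
    for cat in CATEGORIES:
        current = set(target.get(cat, ()))
        cloned = set(source.get(cat, ()))
        if cat not in enabled:
            result[cat] = current            # option disabled: left as it was
        elif mode == "replace":
            result[cat] = cloned             # target's own entities are dropped
        else:
            result[cat] = current | cloned   # merge: union of both profiles
    return result


def preview(source, targets, enabled, mode):
    """Per target identity, list what the clone would add and remove."""
    report = {}
    for name, target in targets.items():
        after = clone_entities(source, target, enabled, mode)
        gained, lost = {}, {}
        for cat in CATEGORIES:
            before = set(target.get(cat, ()))
            if after[cat] - before:
                gained[cat] = sorted(after[cat] - before)
            if before - after[cat]:
                lost[cat] = sorted(before - after[cat])
        report[name] = {"gained": gained, "lost": lost}
    return report


# Constructed sample identities (not taken from any real deployment).
SOURCE = {
    "lob": {"Finance"},
    "roles": {"DBA"},
    "assets": {"db-prod-01", "db-prod-02"},
    "commands": {"restart-service"},
}
TARGETS = {
    "bjones": {
        "lob": {"Finance"},
        "roles": {"Operator"},
        "assets": {"app-test-01"},
        "commands": {"view-logs"},
    },
}

if __name__ == "__main__":
    for mode in ("replace", "merge"):
        print(mode, preview(SOURCE, TARGETS, {"roles", "assets"}, mode))
```

In this model Merge never removes anything, so the target ends up holding the union of both profiles; the gained lists are the access to review before saving.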

2.1.4.5 Bulk Update

The bulk update function enables an admin to update or modify the properties of multiple selected human identities with the same data in one click. After the required records are selected, the modification options are displayed at the top right corner of the Human Identities screen.

Bulk updates can be done with the following steps:

1. Select the check box in the grid header to select all the records or select the required records only as per
your requirement:

2. Selection of the required record will automatically enable the modification options at the top right side
of the Human Identities screen:

Refer to the table to understand the different types of modification options that are available on the Human
Identities screen.

| Options | Description |
|---|---|
| Update Categories | |
| Disable | Select to disable the selected human identities. |
| Details | Select to modify identity details for the selected human identities. |
| Security | Select to enable the type of MFA (Multifactor Authentication) you require. |
| Assign | Select to modify the identity's assigned details, such as LOB and Roles. |
| Custom | Select to customize human identities. |
| Selection Categories | |
| Select All | Select all the records available on the screen. The Select All option will be displayed after the selection of records. |
| De Select All | Deselect all the records. If all the records are selected, then the De Select All option is used to deselect all. |
| Clear Selection | Deselect all the selected records. If multiple records are selected and you want to deselect those, then the Clear Selection option is used to deselect all the selected records. |

Note: The modify pop-up options at the top right corner of the screen are similar to the modify options you get by clicking on the Modify button.

3. Select the required option to update the details and then click on the Update button to update the changes. It
will update all the selected records with the same data:

2.2 IAM Privilege


A privileged human identity has elevated rights to systems, giving the human identity all-powerful rights to
access confidential information, change system configurations, and modify information, among other privileges.

Therefore, fundamental concepts should always be adopted to ensure the principle of least privilege. For any
identity and access management environment to be secure and successful, an admin must enforce a rule that
ensures that the right person has the right access to the right resource at the right time for the right reasons.

The IAM Privilege is a functionality in ARCON CI that allows an admin to grant a set of privileges that may be
assigned to an individual identity or role.

Let us understand this by taking the example of two privileges, A and B.

• IAM Privilege A: It has two privileges, including the ability to create human identities and assets (but it cannot modify the existing identities/assets).
• IAM Privilege B: It has four privileges, including the ability to create identities and assets and to modify the created identities and assets.

An administrator can assign either IAM Privilege A or IAM Privilege B to an identity or role in order to grant the appropriate rights.

Use the following path to navigate to the IAM Privilege screen:

Administrative Console > Manage > IAM Privilege:

Refer to the table below to understand the columns displayed on the IAM Privilege screen:

| Column Name | Description |
|---|---|
| Privilege Name | It displays the name of the privilege. |
| Description | It displays information about the privilege. |
| Action | It displays the action that can be performed on the privilege. You can click Modify to update the privileges. |

Refer to the table below to understand the different sections on the IAM Privilege screen:

| Section Name | Description |
|---|---|
| Active | It displays the list of active privileges that can be assigned to any human identity. |
| In Active | It displays the list of inactive privileges. Inactive privileges are not visible while assigning the roles. This can be re-activated anytime from the In Active section. |

2.2.1 Create IAM Privilege


The IAM Privilege screen allows you to create, edit, and delete the privileges of human identities. Each privilege has a set of access rights assigned to it. Privileges are special rights, advantages, or immunity granted or available only to a particular person or group. In ARCON CI, there are two types of human identities: the Client’s human identity and the Admin’s human identity. The Client’s human identities are those who have access to only the client activity, whereas the Admin’s human identity has access to both the client and admin activity.

Perform the below steps to create an IAM Privilege:

1. Click the + icon at the bottom right corner of the IAM Privileges screen:

2. The Create Privilege screen will be displayed with four sections such as:

   • Privilege Details: This section comes with four fields to enter the privilege details such as:
      • Privilege Name: Enter a name for the privilege.
      • Description: Enter the information about the privilege.
      • LOB: Select the LOB(s) from the drop-down the privilege belongs to.
      • Active Toggle: Enable or Disable the toggle to make the privilege active or inactive respectively.
      • Group Admin: Select the group from the drop-down the privilege belongs to.
   • Client: This section helps to assign client privileges. Select the client privileges you want to assign to the new privilege.
   • Admin: This section helps to assign admin privileges. Select the admin privileges you want to assign to the new privilege.
   • Group Admin: This section helps to assign group admin privileges. Select the privileges you want to assign from the group administrative privileges for the new role. The Group Admin section will be visible after the selection of the Group Admin from the Group Admin drop-down available in the Role Details section.

3. Once all the required details are entered, click the Create button. If no privilege is selected, it will prompt you to select one privilege. It is mandatory to map a minimum of one privilege to create a privilege.

4. If all the entered details are good to proceed, the message “Are you sure want to save this privilege?” will be displayed for your approval to create the privilege:

5. Click YES to complete the privilege creation process. The privilege will be created and visible on the IAM
Privilege screen.

2.2.2 Modify IAM Privilege


Sometimes it may be necessary to modify an IAM Privilege that is given to a specific human identity to carry out
security-related operations. By creating two IAM Privileges, the administrator may decide to divide up
different responsibilities that were previously handled by one individual with a single IAM Privilege. In this
situation, the administrator must alter the current privilege and transfer the extra rights to a new IAM
Privilege. Two IAM Privileges will be generated in this manner and can be given to two distinct identities.

This section helps you to modify the details of the IAM Privilege. You can modify the details of a particular IAM
Privilege using the Modify screen.

Note: Only an Administrator with the Modify IAM Privilege privilege can modify privilege details.

Perform the below steps to modify the IAM Privilege details:

1. Navigate to the IAM Privileges screen and click the Modify button:

2. A Modify screen, similar to the Create screen, appears. Make the required changes in the existing fields and click the Modify button:

2.2.2.1 Disabling/Activating the IAM Privilege

The administrator sometimes needs to disable or activate IAM Privileges. When an IAM Privilege is not being
used, the administrator must disable it. If the administrator decides to disable an IAM Privilege, the IAM
Privilege will be suspended for a specified amount of time. The disabled IAM Privileges can also be activated as
needed.

Perform the below steps to disable/activate the privilege:

1. Navigate to the IAM Privileges screen and click the Modify button.
2. Click the Drop button to disable the privilege and the same will move to the InActive privileges list:

3. To activate a disabled IAM Privilege, navigate to the InActive section and click the Activate button:

4. Navigate to the IAM Privileges screen to verify the selected privilege has been activated:

2.2.3 Client Privileges


Client Privileges are assigned to Client or Admin type of human identities to grant special rights for accessing
reports, dashboards, logs, and other applications. Client Manager privileges include API human identity
Registration, ARCOS Applications, ARCOS Dashboard, ARCOS Delegation, ARCOS File Vault, Client Manager
Log, Manager LOB/Profile, ARCON CI Menu, Password Manager, Report - Dashboard, Report - Group Reports,
Report - LOB Reports, Report - Logs, Report - Performance Reports, Report - Privilege Reports, Report -
Security Reports, Report - Asset Reports, Report - Human Identity Reports, Report - Vault Reports and Script
Manager.

Following is the list of Client Privileges:

Client Privileges Description Feature Navigation

API Human Identity API Human Identity Human Identity with this privilege can Client Manager >
Registration Registration register Human Identities to login into Manager >
API hosted in Client's environment. Application Setting

ARCON CI Session Monitoring Human Identity with this privilege can Client Manager >
Applications configure IP Addresses to monitor files Manager > Session
and log Human Identity activities using Monitoring
File Watcher and Smart Session
Monitoring.

File Vault Human Identity with this privilege will be Client Manager > My
able to upload, download, view, or delete Access > Preferences
files in the vault. > My Vault

64
Administrative Console

Client Privileges Description Feature Navigation

AD Bridging Human Identities with this privilege will Client Manager >
be able to view the AD Bridging App in Manager
ACMO

Human Identity Human Identity with this privilege will Client Manager >
Governance Portal only be able to view and access Human Manager
Identity Governance Portal

Auto- Onboarding The Administrator/ Human Identity with Client Manager >
this privilege will only be able to auto- Manager
onboard and deboard Human Identity
and Assets from ARCON CI.

CI Logs Human Identities with this privilege will Client Manager >
only be able to view the CI Logs in Manager
ACMO

Application Gateway Human Identities with this privilege will Client Manager >
Asset only be able to view and use Application Manager
Gateway Asset.

ARCON CI Client Manager Human Identities with this privilege can Client Manager >
Configuration Privileges- View All view ALL LOB Options. Reports,
LOB
Settings > Scheduler
>Schedule Reports,
Client Manager >
Reports >
Dashboard,
Client Manager >
Dashboard

ARCON CI Dashboard Human Identities with this privilege can Client Manager >
Dashboard view useful graphical information about Dashboard
the various actions performed in ARCON
CI and can view pinned reports.

ARCON CI Delegation Human Identities with this privilege can Client Manager > My
Delegation delegate their Asset Access, Asset Access > Preferences
Password, or Asset Ticket approval rights > Delegation
to another Human Identity.

Client Manager Log View Asset Access Human Identities with this privilege will Client Manager >
Log be able to view details of Manager > Access
activity performed by Human Identities Logs
on Assets.

65
Administrative Console

Client Privileges Description Feature Navigation

View Asset Access Human Identities with this privilege will Client Manager >
Log Details be able to view details of Manager > Access
activity performed by Human Identities Logs > Details
on Assets through a video log.

Manager LOB/ View Asset Access Human Identities with this privilege will Client Manager > My
Profile Logs With Details be able to view various activities Access > My Activity
performed by him on Assets through a
video log.

ARCON CI Menu Manager Menu Client Human Identities with this Client Manager >
Display privilege will only be able to view the Manager
Manager menu in Client Manager.

Password Manager Support View Asset Administrators with this privilege along Asset Manager >
Password with Password Change Process Approver Manage > Password
privilege (Asset's Privileges) and Group Manager > Password
Admin Privileges can authorize password Change
change process as Authorising Human
And
Identities 2.
Asset Manager >
And
Manage > Human
Administrator with this privilege can Identities and Assets
authorize password view process as > Manage Assets >
Authorizing Human Identities 2. View Password

Report - Dashboard ARCOS Live Human Identities with this privilege will Client Manager >
be able to view the count and details of Reports > Dashboard
Human Identities logging into the > ARCOS Live
application, the Assets accessed by the
Human Identities, and critical and
restricted commands fired by the Human
Identities.

ARCOS PerfMonIT Human Identities with this privilege will Client Manager >
be able to view the percentage of CPU, Reports > Dashboard
RAM, and Disk Utilization of Application > ARCOS PerfMonIT
Asset, Vault Asset, and Gateway Asset in
ARCON CI and the status of all the
Assets installed on these Assets.

Enterprise Password Human Identities with this privilege will Client Manager >
be able to view Password Rotation Reports > Dashboard
Frequency, Password Policy Compliance > Enterprise
Status, Password Security Status, Password
Password Change Success- Failure Rate,
and Upcoming Password Review.

Live Asset Sessions Human Identities with this privilege will Client Manager >
be able to view a list of live sessions Reports > Dashboard
taken through ARCON CI. > Live Asset Sessions

66
Administrative Console

Client Privileges Description Feature Navigation

Human Identities Human Identities with this privilege will Client Manager >
Access & Usage be able to view the count of a number of Reports > Dashboard
times critical Assets have been accessed, > Human Identities
the same displayed in a time-based Access & Usage
manner and Asset-type wise, and the
Assets which are highly accessed.

Report - Group Assets In Asset Group Human Identities with this privilege will Client Manager >
Reports be able to view details of all the Assets Reports > Group
created in an Asset Group irrespective of Reports > Assets In
the LOBs. The details displayed in this Asset Group
report are based on the IP Address of the
Asset.

Asset Group Report Human Identities with this privilege will Client Manager >
be able to view all the Asset groups Reports > Group
created in ARCON CI. Reports > Asset
Group Report

Assets In Asset Group Human Identities with this privilege will Client Manager >
be able to view details of all the Assets Reports > Group
created in an Asset Group irrespective of Reports > Assets In
the LOBs. The details displayed in this Asset Group
report are based on the Asset Username
of Asset.

Role/Department Human Identities with this privilege will Client Manager >
Report be able to view all the Roles/ Reports > Group
Departments created in ARCON CI. Reports > Role/
Department Report

Human Identities In Human Identities with this privilege will Client Manager >
Roles/Department be able to view details of all the Human Reports > Group
Identities created in a Role/Department Reports > Human
irrespective of the LOB’s. Identities In Roles/
Department

Report - LOB Active Assets Group Human Identities with this privilege will Client Manager >
Reports Wise Report be able to view active Assets under a Reports > LOB
particular Asset Group. Reports > Active
Assets Group Wise
Report

Asset Count Report Human Identities with this privilege will Client Manager >
be able to view a graphical Reports > LOB
representation of LOB-wise status of Reports > Asset
unique IP addresses and Assets and Count Report
status of Assets LOB-wise.

67
Administrative Console

Client Privileges Description Feature Navigation

Object Status Report Human Identities with this privilege will Client Manager >
be able to view a graphical Reports > LOB
representation of the LOB-wise mapping Reports > Object
of objects and the status of Human Status Report
Identities and Assets LOB-wise.

Active Assets Report Human Identities with this privilege will Client Manager >
be able to view details of all Assets LOB- Reports > LOB
wise which are active in ARCON CI. Reports > Active
Assets Report

Active Human Human Identities with this privilege will Client Manager >
Identities Report be able to view details of all Human Reports > LOB
Identities LOB-wise who are active in Reports > Active
ARCON CI. Human Identities
Report

Inactive Assets Human Identities with this privilege will Client Manager >
Report be able to view details of all Assets, which Reports > LOB
are inactive in ARCON CI. Reports > Inactive
Assets Report

LOB Details Report Human Identities with this privilege will Client Manager >
be able to view a detailed description of Reports > LOB
all the LOB created in ARCON CI Reports > LOB
Details Report

Report - Logs Asset Request Human Identities with this privilege will Client Manager >
Workflow Logs be able to view details of all the Asset Reports > Logs
access requests raised by Human > Asset Request
Identities. Workflow Logs

Ticket Request Human Identities with this privilege will Client Manager >
Workflow Logs be able to view details of all the ticket Reports > Logs
requests raised by Human Identities in a > Ticket Request
LOB. Workflow Logs

Log Review Report Human Identities with this privilege will Client Manager >
be able to view details of all the Human Reports > Logs > Log
Identities who have accessed or viewed Review Report
the logs generated in ARCON CI.

Approval Delegation Human Identities with this privilege will Client Manager >
Report be able to view logs of delegation passed Reports > Logs
to/by, based on any particular LOB. > Approval
Delegation Report

Asset Access Log Human Identities with this privilege will Client Manager >
be able to view details of all the Assets Reports > Logs
accessed by the Human Identities. > Asset Access Log

68
Administrative Console

Client Privileges Description Feature Navigation

Session Activity Log Human Identities with this privilege will Client Manager >
be able to view the reason why the Reports > Logs
current Human Identities switched to > Session Activity
another Human Identities in ongoing Log
session.

Asset Password Human Identities with this privilege will Client Manager >
Request Workflow be able to view details of all the Asset Reports > Logs
Logs password requests raised by Human > Asset Password
Identities. Request Workflow
Logs

Day Wise Summary Human Identities with this privilege will Client Manager >
Report be able to view the date and time-wise Reports > Logs > Day
count of activities performed on Asset. Wise Summary
Report

Session Wise Human Identities with this privilege will Client Manager >
Summary Report be able to view session-wise count of Reports > Logs
activities performed on Asset along with > Session Wise
details of Asset. It displays details such as Summary Report
the count of image logs, critical
commands executed on Asset, and
restricted commands and restricted
processes attempted to execute on
Asset.

My Vault Logs Human Identities with this privilege will Client Manager >
be able to view a list of all the activities Reports > Logs > My
performed in the File Vault. It displays Vault Logs
details such as filename, extension, size,
status, added by, added on, shared on,
shared with, File Available till, Deleted
by, Deleted on, and Recorded on.

SIEM Command Logs Human Identities with this privilege will Client Manager >
Report be able to view command logs fetched Reports > Logs >
from SIEM Asset. It displays logs of SIEM Command Logs
commands executed on Linux assets. Report

APEM Logs Human Identities with this privilege will Client Manager >
be able to view logs of actions performed Reports > Logs >
via the APEM tool. Actions such as APEM Logs
opening the APEM application, reading
files, and viewing passwords are
captured in APEM logs.

69
Administrative Console

Client Privileges Description Feature Navigation

Report - New ARCON Human Identities with this privilege will Client Manager >
Performance DeskInsight Devices be able to view details of desktops Reports >
Reports integrated into ARCON CI. Performance
Reports > New
ARCON DeskInsight
Devices

MS SQL Connection Human Identities with this privilege will Client Manager >
Report be able to view details of all the Human Reports >
Identities connected to the MS SQL Performance
(Microsoft Sequel) instance on the Reports > MS SQL
ARCON CI database Asset. Connection Report

Report - Privilege Client Manager Human Identities with this privilege will Client Manager >
Reports Privilege Report be able to view the count of client Reports > Privilege
manager privileges and the Reports > Client
privileges assigned to Human Identities. Manager Privilege
Report

Group Admin Human Identities with this privilege will Client Manager >
Privilege Report be able to view the count of group admin Reports > Privilege
privileges and the privileges assigned to Reports > Group
Admin Human Identities. Admin Privilege
Report

Asset Human Identities with this privilege will Client Manager >
Manager Privilege be able to view the count of Asset Reports > Privilege
Report Manager privileges and the privileges Reports > Asset
assigned to Admin Human Identities. Manager Privilege
Report

Human Identities & Human Identities with this privilege will Client Manager >
Asset Privileges - be able to view the count of command Reports > Privilege
Windows RDP privileges and the list of privileges Reports > Human
assigned to Client or Admin Human Identities & Asset
Identities, which are mapped to Windows Privileges - Windows
RDP (Remote Desktop Protocol) Asset RDP
type.

Report - Security Critical Commands Human Identities with this privilege will Client Manager >
Reports Executed Report be able to view details of all the critical Reports > Security
commands executed on Assets. Reports > Critical
Commands Executed
Report

Restricted Commands Human Identities with this privilege will Client Manager >
Executed Report be able to view details of all the Reports > Security
restricted commands executed by Reports > Restricted
Human Identities. Commands Executed
Report

70
Administrative Console

| Client Privileges | | Description | Feature Navigation |
|---|---|---|---|
| | High Usage (in hrs) Assets Report | Human Identities with this privilege will be able to view the count of Assets that are highly accessed. | Client Manager > Reports > Security Reports > High Usage (in hrs) Assets Report |
| | Invalid Login Attempts Report | Human Identities with this privilege will be able to view the count/number of invalid login attempts made by Human Identities. | Client Manager > Reports > Security Reports > Invalid Login Attempts Report |
| | Low Usage (in days) Assets Report | Human Identities with this privilege will be able to view the count/number of Assets that are accessed rarely. | Client Manager > Reports > Security Reports > Low Usage (in days) Assets Report |
| | Multiple Desktop Logon Report | Human Identities with this privilege will be able to view details of desktop IP used by Human Identities to log in to ARCON CI. | Client Manager > Reports > Security Reports > Multiple Desktop Logon Report |
| | Multiple Human Identities Logon Report | Human Identities with this privilege will be able to view details of Human Identities who have logged into ARCON CI from different IPs/desktops. | Client Manager > Reports > Security Reports > Multiple Human Identities Logon Report |
| | Network Segment Wise Logon Report | Human Identities with this privilege will be able to view details of all the Human Identities who have logged into ARCON CI through any network device configured in Network Segments in Default Configuration. | Client Manager > Reports > Security Reports > Network Segment Wise Logon Report |
| | Asset Accessed - Multiple Times Report | Human Identities with this privilege will be able to view details of Assets accessed multiple times by Human Identities. | Client Manager > Reports > Security Reports > Asset Accessed - Multiple Times Report |
| | Human Identities Asset Accessed - Multiple Times Report | Human Identities with this privilege will be able to view the number of times Human Identities have accessed Assets between the defined range. | Client Manager > Reports > Security Reports > Human Identities Asset Accessed - Multiple Times Report |

| Client Privileges | | Description | Feature Navigation |
|---|---|---|---|
| Report - Asset Reports | Multiple Asset Reference No. Report | Human Identities with this privilege will be able to view details of reference numbers provided by the Human Identities before accessing any Asset. | Client Manager > Reports > Asset Reports > Multiple Asset Reference No. Report |
| | Unique Assets IP Address Report | Human Identities with this privilege will be able to view details of all the Assets having unique IP addresses. | Client Manager > Reports > Asset Reports > Unique Assets IP Address Report |
| | Active Assets Report | Human Identities with this privilege will be able to view details of Assets that are active in ARCON CI, irrespective of the LOBs. | Client Manager > Reports > Asset Reports > Active Assets Report |
| | Asset Accessed Summary Report | Human Identities with this privilege will be able to view a monthly summary report of all the Assets that are accessed by the Human Identities. | Client Manager > Reports > Asset Reports > Asset Accessed Summary Report |
| | Active Sessions Report | Human Identities with this privilege will be able to view details of all the Asset sessions that are currently active in ARCON CI. | Client Manager > Reports > Asset Reports > Active Sessions Report |
| | Scheduled Password Change Assets | Human Identities with this privilege will be able to view details of all the Assets that are scheduled for the password change process. | Client Manager > Reports > Asset Reports > Scheduled Password Change Assets |
| | Asset Accessed Summary Days Wise Report | Human Identities with this privilege will be able to view the total count of the Assets accessed on a daily basis. | Client Manager > Reports > Asset Reports > Asset Accessed Summary Days Wise Report |
| | Password Envelope Print Report | Human Identities with this privilege will be able to view details of Human Identities who have printed password envelopes and those who have verified the process. | Client Manager > Reports > Asset Reports > Password Envelope Print Report |
| | Asset Dependency Report | Human Identities with this privilege will be able to view details of all the Assets that have dependent Assets. | Client Manager > Reports > Asset Reports > Asset Dependency Report |

| Client Privileges | | Description | Feature Navigation |
|---|---|---|---|
| | Assets in Domain | Human Identities with this privilege will be able to view details of all the Assets in a domain irrespective of the LOBs. The details displayed in this report are based on the IP Address of the Asset. | Client Manager > Reports > Asset Reports > Assets in Domain |
| | Assets in Domain | Human Identities with this privilege will be able to view details of all the Assets in a domain irrespective of the LOBs. The details displayed in this report are based on Asset Username. | Client Manager > Reports > Asset Reports > Assets in Domain |
| | Asset Group wise Asset Type Report | Human Identities with this privilege will be able to view Asset Types of Assets assigned to Asset Groups. | Client Manager > Reports > Asset Reports > Asset Group wise Asset Type Report |
| | Asset Creation Deletion Summary Report | Human Identities with this privilege will be able to view all the created and deleted assets. | Client Manager > Reports > Asset Reports > Asset Creation Deletion Summary Report |
| | Asset Timeline Report | Human Identities with this privilege will be able to view the timelines of all the assets. | Client Manager > Reports > Asset Reports > Asset Timeline Report |
| | Asset Creation Deletion Details Report | Human Identities with this privilege will be able to view all the details of the created and deleted assets. | Client Manager > Reports > Asset Reports > Asset Creation Deletion Details Report |
| Report - Human Identities Reports | Idle Human Identities Report | Human Identities with this privilege will be able to view details of all the Human Identities that are idle for the selected LOB. | Client Manager > Reports > Human Identities Reports > Idle Human Identities Report |
| | Human Identities & Asset Mapping Report | Human Identities with this privilege will be able to view LOB-wise Human Identities and Asset mapping details. | Client Manager > Reports > Human Identities Reports > Human Identities & Asset Mapping Report |

| Client Privileges | | Description | Feature Navigation |
|---|---|---|---|
| | Human Identities Last Logon Report | Human Identities with this privilege will be able to view Human Identities’ last logon details into the ARCON CI application. | Client Manager > Reports > Human Identities Reports > Human Identities Last Logon Report |
| | Human Identities Biometric Auth Report | Human Identities with this privilege will be able to view details of Human Identities who have configured only the bio-metric authorization to make the login process more secure. | Client Manager > Reports > Human Identities Reports > Human Identities Biometric Auth Report |
| | Human Identities Biometric Auth Report - All LOB | Human Identities with this privilege will be able to view details of Human Identities who have configured only the bio-metric authorization to make the login process more secure for all LOBs. | Client Manager > Reports > Human Identities Reports > Human Identities Biometric Auth Report - All LOB |
| | Human Identities Mobile OTP Auth Report | Human Identities with this privilege will be able to view details of Human Identities who have configured mobile authorization, to make the login process more secure. | Client Manager > Reports > Human Identities Reports > Human Identities Mobile OTP Auth Report |
| | Human Identities Hardware Auth Report | Human Identities with this privilege will be able to view details of the Human Identities who have configured Hardware Token authorization, to make the login process more secure. | Client Manager > Reports > Human Identities Reports > Human Identities Hardware Auth Report |
| | Human Identities SMS OTP Auth Report | Human Identities with this privilege will be able to view details of the Human Identities who have configured SMS OTP authorization, to make the login process more secure. | Client Manager > Reports > Human Identities Reports > Human Identities SMS OTP Auth Report |
| | Active Human Identities Report | Human Identities with this privilege will be able to view details of all Human Identities who are active in ARCON CI irrespective of the LOBs. | Client Manager > Reports > Human Identities Reports > Active Human Identities Report |
| | Inactive Human Identities Report | Human Identities with this privilege will be able to view details of all Human Identities who are inactive in ARCON CI irrespective of the LOBs. | Client Manager > Reports > Human Identities Reports > Inactive Human Identities Report |

| Client Privileges | | Description | Feature Navigation |
|---|---|---|---|
| | Dual Factor Auth Configuration Report | Human Identities with this privilege will be able to view details of Human Identities who have configured the dual factor authorization to make the login process more secure. | Client Manager > Reports > Human Identities Reports > Dual Factor Auth Configuration Report |
| | Locked Out Human Identities Report | Human Identities with this privilege will be able to view details of Human Identities who have tried to log in using an invalid password and exceeded the value configured in lockout attempts in Application Configuration (Default Configuration). | Client Manager > Reports > Human Identities Reports > Locked Out Human Identities Report |
| | Dormant Human Identities Report | Human Identities with this privilege will be able to view details of Human Identities who have not used their account for the configured number of dormancy days in Application Configuration (Default Configuration). | Client Manager > Reports > Human Identities Reports > Dormant Human Identities Report |
| | Last Asset Accessed Report | Human Identities with this privilege will be able to view details of the last Asset accessed by Human Identities. | Client Manager > Reports > Human Identities Reports > Last Asset Accessed Report |
| | Consolidated Human Identities & Asset Mapping Report | Human Identities with this privilege will be able to view the total count of all the Assets mapped to Human Identities. | Client Manager > Reports > Human Identities Reports > Consolidated Human Identities & Asset Mapping Report |
| | Human Identities Dormant in next 5-day Report | Human Identities with this privilege will be able to view details of Human Identities whose accounts will be dormant in the next 5 days. | Client Manager > Reports > Human Identities Reports > Human Identities Dormant in the next 5 day Report |
| | Human Identities Creation Deletion Summary Report | Human Identities with this privilege will be able to view a summary of Human Identities creation and deletion. | Client Manager > Reports > Human Identities Reports > Human Identities Creation Deletion Summary Report |

| Client Privileges | | Description | Feature Navigation |
|---|---|---|---|
| Report - Vault Reports | Asset Password Envelope Print Status Report | Human Identities with this privilege will be able to view details of all the Assets for which the password envelope has been generated. | Client Manager > Reports > Vault Reports > Asset Password Envelope Print Status Report |
| | Restore Asset Password Option Used | Human Identities with this privilege will be able to view the list of Human Identities who used the Restore Asset Password option. | Client Manager > Reports > Vault Reports > Restore Asset Password Option Used |
| | Asset Password Age Report | Human Identities with this privilege will be able to view the age of the Asset password, i.e. the number of days for which the password of the Asset is active in ARCON CI. | Client Manager > Reports > Vault Reports > Asset Password Age Report |
| | Asset Password Change Failed (Asset Unavailable) Report | Human Identities with this privilege will be able to view details of all the Assets whose password change has failed due to Asset downtime. | Client Manager > Reports > Vault Reports > Asset Password Change Failed (Asset Unavailable) Report |
| | Asset Password Changed Status Report | Human Identities with this privilege will be able to view details of all the Assets whose passwords have been successfully changed since the Asset was created. | Client Manager > Reports > Vault Reports > Asset Password Changed Status Report |
| | Asset Password Expires In 5 Days Report | Human Identities with this privilege will be able to view details of those Assets whose passwords will expire in 5 days. | Client Manager > Reports > Vault Reports > Asset Password Expires In 5 Days Report |
| | Asset Password Manually Changed Report | Human Identities with this privilege will be able to view details of all the Assets whose passwords are changed manually. | Client Manager > Reports > Vault Reports > Asset Password Manually Changed Report |
| | Asset Password Never Changed Report | Human Identities with this privilege will be able to view details of all the Assets whose passwords are never changed either manually or through the password change process. | Client Manager > Reports > Vault Reports > Asset Password Never Changed Report |

| Client Privileges | | Description | Feature Navigation |
|---|---|---|---|
| | Asset Password Check-Out Report | Human Identities with this privilege will be able to view details of the Human Identities who requested to view the Asset password for a desired number of hours. | Client Manager > Reports > Vault Reports > Asset Password Check Out Report |
| | Asset Password Changed Success-Failed Report | Human Identities with this privilege will be able to view the password change status for the Assets. | Client Manager > Reports > Vault Reports > Asset Password Changed Success-Failed Report |
| | Asset Password Security Status | Human Identities with this privilege will be able to view details of all the Assets whose passwords are in the open or closed state. | Client Manager > Reports > Vault Reports > Asset Password Security Status |
| | Asset Password Vaulting Summary Report | Human Identities with this privilege will be able to view the LOB-wise summary of all the Assets whose passwords have been changed. | Client Manager > Reports > Vault Reports > Asset Password Vaulting Summary Report |
| | Current Password Status Report | Human Identities with this privilege will be able to view the current status of the Asset password and other password change details. | Client Manager > Reports > Vault Reports > Current Password Status Report |
| | SPC not Configured Report | Human Identities with this privilege will be able to view details of Assets for which SPC has not been configured. | Client Manager > Reports > Vault Reports > SPC not Configured Report |
| | SPC Success and Failed Report | Human Identities with this privilege will be able to view details of Asset password changes through SPC Asset. | Client Manager > Reports > Vault Reports > SPC Success and Failed Report |
| | Human Identities Extracting Password Envelope | Human Identities with this privilege will be able to view details of Human Identities who have printed Password Envelopes. | Client Manager > Reports > Vault Reports > Human Identities Extracting Password Envelope |

| Client Privileges | | Description | Feature Navigation |
|---|---|---|---|
| | Asset Reconcile Status Report | Human Identities with this privilege will be able to view the status of the assets’ reconciliation. | Client Manager > Reports > Vault Reports > Asset Reconcile Status Report |
| | Mobile OTP Auth Status Report | Human Identities with this privilege will be able to view the status of the mobile OTP configuration process. | Client Manager > Reports > Vault Reports > Mobile OTP Auth Status Report |
| | Assets Scheduled for SPC | Human Identities with this privilege will be able to view details of Assets for which SPC has been scheduled. | Client Manager > Reports > Vault Reports > Assets Scheduled for SPC |
| | Asset Password Never Changed Report - All LOB | Human Identities with this privilege will be able to view details of all the Assets whose passwords are never changed either manually or through the password change process for all LOBs. | Client Manager > Reports > Vault Reports > Asset Password Never Changed Report - All LOB |
| | Asset Password Changed Status Report - All LOB | Human Identities with this privilege will be able to view details of all the Assets whose passwords have been successfully changed since the Asset was created for all LOBs. | Client Manager > Reports > Vault Reports > Asset Password Changed Status Report - All LOB |
| Notifications_Asset | Asset Password Change Scheduled | Human Identities with this privilege will be notified before the configured number of days in Settings Asset Password Change Scheduled Days (number of days). For example, if the configured value is set to 5, then Human Identities will be notified 5 days before password expiry. | Client Manager > Notifications |
| | Asset Expiry Due | Human Identities with this privilege will be notified before the configured number of days in Settings Asset Expiry Days (number of days). For example, if the configured value is set to 5, then Human Identities will be notified 5 days before Asset expiry. | Client Manager > Notifications |
| Script Manager | Create New Script | Human Identities with this privilege will be able to create a new script. | Client Manager > Manager > Script Manager > Add New Script |

| Client Privileges | | Description | Feature Navigation |
|---|---|---|---|
| | Edit Script | Human Identities with this privilege will be able to edit an existing script. | Client Manager > Manager > Script Manager > Edit Script |
| | Run Script | Human Identities with this privilege will be able to run a script. | Client Manager > Manager > Script Manager > Run Script |
| About | Edit Contact | Human Identities with this privilege will be able to Edit/Add contact details on the ACMO about page. | Client Manager > About |

2.2.4 Admin Privileges


Admin Privileges are assigned to the Admin type of Human Identities to grant special rights for Human Identities
management, Asset management, group management, password management, accessing logs, and other
applications. Asset privileges include Application Password Change, Application Password Change - HP
SiteScope, ARCOS Configuration, Command Profiler, Log Viewer, Manage Group, Manage LOB / Profile,
Manage Assets, Manage Tab, Manage Human Identities, Password Manager, and Tools Tab.

Following is the list of Admin Privileges:

| Admin Privilege | | Description | Feature Navigation |
|---|---|---|---|
| Application Password Change | HP SiteScope | Administrator with this privilege can change the configuration file process. | Asset Manager > Tools > Application Password Change > HP SiteScope |
| Application Password Change - HP SiteScope | Configuration - Add Asset | Administrator with this privilege can add Assets to the configuration list. | Asset Manager > Tools > Application Password Change > HP SiteScope > Configuration |
| | Configuration - Remove Asset | Administrator with this privilege can remove Assets from the configuration list. | Asset Manager > Tools > Application Password Change > HP SiteScope > Configuration |
| | Change Configuration File | Administrator with this privilege can change the Configuration file process. | Asset Manager > Tools > Application Password Change > HP SiteScope > Change Password - Configuration File |
| ARCON CI Configuration | IP / MAC Filter | Administrator with this privilege can configure all the IP addresses, MAC addresses, Processor IDs, and BIOS Serial IDs which have been blocked or allowed for desktop-level access. | Asset Manager > Tools > IP / MAC Filter |

| Admin Privilege | | Description | Feature Navigation |
|---|---|---|---|
| | Alert And Notification Configuration | Administrator with this privilege can configure alerts and the Human Identities who will receive alert notifications. | ACMO > Manager > Settings > Alert & Notification > Alert and Notification Configuration |
| | Scheduler Master | Administrator with this privilege can configure a scheduler to send reports and password envelopes through email. | ACMO > Manager > Settings > Scheduler > Scheduler Master |
| | Schedule Reports | Administrator with this privilege can configure reports to be sent through email and saved on a preferred path. | ACMO > Manager > Settings > Scheduler > Schedule Reports and Logs |
| | ARCOS Workflow Approval Matrix | Administrator with this privilege can configure approval levels for each transaction or operation performed by Administrator. | ACMO > Manager > Settings > Workflow > Admin Activities > Workflow Approval Matrix |
| | Human Identities Request Approval Workflow | Administrator with this privilege can configure approval levels for the request raised by the Human Identities for Asset access, Asset password, Asset ticket, and critical command. | ACMO > Manager > Settings > Workflow > Raise Request > Human Identities Request Approval Workflow |
| | Default Configuration | Administrators with this privilege who also have configuration privileges under Default Configuration, such as Application Configuration and Domain Configuration, can create or modify the respective configuration. | ACMO > Manager > Settings |

| Admin Privilege | | Description | Feature Navigation |
|---|---|---|---|
| | LOB / Profile Default Configuration | Administrator with this privilege can map different LOBs to a particular Asset, initiate scheduled password change processes, help to retain logs, and apply command profiles to the Assets mapped under a particular Role/Department. | ACMO > Manager > Settings |
| | Asset Classification | Administrator with this privilege can define the classification for an Asset such as critical, data, or antivirus Asset. | ACMO > Manager > Settings > Asset > Asset Modifications > Asset Classification |
| | Asset Critical Commands | Administrator with this privilege can define a critical command for an Asset. | ACMO > Manager > Settings > Asset > Asset Security > Asset Critical Commands |
| | ARCOS Asset Master | Administrator with this privilege can add or modify Assets such as application Assets, database Assets, gateway Assets, and DR Assets. | ACMO > Manager > Settings > General > ARCOS Asset Master |
| | Application Configuration | Administrator with this privilege can enable the Administrator to design local Human Identities account policy and manage Human Identities' login according to the policy. | ACMO > Manager > Settings > Session > Time Control > Application Configuration |
| | Domain Configuration | Administrators with this privilege can configure different domains. | ACMO > Manager > Settings > Domain > Configure > Domain Configuration |
| | Asset Reference / Call Log | Administrators with this privilege can enable a confirmation message box, which prompts for the ticket number and the reason for accessing a particular Asset in Client Manager. | ACMO > Manager > Settings > Ticket > Asset Type > Asset Reference/Call Log |

| Admin Privilege | | Description | Feature Navigation |
|---|---|---|---|
| | Log Manager Asset | Administrators with this privilege can configure Log Manager Asset. | ACMO > Manager > Settings > Log > Capture > Log Manager Asset |
| | VPN Assets | Administrators with this privilege can configure VPN Assets. | ACMO > Manager > Settings > Network/Connection > Gateway > VPN Assets |
| | Asset Reference Template | Administrators with this privilege can configure templates that prompt Human Identities before accessing Asset from Client Manager. | ACMO > Manager > Settings > Ticket > Template > Asset Reference Template |
| | Advanced Utility | Administrators with this privilege can convert the font of the Asset Host Name and Asset Domain Name to uppercase. | ACMO > Manager > Settings > Asset > Asset Modifications > Advanced Utility |
| | Hardware Token - Radius Assets | Administrators with this privilege can configure values for authentication of an RSA portal. | ACMO > Manager > Settings > Group > 2FA > Hardware Token – Radius Assets |
| | Password Dictionary | Administrators with this privilege can configure default passwords. | ACMO > Manager > Settings > Password > Password Change > Password Dictionary |
| | SMTP Configuration | Administrators with this privilege can configure email settings to send alerts and notifications to approvers. Also, Admin can configure IMAP Settings for the approver to reply through email for approving or rejecting the raised request. | ACMO > Manager > Settings > Alert & Notifications > Configure > SMTP Configuration |
| | ARCOS Message Board | Administrators with this privilege can configure messages to be displayed on pages after or before login. | ACMO > Manager > Settings > Alert & Notifications > ARCON CI Message Board |
| | Dual Factor IP Range | Administrators with this privilege can define the range of IP Addresses to be configured for the ‘Dual Factor type’. | ACMO > Manager > Settings > Group > 2FA > Dual Factor IP Range |

| Admin Privilege | | Description | Feature Navigation |
|---|---|---|---|
| | SMS Gateway Configuration | Administrators with this privilege can configure SMS Gateway Asset details. | ACMO > Manager > Settings > Alert & Notifications > Configure > SMS Gateway Configuration |
| | Asset Monitoring System | Administrators with this privilege can configure details to validate whether the Asset or the Asset is already monitored by some monitoring system. | ACMO > Manager > Settings > API > Asset Creation Validator > Asset Monitoring System |
| | Human Identities Door Access Authentication | Administrators with this privilege can enable and configure values for applications to authenticate or check the Human Identities’ physical presence within the premise. | ACMO > Manager > Settings > Group > 2FA > Human Identities Door Access Authentication |
| | Password Change Defaults | Administrators with this privilege can configure settings of password change for different operating systems and Asset types such as Windows, Linux, and Oracle. | ACMO > Manager > Settings > Password > Password Change > Password Change Defaults |
| | Voice Biometric Authentication | Administrators with this privilege can configure web Assets for authentication before logging into Client Manager. | ACMO > Manager > Settings > Group > 2FA > Voice Bio Metric Configuration |
| | ARCOS Staging Log Asset | Administrators with this privilege can configure Asset details where logs will be stored before they are transferred to Database Asset. | ACMO > Manager > Settings > Log > Capture > ARCON CI Staging Log Asset |
| | Web API Configuration | Administrators with this privilege can configure a number of configuration types such as URL, description, method, API ID, username, and password. | ACMO > Manager > Settings > API > API Configure > Web API Configuration |

| Admin Privilege | | Description | Feature Navigation |
|---|---|---|---|
| | Network Segments | Administrators with this privilege can configure a range of IP Addresses. The Network Segment Wise Logon report displays details based on this configuration. | ACMO > Manager > Settings > Group > Machine Control > Network Segments |
| | Settings | Administrators with this privilege can configure critical configurations which affect the application at the Global level. | ACMO > Manager > Settings |
| | Schedule Password Envelope | Administrator with this privilege can configure password envelopes to be sent through email. | ACMO > Manager > Settings > Log > Scheduler > Schedule Password Envelope |
| | LOB-wise Global Configuration | Administrator with this privilege can configure values to automate Human Identities to Asset mapping when they are added to their respective Human Identities and Asset groups. | ACMO > Manager > Settings > LOB |
| | ARCOS Asset Configuration | Administrator with this privilege can configure Asset details like UAT, Production, and Application Asset which are displayed in About (Client Manager). | ACMO > Manager > Settings > General > ARCON CI Asset Configuration |
| | ARCON CI Web API Registration | Administrator with this privilege can configure machine details through which Human Identities can view the password of Asset. | ACMO > Manager > Settings > API > Registered Machines > Web API Registration |
| | API Reference Mapping | Administrator with this privilege can enable ARCON API to notify Third Party API about Asset password change in ARCON CI. | ACMO > Manager > Settings > API > 3rd Party API Notifier > API Reference Mapping |

| Admin Privilege | | Description | Feature Navigation |
|---|---|---|---|
| | Outside ARCON CI Access Configuration | Administrator with this privilege can enable monitoring of Assets accessed outside ARCON CI and configure actions such as sending an alert or blocking access. | ACMO > Manager > Settings > Asset > Asset Security |
| | Generic Scheduler Settings | Administrator with this privilege can configure critical configurations which will be used by ARCON CI Assets and executable files. | ACMO > Manager > Settings > Password > Generic Scheduler Setting |
| | Custom Commands Configuration | Administrator with this privilege can configure custom commands required for password change. | ACMO > Manager > Settings > Password > Password Change > Custom Command Configuration |
| Command Profiler | Command Profiler | Administrator with this privilege can create, modify, or delete Elevate and Blacklist profiles. | ACMO > Manager > Settings > Group > Apply Command Profile |
| Log Viewer | View Command Log | Administrator with this privilege can view logs of the commands fired after connecting to the Asset. | ACMO > Manager > Session Monitoring > Command Logs |
| | View Audit Log | Administrator with this privilege can view details for the activities performed in the Asset Manager. | ACMO > Manager > CI Logs > Audit Logs |
| | View Human Identities Access Log | Administrator with this privilege can view login and logout details of the Human Identities who have accessed the ARCON CI application. | ACMO > Manager > CI Logs > Human Identities Access Logs |
| | View Asset Access Log | Administrator with this privilege can view detailed logs of the Assets accessed by the Human Identities in the ARCON CI application. | ACMO > Manager > Session Monitoring > Asset Access Logs |

| Admin Privilege | | Description | Feature Navigation |
|---|---|---|---|
| | View Process Log | Administrator with this privilege can view details of the processes executed on Windows Asset when an Asset is accessed through ARCON CI. | ACMO > Manager > Session Monitoring > Process Logs |
| | View Asset Password Status Log | Administrator with this privilege can view details of the Asset password status for the Assets in ARCON CI. | ACMO > Manager > CI Logs > Asset Password Status |
| | Download Video Log | Administrator with this privilege can download video logs of Command logs, Process Logs, and Asset Logs. | ACMO > Manager > Session Monitoring > Process Logs (or Command Logs or Asset Logs) > Video Log |
| | View Application Logs | Administrator with this privilege can view error logs of the Client Manager application. | Asset Manager > Manage > Application Logs |
| | Real-Time Session Monitoring | Administrator with this privilege can monitor real-time sessions. | ACMO > Manager > General > Real Time Session Monitoring - Is Enabled |
| | Human Identities Activity Log | Administrator with this privilege can view SSM and File Watcher text and video logs. | ACMO > Manager > Session Monitoring > Human Identities Activity Log |
| | View Envelope Log | Administrators with this privilege can view the print password envelope logs. | ACMO > Manager > CI Logs > Process Logs |
| Manage Group | Add Group | Administrator with this privilege can create Human Identities and Asset groups. | ACMO > Manager > Administrative Console > Manage > Role/Departments/Asset Groups |
| | Modify Group | Administrator with this privilege can modify Human Identities and Asset groups. | ACMO > Manager > Administrative Console > Manage > Role/Departments/Asset Groups |
| | Drop Group | Administrator with this privilege can delete Human Identities and Asset groups. | ACMO > Manager > Administrative Console > Manage > Human Identities |

| Admin Privilege | | Description | Feature Navigation |
|---|---|---|---|
| | Assign Asset Group To Role/Department | Administrator with this privilege can perform Human Identities to Asset group mapping. | ACMO > Manager > Administrative Console > Manage > Human Identities |
| | Revoke Asset Group From Role/Department | Administrator with this privilege can revoke Human Identities to Asset group mapping. | ACMO > Manager > Administrative Console > Manage > Human Identities |
| | Read Only Access | Administrator with this privilege can view details displayed under Role/Departments/Asset Groups. | ACMO > Manager > Administrative Console > Manage > Role/Departments/Asset Groups |
| Manage LOB / Profile | Add New LOB | Administrator with this privilege can create new LOB and view all the LOBs in Select LOB/Profile dropdown on the Administrative Console Home Page. | ACMO > Manager > Administrative Console > Manage > LOBs |
| | Modify LOB | Administrator with this privilege can modify the LOB name, description, address, and Report Header of the existing LOB. | ACMO > Manager > Administrative Console > Manage > LOBs |
| | Assign LOB To Asset Group | Administrator with this privilege can map Asset Group to a particular LOB. | ACMO > Manager > Administrative Console > Manage > LOBs |
| | Revoke LOB From Asset Group | Administrator with this privilege can remove Asset groups from a particular LOB. | ACMO > Manager > Administrative Console > Manage > LOBs |
| | Assign LOB To Role/Department | Administrator with this privilege can map Role/Departments to LOB. | ACMO > Manager > Administrative Console > Manage > LOBs |
| | Revoke LOB From Role/Department | Administrator with this privilege can remove Roles/Departments from a particular LOB. | ACMO > Manager > Administrative Console > Manage > LOBs |
| | Assign LOB To Asset | Administrator with this privilege can map Assets to a particular LOB. | ACMO > Manager > Administrative Console > Manage > LOBs |

| Category | Admin Privilege | Description | Feature Navigation |
| --- | --- | --- | --- |
| | Revoke LOB From Asset | Administrator with this privilege can remove Assets from a particular LOB. | ACMO > Manager > Administrative Console > Manage > LOBs |
| | Assign LOB To Human Identities | Administrator with this privilege can map Human Identities to a particular LOB. | ACMO > Manager > Administrative Console > Manage > LOBs |
| | Revoke LOB From Human Identities | Administrator with this privilege can remove Human Identities from a particular LOB. | ACMO > Manager > Administrative Console > Manage > LOBs |
| Manage Assets | Add Asset | Administrator with this privilege can create Assets. | ACMO > Manager > Administrative Console > Manage > Asset |
| | Modify Asset | Administrator with this privilege can modify Assets. | ACMO > Manager > Administrative Console > Manage > Asset |
| | Drop Asset | Administrator with this privilege can disable or delete Assets. | ACMO > Manager > Administrative Console > Manage > Asset |
| | Assign Asset To Asset Group | Administrator with this privilege can map Assets to a particular Asset Group. | ACMO > Manager > Administrative Console > Manage > Asset |
| | Revoke Asset From Asset Group | Administrator with this privilege can remove Assets mapped to Asset Group. | ACMO > Manager > Administrative Console > Manage > Asset |
| | Assign Asset To Human Identities | Administrator with this privilege can map Assets to particular Human Identities. | ACMO > Manager > Administrative Console > Manage > Asset |
| | Revoke Asset From Human Identities | Administrator with this privilege can remove Assets from particular Human Identities. | ACMO > Manager > Administrative Console > Manage > Asset |
| | Windows Connection Asset | Administrator with this privilege can add ARCON CI Windows Asset to an Asset created in ARCON CI, so if the password is changed for a particular Asset with Password Manager then the password of the dependent Asset is also changed. | Administrative Console > Manage > Windows Connection Password Dependency > Windows Assets |

| Category | Admin Privilege | Description | Feature Navigation |
| --- | --- | --- | --- |
| | Windows Connection DCOM | Administrator with this privilege can add DCOM Asset to an Asset created in ARCON CI, so if the password is changed for a particular Asset with Password Manager then the password of the DCOM Asset is also changed. | Administrative Console > Manage > Windows Connection Password Dependency > Windows DCOM |
| | Windows Connection Task | Administrator with this privilege can add Windows Asset to an Asset created in ARCON CI, so if the password is changed for a particular Asset with Password Manager then the password of the dependent task is also changed. | Administrative Console > Manage > Windows Connection Password Dependency > Windows Task |
| | Read Only Access | Administrator with this privilege can view details displayed under Asset. | ACMO > Manager > Administrative Console > Manage > Asset |
| | Bulk /update Assets | Administrators with this privilege can perform a bulk update of Assets | ACMO > Manager > Administrative Console > Manage > Asset |
| Manage Tab | ARCON CI Workflow Tracker | Administrator with this privilege can view workflow approval matrix logs, Human Identities request approval overriding workflow logs, and ticket request workflow logs. | Asset Manager > Manage > ARCON CI Workflow Tracker |
| Manage Human Identities | Add Human Identities | Administrator with this privilege can create Human Identities. | ACMO > Manager > Administrative Console > Manage > Human Identities |
| | Modify Human Identities | Administrator with this privilege can modify Human Identities details. | ACMO > Manager > Administrative Console > Manage > Human Identities |
| | Drop Human Identities | Administrator with this privilege can disable Human Identities. | ACMO > Manager > Administrative Console > Manage > Human Identities |
| | Assign Role/Department | Administrator with this privilege can map Human Identities to a particular Role/Department. | ACMO > Manager > Administrative Console > Manage > Human Identities |

| Category | Admin Privilege | Description | Feature Navigation |
| --- | --- | --- | --- |
| | Revoke Role/Department | Administrator with this privilege can remove Human Identities mapped to Roles/Departments. | ACMO > Manager > Administrative Console > Manage > Human Identities |
| | Admin Privileges | Administrator with this privilege can edit privileges. | ACMO > Manager > Administrative Console > Manage > Human Identities |
| | Change Human Identities Restricted Commands | Administrator with this privilege can configure restricted commands, add critical commands for approval, apply Configuration Commands, Blacklist profiles, and Elevate profiles to Human Identities and Asset mapping. | Asset Manager > Manage > Human Identities and Assets > Manage Commands And Asset Manager > Manage > Human Identities and Assets > Manage Processes |
| | Human Identities Access Governance Reviewer | The Administrator having Human Identities Access Governance Reviewer privilege shall be able to review the assets mapped to the Human Identities | ACMO > Manager > Human Identities Access Governance |
| | Copy Human Identities Profile | Administrator with this privilege can copy entities such as LOB, Role/Department, Assets, Commands, or Processes assigned to one Human Identities to another Human Identities. | ACMO > Manager > Administrative Console > Manage > Human Identities |
| | Read Only Access | Administrator with this privilege can view details displayed under Human Identities | ACMO > Manager > Administrative Console > Manage > Human Identities |
| | Edit Human Identities Settings | The Administrator with this privilege shall only be able to edit Human Identities settings. | ACMO > Manager > Administrative Console > Manage > Human Identities |

| Category | Admin Privilege | Description | Feature Navigation |
| --- | --- | --- | --- |
| Password Manager | Change Password | Administrator with this privilege can change the password of an Asset. | Asset Manager > Manage > Password Manager > Password Change And Asset Manager > Manage > Human Identities and Assets > Manage Assets > Change Password Manually |
| | View Asset Password | Administrator with this privilege can view the password of an Asset. | Asset Manager > Manage > Human Identities and Assets > Manage Assets > View Password |
| | Generate Asset Password Envelope | Administrator with this privilege can print password envelopes with Envelope Status as Generated. | Asset Manager > Manage > Password Manager > Print Password Envelope |
| | Print Asset Password Envelope | Administrator with this privilege can print password envelopes in PDF or Pin Mailer format. | Asset Manager > Manage > Password Manager > Print Password Envelope > Print Envelope(s) |
| | Reprint Asset Password Envelope | Administrator with this privilege can print password envelopes with Envelope Status as Printed, First Reprint, Second Reprint, Third Reprint, Fourth Reprint, Fifth Reprint, Sixth Reprint, Seventh Reprint, Eighth Reprint, Ninth Reprint, and Tenth Reprint. | Asset Manager > Manage > Password Manager > Print Password Envelope > Print Envelope(s) And Asset Manager > Manage > Password Manager > Print Password Envelope > Password Envelope(s) For APEM Tool |
| | Verify Reprint Asset Password Envelope | Administrator with this privilege will be displayed as approvers in the dropdown list to authenticate the password printing process. | Asset Manager > Manage > Password Manager > Print Password Envelope > Print Envelope(s) And Asset Manager > Manage > Password Manager > Print Password Envelope > Password Envelope(s) For APEM Tool |
| | Change Password Policy | Administrator with this privilege can set constraints for a password policy. | Asset Manager > Manage > Password Manager > Password Policy Editor |

| Category | Admin Privilege | Description | Feature Navigation |
| --- | --- | --- | --- |
| | Show Password Change History | Administrator with this privilege can view the detailed history of the changed passwords for an Asset. | Asset Manager > Manage > Human Identities and Assets > Manage Commands > Manage Assets > Show Password Change History |
| | Password Change Process Approver | Administrator with this privilege can authorize the password change process. | Asset Manager > Manage > Password Manager > Password Change |
| | Windows Connection Password Dependency | Administrator with this privilege can map all the different Windows assets, Windows DCOM, and Windows tasks that are dependent on any Asset of a particular Assets. | Asset Manager > Manage > Windows Connection Password Dependency |
| Tools Tab | Windows Utility | Administrator with this privilege can view versions of ARCON CI PWD Asset. | Asset Manager > Tools > Windows Utility |
| | Import | Administrator with this privilege can import Human Identities and Assets to the ARCON CI database. | Asset Manager > Tools > Import |
| | Password Reconciliation | Administrator with this privilege can compare entries in the ARCON CI repository and the target system. | Asset Manager > Tools > Password Reconciliation |
| | ARCON CI Object Counter | Administrator with this privilege can view and monitor different entities in ARCON CI. | Asset Manager > Tools > ARCON CI Object Counter |
| | Privileged Human Identities Discovery & Reconciliation | Administrator with this privilege can view Human Identities created on Asset. | Asset Manager > Tools > Privileged Human Identities Discovery & Reconciliation |
| HSM Device Configuration | HSM Device Configuration | Administrators with this privilege can configure HSM Devices in ARCON CI | ACMO > Manager > Settings > Password > HSM Device Configuration |


2.2.5 Group Admin Privileges


Group Admin Privileges are assigned to Server Group Admins to grant special rights for assigning assets,
viewing logs, and reviewing User access. Group Admin privileges include Group Log Viewer, Manage Assets,
and Manage User Request.

Following is the list of Group Admin Privileges:

| Category | Group Admin Privilege | Description | Feature Navigation |
| --- | --- | --- | --- |
| Group Log Viewer | View Command Log | Group Admin with this privilege can view Command Logs and Process Logs. Note: You should also be assigned View Command Log and View Process Log privileges under Admin Privileges. | ACMO > Manager > Session Monitoring > Command Logs And ACMO > Manager > Session Monitoring > Process Logs |
| | View Asset Access Log | Group Admin with this privilege can view Asset Access Logs. Note: You should also be assigned the View Asset Access Log privilege under Admin Privileges. | ACMO > Manager > Session Monitoring > Asset Access Logs |
| Manage Assets | Assign Asset To Human Identity | Group Admin with this privilege can map Assets to a particular Human Identity. | Server Manager > Manage > Human Identity and Assets > Map Human Identities/Assets And Server Manager > Manage > Human Identity and Assets > Group Admin - Map Assets |

| Category | Group Admin Privilege | Description | Feature Navigation |
| --- | --- | --- | --- |
| | Revoke Asset From User | Group Admin with this privilege can remove Assets from a particular User. | Server Manager > Manage > Human Identity and Assets > Map Human Identities/Assets And Server Manager > Manage > Human Identity and Assets > Group Admin - Map Assets |
| | Change User Restricted Command | Group Admin with this privilege can configure restricted commands, add critical commands for approval, and apply Configuration Commands to Human Identity and Asset mapping. | Server Manager > Manage > Human Identity and Assets > Manage Commands |
| | Change Password | Group Admin with this privilege can change the password of an Asset. Note: Group Admin shall be assigned Change Password privilege only if the toggle value for Only Server Group Admin Can Perform Password Change - Is Enabled in Settings. | Server Manager > Manage > Password Manager > Password Change And Server Manager > Manage > Human Identity and Assets > Manage Assets > Change Password Manually |
| Manage Human Identity Request | Asset Access Approver | Group Admin with this privilege can approve Asset Access Request. Note: The requested Asset access should be assigned to Approver. | Workflow Manager And Client Manager > Server Manager > Asset Access Request |

2.3 Role/Department and Asset Group


Grouping human identities into roles/departments and assets into asset groups allows administrators to effectively
manage the identity and access management environment. With this architecture, administrators only need to
apply group settings or permissions to control all human identities in roles/departments and all assets in
asset groups.


Let us delve deeper. For a human identity to access an asset, the human identity in ARCON CI must be part of at
least one role/department, and the role must be mapped to at least one asset group. The use of role/
department permissions rather than individual settings automatically provides more control over
administrative activities, ensures IT efficiency, and makes troubleshooting simpler.

Consider this scenario: Suppose an administrator decides to provide a role with direct access to privileges.
If the human identities then transfer to another department, an admin will have to modify each human identity's
rights by going through the tedious process of checking all files and folders and making changes.

Roles, on the other hand, make it simple to shift human identity around if they change roles. It is simple to shift
the identity to a new role that matches the human identity activity.

If there is a new human identity, the same applies. Find a role/department that requires the same permissions
and add the human identity to that role/department rather than going through each folder one by one to grant
access. By simply adding or removing a human identity from the role/department, it is now simpler to grant or
remove human identity permissions. Administrators need to be aware of what this role/department stands for
and how it might impact network security.
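The mapping chain described above, as an added illustration (not ARCON code and not an ARCON API): a constructed in-memory model that resolves access through identity → role/department → asset group → asset, treats a department transfer as a single membership change, and flags individually mapped assets that no current role justifies. All role, group, identity and asset names are made-up sample data.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class AccessModel:
    """Constructed model of the mapping chain (assumption, not a product API)."""
    role_members: dict[str, set[str]] = field(default_factory=dict)       # role/department -> identities
    role_asset_groups: dict[str, set[str]] = field(default_factory=dict)  # role/department -> asset groups
    group_assets: dict[str, set[str]] = field(default_factory=dict)       # asset group -> assets
    direct_grants: dict[str, set[str]] = field(default_factory=dict)      # identity -> individually mapped assets

    def roles_of(self, identity: str) -> set[str]:
        return {role for role, members in self.role_members.items() if identity in members}

    def role_based_assets(self, identity: str) -> set[str]:
        """Assets reachable via identity -> role/department -> asset group -> asset."""
        assets: set[str] = set()
        for role in self.roles_of(identity):
            for group in self.role_asset_groups.get(role, set()):
                assets |= self.group_assets.get(group, set())
        return assets

    def transfer(self, identity: str, old_role: str, new_role: str) -> None:
        """Move an identity between roles: one membership edit, no per-asset changes."""
        self.role_members.get(old_role, set()).discard(identity)
        self.role_members.setdefault(new_role, set()).add(identity)

    def leftover_direct_grants(self, identity: str) -> set[str]:
        """Individually mapped assets that the identity's current roles do not cover."""
        return self.direct_grants.get(identity, set()) - self.role_based_assets(identity)

    def review(self) -> dict[str, list[str]]:
        """Findings for an access review of the current mappings."""
        identities = set().union(*self.role_members.values(), self.direct_grants.keys())
        mapped_groups = set().union(*self.role_asset_groups.values())
        return {
            # Members of these roles get nothing: the role maps to no asset group.
            "roles_without_asset_group": sorted(
                r for r in self.role_members if not self.role_asset_groups.get(r)),
            # Assets in these groups are unreachable through any role.
            "asset_groups_without_role": sorted(
                g for g in self.group_assets if g not in mapped_groups),
            "identities_without_role_access": sorted(
                i for i in identities if not self.role_based_assets(i)),
            # Access that survives a role change and needs a manual decision.
            "leftover_direct_grants": sorted(
                f"{i}:{a}" for i in identities for a in self.leftover_direct_grants(i)),
        }


def build_sample() -> AccessModel:
    """Constructed sample data for the demonstration."""
    return AccessModel(
        role_members={"DBA": {"asha", "ravi"}, "NetOps": {"meera"}, "Interns": {"tom"}},
        role_asset_groups={"DBA": {"Prod-DB"}, "NetOps": {"Core-Network"}},
        group_assets={
            "Prod-DB": {"mssql-01", "mssql-02"},
            "Core-Network": {"fw-01", "sw-01"},
            "Legacy": {"aix-01"},
        },
        direct_grants={"ravi": {"mssql-02"}},
    )


if __name__ == "__main__":
    model = build_sample()
    print("before transfer:", sorted(model.role_based_assets("ravi")))
    model.transfer("ravi", "DBA", "NetOps")
    print("after transfer: ", sorted(model.role_based_assets("ravi")))
    for finding, items in model.review().items():
        print(f"{finding}: {items}")
```

After the transfer, the role-derived access follows the new role immediately, while the individually mapped asset stays behind and shows up as a review finding.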

Note: The Administrator with the Add Role/Department or Asset Group privilege shall only be able to
create a Role/Department or Asset Group.

Perform the below steps to navigate to the Role/Department screen:

Administrative Console > Manage > Role/Department:

Refer to the table below to understand the columns displayed on the Role/Department screen:

| Column Name | Description |
| --- | --- |
| Role/Department | It displays the name of the role/department. |
| Group Description | It displays information about this role/department. |
| Human Identities | It displays the list of Identities assigned to the role/department. |
| Asset Group | It displays the name of the asset group that is assigned to this role/department. |
| LOBs | It displays the name of the LOBs assigned to the role/department. |
| Created On | It displays the date and time when the role/department was created. |
| Created By | It displays the username of the person who created the role/department. |
| Action | It displays the Modify button to update the properties of the role/department. |

Perform the below steps to navigate to the Asset Groups screen:

Administrative Console > Manage > Asset Groups:

Refer to the table below to understand the columns displayed on the Asset Groups screen:

| Column Name | Description |
| --- | --- |
| Asset Group | It displays the name of the asset group. |
| Group Description | It displays information about the asset group. |
| Created By | It displays the username of the person who created the asset group. |
| Modified On | It displays the date and time when the asset group was recently modified. |
| Role/Department | It displays the list of roles assigned to the asset group. |
| LOBs | It displays the name of the LOBs assigned to the asset group. |
| Action | It displays the Modify button to update the properties of the asset group. |

2.3.1 Creating a Role/Asset Group


This section helps you create a Role/Asset Group. There are two ways to create a role/asset group:

• Creating Role/Department or Asset Group Using Create Button


• Creating Role/Department or Asset Group Using Import File

2.3.2 Creating Role/Department Or Asset Group Using Create Button


A role/department groups human identities together and an asset group groups a few assets together, so that the
required access is granted to the group as a whole rather than to each identity/asset. In ARCON CI,
creating a role/department or asset group is simple. Select the identities/assets you want to be part of the role/
department or asset group and give them access. Even if the role/department or asset group consists of new
identities/assets, it is still crucial to form a new role/department first and then provide the appropriate
group rights rather than doing so individually.

This section allows you to create roles/departments and asset groups using the Create button.

Perform the below steps to create roles/departments and asset groups with the Create button:

1. Click the + icon at the bottom right corner of the Role/Department or Asset Group screen:

2. Two pop-up buttons will be displayed. Click the Create button to create a Role/Department or Asset
Group manually:


3. The Create Role/Department or Create Asset Group screen will be displayed:

There are 2 sections in the Create Role/Department or Create Asset Group, which are as follows:


• Role/Department Management or Asset Group Management


• Assign

Role/Department Management Or Asset Group Management

Refer to the table below to understand the fields in the Role/Department Management or Asset Group
Management section:

| Field | Description |
| --- | --- |
| Role/Department or Asset Group | Enter the Role/Department name for identities or assets. The group name is used to find out the group from the group list. |
| Description | Enter the description for the role/department or asset group. The description field is used to enter a few details about the role/department or asset group. |
| LOBs | Select the LOB(s) from the drop-down. The available LOBs will be visible in the drop-down list. |

Assign

An admin can assign assets to an asset group or human identities to a role/department through the assign
function. Assigning a human identity to a role/department will allow the human identity to get all the access
mapped to that role/department. Similarly, assigning an asset to an asset group will allow the asset to be
accessed by the role/department that is mapped to that asset group.

Note: Enabling Auto-Map Assets:
Whenever a new human identity is created, a role/department will be assigned to that respective
human identity. The assets of an asset group that is mapped to the assigned role/department will be
auto-mapped to the created human identities.

Note: Enabling Auto-Map Human Identities:
Whenever a new asset is created, an asset group will be assigned to that respective asset. The human
identities of the roles/departments that are mapped to the assigned asset group will be auto-mapped
to the created asset.

Note: The Human Identities/Assets search field allows you to search for a single or multiple Human
Identities/Assets; multiple values must be separated by commas. Even if you enter the user/service name
partially, the filter will still accurately refine the necessary values.

Perform the below steps to assign assets to roles/departments:


1. Enable or disable the AutoMap Assets toggle to activate or deactivate the automap feature of the assets.
Similarly, enable or disable the Birth Rights toggle to activate or deactivate the birthright feature of the
assets:

2. Select Asset Groups from the drop-down list and then select the Human Identities that you want to
assign to the Roles/Department:

3. Click Create to complete the Role/Department creation process:


Perform the below steps to assign identities to asset groups:

1. Enable or disable the AutoMap Human Identities toggle to activate or deactivate the automap feature of the
identities:


2. Select the Roles/Departments from the drop-down list and select the Assets that you want to assign to
the Asset Group:


3. Click Create to complete the Asset group creation process:


2.3.2.1 Assign Tags While Creating Asset Group

This section explains the steps to assign tags to Asset Group. Tags created for the particular attribute will be
visible here.

Note: The tags visible on the Assign Tags page are configured by the Tags Ordering procedure. Tags
Ordering is compulsory, while tags that are not configured in the Tag Ordering section are optional
tags.

Select the corresponding tag values for the tag names. Admin can select multiple tag values. These selected tag
values will be assigned to the Asset Group:

2.3.3 Creating Role/Department Or Asset Group Using Import File


Creating roles/departments or Asset Groups, altering their permissions, and deleting them appear to be
straightforward tasks. Nevertheless, large-scale execution, creating roles/departments and asset groups in
bulk, always leads to mistakes. Furthermore, poorly executed complicated activities could result in data
breaches and security vulnerabilities.

Let us consider this example. A role has been transferred to a new department. This means, from a security
perspective, those identities that are currently present in a particular role must be transferred to another role.
By not transferring those identities to a new role/department, organizations risk exposing data to malicious
insiders.

Threats emanating from inappropriate management of bulk roles/departments and asset groups include:

• Having an excessive number of admins
• Existence of dormant accounts
• Assigning responsibilities to non-administrative accounts

Creating roles/departments or asset groups in bulk with ARCON CI’s import file function saves an
administrator significant time and enhances security. The imported roles/departments or asset groups will be
displayed under the Role/Department or Asset Group screen in the Administrative Console.

Note:
• Mapping of roles/departments is mandatory while creating service groups.
• Mapping of service groups isn’t mandatory while creating roles/departments.


Perform the below steps to create multiple roles/departments or asset groups in bulk with the Import File
button:

1. Click the + icon at the bottom right corner of the Role/Department or Asset Groups screen:

2. Two pop-up buttons will be displayed. Click the Import File button to create multiple roles/departments
or asset groups in bulk:

3. The Import data screen will be displayed. Click the Download Sample Template link to download the
template and then save the file on your local machine:

4. Enter the desired data in the left-aligned format into the downloaded Excel sample template and save it:


5. Click the Browse button to browse for the updated template:

6. Select the updated template file and click the Open button to upload the template:


7. After completing the upload, click the Import button to import the template and create multiple roles/
departments or asset groups:

8. A status message will be displayed:


9. The Import screen is displayed with the Download Uploaded File button. Click the Download Uploaded
File button to check the status of the individual role/department or asset group entered in the sample
Excel sheet:

10. If you find any error status, then update the details accordingly and upload again.
11. Go to the Role/Department or Asset Groups screen and refresh it to see the newly added asset list.

2.3.4 Modify Details of Role/Department Or Asset Group


As stated earlier, an identity and access management environment is never static. Privileged identities’ roles/
departments keep changing. Therefore, an administrator is often required to make updates to details about
identities and assets assigned to roles/departments and asset groups.

Consider the scenario: A group of identities has been moved to a new LOB and the existing assets to which this
role/department is mapped are disabled. Now, if the role/department details are not modified, the data
intended for them will be at risk of being compromised. The same logic applies to modifying the details of asset
groups.

The selection of records also enables the below selection options:

• Select All: This option helps to select all the records available on the screen. Select All appears after the
selection of records.
• De Select All: This option helps to deselect all the records. If all the records are selected, then the De
Select All option is used to deselect all.
• Clear Selection: This option helps to deselect all the selected records. If multiple records are selected
and you want to deselect those, then the Clear Selection option is used to deselect all the selected
records.

You can modify the details of a particular role/department or asset group using the Modify button.


Note: The Administrator having Modify Role/Department or Modify Asset Group privilege shall only be
able to modify Role/Department or Asset Group details.

Perform the below steps to modify the role/department or asset group details:

1. Navigate to the Role/Department or Asset Group screen and click the Modify button:

2. The Modify screen appears; it is similar to the Create screen. Make the required changes in the existing
fields and click the Modify button:


2.3.4.1 Deleting The Role/Department or Asset Group

The administrator sometimes needs to delete the role/department or asset group.

Perform the below steps to delete the role/department or asset group:

1. Navigate to the Role/Department or Asset Group screen and click the Modify button:

2. The Modify screen appears; it is similar to the Create screen. Click the Drop button to delete the role/
department or asset group:


2.3.4.2 Transferring Role/Department or Asset Group

Selecting the required record automatically enables the Transfer Role/Department or Transfer Asset
Group option at the top right corner of the Role/Department or Asset Group screen. This option lets the admin
transfer the selected role/department or asset group data to another role/department or asset group,
respectively.

Perform the below steps to transfer the data by using the Transfer Role/Department or Asset Group pop-up
option:

1. Select the check box in the grid to select the required record:

2. Selection of the required record will automatically enable the Transfer Role/Department or Transfer
Asset Group option at the top right side of the Role/Department or Asset Group screen:


3. Click the Transfer Role/Department or Transfer Asset Group option to get the Transfer Role/
Department or Transfer Asset Group screen:

4. Select the target role/department or asset group from the Transfer Role/Department or Transfer Asset
Group drop-down menu to transfer the data from the selected group:

5. Click the Transfer button to transfer the data:


2.4 Assets
An asset is an instance of the server. In ARCON CI, the routers, firewalls, switches, and databases are some of
the assets created to connect to the target server. These assets need to be mapped to identities. The identities
mapped to the assets will have the privilege to connect to the target server using these assets.

For example, suppose there are four human identities on a Windows server: Admin, Client, ABC, and XYZ. Each
human identity may have a unique requirement for assets to perform on the server. Hence, the Administrator
will create assets for each of the identities. These assets are then grouped and mapped to each of the identities,
which helps the Administrator manage the assets that are mapped to the identities. This also helps
the Administrator with the identity-wise audit trail performed in ARCON CI.

Note: The Administrators with the Read Only Access privilege (under Manage Assets) can view details
displayed under Manage Assets and Map Roles/Assets.

Use the following path to navigate the Assets screen:

Administrative Console > Manage > Assets:

Refer to the table below to understand the different sections on the Asset screen:

| Section Name | Description |
| --- | --- |
| Active | The active section displays the list of assets whose valid date is greater than the present date. |
| Disabled | The disabled section displays the list of assets whose valid date is less than the present date. |

There are two types of assets in ARCON CI: business assets and infrastructure assets.

Business Assets

A business asset is a software program that helps businesses automate and optimize their various processes
and operations to increase efficiency and productivity. This can be web applications, hardware devices, routers,
etc.

Refer to the table below to understand the columns displayed on the Business Assets screen:

| Column Name | Description |
| --- | --- |
| Asset Name | It displays the name/type of the asset. |
| Alias Name | It displays the user-friendly name of the asset. |
| User Name | It displays the username of the asset. |
| LOBs | It displays the assigned LOB. |
| Asset Group | It displays the name of the asset group. |
| SSO Method | It displays the name of the single sign-on method used to access the asset. |
| App Type | It displays the type of application. |
| Action | It displays the Modify button to update the properties of the asset. |

Infrastructure Assets

An infrastructure asset is a collection of various assets such as operating systems, network devices, security
devices, and database instances. This can be Windows RDP, SSH Linux, MS SQL, etc.


Refer to the table below to understand the columns displayed on the Infrastructure Assets screen.

| Column Name | Description |
| --- | --- |
| Asset Name | It displays the name/type of the asset. |
| Alias Name | It displays the name of the asset. |
| IP/DNS | It displays the IP/DNS address of the server. |
| Host Name | It displays the hostname of the server. |
| Domain Name | It displays the domain name of the server. |
| DB Instance | It displays the name of the database environment. |
| LOBs | It displays the assigned LOB. |
| Asset Group | It displays the name of the asset group. |
| Asset Type | It displays the type of asset. |
| Action | It displays the Modify button to update the properties of the asset. |

2.4.1 Onboarding a New Asset


There are two ways to create assets:

• Manual Assets Onboard to onboard a single asset
    • Infrastructure Asset Manual Onboard
    • Business Asset Manual Onboard
• Bulk Assets Onboard to onboard multiple assets at a time

2.4.2 Infrastructure Asset Manual Onboard


The administrator must build the asset before mapping an asset or asset group to an identity or role/
department. Creating assets and mapping to the end user in ARCON CI helps protect organizations against
cyber threats by monitoring, detecting, and preventing unauthorized privileged access to critical resources or
assets.

This section explains the steps to creating assets. The administrators are responsible for managing assets.

Only the administrator with Onboard Assets privileges will be able to onboard assets.

Perform the below steps to onboard an asset:

1. Navigate to the Infrastructure Asset screen, Manage > Assets > Infrastructure Assets.
2. Click the + icon at the bottom right corner of the Assets screen:

3. Two pop-up buttons will be displayed. Click the Create button to onboard a new asset manually:

4. The Onboard Asset screen will be displayed:

5. Choose the asset category from the Asset Category drop-down. You will find different asset type drop-
down lists as per the asset category selection.
6. Choose the asset type from the Asset Type drop-down:

7. Click the Next button to proceed further:

8. You will find different sections to fill in the details. They are as follows:

   • Asset Details
   • Connection Details
   • Credentials
   • Single Sign-on Configuration
   • Digital Identity Life Cycle Management
   • Reconciliation
   • Entitlement
   • Assign
   • Custom Fields
   • Customized Connectors
   • Advanced
   • Vault Configuration
   • Assign Tags
9. Fill in the above details and select the status type as Live from the status drop-down to activate the
asset:

10. Click Create to complete the asset creation process.

2.4.2.1 Infrastructure Asset Details

Asset details define the Asset Category, Asset Type, Asset Name, Alias Name, Asset Logo, Version, Action,
Business Owner, and Technical Owner. This section allows you to specify the connection details of the asset.

Refer to the table below to understand the fields in the Connection Details section:

Field Description

Asset Category By default, it will be auto-filled by fetching the data
from the previous screen. There are two types of assets
in the ARCON Converged Identity, as follows:
• Business Asset: A business asset is a software
program that helps businesses to automate and
optimize their various processes and operations
to increase efficiency and productivity. This can
be web applications, hardware devices, routers,
etc.
• Infrastructure Asset: An infrastructure asset is a
collection of various assets such as operating
systems, network devices, security devices, and
database instances. This can be Windows RDP,
SSH Linux, MS SQL, etc.

Asset Type Select the type of asset from the drop-down list. The
Asset Type field value will be fetched from the previous
screen data. This can be operating systems, network
devices, security devices, and database instances.

Add Application from the ARCON Market Place Select the application from ARCON market place.

Asset Name Select the connector from the drop-down.
The connector uploaded in the local app store or
downloaded from a marketplace into the local app
store will be visible in the drop-down to onboard an
asset.

Alias Name Enter a friendly name for the application.

Asset Logo Select a suitable logo for the asset.

Version Select the version number of the asset from the drop-
down. The drop-down values will come from the
connector that is uploaded to the local app store and
the asset that is selected.

Action Select the action that you would like to perform for the
asset. The following action items are available here:
Single Sign-on, Digital Identity LifeCycle Management,
Identity Governance, and Vault. Selecting an action
enables the corresponding section in the asset creation
screen, where you fill in the details.

Business Owner Select the name of the business owner or vertical head
from the drop-down. You can define a maximum of five
business owners.

Technical Owner Select the name of the technical owner from the drop-
down. You can define a maximum of five technical
owners.

2.4.2.2 Infrastructure Asset Connection Details

The Connection Details section lets you fill in all the details of the infrastructure asset, such as the
hostname, IP address, domain name, and port number. This section comes up while onboarding infrastructure assets.

Refer to the table below to understand the fields displayed on the Connection Details screen:

Fields Name Description

Host Name Enter a hostname for the application.

IP Address/DNS Enter the IP Address/DNS of the application.

Domain Name Enter the domain name for the application.

Port Enter the port number for the application.

2.4.2.3 Infrastructure Asset Credentials

This section allows you to specify the credentials for the asset. You have the option of retrieving credentials
from the ARCON vaults or other vaults on the market, or you may choose to manually construct credentials by
choosing the Custom option from the User Credential Store drop-down.

Refer to the table below to understand the fields in the Credentials section:

Field Description

Use Credential Store Select the appropriate type of credential from the
drop-down. Selecting ARCON Vault lets you set a
Single Custody password. Selecting the Custom (create
manually) type lets you set either a Single Custody or
a Split Custody password.

User Name Enter the user name if you choose the Custom type of
credential store.

Custody Select the appropriate radio button as per requirement. There are two
types of processes to set the password.
• Single Custody: In this option, the Admin (Owner1 himself) assigns the
password for the asset.
• Split Custody: In this option, there are two owners of the password.
Owner1 is the Admin who wants to onboard the asset with (First Half/Second
Half) of the password and fills in the name of the second owner who will
enter the other half of the password. The asset will be onboarded only when
both owners enter their parts of the password.

• The Split Custody radio button can be selected only if the Store Passwords
in Split Custody configuration is Enabled from Settings.
• The second owner receives an alert on ACMO and an email after the first
owner has entered his part of the password for the asset. After the second
owner enters the other part, the asset is created, depending on the workflow.

Password Enter a password for the asset.

Confirm Password Enter the password again to confirm that the
password matches the previous password.

Other Owner Select the second owner, who will enter the other half
of the password.
This field will be enabled only if the Split Custody
password is selected.

Publish to Workspace Enable this toggle to use this credential for single sign-
on purposes.
If the toggle is turned on the asset will be interactive
and can be used for single sign-on.
If the toggle is turned off the asset will be non-
interactive and can’t be used for single sign-on.

2.4.2.4 Infrastructure Asset Single Sign-On Configuration

This section will only be displayed when the Single Sign-On is selected as Action from the Application
Information section. The Single Sign-on section allows you to set the kind of single sign-on method you want
to use. Single Sign-On (SSO) is a session and user authentication service that permits users to use one set of
login credentials, for example, a username and password, to access multiple applications. SSO can be used by
enterprises, small and midsize organizations, and individuals to ease the management of multiple credentials.

With ARCON Single Sign-On (SSO), multiple applications and assets can be accessed with one set of
credentials. By using this solution, users don't have to sign on to each app separately and remember multiple
credentials. The single sign-on methods that are available in the connector will be visible on the screen. Based
on the selection of the single sign-on method, different fields will be displayed to fill in details.

2.4.2.4.1 Single Sign-on Screen While Onboarding Infrastructure Asset

While onboarding infrastructure assets, a few different fields are displayed:

By default, the SSO application will be displayed based on the connector uploaded in the Local App
Store, and any user provisioned on the asset will get all the uploaded SSO applications. This SSO
application can be seen based on the combination of the selected Asset Type, the selected Asset, and its
Version. All this can be found in the Local App Store. For example, if the Asset Type is Operating System,
the Asset is Windows, and the version is 2022, then the SSO application can be RDP, FTP, FileZilla, etc.

Refer to the table below to understand the fields in the Single Sign-on section while onboarding infrastructure
assets.

Fields Name Description

Add Additional Application from ARCON Market Place Select an application from the ARCON market place.

Application Name It will show the application name that you upload from the ARCON
market place.

Description 1 Enter the required description (OS Version) for the asset (if
needed).

Description 2 Enter the required description (Server Description) for the asset (if
needed).

Description 3 Enter the required description (Location of Server) for the asset (if
needed).

Parameter Enter a parameter for the asset.

Port Enter a port number for the application.

Is Active It allows you to upload the application with an active or inactive status.

Publish to Workspace If the toggle is turned on, the asset will be interactive and can be
used for single sign-on.
If the toggle is turned off, the asset will be noninteractive and can’t
be used for single sign-on.

Application Identity Credentials Select a particular person or party to set the credential.
• User Set UserName and Password: When this option is
selected, the application access is given to the respective
user in such a way that whenever the user accesses the
respective application for the first time via SSO Launchpad,
the application will prompt the user to set the username and
password.
• Admin Set UserName and Password: When this option is
selected, the administrator will set the username and
password of the respective application user in the Manage
Identities module. Post that, the user will directly be able to
access the respective application via SSO Launchpad.
• Admin Set UserName and User Set Password: When this
option is selected, the administrator will set the username of
the respective application user in the Manage Identities
module. Whenever the user accesses the respective
application for the first time via SSO Launchpad, the
application will prompt the user with the set password
screen.
• Directory (Use Directory UserName and Password): When
this option is selected, the administrator will set the
username and password as Directory.

2.4.2.5 Infrastructure Asset Digital Identity LifeCycle Management

This section will only be displayed when the Digital Identity LifeCycle Management is selected as Action from
the Application Information section. The Life Cycle Management section allows setting the provision of assets.
Digital Identity LifeCycle Management manages the establishment of the asset, onboarding, privileges,
modification, and deboarding. These technologies and protocols are used throughout the lifecycle, including for
registration, credential issuance, authentication, and management.

In this process, the user can be privileged for certain activities and can also be privileged by the
administrator user. The modification can be done to manage the asset life cycle.

Refer to the table below to understand the fields in the Life Cycle Management section:

Field Description

Provision Identity Turn on this toggle to create a named account with the help of
the ARCON provision engine. If the toggle is off, auto-provisioning
will not happen and you will not be able to create a named ID in
the asset.

Method Select the method for performing Joiner, Mover, and Leaver
events on the asset. The methods are based on the assets and
connectors.

Application URL Enter the application URL as per your system.

Application Identity Credentials Select a particular person or party to set the credential. This
field will be auto-filled if the Application Identity Credentials are
selected while filling in the Single Sign-On details.

Login Elements

User name Select a particular tag to use as a user name.

User Attributes Enter the user attributes from the drop-down values.

ARCON IAM Policy Select a particular password policy.

Application Attributes Enter the name of the application attribute. This allows you to
map the IAM attributes to Active Directory attributes.

Unique / Mandatory Attribute Select this checkbox to make the attribute Unique and
mandatory. Unique and Mandatory Attribute will be used for
automapping of Accounts, and Application Identity to CI users.

Application Attributes Enter the name of the application attribute. This allows you to
map the attributes to Active Directory attributes.

Mapping Status Select the type of mappings, such as User Profile Attribute,
Expression, and Custom App Attribute.
• User Profile Attribute: This allows you to enter the attributes
that are available in the application database.
• Expression: In this, the administrator can configure a
regular expression.
• Not Mapped: By default, all the attributes will display
the mapping status as "Not Mapped". Choose the appropriate
status from the drop-down.

Values Enter the value to identify the attribute that will be used to map
a specific application attribute. The drop-down contains all the
created attributes in the attribute module.

Custom App Value Select the custom value from the drop-down.

Operations This allows setting the functionality of attributes, such as
Create, Modify, and Both.
• Create: This will set the functionality of an attribute in such a
way that the attribute will be used for creation purposes only.
• Modify: This will set the functionality of an attribute in such a
way that the attribute will be used for modification purposes only.
• Both: This will set the functionality of an attribute in such a
way that the attribute will be used for both creation and
modification purposes.

Add This allows you to add a specific attribute to the Attribute
Mapping screen.

Remove This allows you to remove a specific attribute from the Attribute
Mapping screen.

Grace Period This allows you to establish a predetermined time period for
assets. When a user is disabled in the IAM, the digital identity of
the asset will be allocated to the manager or another person for
the specified duration of time.

To configure the Digital Identity LifeCycle Management perform the steps below:

1. Expand the Digital Identity LifeCycle Management Configuration section. The following screen will be
displayed:

2. Select the preferred method from the Method drop-down and enter the Application URL.
   a. SCIM: The System for Cross-domain Identity Management (SCIM) specification manages user
      IDs in cloud-based services and applications.
   b. ARCON Secure Authentication: The ARCON Secure Authentication module manages user IDs
      with multiple options to set credentials.
   c. Rest API: The REST API framework helps you to manage identities.
   d. ODBC: Open Database Connectivity (ODBC) is a standard application programming
      interface for accessing database management systems to manage identities.
3. Select the preferable credential type from the Application Identity Credential drop-down. The Login
Elements options will be available if you select the ARCON Set Username Password value from the
Application Identity Credential drop-down.

4. Enter a username and select a password policy from the drop-down.


5. The connector should have some application attributes. Click Add to add attributes and click Remove to
delete the attribute:

6. Enter the Application Attributes name and select the Mapping Status from the drop-down.
7. Select the attribute values from the Values drop-down and select the custom value from the Custom
App Value drop-down.
8. Select the operation type from the Operations drop-down.
9. Enter the Grace Period value:
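
The effect of the Mapping Status and Operations choices on what reaches the target application is easier to see in code. The following is an added example, not ARCON's code: it assumes the SCIM method, models the mapping grid as constructed rows, and treats Create/Both attributes as sent on a Joiner event and Modify/Both attributes as sent on a Mover event. The Expression status is left out because this guide does not define its semantics. The row keys, profile field names and function names are hypothetical.

```python
from typing import Any, Dict, List

# Schema URNs defined by the SCIM 2.0 specifications (RFC 7643 / RFC 7644).
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Assumed reading of the Operations column: which settings apply to which event.
EVENT_OPERATIONS = {"Joiner": {"Create", "Both"}, "Mover": {"Modify", "Both"}}

# Constructed rows, one per line of the Attribute Mapping grid (hypothetical layout).
MAPPINGS: List[Dict[str, Any]] = [
    {"app_attr": "userName", "status": "User Profile Attribute",
     "value": "LoginId", "operation": "Create", "mandatory": True},
    {"app_attr": "displayName", "status": "User Profile Attribute",
     "value": "FullName", "operation": "Both", "mandatory": False},
    {"app_attr": "title", "status": "User Profile Attribute",
     "value": "Designation", "operation": "Modify", "mandatory": False},
    {"app_attr": "userType", "status": "Custom App Attribute",
     "value": "Employee", "operation": "Create", "mandatory": False},
    {"app_attr": "nickName", "status": "Not Mapped",
     "value": "", "operation": "Both", "mandatory": False},
]

# Constructed identity profile.
PROFILE = {"LoginId": "asha.k", "FullName": "Asha K", "Designation": "DBA Lead"}


def resolve_attributes(mappings: List[Dict[str, Any]],
                       profile: Dict[str, Any], event: str) -> Dict[str, Any]:
    """Return the application attributes that apply to one lifecycle event."""
    allowed = EVENT_OPERATIONS[event]
    resolved: Dict[str, Any] = {}
    for row in mappings:
        # Unmapped attributes and attributes scoped to the other event are never sent.
        if row["status"] == "Not Mapped" or row["operation"] not in allowed:
            continue
        if row["status"] == "User Profile Attribute":
            value = profile.get(row["value"])
        elif row["status"] == "Custom App Attribute":
            value = row["value"]
        else:
            raise ValueError(f"mapping status not modelled: {row['status']!r}")
        if value in (None, ""):
            if row["mandatory"]:
                # A missing unique/mandatory attribute stops provisioning
                # instead of creating an account that cannot be auto-mapped.
                raise ValueError(f"mandatory attribute {row['app_attr']!r} has no value")
            continue
        resolved[row["app_attr"]] = value
    return resolved


def joiner_request(mappings: List[Dict[str, Any]], profile: Dict[str, Any]) -> Dict[str, Any]:
    """Body of a SCIM create-user request built from Create/Both attributes."""
    return {"schemas": [SCIM_USER], **resolve_attributes(mappings, profile, "Joiner")}


def mover_request(mappings: List[Dict[str, Any]], profile: Dict[str, Any]) -> Dict[str, Any]:
    """Body of a SCIM PatchOp request built from Modify/Both attributes."""
    attrs = resolve_attributes(mappings, profile, "Mover")
    operations = [{"op": "replace", "path": name, "value": value}
                  for name, value in attrs.items()]
    return {"schemas": [SCIM_PATCH], "Operations": operations}


if __name__ == "__main__":
    import json
    print(json.dumps(joiner_request(MAPPINGS, PROFILE), indent=2))
    print(json.dumps(mover_request(MAPPINGS, PROFILE), indent=2))
```

Marking the account identifier as Create keeps it out of every Mover update, so a later profile change cannot rename the account on the target.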

2.4.2.6 Infrastructure Asset Reconciliation

The Reconciliation section allows setting a date and frequency for the synchronization of the asset. The
Reconciliation module helps to schedule the synchronization engine and, based on the configuration, syncs user
account data from the target application to the ARCON IAM application:

Perform the below steps to set the reconciliation period:

1. Choose the start date from the date picker available in the Start Date field. The selection of the Start
Date field will enable the Execution Frequency field.
2. Choose the execution frequency from the Execution Frequency field.
3. Selection of Hourly or Daily from the Execution Frequency drop-down will enable one more field to
configure the exact frequency:

2.4.2.7 Infrastructure Asset Entitlement

The Entitlement section allows you to give different types of roles/departments/entitlements to access the
application such as administrators, users, guests, backup operators, remote desktop users, etc. You can either
upload prefilled data or select a specific mapping attribute and enter the entitlement manually. It displays the
user role/department/entitlement of a particular target asset. The ARCON synchronization engine will fetch the
entitlements of a particular asset to the CI application.

Refer to the table below to understand the different columns displayed on the Entitlement screen:

Field Name Description

Browse This will allow you to upload prefilled data in CSV
format and the module will fetch the user role/
department/entitlement from the target asset to the
ARCON system. This upload is not mandatory.
The ARCON synchronization engine can also
synchronize the user entitlements from the
target asset to the ARCON system.

Download SampleTemplate This will allow you to download the sample template
to fill in the desired data.

View/Modify This will allow you to view and modify the existing
entitlements.

Updating Entitlement

Perform the below steps to update Entitlement:

1. If you want to upload the entitlement data manually, then click Download Sample Template to
download the sample template to fill in the desired data, and then click Browse to upload the updated
file.
2. The Rule Name screen will be displayed:

Refer to the table below to understand the fields in the Rule Name screen:

Fields Name Description

Sr No This field displays the serial number of the list.

Entitlements This field displays the Entitlement names.

Description This field displays the Entitlement descriptions.

Privilege This field allows the administrator to mark an Entitlement as a privilege,
which helps in identifying privileged assets.

Default This field allows the administrators to mark Default Entitlement which
can be used for Provisioning.

Mapping This field displays the Ruleset button that helps the administrators set
rules for the Entitlement for provisioning user accounts on the asset.
Ruleset can be configured using role/department/entitlement or user
profile attributes (supports RBAC and ABAC).

Delete This field allows you to remove the Entitlement from the list.

3. Click Ruleset to open the ruleset screen:

4. Click the + icon to add more rules and click the Delete icon to delete/reset the existing rule:

Refer to the table below to understand the fields in the rule pop-up screen:

Fields Name Description

Parameter Select the parameter that can be role/department/entitlement or
user profile attributes.

Attribute Select the attribute values. Based on the parameter selection, the
attribute field gets modified.

Condition Select to set conditions for the entitlement. The condition drop-down
provides a few conditions, such as Equal, Not Equal, Include, Not
Include, Greater Than, Less Than, etc. Choose the appropriate
condition.

Value Select the role/department/entitlement. Based on the parameter and
attribute selection, the Value field gets filtered. Choose the
appropriate role/department/entitlement from the dropdowns.

Conditional Grouping This field appears if you add two or more rules. It allows you
to choose between two options: And and Or. If you
choose the And option, the rule will be configured for the entitlement
if both rules match. If you choose the Or option, the rule will be
configured for the entitlement if either rule matches.

5. Click Save to save the configured rule:

6. Click View/Modify to view or modify the existing entitlements.
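
A ruleset built from Parameter, Attribute, Condition, Value and Conditional Grouping can be checked offline before it is saved, to see which identities it would grant a privileged entitlement. The following is an added example, not ARCON's rule engine: the identity record layout, the class and function names, and the fail-closed handling of a missing attribute are assumptions, and the identities and rulesets are constructed sample data.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Condition names taken from the Condition drop-down described above.
CONDITIONS: Dict[str, Callable[[Any, Any], bool]] = {
    "Equal": lambda actual, value: actual == value,
    "Not Equal": lambda actual, value: actual != value,
    "Include": lambda actual, value: value in actual,
    "Not Include": lambda actual, value: value not in actual,
    "Greater Than": lambda actual, value: actual > value,
    "Less Than": lambda actual, value: actual < value,
}


@dataclass
class Rule:
    parameter: str  # role/department/entitlement or user profile attribute
    attribute: str  # key looked up in the identity record (assumed layout)
    condition: str
    value: Any


@dataclass
class Ruleset:
    entitlement: str
    rules: List[Rule]
    grouping: str = "And"     # Conditional Grouping: "And" or "Or"
    privileged: bool = False  # the Privilege flag on the Rule Name screen


def rule_matches(rule: Rule, identity: Dict[str, Any]) -> bool:
    if rule.condition not in CONDITIONS:
        raise ValueError(f"unsupported condition: {rule.condition!r}")
    actual = identity.get(rule.attribute)
    if actual is None:
        # Fail closed: without this, "Not Equal" and "Not Include" would match
        # every identity that simply lacks the attribute.
        return False
    try:
        return bool(CONDITIONS[rule.condition](actual, rule.value))
    except TypeError:
        return False  # incomparable types never grant access


def ruleset_matches(ruleset: Ruleset, identity: Dict[str, Any]) -> bool:
    if not ruleset.rules:
        return False  # an empty ruleset grants nothing
    results = [rule_matches(rule, identity) for rule in ruleset.rules]
    if ruleset.grouping == "And":
        return all(results)
    if ruleset.grouping == "Or":
        return any(results)
    raise ValueError(f"unsupported grouping: {ruleset.grouping!r}")


def entitlements_for(identity: Dict[str, Any], rulesets: List[Ruleset]) -> List[str]:
    return sorted(rs.entitlement for rs in rulesets if ruleset_matches(rs, identity))


def privileged_grants(identities: Dict[str, Dict[str, Any]],
                      rulesets: List[Ruleset]) -> Dict[str, List[str]]:
    """Identities that would receive at least one entitlement marked Privilege."""
    report: Dict[str, List[str]] = {}
    for name, identity in identities.items():
        hits = sorted(rs.entitlement for rs in rulesets
                      if rs.privileged and ruleset_matches(rs, identity))
        if hits:
            report[name] = hits
    return report


# Constructed sample identities; "meera" has no Roles attribute at all.
IDENTITIES = {
    "asha": {"Department": "DBA", "Roles": ["Operator", "Backup Operator"], "Grade": 7},
    "ravi": {"Department": "Finance", "Roles": ["Analyst"], "Grade": 4},
    "meera": {"Department": "DBA", "Grade": 3},
}

# Constructed rulesets using entitlement names of the kind listed in this section.
RULESETS = [
    Ruleset("Administrators", [
        Rule("Department", "Department", "Equal", "DBA"),
        Rule("User Profile Attribute", "Grade", "Greater Than", 5),
    ], grouping="And", privileged=True),
    Ruleset("Remote Desktop Users", [
        Rule("Role", "Roles", "Include", "Operator"),
        Rule("Department", "Department", "Equal", "Finance"),
    ], grouping="Or"),
    Ruleset("Guests", [Rule("Role", "Roles", "Not Include", "Operator")]),
]

if __name__ == "__main__":
    for name, identity in IDENTITIES.items():
        print(name, entitlements_for(identity, RULESETS))
    print("privileged:", privileged_grants(IDENTITIES, RULESETS))
```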

2.4.2.8 Infrastructure Asset Assign Of Assets

The Assign section allows you to define LOB, asset group, and human identities for the asset. In this section,
you can onboard the asset in particular LOBs and asset groups, and you can choose the users to whom you want to
give access to the asset.

Refer to the table below to understand the fields in the Assign section:

Field Description

LOB Select the LOB from the dropdown to assign it to the asset.

Asset Group Select the asset group from the dropdown to assign it
to the asset.

Human Identities Select the identities that you need to assign to the
asset.
The human identities list appears based on
the selected LOB and Asset Group.

2.4.2.9 Infrastructure Asset Custom Fields Of Assets

The field name is bespoke and can be set according to an organization's needs by the administrative human
identity.

Refer to the table below to understand the fields in the Custom Fields section:

Field Description

Server Type Enter the type of server you want to configure.

User Display Name Enter the username of the asset.

User Description Enter the description or comment if any.

Description 1 Enter the required description 1 (OS Version) for the
asset (if needed).

Description 2 Enter the required description 2 (Server Description)
for the asset (if needed).

Description 3 Enter the required description 3 (Location of
Server) for the asset (if needed).

Parameter Enter the parameter of the asset (if applicable).
• Refer to configurations tag documents/or
click Config tags Description for more
details.
• ARCON supports multi-sessions for SSH
assets.

2.4.2.10 Infrastructure Asset Customized Connectors

The Customized Connectors section allows you to enable and onboard a customized connector for the asset.

Perform the below steps to add customized connectors:

1. Drag and drop your connector file or click the Browse button to upload the connector file. You can also
enter the script in the script section:

2. Add a description of the customized connector in the text box:

2.4.2.11 Infrastructure Asset Advanced

The Advanced section allows you to define a few settings related to the assets.

Refer to the table below to understand the fields in the Advanced section:

Field Description

Valid Till Select the end date. This is the date from which the
asset will be inactive for identities.

User Lock To Console/Supporting Asset Used for SSH Linux assets to log in to root and allow
change of passwords.

Server Options

Use Credentials This is enabled if you select the Asset Type as MS SQL
RM - RDP, to log in to the server using the RDP
credentials.

Named Asset Enable this to allow the server to have named assets.
Named assets allow AD users to have their own
privileged servers assigned to them.

Logs

Disable Video Log This configuration will check whether the images are
to be captured during the session or not. If it is not
enabled, then it will capture images. If it is enabled,
then it will not capture images.

Smart Session Monitoring Logs This configuration will check whether the Session
Monitoring logs are to be captured or not for an asset.
If it is enabled, then it will capture the Session
Monitoring logs. If it is not enabled, then it will not
capture the Session Monitoring logs.

Metadata Log This configuration will check whether the Metadata
logs are to be captured or not for an asset. If it is
enabled, then it will capture the Metadata logs. If it is
not enabled, then it will not capture the Metadata
logs.

Asset Configuration

Criticality Level Select the criticality level of the asset. There are four
types of criticality levels such as None, Low, Medium,
and High.
• If the criticality level is high, the MFA gets
enabled automatically in the background.
• This criticality level shall be considered while
displaying reports.

Asset Classification Select the Asset Classification.
• The value displayed here is the value that
is configured in Settings → Assets →
Asset Modifications → Asset
Classification.
• This classification level shall be
considered while displaying reports.

DMZ Gateway Select the DMZ Gateway from the dropdown.

Session Lockout Time (Minute) This option will set the duration after which an idle
session should be locked out. Specify the time after
which the session will be locked out if idle.

Auto Discovery Enable this to activate the Auto-Discovery of users on
a particular server.

User Asset For Windows Process This configuration will check whether the asset can be
used for Windows Process Elevation. If it is
enabled, use the asset for Windows Process Elevation.
If it is not enabled, then it will not use the asset for
Windows Process Elevation.

User Asset for Remote Assist Elevation This configuration will check whether the asset can be
used for Remote Assist Elevation. If the value is 1, use
the asset for Remote Assist Elevation. If the value is 0,
then it will not use the asset for Remote Assist
Elevation.

2.4.2.12 Infrastructure Asset Vault Configuration

The Vault Configuration section allows you to define the vault-related settings. In this module, you can set the
rotation of passwords.

2.4.2.13 Infrastructure Asset Assign Tags

This section explains the steps to assign tags to infrastructure assets. Tags created for the particular attribute
will be visible here.

 The tags visible on the Assign Tags page are configured by the Tags Ordering procedure. Tags
Ordering is compulsory, while tags that are not configured in the Tag Ordering section are optional
tags.

Select the corresponding tag values for the tag names. Admin can select multiple tag values. These selected tag
values will be assigned to the asset:

2.4.3 Business Asset Manual Onboard


The administrator must build the asset before mapping an asset or asset group to an identity or role/
department. Creating assets and mapping to the end user in ARCON CI helps protect organizations against
cyber threats by monitoring, detecting, and preventing unauthorized privileged access to critical resources or
assets.

This section explains the steps for creating assets. The administrators are responsible for managing assets.

Only the administrator with Onboard Assets privileges will be able to onboard assets.

Perform the below steps to onboard an asset:

1. Navigate to the Business Asset screen, Manage > Assets > Business Assets.
2. Click the + icon at the bottom right corner of the Assets screen:

3. Two pop-up buttons will be displayed. Click the Create button to onboard a new asset manually:

4. The Onboard Asset screen will be displayed:

5. Choose the asset category from the Asset Category drop-down. You will find different asset type drop-
down lists as per the asset category selection.
6. Choose the asset type from the Asset Type drop-down:

7. Click the Next button to proceed further:

8. You will find different sections to fill in the details. They are as follows:

   • Asset Details
   • Credentials
   • Single Sign-on Configuration
   • Digital Identity Life Cycle Management
   • Identity Governance
   • Reconciliation
   • Entitlement
   • Assign
   • Custom Fields
   • Advanced
   • Vault Configuration
   • Assign Tags
9. Fill in the above details and select the status type as Live from the status drop-down to activate the
asset:

10. Click Create to complete the asset creation process.

2.4.3.1 Business Asset Details

Asset details define the Asset Category, Asset Type, Asset Name, Alias Name, Asset Logo, Version, Action,
Business Owner, and Technical Owner. This section allows you to specify the connection details of the asset.

Refer to the table below to understand the fields in the Connection Details section:

Field Name Description

Asset Category Select the category of an asset from the drop-down list.
There are two types of assets in the ARCON
Converged Identity as follows:
• Business Asset: A business asset is a software
program that helps businesses automate and
optimize their various processes and operations
to increase efficiency and productivity. These
assets can be web applications, hardware
devices, routers,
etc.
• Infrastructure Asset: An infrastructure asset is a
collection of various assets such as operating
systems, network devices, security devices, and
database instances. These assets can be
Windows RDP, SSH Linux or MS SQL, etc.

Asset Type Select the type of asset from the drop-down list. The
Asset Type field value will be fetched from the previous
screen data. This can be web applications, hardware
devices, routers, etc.

Add Application from the ARCON Market Place Click the Add button to choose the application
available in the ARCON market.

Asset Name Select the application from the ARCON market to
make the asset name visible in this field.

Alias Name Enter the friendly name for the application.

Asset Logo Click Browse to find and set a suitable logo for the
asset. The default logo will be available for assets in the
connector.

Version Select the version number of the asset from the drop-
down. The drop-down values will come from the
connector that is uploaded to the local app store and
the asset that is selected.

Action Select the action that you would like to perform for the
asset. There are three types of action items available
here: Single Sign-on, Digital Identity LifeCycle
Management, and Identity Governance. Selecting an
action enables the corresponding section in
the asset creation screen, where you fill in the details.

Business Owner Select the name of the business owner or vertical head
from the drop-down. You can define a maximum of five
business owners.

Technical Owner Select the name of the technical owner from the drop-
down. You can define a maximum of five technical
owners.

2.4.3.2 Business Asset Credentials

This section allows you to specify the credentials for the asset. You have the option of retrieving credentials
from the ARCON vaults or other vaults on the market, or you may choose to manually construct credentials by
choosing the Custom option from the User Credential Store drop-down.

Refer to the table below to understand the fields in the Credentials section:

Field Description

Use Credential Store Select the appropriate type of credential from the
drop-down. Selecting ARCON Vault lets you set a
Single Custody password. Selecting the Custom (create
manually) type lets you set either a Single Custody or
a Split Custody password.

User Name Enter the user name. This is enabled if you choose the
Custom type of credential store.

153
Administrative Console

Field Description

Custody • Select the appropriate radio button as per


requirement. There are two types of processes
to set the password.

Single Custody- In this option, the


Admin (Owner1) assigns the password
for the asset.

Password Enter the password for the asset.

Confirm Password Enter the password again to confirm that the


password matches the previous password.

Other Owner Select the second owner, who will enter the other half
of the password.
This field will be enabled only if the Split Custody
password is selected.

Publish to Workspace The credential can be used for single sign-on


purposes.
If the toggle is turned on the asset will be interactive
and can be used for single sign-on.
If the toggle is turned off the asset will be
noninteractive and can’t be used for single sign-on.

2.4.3.3 Business Asset Single Sign-on

This section will only appear when the Single Sign-On is assigned as Action from the Application Information
section. The Single Sign-on section allows you to set the kind of single sign-on method you want to use. Single
Sign-On (SSO) is a session and user authentication service that permits a user to use one set of login
credentials (for example, a username and password) to access multiple applications. SSO can be used by
enterprises, small and midsize organizations, and individuals to ease the management of multiple credentials.

With ARCON Single Sign-On (SSO), multiple applications and assets can be accessed with one set of
credentials. By using this solution, users don't have to sign on to each app separately and remember multiple
credentials. The single sign-on methods that are available in the connector will be visible on the screen. Based
on the selection of the single sign-on method, different fields will appear to fill in details.


2.4.3.3.1 Single Sign-on Screen While Onboarding Business Assets:

Selection of the Application Identity Credential field will enable a few more fields to fill in the Login Elements
details.

Refer to the table below to understand the fields in the Single Sign-on section while onboarding business assets.

Fields Name: Description

Method of Single Sign-on: Select the type of single sign-on method. The single sign-on methods that are available in the connector will be visible on the screen.

Application Identity Credentials: Select a particular person or party to set the credential.

User name: Set a particular tag to use as a user name.

User Attributes: Set a particular attribute to use as a user name. For example, if you select email ID as a user attribute, then the email ID will be used as the user name for the asset.

ARCON IAM Policy: Select a particular password policy.

Once the Credentials are configured, the Single Sign-On for the application needs to be configured.

1. Expand the Single Sign-On Configuration section. The following screen will be displayed:

2. Select the SSO method from the Method of Single Sign-On drop-down. There are four types of SSO
methods:
a. ARCON Secure Authentication
b. SAML
c. OAUTH
d. OIDC
3. Select the appropriate SSO method and configure it accordingly. Refer to each SSO method to
understand the detailed field-level information.

2.4.3.3.1.1 ARCON Secure Authentication

By selecting ARCON Secure Authentication as the SSO method, the following screen will be displayed:


In the Application URL field, the administrator will need to specify the application URL, which will be used
for single sign-on, and select the Application Identity Credential type from the drop-down. Eight
application identity credential types are available:

• Admin Set UserName and Password: When this option is selected, the administrator will set the
username and password of the respective application user in the Manage Identities module. Post that,
the user will directly be able to access the respective application via SSO Launchpad.
• Admin Set UserName and User Set Password: When this option is selected, the administrator will set
the username of the respective application user in the Manage Identities module. Whenever the user
accesses the respective application for the first time via SSO Launchpad, the application will prompt the
user with the set password screen.
• Admin Set UserName and ARCON AutoGenerate Password: When this option is selected, the
administrator will set the username of the respective application user in the Manage Identities module.
For password, the administrator will need to select the password policy from the ARCON IAM Policy
dropdown. All the password policies defined for the respective LOB will be displayed in this dropdown.


• ARCON Set UserName and ARCON AutoGenerate Password: When this option is selected, the
administrator will need to select the User Name type as User Profile Attribute from the dropdown.

The User Attributes field will be displayed as shown in the above screen. From the User Attributes field,
the administrator can select one attribute from the dropdown based on which, the username of the
respective user will be created by ARCON. All the attributes created in the Attributes module will be
listed in this dropdown.
For password, the administrator will need to select the password policy from the ARCON IAM Policy
dropdown. All the password policies defined for the respective LOB will be displayed in this dropdown.

• ARCON Set UserName and User Set Password: When this option is selected, the administrator will
need to select the User Name type as User Profile Attribute from the dropdown.


The User Attributes field will be displayed as shown in the above screen. From the User Attributes field,
the administrator can select one attribute from the dropdown based on which, the username of the
respective user will be created by ARCON. All the attributes created in the Attributes module will be
listed in this dropdown.
Whenever the user accesses the respective application for the first time via SSO Launchpad, the
application will prompt the user with the set password screen.
• Directory (User Directory UserName and Password): When this option is selected, the SSO launchpad
will authenticate the user based on the AD credentials.

Note: This option will fetch the AD credentials of the respective users if the domain has been configured by
the administrator.

2.4.3.4 Business Asset Digital Identity Life Cycle Management

This section will only appear when the Digital Identity LifeCycle Management is assigned as Action from the
Application Information section. The Digital Identity Life Cycle Management section allows setting the
provision identity. Digital Identity Life Cycle Management manages the establishment of the user's digital
identity, onboarding, privileges, modification, and deboarding. These technologies and protocols are used
throughout the lifecycle, including for registration, credential issuance, authentication, and management.

In this process, the user can be granted privileges for certain activities, and privileges can also be granted by
the administrator user. Modifications can be made to manage the asset life cycle.


Refer to the table below to understand the fields in the Life Cycle Management section:

Field: Description

Provision Identity: Turn on this toggle to create a named account with the help of the ARCON provision engine. If the toggle is off, the auto provision will not happen and you will not be able to create a named ID in the asset.

Method: Select the method for performing Joiner, Mover, and Leaver events on the asset. The methods are based on the assets and connectors.

Application URL: Enter the application URL as per your system.

Application Identity Credentials: Select a particular person or party to set the credential. This field will be auto-filled if the Application Identity Credentials are selected while filling in the Single Sign-On details.

Login Elements

User name: Select a particular tag to use as a user name.

User Attributes: Enter the user attributes from the drop-down values.

ARCON IAM Policy: Select a particular password policy.

Application Attributes: Enter the name of the application attribute. This allows you to map the IAM attributes to Active Directory attributes.

Unique / Mandatory Attribute: Select this checkbox to make the attribute Unique and mandatory. Unique and Mandatory Attribute will be used for automapping of Accounts, and Application Identity to CI users.

Application Attributes: Enter the name of the application attribute. This allows you to map the attributes to Active Directory attributes.

Mapping Status: Select the type of mappings, such as User Profile Attribute, Expression, and Custom App Attribute.
• User Profile Attribute: This allows you to enter the attributes that are available in the application database.
• Expression: In this, the administrator can configure regular expression.
• Not Mapped: By default, all the attributes will display the mapping status as “Not Mapped“. Choose the appropriate status from the drop-down.

Values: Enter the value to identify the attribute that will be used to map a specific application attribute. The drop-down contains all the created attributes in the attribute module.

Custom App Value: Select the custom value from the drop-down.

Operations: This allows setting the functionality of attributes, such as Create, Modify, and Both.
• Create: This will set the functionality of an attribute in such a way that the attribute will be used for creation purposes only.
• Modify: This will set the functionality of an attribute in such a way that the attribute will be used for modification purposes only.
• Both: This will set the functionality of an attribute in such a way that the attribute will be used for both creation and modification purposes.

Add: This allows you to add a specific attribute to the Attribute Mapping screen.

Remove: This allows you to remove a specific attribute from the Attribute Mapping screen.

Grace Period: This allows you to establish a predetermined time period for assets. When a user is disabled in the IAM, the digital identity of the asset will be allocated to the manager or another person for the specified duration of time.

To configure the Digital Identity LifeCycle Management perform the steps below:

1. Expand the Digital Identity LifeCycle Management Configuration section. The following screen will be
displayed:

2. Select the preferable method from the Method drop-down and enter the Application URL.

a. SCIM: The System for Cross-domain Identity Management (SCIM) specification manages user
IDs in cloud-based services and applications.
b. ARCON Secure Authentication: The ARCON Secure Authentication module manages user IDs
with multiple options to set credentials.
c. Rest API: The REST API framework helps you to manage identities.
d. ODBC: Open Database Connectivity (ODBC) is a standard application programming
interface for accessing database management systems to manage identities.
3. Select the preferable credential type from the Application Identity Credential drop-down. The Login
Elements options will be available if you select the ARCON Set Username Password value from the
Application Identity Credential drop-down.

4. Enter a username and select a password policy from the drop-down.


5. The connector should have some application attributes. Click Add to add attributes and click Remove to
delete the attribute:


6. Enter the Application Attributes name and select the Mapping Status from the drop-down.
7. Select the attribute values from the Values drop-down and select the custom value from the Custom
App Value drop-down.
8. Select the operation type from the Operations drop-down.
9. Enter the Grace Period value:

2.4.3.5 Business Asset Identity Governance

This section will only appear when the Identity Governance is assigned as Action from the Application
Information section. The Identity Governance section allows setting the identity governance. In identity
governance, the whole digital identity lifecycle and end-user entitlements are managed, thus enhancing the
digital experience of enterprises. This allows administrators to perform access certification and review activity
in a much faster and more efficient manner.


Identity Governance helps to implement a proactive approach that safely controls the information of the
employees, partners, and clients and provides authentication and authorization to system-approved identities.

Some applications don't provide de-provisioning APIs; in that case, you will not be able to provision or
de-provision with the help of the same method. That’s why ARCON provides an Identity Governance section
where you can do your de-provision activity.

Note: All the fields visible on the Identity Governance screen except the Use Digital Identity LifeCycle
Management Configuration toggle are the same as the Digital Identity LifeCycle Management screen.

Refer to the table below to understand the fields in the Identity Governance section:


Field: Description

Method: Select the method of digital governance from the drop-down. There are multiple methods of identity governance similar to the Digital Identity LifeCycle Management as follows:
• SCIM: The System for Cross-domain Identity Management (SCIM) specification manages user IDs in cloud-based services and applications.
• ARCON Secure Authentication: The ARCON Secure Authentication module manages user IDs with multiple options to set credentials.
• Rest API: The REST API framework helps you to manage identities.
• ODBC: Open Database Connectivity (ODBC) is a standard application programming interface for accessing database management systems to manage identities.

Use Digital Identity LifeCycle Management Configuration: Turn on this toggle to fetch the data and auto-fill from the Digital Identity LifeCycle Management section.

Other Attributes: Enter attributes if the application needs any other attributes to run.

Attribute Mapping: This section allows you to map application profile attributes for provisioning users into assets.

Unique / Mandatory Attribute: Select this checkbox to make the attribute Unique and mandatory. Unique and Mandatory Attribute will be used for automapping of Accounts, and Application Identity to CI users.

Application Attributes: Enter the name of the application attribute. This allows you to map the attributes to Active Directory attributes.

Mapping Status: Select the type of mappings, such as User Profile Attribute, Expression, and Custom App Attribute.
• User Profile Attribute: This allows you to enter the attributes that are available in the application database.
• Expression: In this, the administrator can configure regular expression.
• Not Mapped: By default, all the attributes will display the mapping status as “Not Mapped“. Choose the appropriate status from the drop-down.

Custom App Values: Select the custom value from the drop-down.

Values: Enter the value to identify the attribute that will be used to map a specific application attribute. The drop-down contains all the created attributes in the attribute module.

Operations: This allows setting the functionality of attributes, such as Create, Modify, and Both.
• Create: This will set the functionality of an attribute in such a way that the attribute will be used for creation purposes only.
• Modify: This will set the functionality of an attribute in such a way that the attribute will be used for modification purposes only.
• Both: This will set the functionality of an attribute in such a way that the attribute will be used for both creation and modification purposes.

Add: This allows you to add a specific attribute to the Attribute Mapping screen.

Remove: This allows you to remove a specific attribute from the Attribute Mapping screen.
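
The Attribute Mapping fields described in the Digital Identity LifeCycle Management and Identity Governance tables (Mapping Status, Values, Custom App Value, Operations, Unique / Mandatory Attribute) can be read as a rule table. The following is an added example, not ARCON code: it assumes the SCIM method, a hypothetical `Mapping` class and constructed profile keys, and shows which attributes reach a SCIM create body versus a PATCH body depending on the Operations setting. Expression mappings are left out because the page does not describe how they are evaluated.

```python
from dataclasses import dataclass

# Schema URNs defined by the SCIM 2.0 specification (RFC 7643 / RFC 7644)
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
OPERATIONS = ("Create", "Modify", "Both")


@dataclass(frozen=True)
class Mapping:
    """One row of the Attribute Mapping screen (hypothetical representation)."""
    app_attribute: str              # Application Attributes
    status: str                     # Mapping Status
    value: str = ""                 # Values (profile attribute) or Custom App Value
    operation: str = "Both"         # Operations: Create, Modify or Both
    unique_mandatory: bool = False  # Unique / Mandatory Attribute


def resolve(mapping, profile):
    """Return the value a mapping row yields for one user profile, or None."""
    if mapping.status == "Not Mapped":
        return None
    if mapping.status == "User Profile Attribute":
        return profile.get(mapping.value) or None
    if mapping.status == "Custom App Attribute":
        return mapping.value or None
    # "Expression" is not handled: the page does not say how it is applied.
    raise ValueError(f"unsupported mapping status: {mapping.status!r}")


def build_payload(mappings, profile, event):
    """Build the SCIM body for a 'create' (POST) or 'modify' (PATCH) event."""
    if event not in ("create", "modify"):
        raise ValueError(f"unknown event: {event!r}")
    wanted = ("Create", "Both") if event == "create" else ("Modify", "Both")
    resolved = []
    for m in mappings:
        if m.operation not in OPERATIONS:
            raise ValueError(f"unknown operation: {m.operation!r}")
        value = resolve(m, profile)
        if m.unique_mandatory and value is None:
            # Without the unique attribute the account cannot be matched to a user.
            raise ValueError(f"mandatory attribute {m.app_attribute!r} has no value")
        if value is not None and m.operation in wanted:
            resolved.append((m.app_attribute, value))
    if event == "create":
        return {"schemas": [SCIM_USER_SCHEMA], **dict(resolved)}
    return {
        "schemas": [SCIM_PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": a, "value": v} for a, v in resolved],
    }


# Constructed sample mapping rows and user profile (not taken from the manual)
MAPPINGS = [
    Mapping("userName", "User Profile Attribute", "email", "Create", unique_mandatory=True),
    Mapping("displayName", "User Profile Attribute", "full_name", "Both"),
    Mapping("title", "User Profile Attribute", "designation", "Modify"),
    Mapping("userType", "Custom App Attribute", "Employee", "Create"),
    Mapping("nickName", "Not Mapped"),
]
PROFILE = {"email": "asha@example.test", "full_name": "Asha Rao", "designation": "Analyst"}

if __name__ == "__main__":
    import json
    print(json.dumps(build_payload(MAPPINGS, PROFILE, "create"), indent=2))
    print(json.dumps(build_payload(MAPPINGS, PROFILE, "modify"), indent=2))
```

An attribute marked Create never appears in the PATCH body, so a value that must not change after onboarding (here `userName`) cannot be overwritten by a later Mover event.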

2.4.3.6 Business Asset Reconciliation

The Reconciliation section allows setting a date and frequency for the synchronization of the asset. The
Reconciliation module helps to schedule the synchronization engine and, based on the configuration, syncs user
account data from the target application to the ARCON IAM application:


Perform the below steps to set the reconciliation period:

1. Choose the start date from the date picker available in the Start Date field. The selection of the Start
Date field will enable the Execution Frequency field.
2. Choose the execution frequency from the Execution Frequency field.
3. Selection of Hourly or Daily from the Execution Frequency drop-down will enable one more field to
configure the exact frequency:

2.4.3.7 Business Asset Entitlement

The Entitlement section allows you to give different types of roles/departments/entitlements to access the
application such as administrators, users, guests, backup operators, remote desktop users, etc. You can either
upload prefilled data or select a specific mapping attribute and enter the entitlement manually. It displays the
user role/department/entitlement of a particular target asset. ARCON Synchronization engine will fetch the
Entitlement of a particular asset to the CI application.


Refer to the table below to understand the different columns displayed on the Entitlement screen:

Field Name: Description

Browse: This will allow you to upload prefilled data in CSV format and the module will fetch the user role/department/entitlement from the target asset to the ARCON system. This upload is not mandatory.
Note: Even the ARCON synchronization engine can synchronize the user entitlements from the target asset to the ARCON system.

Download SampleTemplate: This will allow you to download the sample template to fill in the desired data.

View/Modify: This will allow you to view and modify the existing entitlements.

Updating Entitlement

Perform the below steps to update Entitlement:

1. If you want to upload the entitlement data manually, then click Download Sample Template to
download the sample template to fill in the desired data, and then click Browse to upload the updated
file.
2. The Rule Name screen will be displayed:


Refer to the table below to understand the fields in the Rule Name screen:

Fields Name: Description

Sr No: This field displays the serial number of the list.

Entitlements: This field displays the Entitlement names.

Description: This field displays the Entitlement descriptions.

Privilege: This field allows the administrator to mark an Entitlement as a privilege, which helps in identifying privileged assets.

Default: This field allows the administrators to mark the Default Entitlement, which can be used for Provisioning.

Mapping: This field displays the Ruleset button that helps the administrators set rules for the Entitlement for provisioning User accounts on the asset. Ruleset can be configured using role/department/entitlement or User profile Attributes (Supports RBAC and ABAC).

Delete: This field allows you to remove the Entitlement from the list.

3. Click Ruleset to open the ruleset screen:


4. Click the + icon to add more rules and click the Delete icon to delete/reset the existing rule:

Refer to the table below to understand the fields in the rule pop-up screen:

Fields Name: Description

Parameter: Select the parameter that can be role/department/entitlement or user profile attributes.

Attribute: Select the attribute values. Based on the parameter selection, the attribute field gets modified.

Condition: Select to set conditions for the entitlement. The condition drop-down provides a few conditions, such as Equal, Not Equal, Include, Not Include, Greater Than, Less Than, etc. Choose the appropriate condition.

Value: Select the role/department/entitlement. Based on the parameter and attribute selection, the Value field gets filtered. Choose the appropriate role/department/entitlement from the dropdowns.

Conditional Grouping: This field appears if you add two or more rules. It allows you to choose between two options, And and Or. If you choose the And option the rule will be configured for the entitlement if both rules match. If you choose the Or option the rule will be configured for the entitlement if either rule matches.

5. Click Save to save the configured rule:

6. Click View/Modify to view or modify the existing entitlements.
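
The ruleset fields described above (Parameter, Attribute, Condition, Value, Conditional Grouping) amount to a small attribute-based access rule language. The following is an added example, not ARCON code: the `Rule` class, the nested-dictionary user profile and the sample entitlements are hypothetical, rules are assumed to combine left to right, and a missing attribute or an empty ruleset is assumed to grant nothing.

```python
from dataclasses import dataclass
from typing import Any


def _include(actual, expected):
    """'Include' means membership for collections and substring match for text."""
    if isinstance(actual, (list, tuple, set, frozenset)):
        return expected in actual
    return str(expected) in str(actual)


# Conditions named in the Condition drop-down on this page
CONDITIONS = {
    "Equal": lambda a, e: a == e,
    "Not Equal": lambda a, e: a != e,
    "Include": _include,
    "Not Include": lambda a, e: not _include(a, e),
    "Greater Than": lambda a, e: a > e,
    "Less Than": lambda a, e: a < e,
}


@dataclass(frozen=True)
class Rule:
    parameter: str         # Role, Department, Entitlement or User Profile Attribute
    attribute: str         # attribute within that parameter
    condition: str         # one of CONDITIONS
    value: Any             # value to compare against
    grouping: str = "And"  # Conditional Grouping with the result so far (ignored on rule 1)


def rule_matches(user, rule):
    """Evaluate one rule; a missing attribute never matches (fail closed)."""
    if rule.condition not in CONDITIONS:
        raise ValueError(f"unknown condition: {rule.condition!r}")
    actual = user.get(rule.parameter, {}).get(rule.attribute)
    if actual is None:
        return False
    try:
        return bool(CONDITIONS[rule.condition](actual, rule.value))
    except TypeError:
        # e.g. comparing text with a number: treat as no match, not as a grant
        return False


def ruleset_matches(user, rules):
    """Combine rules left to right with their And / Or grouping."""
    if not rules:
        return False  # an entitlement without rules is never auto-assigned here
    result = rule_matches(user, rules[0])
    for rule in rules[1:]:
        outcome = rule_matches(user, rule)
        if rule.grouping == "And":
            result = result and outcome
        elif rule.grouping == "Or":
            result = result or outcome
        else:
            raise ValueError(f"unknown grouping: {rule.grouping!r}")
    return result


def entitlements_for(user, rulesets):
    """Return the entitlement names whose ruleset the user satisfies."""
    return [name for name, rules in rulesets.items() if ruleset_matches(user, rules)]


# Constructed rulesets and users (not taken from the manual)
RULESETS = {
    "Administrators": [
        Rule("Role", "Name", "Include", "Approver"),
        Rule("User Profile Attribute", "Grade", "Greater Than", 5, "And"),
    ],
    "Remote Desktop Users": [
        Rule("Department", "Name", "Equal", "Finance"),
        Rule("Department", "Name", "Equal", "HR", "Or"),
    ],
    "Guests": [Rule("User Profile Attribute", "Location", "Not Equal", "Mumbai")],
}
USER_A = {"Department": {"Name": "Finance"}, "Role": {"Name": ["Approver"]},
          "User Profile Attribute": {"Grade": 7, "Location": "Mumbai"}}
USER_B = {"Department": {"Name": "HR"}, "Role": {"Name": ["Viewer"]},
          "User Profile Attribute": {"Grade": 3, "Location": "Pune"}}
USER_C = {"Department": {"Name": "Finance"}, "Role": {"Name": ["Approver"]},
          "User Profile Attribute": {}}  # Grade and Location missing

if __name__ == "__main__":
    for label, user in (("A", USER_A), ("B", USER_B), ("C", USER_C)):
        print(label, entitlements_for(user, RULESETS))
```

User C shows why negative conditions need care: with Location missing, a naive "Not Equal" check would grant Guests, while the fail-closed evaluation here does not.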

2.4.3.8 Business Asset Assign

The Assign section allows you to define LOB, asset group, and human identities for the asset. Here you can
onboard the asset in particular LOBs and asset groups, and you can choose the users to whom you want to give
access to the asset.


Refer to the table below to understand the fields in the Assign section:

Field: Description

LOB: Select the LOB from the dropdown to assign it to the asset.

Asset Group: Select the asset group from the dropdown to assign it to the asset.

Human Identities: Select the identities that you need to assign to the asset.
Note: The human identities list appears based on the selected LOB and Asset Group.

2.4.3.9 Business Asset Custom Fields

The field name is bespoke and can be set according to an organization's needs by the administrative human
identity.

Refer to the table below to understand the fields in the Custom Fields section:


Field: Description

Description 1: Enter the required description 1 (OS Version) for the asset (if needed).

Description 2: Enter the required description 2 (Server Description) for the asset (if needed).

Description 3: Enter the required description 3 (Location of Server) for the asset (if needed).

Parameter: Enter the parameter of the asset (if applicable).
Note:
• Refer to the configurations tag documents or click Config tags Description for more details.
• ARCON supports multi-sessions for SSH assets.

2.4.3.10 Business Asset Advanced

The Advanced section allows you to define a few settings related to the assets.

Refer to the table below to understand the fields in the Advanced section:

Field: Description

Application Valid Till: Select the end date. This is the date from which the asset will be inactive for identities.

Logs

Disable Video Log: This configuration will check whether the images are to be captured during the session or not. If it is not enabled, then it will capture images. If it is enabled, then it will not capture images.

Text Log: This configuration will check whether the text logs are to be captured or not for an asset. If it is enabled, then it will capture the text logs. If it is not enabled, then it will not capture the text logs.

Asset Configuration

Criticality Level: Select the criticality level of the asset. There are four criticality levels: None, Low, Medium, and High.
Note: If the criticality level is high, the MFA gets enabled automatically in the background.
Note: This criticality level shall be considered while displaying reports.

Session Lockout Time (Minute): This option will set the duration after which an idle session should be locked out. Specify the time after which the session will be locked out if idle.

2.4.3.11 Business Asset Vault Configuration

The Vault Configuration section allows you to define the vault-related settings. In this module, you can set the
rotation of passwords.

2.4.3.12 Business Asset Assign Tags

This section explains the steps to assign tags to business assets. Tags created for the particular attribute will be
visible here.

Note: The tags visible on the Assign Tags page are configured by the Tags Ordering procedure. Tags
Ordering is compulsory, while tags that are not configured in the Tag Ordering section are optional
tags.


Select the corresponding tag values for the tag names. Admin can select multiple tag values. These selected tag
values will be assigned to the asset:

2.4.4 Bulk Assets Creation


Onboarding assets seems to be a simple process, but at a large scale these operations take a long time to
complete, and mistakes are inevitable and may result in a security gap. The import file feature in the asset
screen is used for importing new assets in ARCON CI. The bulk way of asset creation is efficient: by
downloading a template spreadsheet, making changes to the line items while offline, and then uploading the
revised spreadsheet back into the software, you save time. The asset onboarding process is much simpler if
the bulk asset creation process is used. These created assets will be reflected under the Assets screen in the
Administrative Console.

Perform the below steps to import the assets in bulk:

1. Click the + icon at the Assets screen's bottom right corner:

2. Two pop-up buttons will be displayed. Click the Import File button to create multiple assets by
importing data:

3. The Import data screen will be displayed. Click the Download Sample Template link to download the
template and then save the file on your local machine:


4. Enter the desired data in the left-aligned format into the downloaded Excel sample template and save it:

5. Enter the Tag Names and Tag Values in the bracket and Save the Excel:

6. Click the Browse button to browse for the updated template:

7. Select the updated template file and click the Open button to upload the template:


8. After completing the upload, click the Import button to import the template and onboard new assets:

9. A file imported status message will be displayed:

10. The Import screen will be displayed with the Download Uploaded File button. Click the Download
Uploaded File button to check the status of the individual assets entered in the sample Excel sheet:


11. If you find any error status, update the details accordingly and upload again.
12. Go to the Assets screen and refresh it to see the newly onboarded asset list.

2.4.5 Modify Details of Asset


The assets that are allocated to a role or mapped to an asset group may occasionally need to be updated by the
administrator. Think of a situation where an asset is shut down; in this case, the admin must drop that asset.
Similarly, changing asset details becomes necessary if the admin needs to update a few details for security
reasons.

This section helps you to modify the details of assets. You can modify the details of a particular asset using
the Modify screen. It also describes the steps involved in deleting an asset permanently, disabling an asset
temporarily, and activating the asset.

Note: The Administrator with Modify Asset privilege shall only be able to modify asset details.

Perform the below steps to modify the asset details:

1. Navigate to the Asset screen (Manage > Asset > Business/Infrastructure Asset) and select the LOB
name from the Global LOB selection. This will fetch all assets related to the selected LOB:

2. Click the Modify button:


3. A Modify screen will be displayed similar to the onboard screen. Do the required changes in the existing
fields and then click the Modify button:


2.4.5.1 Deleting / Disabling / Activating the Asset

The administrator sometimes needs to drop the suspended assets, delete the unused assets, or activate the
dropped assets.

Note: Administrators with Drop Assets privileges will be able to disable an asset.

Perform the below steps to delete/ disable/ activate the asset:

1. Click the Drop button in the Modify screen to temporarily disable the asset:

2. A confirmation message will be displayed, click YES to drop the asset:

3. Click the Permanently Delete Asset option if you want to delete the asset permanently; otherwise, select
Disable Asset to temporarily disable an asset:

Note:
• The Disable Asset option will disable the asset temporarily. Disabled assets can be reactivated.
• The Permanently Delete Asset option will delete the assets permanently from the
Administrative Console. They cannot be reactivated.

4. To activate a disabled asset, navigate to the Disabled section and click the Activate button:

2.5 Digital Identities


A digital identity is the data that computers utilize to represent an external agent, such as a person, business,
program, or object. Digital identities enable automatic access to computer-based services and the ability for
computers to mediate interpersonal interactions.
The requirement for several logins to access various assets is replaced with a digital identity. Your digital
identity allows you to authenticate yourself online for work and reuse it as needed.

Use the following path to navigate to the Digital Identities screen:

Administrative Console > Manage > Digital Identities:


As shown in the Digital Identities screen, you can view the list of existing digital identities. Refer to the table
below to understand the different columns displayed on the screen:

Field Name: Description

Digital Identities Categories

Active: This section displays the list of active assets. An active asset is one which has interacted with the ARCON CI application within a certain period.

Disabled: This section displays the list of disabled assets. A disabled asset is one which is disabled by the admin because of security reasons.

Assets Type

Business Assets: This section displays the list of business assets which can be a web application, hardware device, router, etc.

Infrastructure Assets: This section displays the list of infrastructure assets such as Windows RDP, SSH Linux or MS SQL, etc.

The Digital Identities screen has two tabs: Business Assets and Infrastructure Assets.

Business Assets Screen:


Refer to the table below to understand the different columns displayed on the Business Assets tab:

Field Name: Description

Asset Name: It displays the name of the business asset.

User Name: It displays the username/user ID of the business asset.

LOBs: It displays the assigned LOBs.

Asset Group: It displays the name of the asset group.

Asset Type: It displays the name of the type of asset which can be a web application, hardware device, router, etc.

Alias Name: It displays the alias/another name of the asset.

Action: It displays the action item to see the detail of the asset. You can see the detail of the asset, create new assets, and modify the existing assets.

Infrastructure Assets Screen:


Refer to the table below to understand the different columns displayed on the Infrastructure Assets tab:

Field Name: Description

Asset Name: It displays the name of the infrastructure asset.

User Name: It displays the username/user ID of the infrastructure asset.

IP/DNS: It displays the IP address of the infrastructure asset.

Host Name: It displays the hostname of the infrastructure asset.

Domain Name: It displays the domain name of the infrastructure asset.

DB Instance: It displays the database environment of the infrastructure asset.

LOBs: It displays the assigned LOBs.

Asset Group: It displays the name of the asset group.

Asset Type: It displays the name of the type of asset such as Windows RDP, SSH Linux or MS SQL, etc.

Alias Name: It displays the alias/another name of the asset.

Action: It displays the action item to see the detail of the asset. You can see the detail of the asset, create new assets, and modify the existing assets.

2.5.1 Onboarding New Digital Identities


There are two ways to onboard Digital Identities:

• Manual Onboard to onboard a single digital identity
    • Infrastructure Asset Digital Identity Manual Onboard
    • Business Asset Digital Identity Manual Onboard
• Bulk Onboard to onboard multiple digital identities at a time

2.5.2 Infrastructure Asset Digital Identities Manual Onboard


Creating Digital Identity can help admins step out of themselves and recognize that different people have
different needs and expectations. This section explains the manual Digital Identity creation process.

Perform the below steps to create a Digital Identity:

1. Go to the Infrastructure Asset tab in the Digital Identities screen and click Details to open the digital
identity creation screen:

2. Click the + icon at the bottom right corner of the Digital Identities screen:

3. Two pop-up buttons will be displayed. Click the Create button to create a new Digital Identity manually:


4. The Create Digital Identity screen will be displayed:

5. To associate a digital identity, there are two sections, Identity and Mapping. To create a digital identity, however, there are five sections, which are as follows:

   • Identity
   • Credentials
   • Mapping
   • Asset Form
   • Entitlements
   • Advanced
   • Assign Tags


6. Once all the required details are entered, click the Create button. If the password does not meet the password policy, the password policy is displayed as a prompt:

7. Re-enter the password to meet the password policy and then click the Create button.
8. The Digital Identity will be created and will be listed in the Active Digital Identities category list.

2.5.2.1 Infrastructure Asset Digital Identity Details

The Digital Identity Details section collects the basic information about the digital identity that is needed while creating identities. This information will be used to assign assets and monitor the identity activity. While creating a new digital identity manually, an administrator will get a tab called Identity to fill in the details of the digital identity.

Refer to the table below to understand the fields in the Identity section:

| Field Name | Description |
|---|---|
| What action would you like to perform | Select the type of action you would like to perform between identity creation and identity associate. If you choose to associate an identity, you need to fill in another field called Mapping. But, if you choose to create an identity, you will get four more fields to fill in (refer to Digital Identities Manual Creation). |
| Identity Category | Select an identity category between personal and shared. Note: If the identity category is Personal type then the identity can be mapped to a single human identity. If the identity category is Shared type then the identity can be mapped to multiple human identities. |
| App Name (Alias) | Enter an application name. |
| Identity Type | Select the identity type from the drop-down. Personal Identity Accounts: Named ID (an Identity Account assigned to an individual human identity with a specific name or identifier); BOT ID (an Identity Account created for automated processes or bots); API ID (an Identity Account created for application programming interface (API) access); System ID (an Identity Account created to provide system-level access); Identity ID (an Identity Account created for a specific Identity or application); Machine ID (an Identity Account created for machine-level access). Shared Identity Accounts: Shared ID (a common Identity Account used by multiple human identities to access shared resources); System ID (an Identity Account created to provide system-level access to shared resources); Identity ID (an Identity Account created for a specific shared Identity or application); Master ID (an Identity Account that manages other Identity Accounts and controls access to shared resources); BOT ID (an Identity Account created for automated processes or bots); API ID (an Identity Account created for application programming interface (API) access); Machine ID (an Identity Account created for machine-level access to shared resources). |
| IsPrivilege | Turn on this toggle to make this a privileged identity. |


2.5.2.2 Infrastructure Asset Digital Identity Credentials

This section allows you to specify the credentials for the digital identities.


Refer to the table below to understand the fields in the Credentials section:

| Field | Description |
|---|---|
| Use Credential Store | Select the appropriate type of credential from the drop-down. Selection of the ARCON Vault will enable you to set a Single Custody password and the selection of the Custom type will enable you to set either a Single Custody or a Split Custody password. |
| User Name | Enter the user name. This field is enabled only if you select the Custom type of credential store. |
| Custody | There are two types of processes to set the password. Single Custody: In this option, the Admin (Owner1) assigns the password for the digital identity. Split Custody: In this option, there are two owners of the password. Owner1 is the Admin who wants to onboard the digital identity with (the first/second half) of the password and fills in the name of the second owner who will enter the other half of the password. The digital identity will be onboarded only when both owners enter their part of passwords. Note: The Split Custody radio button can be selected only if the Store Passwords in Split Custody configuration is Enabled from Settings. The second owner receives an alert on ACMO and an email after the first owner has entered his part of the password for the digital identity. After the second owner enters the other part, the digital identity is created, depending on the workflow. |
| Password | Enter the password for the digital identity. |
| Confirm Password | Enter the password again to confirm that the password matches the previous password. |
| Other Owner | Select the second owner, who will enter the other half of the password. This field will be enabled only if the Split Custody password is selected. |
| Publish to Workspace | If the toggle is turned on, the digital identity will be interactive and can be used for single sign-on. If the toggle is turned off, the service will be non-interactive and can’t be used for single sign-on. |

2.5.2.3 Infrastructure Asset Digital Identity Mapping

It is possible to configure a variety of account types with the required access, roles, and permissions. Digital
identity accounts are more susceptible to security exploitation since they have more access to the
infrastructure and more privileges. You can allocate assets to digital identities with the appropriate security
and compliance using ARCON CI. This section allows you to assign the LOBs, asset groups, and human
identities to the digital identity.

Note: In the Digital Identity detail screen, if the Digital Identity category is Personal type, you can map a single Human Identity to the Digital Identity. If the Digital Identity category is Shared type, you can map multiple Human Identities to the Digital Identity.

Perform the below steps to assign the LOB, asset group, and human identities to the digital identity:

1. Select the LOB from the LOB dropdown list.


2. Select the Asset Group from the Asset Group dropdown list:

Refer to the following table to understand the field-level description shown on the Mapping screen:

| Field Name | Description |
|---|---|
| LOB | Select the LOB from the dropdown to assign it to the digital identity. |
| Asset Group | Select the asset group from the dropdown to assign it to the digital identity. |
| Human Identities | Select the identities that you need to assign to the digital identity. Note: The human identities list appears based on the selected LOBs. |

2.5.2.4 Infrastructure Asset Digital Identity Asset Form

The Asset Form of digital identity provides a means to capture and store essential details about an individual's
identity, allowing for efficient and secure access to various online services. Typically, the asset form includes
several key pieces of the digital identity, such as name, email, username, and password.

Refer to the table below to understand the fields in the Asset Form section:

| Field Name | Description |
|---|---|
| Name | Enter a name for the digital identity. |
| Email | Enter the email address dedicated to the particular identity. |
| User Name | Enter the user name of the digital identity. |
| Password | Enter the password of the digital identity. |

2.5.2.5 Infrastructure Asset Digital Identity Entitlements

The Entitlement section allows you to give different types of rights to digital identities such as View Only,
Create, Edit, Delete, Approve, and Admin.


• View Only: The View Only option will enable the digital identity to view the data only.
• Create: The Create option will enable the digital identity to create or enter new data into the target
asset.
• Edit: The Edit option will enable the digital identity to edit or modify the asset data.
• Delete: The Delete option will enable the digital identity to delete the data.
• Approve: The Approve option will enable the digital identity to perform approval activity.
• Admin: The Admin option will enable the digital identity to perform all the admin activities.

Select the appropriate entitlement from the Entitlements drop-down.

2.5.2.6 Infrastructure Asset Digital Identity Advanced

The Advanced section allows you to define a few settings related to digital identity.

Refer to the table below to understand the fields in the Advanced section:

| Field | Description |
|---|---|
| Application Valid Till | Select the end date. This is the date from which the digital identity will be inactive. |
| Logs | |
| Video Log | This setting controls whether images are captured during the session. If it is enabled, images are captured. If it is not enabled, images are not captured. |
| Text Log | This setting controls whether text logs are captured for the digital identity. If it is enabled, text logs are captured. If it is not enabled, text logs are not captured. |
| Application Configuration | |
| Criticality Level | Select the criticality level of the digital identity. Note: This criticality level shall be considered while displaying reports. |
| Session Lockout Time (Minute) | This option sets the duration after which an idle session is locked out. Specify the time, in minutes, after which the session will be locked out if idle. |
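The fields described in sections 2.5.2.1 to 2.5.2.6 can be checked together before an identity is onboarded. The following is an added example, not ARCON code: it reviews constructed planning records against the rules stated in this manual (category/type lists, Personal versus Shared mapping, Split Custody requirements) and against a few reviewer policy thresholds that are assumptions of the example. The record key names are hypothetical stand-ins for the form fields.

```python
from datetime import date

# Identity types the manual lists under each Identity Category.
TYPES_BY_CATEGORY = {
    "Personal": {"Named ID", "BOT ID", "API ID", "System ID", "Identity ID", "Machine ID"},
    "Shared": {"Shared ID", "System ID", "Identity ID", "Master ID", "BOT ID", "API ID",
               "Machine ID"},
}
ENTITLEMENTS = {"View Only", "Create", "Edit", "Delete", "Approve", "Admin"}

# Reviewer policy thresholds: assumptions of this example, not product defaults.
MAX_PRIVILEGED_LOCKOUT_MIN = 15
MAX_VALIDITY_DAYS = 365


def review_identity(rec, today):
    """Return a list of findings for one planned digital identity record."""
    findings = []
    category = rec["identity_category"]
    privileged = rec["is_privilege"]

    # Manual: each Identity Type is offered under specific categories only.
    if rec["identity_type"] not in TYPES_BY_CATEGORY.get(category, set()):
        findings.append("identity type not offered for this category")

    # Manual: a Personal identity maps to a single human identity.
    humans = rec["human_identities"]
    if category == "Personal" and len(humans) > 1:
        findings.append("Personal identity mapped to more than one human identity")
    if not humans:
        findings.append("no human identity mapped, so no accountable owner")

    if rec["entitlement"] not in ENTITLEMENTS:
        findings.append("unknown entitlement")
    elif rec["entitlement"] == "Admin" and not privileged:
        findings.append("Admin entitlement but IsPrivilege is off")

    # Policy assumptions: privileged identities get full logging, a short idle
    # lockout, and Split Custody when the account is shared.
    if privileged:
        if not (rec["video_log"] and rec["text_log"]):
            findings.append("privileged identity without both Video Log and Text Log")
        if rec["session_lockout_min"] > MAX_PRIVILEGED_LOCKOUT_MIN:
            findings.append("idle session lockout longer than policy allows")
        if category == "Shared" and rec["custody"] != "Split":
            findings.append("privileged Shared identity not under Split Custody")

    # Manual: Split Custody is available only with the Custom credential store
    # and involves two owners.
    if rec["custody"] == "Split":
        if rec["credential_store"] != "Custom":
            findings.append("Split Custody requires the Custom credential store")
        if not rec.get("other_owner") or rec["other_owner"] == rec["owner1"]:
            findings.append("Split Custody without a distinct second owner")

    valid_till = rec["application_valid_till"]
    if valid_till is None:
        findings.append("no Application Valid Till date")
    elif valid_till <= today:
        findings.append("Application Valid Till date is not in the future")
    elif (valid_till - today).days > MAX_VALIDITY_DAYS:
        findings.append("validity longer than policy allows")
    return findings


def review_all(records, today):
    """Map each record's alias to its list of findings."""
    return {rec["alias"]: review_identity(rec, today) for rec in records}


# Constructed sample data for illustration only.
_BASE = {
    "alias": "", "identity_category": "Personal", "identity_type": "Named ID",
    "is_privilege": True, "human_identities": ["jdoe"], "entitlement": "Edit",
    "video_log": True, "text_log": True, "session_lockout_min": 10,
    "credential_store": "ARCON Vault", "custody": "Single",
    "owner1": "admin1", "other_owner": None,
    "application_valid_till": date(2024, 12, 31),
}
SAMPLE = [
    {**_BASE, "alias": "jdoe-rdp-clean"},
    {**_BASE, "alias": "svc-backup", "identity_category": "Shared",
     "identity_type": "Master ID", "human_identities": ["alice", "bob"],
     "entitlement": "Admin", "text_log": False, "session_lockout_min": 30,
     "application_valid_till": None},
    {**_BASE, "alias": "jdoe-sql", "identity_type": "Shared ID", "is_privilege": False,
     "human_identities": ["jdoe", "asmith"], "entitlement": "Admin",
     "custody": "Split", "other_owner": "admin1",
     "application_valid_till": date(2024, 1, 1)},
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for alias, findings in review_all(SAMPLE, TODAY).items():
        print(alias, "OK" if not findings else findings)
```
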

2.5.2.7 Infrastructure Asset Digital Identity Assign Tags

This section explains the steps to assign tags to digital identities. Tags created for the particular attribute will
be visible here.

Note: The tags visible on the Assign Tags page are configured by the Tags Ordering procedure. Tags
Ordering is compulsory, while tags that are not configured in the Tag Ordering section are optional
tags.

Select the corresponding tag values for the tag names. Admin can select multiple tag values. These selected tag
values will be assigned to the digital identity:


2.5.3 Business Asset Digital Identities Manual Onboard


Creating Digital Identity can help admins step out of themselves and recognize that different people have
different needs and expectations. This section explains the manual Digital Identity creation process.

Perform the below steps to create a Digital Identity:

1. Go to the Business Assets tab in the Digital Identities screen and click Details:

2. Click the + icon at the bottom right corner of the Digital Identities screen:

3. Two pop-up buttons will be displayed. Click the Create button to create a new Digital Identity manually:

4. The Create Digital Identity screen will be displayed:


5. There are different sections to create a digital identity, which are as follows:

   • Identity
   • Credentials
   • Mapping
   • Asset Form
   • Entitlements
   • Advanced
   • Assign Tags

6. Once all the required details are entered, click the Create button. If the password does not meet the password policy, the password policy is displayed as a prompt:

7. Re-enter the password to meet the password policy and then click the Create button.
8. The Digital Identity will be created and will be listed in the Active Digital Identities category list.

2.5.3.1 Business Asset Digital Identity Details

The Digital Identity Details section collects the basic information about the digital identity that is needed while creating identities. This information will be used to assign assets and monitor the identity activity. While creating a new digital identity manually, an administrator will get a tab called Identity to fill in the details of the digital identity.


Refer to the table below to understand the fields in the Identity section:

| Field Name | Description |
|---|---|
| What action would you like to perform | Select the type of action you would like to perform between identity creation and identity associate. If you choose to associate an identity, you need to fill in another field called Mapping. But, if you choose to create an identity, you will get four more fields to fill in (refer to Digital Identities Manual Creation). |
| Identity Category | Select an identity category between personal and shared. Note: If the identity category is Personal type then the identity can be mapped to a single human identity. If the identity category is Shared type then the identity can be mapped to multiple human identities. |
| App Name (Alias) | Enter an application name. |
| Identity Type | Select the identity type from the drop-down. Personal Identity Accounts: Named ID (an Identity Account assigned to an individual human identity with a specific name or identifier); BOT ID (an Identity Account created for automated processes or bots); API ID (an Identity Account created for application programming interface (API) access); System ID (an Identity Account created to provide system-level access); Identity ID (an Identity Account created for a specific Identity or application); Machine ID (an Identity Account created for machine-level access). Shared Identity Accounts: Shared ID (a common Identity Account used by multiple human identities to access shared resources); System ID (an Identity Account created to provide system-level access to shared resources); Identity ID (an Identity Account created for a specific shared Identity or application); Master ID (an Identity Account that manages other Identity Accounts and controls access to shared resources); BOT ID (an Identity Account created for automated processes or bots); API ID (an Identity Account created for application programming interface (API) access); Machine ID (an Identity Account created for machine-level access to shared resources). |
| IsPrivilege | Use this toggle to declare whether the identity is privileged or not. If you want to make the identity privileged, then switch on the toggle. |
| Digital Identity | Select the digital identity. |

2.5.3.2 Business Asset Digital Identity Credentials

This section allows you to specify the credentials for the digital identities.


Refer to the table below to understand the fields in the Credentials section:

| Field | Description |
|---|---|
| Use Credential Store | Select the appropriate type of credential from the drop-down. Selection of the ARCON Vault will enable you to set a Single Custody password and the selection of the Custom type will enable you to set either a Single Custody or a Split Custody password. |
| User Name | Enter the user name if you choose the Custom type of credential store. |
| Custody | There are two types of processes to set the password. Single Custody: In this option, the Admin (Owner1 himself) assigns the password for the digital identity. Split Custody: In this option, there are two owners of the password. Owner1 is the Admin who wants to onboard the digital identity with (the first/second half) of the password and fills in the name of the second owner who will enter the other half of the password. The digital identity will be onboarded only when both owners enter their part of passwords. Note: The Split Custody radio button can be selected only if the Store Passwords in Split Custody configuration is Enabled from Settings. The second owner receives an alert on ACMO and an email after the first owner has entered the part of the password for the digital identity. After the second owner enters the other part, the digital identity is created, depending on the workflow. |
| Password | Enter the password for the digital identity. |
| Confirm Password | Enter the password again to confirm that the password matches the previous password. |
| Other Owner | Select the second owner, who will enter the other half of the password. This field will be enabled only if the Split Custody password is selected. |
| Publish to Workspace | If the toggle is turned on, the digital identity will be interactive and can be used for single sign-on. If the toggle is turned off, the service will be non-interactive and can’t be used for single sign-on. |

2.5.3.3 Business Asset Digital Identity Mapping

It is possible to configure a variety of account types with the required access, roles, and permissions. Digital
identity accounts are more susceptible to security exploitation since they have more access to the assets and
more privileges. You can allocate assets to digital identities with the appropriate security and compliance using
ARCON CI. This section allows you to assign the LOBs, asset groups, and human identities to the digital
identity.

Note: In the Digital Identity detail screen, if the Digital Identity category is Personal type, you can map a single Human Identity to the Digital Identity. If the Digital Identity category is Shared type, you can map multiple Human Identities to the Digital Identity.

Perform the below steps to assign the LOB, asset group, and human identities to the digital identity:

1. Select the LOB from the LOB dropdown list.


2. Select the Asset Group from the Asset Group dropdown list:

Refer to the following table to understand the field-level description shown on the Mapping screen:

| Field Name | Description |
|---|---|
| LOB | Select the LOB from the dropdown to assign it to the digital identity. |
| Asset Group | Select the asset group from the dropdown to assign it to the digital identity. |
| Human Identities | Select the identities that you need to assign to the digital identity. Note: The human identities list appears based on the selected LOBs. |

2.5.3.4 Business Asset Digital Identity Asset Form

The Asset Form of digital identity provides a means to capture and store essential details about an individual's
identity, allowing for efficient and secure access to various online services. Typically, the asset form includes
several key pieces of the digital identity, such as name, email, username, and password.

Refer to the table below to understand the fields in the Asset Form section:

| Field Name | Description |
|---|---|
| Name | Enter a name for the digital identity. |
| Email | Enter the email address dedicated to the particular identity. |
| User Name | Enter the user name of the digital identity. |
| Password | Enter the password of the digital identity. |

2.5.3.5 Business Asset Digital Identity Entitlements

The Entitlement section allows you to give different types of rights to digital identities such as View Only,
Create, Edit, Delete, Approve, and Admin.


• View Only: The View Only option will enable the digital identity to view the data only.
• Create: The Create option will enable the digital identity to create or enter new data into the target
asset.
• Edit: The Edit option will enable the digital identity to edit or modify the asset data.
• Delete: The Delete option will enable the digital identity to delete the data.
• Approve: The Approve option will enable the digital identity to perform approval activity.
• Admin: The Admin option will enable the digital identity to perform all the admin activities.

Select the appropriate entitlement from the Entitlements drop-down.

2.5.3.6 Business Asset Digital Identity Advanced

The Advanced section allows you to define a few settings related to digital identity.

Refer to the table below to understand the fields in the Advanced section:

| Field | Description |
|---|---|
| Application Valid Till | Select the end date. This is the date from which the digital identity will be inactive. |
| Logs | |
| Video Log | This setting controls whether images are captured during the session. If it is enabled, images are captured. If it is not enabled, images are not captured. |
| Text Log | This setting controls whether text logs are captured for the digital identity. If it is enabled, text logs are captured. If it is not enabled, text logs are not captured. |
| Application Configuration | |
| Criticality Level | Select the criticality level of the digital identity. Note: This criticality level shall be considered while displaying reports. |
| Session Lockout Time (Minute) | This option sets the duration after which an idle session is locked out. Specify the time, in minutes, after which the session will be locked out if idle. |

2.5.3.7 Business Asset Digital Identity Assign Tags

This section explains the steps to assign tags to digital identities. Tags created for the particular attribute will
be visible here.

Note: The tags visible on the Assign Tags page are configured by the Tags Ordering procedure. Tags
Ordering is compulsory, while tags that are not configured in the Tag Ordering section are optional
tags.

Select the corresponding tag values for the tag names. Admin can select multiple tag values. These selected tag
values will be assigned to the digital identity:


2.5.4 Associate Digital Identities


Authentication, authorization, accountability, personalized experiences, compliance, the prevention of identity
theft, and threat detection all depend on the association of digital identity with human identity. Cyber security
software can improve security measures, safeguard sensitive data, and give users a safer and more
individualized online experience by creating this connection. This section explains the manual Digital Identity
association process.

Perform the below steps to associate a Digital Identity:

1. Go to the respective tab (Business Assets or Infrastructure Asset) in the Digital Identities screen and
click Details for the category in which you want to associate a digital identity:

2. Click the + icon at the bottom right corner of the Digital Identities screen:

3. Two pop-up buttons will be displayed. Click the Create button to associate a Digital Identity manually:

4. The Create Digital Identity screen will be displayed:


5. Choose the Associate Identity option from the What action would you like to perform drop-down:

6. The following sections appear and must be filled in to associate a digital identity:

   • Identity
   • Mapping
   • Assign Tags

7. Once all the required details are entered, click the Create button:


8. The Digital Identity will be associated with the respective Role/Department.

2.5.4.1 Associate Digital Identity Details

The Digital Identity Details section collects the basic information about the digital identity that is needed while creating identities. This information will be used to assign assets and monitor the identity activity. While creating a new digital identity manually, an administrator will get a tab called Identity to fill in the details of the digital identity.


Refer to the table below to understand the fields in the Identity section:

| Field Name | Description |
|---|---|
| What action would you like to perform | Select the type of action you would like to perform between identity creation and identity associate. If you choose to associate an identity, you need to fill in another field called Mapping. But, if you choose to create an identity, you will get four more fields to fill in (refer to Digital Identities Manual Creation). |
| Identity Category | Select an identity category between personal and shared. Note: If the identity category is Personal type then the identity can be mapped to a single human identity. If the identity category is Shared type then the identity can be mapped to multiple human identities. |
| App Name (Alias) | Enter an application name. |
| Identity Type | Select the identity type from the drop-down. |
| IsPrivilege | Turn on this toggle to fetch either the privileged identity or the unprivileged identity. (Defined based on the assigned Entitlement/Role/Group) |
| Digital Identity | As per the value of the above field, all the fetched digital identities will be displayed here. |

2.5.4.2 Associate Digital Identity Mapping

It is possible to configure a variety of account types with the required access, roles, and permissions. Digital
identity accounts are more susceptible to security exploitation since they have more access to the assets and
more privileges. You can allocate assets to digital identities with the appropriate security and compliance using
ARCON CI. This section allows you to assign the LOBs, asset groups, and human identities to the digital
identity.

Note: In the Digital Identity detail screen, if the Digital Identity category is Personal type, you can map a single Human Identity to the Digital Identity. If the Digital Identity category is Shared type, you can map multiple Human Identities to the Digital Identity.

Perform the below steps to assign the LOB, asset group, and human identities to the digital identity:

1. Select the LOB from the LOB dropdown list.


2. Select the Asset Group from the Asset Group dropdown list:

Refer to the following table to understand the field-level description shown on the Mapping screen:

| Field Name | Description |
|---|---|
| LOB | Select the LOB from the dropdown to assign it to the digital identity. |
| Asset Group | Select the asset group from the dropdown to assign it to the digital identity. |
| Human Identities | Select the identities that you need to assign to the digital identity. Note: The human identities list appears based on the selected LOBs. |


2.5.4.3 Associate Digital Identity Assign Tags

This section explains the steps to assign tags to digital identities. Tags created for the particular attribute will
be visible here.

Note: The tags visible on the Assign Tags page are configured by the Tags Ordering procedure. Tags
Ordering is compulsory, while tags that are not configured in the Tag Ordering section are optional
tags.

Select the corresponding tag values for the tag names. Admin can select multiple tag values. These selected tag
values will be assigned to the digital identity.

2.5.5 Bulk Digital Identities Creation


Creating Digital Identities for onboarding in the CI application appears to be a straightforward task. Nonetheless, the identity and access management environment of a typical midsized or large organization is huge, and sometimes an administrator must create identities in bulk. Onboarding huge numbers of identities manually is not practical: it is time-consuming and fraught with the possibility of error. To overcome this, ARCON CI allows administrators to add digital identities in bulk using the bulk import function.

Perform the below steps to import the identities in bulk:

1. Go to the respective tab (Business Assets or Infrastructure Asset) in the Digital Identities screen and
click the Details of the category to create a digital identity:

2. Click the + icon at the bottom right corner of the Digital Identities screen:


3. Two pop-up buttons will be displayed. Click the Import File button to create multiple identities by
importing data:

4. The Import data screen will be displayed. Click the Download Sample Template link to download the
template and then save the file on your local machine:

5. Enter the desired data in the left-aligned format into the downloaded Excel sample template and save it.
6. Click the Browse button to browse for the updated template:


7. After completing the upload, click the Import button to import the template and create new identities:

8. A file imported status message will be displayed:

9. The Import screen will be displayed with the Download Uploaded File button. Click the Download
Uploaded File button to check the status of the individual identities entered in the sample Excel sheet:


10. If you find any error status, then update the digital identity details accordingly and upload again.
11. Go to the Digital Identities screen and refresh it to see the newly added identity list.

2.5.6 Modify Details of Digital Identities


An identity's information may need to be updated because of a change in job type or position, a change in corporate regulations and procedures, or any other situation. To handle this without jeopardizing security compliance, ARCON CI offers a method to alter digital identity details. You can modify the details of a particular digital identity using the Modify screen. This section also describes the steps involved in temporarily disabling digital identities, activating them, and copying their properties.

Note: Only the Administrator having the Modify Identities privilege shall be able to modify Identity details.

Perform the below steps to modify the Identities details:

1. Go to the respective tab (Business Assets or Infrastructure Asset) in the Digital Identities screen and
click the Details of the category to modify a digital identity:

2. Navigate to the Digital Identities screen and click the Modify button:


3. A Modify screen will be displayed similar to the Create screen. Make the required changes in the
existing fields and click on the Modify button:

2.5.6.1 Disabling/Activating the Digital Identities

Suppose a privileged Identity is no longer a privileged Identity or moves out of an organization; in such
situations, it is imperative to disable this Identity. Not disabling such an Identity expands the security
vulnerability and invites insider attacks or social engineering. It is important to note that ARCON CI does not
allow deleting an Identity account. The reason for this is that the IT auditor needs to know which Identity
accounts were disabled and under what conditions. Likewise, sometimes an admin must suspend an Identity for
certain reasons. In such a situation, an admin can disable the specific Digital Identity account for the duration of
the suspension. However, the same Identity account may be activated after the suspension duration is over.

Perform the below steps to disable/activate the Identity:

1. Click the Disable button on the Modify screen to temporarily drop the Identity. The Identity list will move
to the Disabled Identity list:


Note: Administrators having Drop Identity privileges will be able to disable an Identity.

2. To activate a disabled Identity, navigate to the Disabled section and then click the Activate button:

2.6 LOBs
Line of Business (LOB) is a general classification of operations used by an organization. A line of business
describes the set of products or assets that are grouped under one department or team, based on factors planned
by the organization. ARCON CI helps to segregate different human identities and assets. For example, a company may
have a dedicated team working independently, which can be segregated as a separate LOB, so that its human
identities and assets are grouped under that particular department/LOB. The LOB concept supports multi-tenancy.
When integrated into ARCON CI, the LOB becomes the root for all the entities (Human Identities, Assets,
Role/Department, and Asset Group), and these entities are then mapped to their respective LOBs.


Note: The Administrator who is assigned privileges listed in Manage LOB/Profile can perform respective
actions in LOB/Profile Master & Manager.

Use the following path to navigate to the LOBs screen:

Administrative Console > Manage > LOBs:

Refer to the table below to understand the columns displayed on the LOBs screen:

| Column Name | Description |
|---|---|
| LOB Name | It displays the name of the LOB. |
| Short Name | It displays the short name defined for the LOB. |
| LOB Address | It displays the location of the LOB. |
| Report Header | It displays the header name for the LOB report. |
| Created By | It displays the username of the person who created the LOB. |
| Created On | It displays the date and time when the LOB was created. |
| Action | It displays the Modify button to update the properties of the LOB. |

2.6.1 Create LOB


In order to map the necessary assets to the appropriate business unit’s human identities, the administrator
must create LOBs in the ARCON CI. This section explains the steps to create a LOB (Line Of Business).

Note: Administrators who have been assigned the Add New LOB privilege will be able to create new LOBs
and view all the LOBs in the Select LOB/Profile dropdown on the Administrative Console home
screen, whereas Administrators who have not been assigned the Add New LOB privilege will be able
to view only those LOBs which are mapped to them.


Perform the below steps to create a LOB:

1. Click the + icon provided at the bottom right corner of the LOBs screen:

2. The Create LOB screen appears:

Refer to the table below to understand the fields in the Create LOB screen:

| Field | Description |
|---|---|
| LOB Name | Enter a name for the LOB. The LOB name should be unique. |
| Short Name | Enter a short name for the LOB. The field is mandatory since the LOB’s short name should be unique. Note: The LOB short name should follow the Windows folder naming convention. If the naming convention does not match, the LOB can't be created. |
| Description | Enter a description for the LOB. |
| Address | Enter the address of the LOB. |
| Report Header | Specify the header name for the LOB report. |
| Valid Till | The LOB will be valid until the specified date. |
| Active | It enables the LOB once it is created. |

3. Fill in the details and then click the Create button to create the LOB:
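The Short Name rule in the field table above (Windows folder naming convention, unique per LOB) can be checked before the Create LOB form is submitted. The Python code below is an added example and is not part of the ARCON product or its documentation: the function names and sample values are hypothetical, the naming rules are the ones Microsoft documents for file and folder names, and comparing short names case-insensitively is an assumption.

```python
import re

# Device names Windows reserves; a folder cannot use them, with or without
# an extension (for example "NUL" or "COM1.bak").
RESERVED_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)
# Characters Windows forbids in a file or folder name, plus ASCII control codes.
FORBIDDEN_CHARS = re.compile(r'[<>:"/\\|?*\x00-\x1f]')
MAX_COMPONENT_LENGTH = 255  # longest single path component NTFS accepts


def short_name_problems(name):
    """Return the reasons `name` is not a valid Windows folder name ([] = valid)."""
    if not name:
        return ["name is empty"]
    problems = []
    if len(name) > MAX_COMPONENT_LENGTH:
        problems.append("longer than %d characters" % MAX_COMPONENT_LENGTH)
    bad = sorted(set(FORBIDDEN_CHARS.findall(name)))
    if bad:
        problems.append("contains forbidden characters: " + " ".join(map(repr, bad)))
    if name[-1] in " .":
        problems.append("ends with a space or a period")
    # The reserved-name test applies to the part before the first period.
    if name.split(".")[0].rstrip(" ").upper() in RESERVED_NAMES:
        problems.append("uses a reserved device name")
    return problems


def check_short_names(candidates, existing=()):
    """Validate a batch of proposed short names against the rules and each other.

    Assumption: uniqueness is compared case-insensitively, because Windows
    folder names that differ only in case refer to the same folder.
    """
    seen = {n.casefold() for n in existing}
    report = {}
    for name in candidates:
        problems = short_name_problems(name)
        if name.casefold() in seen:
            problems.append("duplicates another short name (case-insensitive)")
        seen.add(name.casefold())
        report[name] = problems
    return report


# Constructed sample values, not taken from any real deployment.
SAMPLE_EXISTING = ["FIN"]
SAMPLE_CANDIDATES = ["Treasury_EU", "HR/Payroll", "nul", "com1.bak", "Ops.", "fin"]

if __name__ == "__main__":
    for name, problems in check_short_names(SAMPLE_CANDIDATES, SAMPLE_EXISTING).items():
        print(f"{name!r}: {'OK' if not problems else '; '.join(problems)}")
```

Because the Short Name cannot be edited after the LOB is created, running such a check on the planned names before creation avoids having to live with a rejected or awkward value.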


2.6.2 Modify LOB


The administrator may occasionally need to modify the LOBs that are assigned to human identities. Consider a
scenario where the administrator wants to extend the LOB's validity in ARCON CI, change the LOB's name, or
temporarily suspend the LOB. In this case, the LOB needs to be modified or dropped. Sometimes it's necessary
to activate the inactive LOBs.

Perform the below steps to modify the LOB:

1. Navigate to the LOBs screen and click the Modify button:

2. The Modify screen appears. Make the required changes and click the Modify button:

Note: The Short Name field is not editable since the LOB Short Name is used in Archival Assets to fetch the
recorded history videos.


2.6.2.1 Bulk Update

The bulk update will allow you to update the properties of the selected records at the same time. This helps to
update the same fields in multiple LOBs. The bulk update module allows the administrator to update the LOBs
more quickly than updating the same thing for each LOB separately.

Selecting the required records automatically enables the LOBs Detail option at the top right corner of the
LOBs screen. This lets the admin update multiple selected records with the same data.

Perform the below steps to bulk update the properties of the selected records:

1. Select the check box in the grid header to select all the records or select the required records only as per
your requirement:

2. Selection of the required record will automatically enable the modify pop-up options at the top right
corner of the LOBs screen:

3. Click the LOBs Detail option to update the Report Header name:


4. Update the Report Header name for selected LOBs report and change the status of the LOBs to Active
or Inactive as per requirement:

5. After making the required changes, click on the Update button to save the changes. It will update all
the selected records with the same Report Header name:


3 Setting
The Tag Management and Identity Attributes offer a more precise setup of tags and user attributes, which aids
in enhancing security. The management of access to resources and assets is made simpler by these settings.

3.1 Tags Management


ARCON Administrative Console also provides the feature of custom tagging to assets. For clients with a huge
infrastructure and a huge number of assets, the tag management feature will help to provide a custom grouping
and clear view of assets as per the custom tree view. There will also be ease in filtering and searching for assets
based on the tags. The end-user can directly find assets through the custom tree view which is formed via tags.
After filtering assets through Tag Tree Filter, Administrator can easily assign the required users.

To navigate to the Tags Management, use the following path:

Settings > Setting Management > Tag Management:

Refer to the table below to understand the columns displayed on the Tag Management page:

| Column Name | Description |
|---|---|
| Tags Configuration | This allows the admin to create, modify, and delete tags. |
| Tags Ordering | This allows the admin to configure the order for a custom tree view of assets. |

3.1.1 Tags Configuration


This section helps you to create, modify, and delete tags. The tags created can be assigned to assets. Tag
creation defines the tag name and corresponding tag values for the same in the ARCON CI solution.

To navigate, use the following path:

Settings > Setting Management > Tag Management > Tags Configuration


The Tag Management screen has two tabs: Active and InActive. The Active tab lists the active tags
and the InActive tab lists the inactive tags.

Refer to the table to understand the different types of filters that are available on the Tag Management page:

| Column Name | Description |
|---|---|
| Active | This section displays the list of active tags that can be assigned to any asset. |
| Inactive | This section displays the list of inactive tags. Inactive tags are not visible while assigning to assets. This can be re-activated anytime from the Inactive section. |
| Search | This is a global filter, and you can search for any tag by entering the tag name here. |
| AG Grid Column | This filter is a column filter that applies to the column level. Click this icon to select filter categories such as contains, not contains, equals, etc. Then, search for the keywords. |
| AG Grid Filter | This filter enables you to search for both individual and multiple values, which have to be separated by commas. Even if you enter the input partially, the filter will still accurately refine the necessary values. |

Refer to the table below to understand the columns displayed on the Tag Management page:


| Column Name | Description |
|---|---|
| Tag Name | It displays the tag name. |
| Tag Values | It displays the tag values. |
| Active | It confirms the status of the tag. |
| Created By | It displays the username of the admin who created the tag. |
| Created On | It displays the date and time when the tag was created. |
| Modified By | It displays the username of the admin who modified the tag. |
| Modified On | It displays the date and time when the tag was last modified. |
| Action | You can modify the tag details by clicking the Modify button. |

Export as Excel

The Export as Excel button is used to export all the records on a particular page in an Excel format.

Customize Columns

You can customize the view of any records displayed in the Tag Management screen with the help of the
Customize button.

To get a customized view of the records, perform the steps below:

1. Click on the Customize columns option on the right side of the records.


2. Enable or disable the columns as per your requirement. Based on the selection, you can see your
customized view of records.

3.1.1.1 Tag Creation

There are two ways to create tags:

• Manual Tag Creation to create a single tag.


• Bulk Tag Creation to create multiple tags at a time.

3.1.1.1.1 Manual Tag Creation

This section explains the tag creation process using the Create button.

Perform the steps below to create a tag with the Create button:

1. Click on the + icon at the bottom right corner of the Tag Management page:

2. Two pop-up buttons will be displayed. Click on the Create button to create a new tag manually:

   The Create Tag page will be displayed:

   Refer below to understand the fields:

   • Tag Name: Enter the name of the Tag. (Example: Location, Team, etc.)
   • LOBs: Select one or multiple LOBs from the drop-down list.
   • Tags Type: Select the types of asset from the drop-down to define the tag's usability.
   • Active: Enable the Active toggle to activate the tag. If you keep the toggle disabled, then the
     tag will remain inactive.
   • Multi-Select Tag-Values: Turn on the Multi-Select Tag-Values toggle to make multiple tag
     values available to map to the asset. If you keep the toggle off, only a single tag value can be
     mapped to assets.
   • Inheritable Tag-Values: Turn on the Inheritable Tag-Values toggle to make the tag value
     transmissible to other modules. For example, if you create the tag for the business asset, the
     same tag can be used for the digital identity as well.
   • Mandatory: Turn on the Mandatory toggle to make the tag compulsory to map while creating
     any asset. You can’t create an asset without mapping the mandatory tag. If you keep the toggle
     off, the tag will remain optional and you can create any assets without mapping the tag.
   • Tag Value:
       Custom: Enter the tag values. (Example: For the location tags, write the location name.)
       System: Select a group from the drop-down to fetch the data.

3. Select the Custom radio button and then fill in the tag values in the Add Tag Values field and press
   Enter to add tag values:

   Note: When creating tags, each tag will automatically be assigned a different color.

4. If you want to create tags by using the existing values, then select the System radio button and then
   select a group from the drop-down to fetch the data.

5. Click on the Cross icon to remove the tag value or click on the Pencil icon to edit the tag value:

6. You can either cancel the tag creation process by clicking on the Cancel button or clear the entered
   data by clicking on the Clear button:

7. Click Create to complete the creation process:

8. A confirmation message appears. Click on the YES button to create the tag:

9. A success message for the tag creation appears.

10. Go to the Tag Management page and refresh it to see the newly added tag:

    Note: If the tag is created with the Active toggle turned on, then the tag will appear on the Active
    screen. If the tag is created with the Active toggle turned off, then the tag will appear on the
    InActive screen.


3.1.1.1.2 Bulk Tag Creation

This section explains how to create multiple tags using the Import File button. A client may require
many tags, and creating them one at a time is tedious and time-consuming for administrators, so a feature
for the bulk creation of tags is provided.

Perform the steps below to create multiple tags with the Import File button:

1. Click on the + icon at the bottom right corner of the Tag Management page:

2. Two pop-up buttons will be displayed. Click on the Import File button to create multiple tags:

   The Import data screen will be displayed:

3. Click on the Download Sample Template link to download the template and then save the file on
   your local machine:

4. Fill in the required data in the downloaded Excel sample template and save it:

   Note: Data should be entered with a left alignment. If there is more than one tag value, the values
   should be comma-separated without a space between the tag values.

5. Click on the Browse button to browse to the updated template:

6. Select the updated template file and click on the Open button to upload the template:

7. After completion of the upload, click on the Import button to import the template and create new
   tags:

8. A file imported status message appears as “Bulk Import was successful. Please download the status
   report to understand the status of all the attempted import records”:

9. Click the Download Uploaded File button to download the tag creation status Excel sheet:

10. Open the status Excel sheet and check the status of individual tag details entered in the sample Excel
    sheet:

    Note: If you find any error status, update the details accordingly and upload again.

11. Go to the Tag Management page and refresh it to see the newly added tags.

3.1.1.2 Delete/Modify Details Of Tag

This section helps you modify the details of a tag. You can modify the details of a particular tag using the Modify
button. Also, this allows the admin to delete the tag from the application.

Perform the steps below to modify the tag details:

1. Navigate to the Tag Management > Active or InActive page and then click on the Modify button of
   the tag you want to modify:

2. The Modify page will be displayed similar to the Create page.

3. Click on the Cross icon to remove the tag value or click on the Pencil icon to edit the tag value:

4. Make the required changes in the existing fields and click on the Modify button. Refer to the Tags
   Creation section for field details.

5. If required, click the Drop button to delete the tag.

6. A confirmation message will be displayed. Click on the YES button to delete the tag.

7. A success message for the tag deletion will be displayed.

3.1.1.3 Dropping, Disabling, And Activating Of Tags

The Admin can use the Drop or Disable feature to delete or disable, respectively, single or multiple tags that
are not assigned to any asset. If needed, the Admin can also activate the disabled tags.

3.1.1.3.1 Dropping Tags

This section helps you to delete single/multiple tags.

Perform the steps below to drop tag(s):

1. Use the following path to get the Active and Inactive tags list: Settings > Setting Management >
   Tag Management > Tags Configuration:

2. Select the tags that you want to drop from the Active or Inactive tab:

3. Click the Drop option to delete the selected tags:

4. The Drop Tags screen will be displayed. Click the Drop button:

5. A confirmation message will be displayed: “Are you sure want to drop tags”. Then click the Yes button
   to delete the tags:

6. A success message for the tag deletion will be displayed: “Tags dropped successfully”.

3.1.1.3.2 Disabling Tags

This section helps you to disable single/multiple active tags.

Perform the steps below to disable tag(s):

1. Use the following path to get the Active and Inactive tags list: Settings > Setting Management >
   Tag Management > Tags Configuration > Active:

2. Select the tags that you want to disable from the Active tab:

3. Click the Disable option to inactivate the selected tags:

4. The Disable Tags screen will be displayed. Click the Disable button:

5. A confirmation message will be displayed: “Are you sure want to disable tags?”. Then click the Yes
   button to disable the tags:

6. A success message for the disabled tags will be displayed: “Tags disabled successfully”.

3.1.1.3.3 Activating Tags

This section helps you to activate single/multiple inactive tags.

Perform the steps below to activate tag(s):

1. Use the following path to get the Active and Inactive tags list: Settings > Setting Management >
   Tag Management > Tags Configuration > InActive:

2. Select the tags that you want to activate from the InActive tab:

3. Click the Activate option to activate the selected tags:

4. The Activate Tags screen will be displayed. Click the Activate button:

5. A confirmation message will be displayed: “Are you sure want to activate tags?”. Then click the Yes
   button to activate the tags:

6. A success message for the tag activation will be displayed: “Tags activated successfully”.

3.1.2 Tags Ordering


This section helps you set the order of the tags. Tags Ordering configures the order that is used
primarily for the Custom Tree View of Assets. If the Tag Tree View Order is not set, then all the available tags
will be visible in alphabetical order. The Tag Tree View Order can be set after the selection of a particular LOB.

To navigate, use the following path:

Settings > Setting Management > Tags Management > Tags Ordering:

The Tag Ordering page will be displayed:


Refer to the table below to understand the columns displayed on the Tag Ordering page:

| Column Name | Description |
|---|---|
| Tag Tree View Order | The tags order configured in this section will determine the Custom N Level Tree View to be formed for Assets. If the admin wants to display an asset in the Custom Tree View, then ensure that at least one tag value from the configured tags is assigned. |
| Available Tags | Tags in the Available Tags section are optional tags that are not configured for Custom Tree View. It is not mandatory to assign these tags to the assets. |

Ordering of Tags

This section explains configuring the order of the tags, which will be used for the custom Tree View of Assets.

Perform the steps below to configure the order of the tags:

1. Navigate to the Tag Ordering page. Settings > Setting Management > General > Tags Ordering:

2. Drag the required tags from the Available Tags list and drop them into the Tag Tree View Order list
   to configure the ordering of the tags for custom tree view:

3. Drag and drop all the required tags into the Tag Tree View Order list in a sequence to reflect the
   Custom Tree View of Assets:

4. Click the Save button to save the Tag Tree View Order:

3.2 User Attribute


The user attributes feature allows administrators to create custom attributes that can be used to store
additional values for users. These attributes can be used to capture information that is not typically included in
standard user profiles or that is unique to the organization's needs.

Administrators can define custom attributes based on their organization's specific requirements. This can
include fields such as job title, department, location, employee ID, or any other custom field that is relevant to
the organization's needs. Once the attributes are defined, they can be used to capture information for
individual user profiles.

The user attributes feature provides flexibility for administrators to manage user information in a way that
meets their specific needs. It also allows for the creation of unique identifiers for users that can be used to
associate other data or metadata with the user profiles.

By utilizing the user attributes feature, administrators can better manage their user profiles and ensure that
they have access to the most relevant and up-to-date information for their users. This can improve the
efficiency of user management processes, reduce errors, and ultimately improve the overall user experience.

This section explains how to manage user attributes, including how to create and modify custom attributes. You
can add and define user attributes for ARCON CI Directory.

There are two types of user attributes: Custom and Built-In.

• Custom Attributes: The user attributes that are created by the client itself.
• Built-In Attributes: The user attributes that are created by ARCON CI to assist clients.

To navigate to the User Attribute screen, use the following path:


Administrative Console > Settings > Setting Management (User Attribute):

Refer to the table to understand the different types of filters and tabs that are available on the User Attribute
screen:

| Filter or Tab Name | Description |
|---|---|
| Active | This section displays the list of active user attributes. An active user attribute is one that is active to clarify the user properties. Disabled attributes can be changed to active attributes by using the modify option. |
| Disabled | This section displays the list of disabled user attributes. A disabled user attribute is one that is disabled and can be used in the future. Active attributes can be changed to disabled attributes by using the modify option. |
| Search | The Search filter at the top provides a quick and easy way to search for a specific user attribute. |
| Customize | You can customize the view of any field displayed in the User Attributes screen. |

Refer to the table below to understand the different columns displayed on the User Attribute screen:


| Field Name | Description |
|---|---|
| Attribute Name | It displays the name of the user attribute that is used to fetch the data at the backend. Note: The first character of the attribute name should be in lowercase and the name should be written without space. |
| Attribute Alias Name | It displays the name of the user attribute that is shown on the UI screen. |
| Attribute Type | It displays the type of the user attribute, such as Custom and Built In. |
| Attribute Input Type | It displays the type of input used to fill in the data in a user form. For example, drop-down, text, date, etc. |
| LOB | It displays the name of the LOB the attributes belong to. |
| Is Display | It displays the visibility status of the user attribute. If Yes, then the attribute is visible, and if No, then the attribute is not visible. |
| Is Mandatory | It displays the usability of the user attribute. If Yes, then the attribute is mandatory, and if No, then the attribute is optional. |
| Action | It displays the action item for the particular user attribute. It is used to modify the attributes. |

3.2.1 Create User Attributes


This section helps you create new user attributes. To create a user attribute, perform the steps below:

1. Click the + icon at the bottom right corner of the User Attribute screen:

2. Click the Create button to create a new user attribute:

3. The User Attribute creation screen will be displayed:

Refer to the User Attribute Creation Screen section to understand all the fields' descriptions and use.

4. Fill in the required fields and then click the Create button to create the user attribute. You can either
click the Clear button if you want to clear the data or click the Cancel button if you want to cancel the process:

5. A message will be displayed for your confirmation: “Are you want to save this attribute?”. Click Yes to
confirm. Otherwise, you can click No to revoke the process:

6. A user attribute creation status message will be displayed: “User Attribute Added Successfully”:

7. Either click the Cancel button if you want to cancel the user attribute creation process or click the Clear
button if you want to clear the data entered in the user attribute creation screen:

8. The created user attribute will be visible on the User Attribute screen.

3.2.1.1 User Attributes Creation Screen

This section helps you understand the field-level description displayed on the User Attribute creation screen:

Refer to the following table to understand the field-level description displayed on the User Attribute creation
screen:


| Field Name | Description |
|---|---|
| User Attribute | Enter the name of the user attribute that will be used to fetch the data at the backend code level, e.g. email. Note: The first character of the attribute name should be in lowercase and the name should be written without space. |
| User Friendly Name | Enter the name of the user attribute that will be visible on the front-end User Creation screen, e.g. Email ID. |
| LOBs | Enter the LOB name the user attribute belongs to. |
| Input Type | Enter the type of attributes. |
| Text | The Text attribute is used to create a text box to enter a few details of the user. |
| Password | The Password attribute is used to create a text box to enter the password of the user. |
| Checkbox | The Checkbox attribute is used to create a Checkbox on the UI screen. |
| Radio Button | The Radio Button attribute is used to create a Radio Button on the UI screen. Selection of the Radio Button attribute will enable the Enter Manually option. You can add or remove the data that will be displayed on the User Form screen. |
| List | The List attribute is used to create a list on the User Form screen. Selection of the List attribute will enable two options: Enter Manually and Enter with the help of API. Enter Manually: Add or remove the data manually by selecting the Enter Manually option. Enter with the help of API: Use the Enter with the help of API option to fetch the data by using API. |
| Text Area | The Text Area attribute is used to create a bigger text box to write a description about the user. |
| Date | The Date attribute is used to create a date picker to enter a date. |
| Email | The Email attribute is used to enter an email ID. |
| Dropdown | The Dropdown attribute is used to create a dropdown to select data. Selection of the Dropdown attribute will enable three options: Enter Manually, Enter with the help of API, and User Attribute. Enter Manually: Add or remove the data manually by selecting the Enter Manually option. Selection of the Enter Manually option will enable two fields, Display Name (enter the required name that will display in the dropdown list) and Value (enter the value (short name) of the name entered in the Display Name field). Enter with the help of API: Use the Enter with the help of API option to fetch the data by using API. User Attribute: Use the User Attribute option to display a few specific attributes of the user. Select the required attributes from the dropdown list. |
| Display in Add User Form | This allows you to make the attribute visible on the Add User Form. |
| Mandatory Attribute | This allows you to set the functionality status as mandatory for the particular attribute. |
| Display in User Profile | This allows you to make the attribute visible on the User Profile screen. |
| Editable by End User | This allows you to make the attribute editable by the End User. |
| Description | Enter the description of the attribute. |
| Comment | Enter the comment about the attribute that will be visible on the User Form screen to guide the end user. |

3.2.2 Modify User Attributes


This section helps you to modify the details of a user attribute. You can change the details of a particular user
attribute using the Modify button. This section also describes the steps involved in temporarily disabling user
attributes and activating disabled user attributes.

To modify the user attribute details, perform the steps below:

1. Navigate to the User Attribute screen (Settings > Attributes) and click the Modify button:

2. A Modify screen will be displayed similar to the Create screen. Make the required changes in the
existing fields and click the Modify button:

Refer to the User Attribute Creation Screen section to understand the different columns displayed on the
User Attribute screen.

3. A message will be displayed for your confirmation: “Are you sure want to update this Attribute?”.
Click Yes to confirm. Otherwise, you can click No to revoke the process:

4. A user attribute disabled status message will be displayed: “Attribute Disabled Successfully”:

5. If you want to temporarily disable the user attribute, then click the Disable button:

6. A message will be displayed for your confirmation: “Are you sure want to disable this User
Attribute?”. Click Yes to confirm. Otherwise, you can click No to revoke the process:

7. A user attribute disabled status message will be displayed: “Attribute Disabled Successfully”:

8. The attribute will move to the Disabled user attributes list:

3.2.2.1 Activating Disabled User Attribute

This section helps you activate a user attribute. To activate a user attribute, perform the steps below:

1. Navigate to the User Attribute screen (Settings > Attributes), and then go to the Disabled attribute
screen:

2. Click the Activate button:

3. A user attribute activated status message will be displayed: “Attribute Activated”:

4. The attribute will move to the Active user attributes list.

3.2.3 Attributes Ordering


This section helps you set the order of the User Attributes. Attributes Ordering configures the order
in which the attributes will be visible on the user creation form.

Perform the steps below to configure the order of the Attributes:

1. Navigate to Settings > User Attribute:

2. Click the Attributes Ordering option:


3. The User Attribute Order screen will be displayed:

4. Drag the user attributes to the desired sequence and the sequence number of the attributes will be
changed automatically.
5. Click Save to save the changes:


3.3 Application Attribute


The application attributes feature allows administrators to create custom attributes that can be used to store
additional values for applications. These attributes can be used to capture information that is not typically
included in standard profiles or that is unique to the application’s needs. This can include fields such as
username, password, or any other custom field that is relevant to the application’s needs.

The application attributes feature provides flexibility for administrators to manage the application information
in a way that meets their specific needs. It also allows for the creation of unique identifiers for applications.

This section explains how to manage application attributes, including how to create and modify custom
attributes. You can add and define application attributes for the ARCON CI Directory.

To navigate to the Application Attribute screen, use the following path:

Administrative Console > Settings > Setting Management (Application Attribute):

Refer to the table to understand the different types of filters and tabs that are available on the Application
Attribute screen:

| Filter or Tab Name | Description |
|---|---|
| Active | This section displays the list of active application attributes. Active application attributes are used to clarify the application properties. Disabled attributes can be changed to active attributes by using the Modify option. |
| Disabled | This section displays the list of disabled application attributes. A disabled application attribute is one that has been disabled and can be used in the future. Active attributes can be changed to disabled attributes by using the Modify option. |
| Search | The Search filter at the top provides a quick and easy way to search for a specific application attribute. |
| Customize | You can customize the view of any field displayed in the Application Attributes screen. |

Refer to the table below to understand the different columns displayed on the Application Attribute screen:

| Field Name | Description |
|---|---|
| Attribute Name | It displays the name of the application attribute that is used to fetch the data at the backend. Note: The first character of the attribute name should be in lowercase and the name should be written without space. |
| Attribute Alias Name | It displays the name of the application attribute that is visible on the UI screen. |
| Attribute Input Type | It displays the input type used to fill in the attribute's data in a form, for example, drop-down, text, date, etc. |
| LOB | It displays the name of the LOB the attributes belong to. |
| Is Display | It displays the visibility status of the application attribute. If Yes, then the attribute is visible, and if No, then the attribute is not visible. |
| Is Mandatory | It displays whether the application attribute is mandatory. If Yes, then the attribute is mandatory, and if No, then the attribute is optional. |
| Action | It displays the action item for the particular application attribute. It is used to modify the attributes. |

3.3.1 Create Application Attributes


This section helps you create new application attributes. To create an application attribute, perform the steps
below:

1. Click the + icon at the bottom right corner of the Application Attribute screen:

2. Click the Create button to create a new application attribute:

3. The Application Attribute creation screen will be displayed:

Refer to the Application Attributes Creation Screen section to understand the description and use of
each field.
4. Fill in the required fields and then click the Create button to create the application attribute. You can
click the Clear button if you want to clear the data, or click the Cancel button if you want to cancel the
process:

5. A confirmation message will be displayed: “Are you want to save this attribute?”. Click Yes to
confirm. Otherwise, click No to cancel the process:

6. An attribute creation status message will be displayed: “Application Attribute Added Successfully”:

7. Click the Cancel button if you want to cancel the application attribute creation process, or click the
Clear button if you want to clear the data entered in the application attribute creation screen:

8. The created application attribute will be visible on the Application Attribute screen.

3.3.1.1 Application Attributes Creation Screen

This section helps you understand the field-level description displayed on the Application Attribute creation
screen:

Refer to the following table to understand the field-level description displayed on the Application Attribute
creation screen:

| Field Name | Description |
|---|---|
| Application Attribute | Enter the name of the application attribute that will be used to fetch the data at the backend code level, e.g. email. Note: The first character of the attribute name should be in lowercase and the name should be written without space. |
| User Friendly Name | Enter the name of the application attribute that will be visible on the front-end screen, e.g. Email ID. |
| LOBs | Enter the LOB name the application attribute belongs to. |
| Input Type | Enter the type of attributes. |
| Text | The Text attribute is used to create a text box to enter a few details of the application. |
| Password | The Password attribute is used to create a text box to enter the password of the application. |
| Checkbox | The Checkbox attribute is used to create a Checkbox on the UI screen. |
| Radio Button | The Radio Button attribute is used to create a Radio Button on the UI screen. Selection of the Radio Button attribute will enable the Enter Manually option. You can add or remove the data that will be displayed on the digital identity creation screen. |
| List | The List attribute is used to create a list on the digital identity creation screen. Selection of the List attribute will enable two options, Enter Manually and Enter with the help of API. Enter Manually: Add or remove the data manually by selecting the Enter Manually option. Enter with the help of API: Use the Enter with the help of API option to fetch the data by using API. |
| Text Area | The Text Area attribute is used to create a bigger text box to write a description of the application. |
| Date | The Date attribute is used to create a date picker to enter a date. |
| Email | The Email attribute is used to enter an email ID. |
| Dropdown | The Dropdown attribute is used to create a dropdown to select data. Selection of the Dropdown attribute will enable three options, Enter Manually, Enter with the help of API, and Application Attribute. Enter Manually: Add or remove the data manually by selecting the Enter Manually option. Selection of the Enter Manually option will enable two fields, Display Name and Value. Display Name: Enter the required name that will display in the dropdown list. Value: Enter the value (short name) of the name entered in the Display Name field. Enter with the help of API: Use the Enter with the help of API option to fetch the data by using API. |
| Display in Digital Identity | This allows you to make the attribute visible on the Digital Identity creation screen. |
| Display in User Profile | This allows you to make the attribute visible on the User Profile screen. |
| Editable by End User | This allows you to make the attribute editable by the End User. |
| Description | Enter the description of the attribute. |
| Comment | Enter the comment about the attribute that will be visible on the User Form screen to guide the end user. |

3.3.2 Modify Application Attributes


This section helps you modify the details of application attributes. You can change the details of application
attributes using the Modify button. This section also describes the steps involved in temporarily disabling
application attributes and activating disabled application attributes.

To modify the application attribute details, perform the steps below:

1. Navigate to the Application Attribute screen (Settings > Attributes) and click the Modify button:

2. A Modify screen will be displayed similar to the Create screen. Make the required changes in the
existing fields and click the Modify button:

Refer to the Application Attribute Creation Screen section to understand the different columns displayed
on the Application Attribute screen.
3. A confirmation message will be displayed: “Are you sure want to modify this Attribute?”. Click Yes
to confirm. Otherwise, click No to cancel the process:

4. A status message will be displayed “Attribute Updated Successfully”:

5. If you want to temporarily disable the application attribute, click the Disable button:

6. A confirmation message will be displayed: “Are you sure want to disable this application
attribute?”. Click Yes to confirm. Otherwise, click No to cancel the process:

7. A disabled status message will be displayed “Attribute Disabled Successfully”:

8. The attribute will move to the Disabled application attributes list:

3.3.2.1 Activating Disabled Application Attribute

This section helps you activate an application attribute. To activate an application attribute, perform the steps
below:

1. Navigate to the Application Attribute screen (Settings > Attributes), and then go to the Disabled
attribute screen:

2. Click the Activate button:

3. An activated status message will be displayed “Attribute Activated”:

4. The attribute will move to the Active application attributes list.

3.4 Local App Store


The ARCON Local App Store is an offline marketplace that provides connectors for onboarding various
infrastructure assets like operating systems, database instances, network devices, security devices, web
applications, and desktop applications. These connectors can be downloaded from the marketplace or
uploaded manually.

In addition to the connectors provided by the marketplace, ARCON also includes a few default connectors like
RDP, SSH, Windows, Linux, and more. This makes it easy for organizations to get started with the onboarding
process.

The Local App Store also allows users to modify the parameters and ports for each connector. This can be done
through the Modify feature available on the Local App Store screen. Once the parameters and ports are
modified, they can be used globally whenever the same connector is used for onboarding an asset.

Overall, the ARCON Local App Store provides a centralized platform for organizations to discover, download,
and manage connectors for onboarding various infrastructure assets. By providing default connectors and the
ability to modify connector parameters, the Local App Store helps streamline the onboarding process and
optimize asset management processes.

Use the following path to navigate to the Local App Store screen:

Administrative Console > Settings > Local App Store:

As shown on the Local App Store screen, you can view the list of onboarded local connectors.

Refer to the table below to understand the fields on the Local App Store screen:

| Field Name | Description |
|---|---|
| User Categories | |
| Active | This section displays the list of active connectors. |
| Disabled | This section displays the list of disabled connectors. |
| Asset Categories | |
| Business Asset | A business asset is a software program that helps businesses automate and optimize their various processes and operations to increase efficiency and productivity. These assets can be web applications, hardware devices, routers, etc. |
| Infrastructure Assets | An infrastructure asset is a collection of various assets such as operating systems, network devices, security devices, and database instances. These assets can be Windows RDP, SSH Linux, MS SQL, etc. |
| Column Details | |
| Name | It displays the names of the connectors. |
| Type | It displays the category of the connectors. |
| Version | It displays the version number of the connectors. |
| SSO | It displays if the connector has the capability of SSO. |
| LCM | It displays if the connector has the capability of life cycle management. |
| IGA | It displays if the connector has the capability of Identity Governance. |
| Vault | It displays if the connector has the capability of Vault. |
| Source | It displays if the asset is inbuilt or available in the marketplace. |
| Action | You can modify the application status and details by clicking the Modify button. |

3.4.1 Onboard Local App


This section helps you onboard connectors. There are two ways to onboard them:

• Manual Upload
• Upload From Marketplace

3.4.1.1 Manual Upload Of Local Apps

The administrators can upload connectors for the infrastructure asset from the local store. This section
explains the manual uploading of connectors.

Perform the below steps to upload connectors manually:

1. Click the + icon at the bottom right corner of the Local App Store screen:

2. Two pop-up buttons will be displayed. Click the Manual Upload button:

3. The Manual Upload screen will be displayed:

4. Click Browse to find the asset from the local app store.
5. Click Upload to complete the process.

3.4.1.2 Upload From Marketplace

The administrators can upload assets from the ARCON marketplace. This section explains the manual
uploading of connectors from the ARCON marketplace.

Perform the below steps to upload connectors from the ARCON marketplace:

1. Click the + icon at the bottom right corner of the Local App Store screen:

2. Two pop-up buttons will be displayed. Click the Upload from Marketplace button to upload the
connector:

3.4.1.3 Modify Connectors

The administrators can modify the connector. This section explains the procedure to modify the uploaded
connectors.

Perform the below steps to modify the uploaded connectors:

1. Navigate to the Local App Store screen and click the Modify button:

2. A Modify RDP Connectors screen will be displayed. Make the required changes in the existing fields and
click the Save button:

Note: The Modify screen changes according to the connector selected.

Refer to the table below to understand the columns displayed on the Modify RDP Connectors screen.

| Field Name | Description |
|---|---|
| Modify Fast Connector Details | |
| Host Name | It displays the hostname of the connector. You can modify it. |
| IP Address/DNS | It displays the IP/DNS address of the connector. You can modify it. |
| Domain Name | It displays the domain name of the connector. You can modify it. |
| Port | It displays the port number of the connector. You can modify it. |
| Modify Single Sign-On Configuration | It displays all types of SSO available for that connector. You can modify or delete it. |

3. Click on the Cross icon if you want to remove the SSO:

4. Click on the Edit icon to edit the SSO:

5. The connector’s detail fields will be displayed:

6. Update the details as per your requirements and then click Save to save the SSO modification:

7. Click Push to ARC Connector to save the connector modification:

8. Click the Modify drop-down if you want to upload, delete, or download the connector:

9. Select Upload to upload an updated version of the same connector, select Download to download the
connector to your local machine, or select Disable to deactivate the connector.

3.4.1.4 Activate Disabled Connectors

The administrators can disable a connector if it is not in use. This section explains the procedure
to activate the disabled connectors.

Perform the steps below to activate the disabled connectors:

1. Navigate to the Local App Store screen and click the Disabled tab:

2. Click Activate to activate the connector:

3. The connector will be moved to the Active list.

4 Acronyms
The acronyms used in this manual are as follows:

| Acronyms | Description |
|---|---|
| CI | Converged Identities |
| LOB | Line of Business |
| SSH | Secure Shell |
| RDP | Remote Desktop Protocol |
| OTP | One Time Password |
| DB | Database |
| PVSL | Password Vault & Session Logging |
| SGS | Secure Gateway Server |

5 Related Documents
Below are the related documents, which help you understand ARCON CI in detail:

• ARCON CI Installation & Configuration Guide describes how to prepare the environment, install, and
configure the ARCON Converged Identities Solution.
• ARCON CI Set-up Pre-requisite describes the hardware and software required for deployment of
ARCON CI in the user environment.
• ARCON CI Troubleshoot provides the basic information for ARCON CI issues.

POC (Point of Contact) & Support Information

The product is developed and maintained by ARCON PAM TechSolutions Private Limited. We at ARCON are
continuously striving to develop and deliver the best quality products. As you are our valued customer, we would
like to know your feedback, suggestions, and ideas for improvements with regard to our products and services. You
can always reach out to us through the communication channels below:

Web

https://arconnet.com/

Sales Contact

You can directly contact us with sales-related topics at the email address [email protected], or leave us your
contact information and we will call you back.

Support Contact

To access ARCON PAM Support Centre (ASC), Sign in with your account.

1. Remote support is available 24*7.

2. ARCON PAM Support System is available only for registered users with a valid support package.

3. ARCON PAM Support Centre (ASC): https://support.arconnet.com/

4. Central Support E-mail Address: [email protected]

5. Support hotline:

• Global: +91 8080005577 (For ARCON PAM Support Press 3)

• UAE: 800035703628 (Press 1)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any
means such as electronic, mechanical, photocopying, recording, or otherwise without permission.
