Managing User Accounts
  • 23 Jan 2025

Overview

The following user account types can be created in ThreatConnect®: Application Programming Interface (API) users, TAXII™ users, ThreatConnect users with a variety of System and Organization roles, and Read Only Users (including Read Only Commenters). This article demonstrates how to view the membership of an Organization, how to create each kind of user account, and how to edit and delete user accounts.

Before You Start

User Roles

  • To create user accounts, your user account must have an Organization role of Organization Administrator or a System role of Administrator, Operations Administrator, or, if on an On-Premises or Dedicated Cloud instance, Accounts Administrator.
  • To view information on user accounts other than your own on the Membership tab of the Organization Settings screen, your user account must have an Organization role of Organization Administrator or a System role of Administrator, Operations Administrator, or, if on an On-Premises or Dedicated Cloud instance, Accounts Administrator.
  • To edit user accounts, your user account must have an Organization role of Organization Administrator or a System role of Administrator, Operations Administrator, or, if on an On-Premises or Dedicated Cloud instance, Accounts Administrator.
    Note
    You cannot edit a user account whose System role has a higher permission level than your user account’s System role. That is, a user account with a System role of Operations Administrator cannot edit a user account with a System role of Administrator; a user account with a System role of Accounts Administrator cannot edit a user account with a System role of Administrator or Operations Administrator; and a user account with a System role of User cannot edit a user account with a System role of Administrator, Operations Administrator, or Accounts Administrator.
  • To delete user accounts, your user account must have an Organization role of Organization Administrator or a System role of Administrator, Operations Administrator, or, if on an On-Premises or Dedicated Cloud instance, Accounts Administrator.
    Note
    You cannot delete a user account whose System role has a higher permission level than your user account’s System role. That is, a user account with a System role of Operations Administrator cannot delete a user account with a System role of Administrator; a user account with a System role of Accounts Administrator cannot delete a user account with a System role of Administrator or Operations Administrator; and a user account with a System role of User cannot delete a user account with a System role of Administrator, Operations Administrator, or Accounts Administrator.

Viewing Membership for an Organization

Hover over Settings on the top navigation bar and select Org Settings to display the Membership tab of the Organization Settings screen (Figure 1). The Membership tab includes a table listing all users in the Organization. Above the table, you can see how many more users of each type can be added to the Organization.

Note
Only users with a System role of Administrator or Operations Administrator can change the maximum number of users of each type for an Organization. To change user limits for an Organization, edit the Organization on the Organizations tab of the Account Settings screen. See the “Configure an Organization Account” section of ThreatConnect Account Administration Guide for more information.
Note
The ability to create API users is determined by the terms of your ThreatConnect license. For more information, contact your Customer Success Manager.

Figure 1: Membership tab of the Organization Settings screen

Note
The System Role column will be displayed only if your user account has a System role of Administrator or Operations Administrator.

Creating User Accounts

You can create four types of user accounts in ThreatConnect: API user, TAXII user, user, and Read Only User.

Creating an API User

Follow these steps to create an API user account in ThreatConnect:

  1. Hover over Settings on the top navigation bar and select Org Settings.
  2. On the Membership tab of the Organization Settings screen (Figure 1), click Create API User.
  3. Fill out the fields on the API User Administration window (Figure 2) as follows:

    Figure 2: API User Administration window

    • First Name: Enter the API user’s first name.
    • Last Name: Enter the API user’s last name.
      Note
      The API user’s first and last name will be displayed in areas of the Organization that log user activity or identify users who added or changed a threat intelligence object or Workflow Case.
    • System Role: Select the API user’s System role. Available System roles for API users include the following:
      • Api User: API users with this role can use all ThreatConnect v2 and v3 API endpoints, with the exception of the v3 API TC Exchange™ administration endpoints.
      • Exchange Admin: API users with this role can use all ThreatConnect v2 and v3 API endpoints, including the v3 API TC Exchange administration endpoints.
        Note
        The System Role dropdown is available only when the user creating the account has a System role of Operations Administrator or Administrator. If the dropdown is not available, a System role of Api User will be assigned to the API user automatically.
    • Organization Role: Select the API user’s Organization role.
    • Token Expiration (days): (Optional) Enter the number of days until the API user’s token will expire.
      Note
      If the API user will be using an API token to authenticate API requests to ThreatConnect, you must click SAVE USER AND GENERATE TOKEN to create the API user’s account and token.
    • Disabled: (Optional) Leave this checkbox cleared. When editing an existing API user, you can select this checkbox to disable the API user’s account, which is typically done when the API user no longer requires ThreatConnect access and the Administrator wishes to retain log integrity.
    • Include in Observations and False Positives: (Optional) Select the checkbox to allow data provided by the API user to be included in observation and false-positive counts.
    • Allow User to Exceed API Link Limit: (Optional) Select the checkbox to override the system-level limit on the number of association levels that can be retrieved at one time for intelligence items using the ThreatConnect v3 API.
    • Custom TQL Timeout: (Optional) Select the checkbox to override the system-level ThreatConnect Query Language (TQL) query timeout for the API user, and then enter the maximum amount of time, in milliseconds, that TQL queries made by the API user will be allowed to run before timing out.
      Note
      The Custom TQL Timeout checkbox will be available only when the user creating the account has a System role of Operations Administrator or Administrator.
  4. Use one of the following methods to save and create the API user account:

Creating a TAXII User

Creating a User

Follow these steps to create a user account in ThreatConnect:

  1. Hover over Settings on the top navigation bar and select Org Settings.
  2. On the Membership tab of the Organization Settings screen (Figure 1), click Create User.
  3. Fill out the fields on the User Administration window (Figure 3) as follows:

    Figure 3: User Administration window

    • E-Mail: Enter an email address. This address will be the name of the user account.
    • Password: Enter the initial user password, which is subject to the ThreatConnect password policy defined within the system settings. The user will be prompted to change this password when they log into ThreatConnect for the first time.
    • First Name: Enter the user’s first name.
    • Last Name: Enter the user’s last name.
      Note
      The user’s first and last name will be displayed in areas of the Organization that log user activity or identify users who added, changed, or commented on a threat intelligence object or Workflow Case. In Communities that have profile anonymity turned off, the user’s first and last name will be displayed on posts they created on the Posts screen and to Community Directors when viewing users in member Organizations.
    • System Role: Select the user’s System role.
      Note
      The System Role dropdown will be available only when the user creating the account has a System role of Administrator or Operations Administrator. If the dropdown is not available, a System role of User will be assigned to the user account automatically.
    • Organization Role: Select the user’s Organization role.
      Note
      If you selected a System role of Super User, only an Organization role of Organization Administrator will be available in the Organization Role dropdown.
    • Groups: (Optional) Select one or more user groups to which to add the user. User groups allow multiple users to be assigned to Workflow Cases and Tasks together.
    • Locked: (Optional) Leave this checkbox cleared. When editing an existing user account that has been locked by ThreatConnect, you can clear this checkbox to unlock the account.
    • Disabled: (Optional) Leave this checkbox cleared. When editing an existing user, you can select this checkbox to disable the user account, which is typically done when a user no longer requires ThreatConnect access and the Administrator wishes to retain log integrity.
    • Password Reset Required: (Optional) Select this checkbox to require the user to change their account password the next time they log into ThreatConnect. This checkbox is selected by default upon account creation, and it is cleared once the password has been changed.
    • Multi-Factor Authentication Reset Required: (Optional) Select this checkbox to require the user to configure multi-factor authentication (MFA) for their account or to reset MFA for a user who already has it configured (for example, if the user has lost their MFA token). An icon such as the Google Authenticator™ logo will be displayed in the Status column for users who have MFA enabled.
      Note
      MFA can be disabled for a user on the Authenticator tab of the User Profile screen for the user. To navigate to this screen, click on the user’s account name in the Account column of the Membership tab of the Organization Settings screen (Figure 1).
      Important
      If a System Administrator has enforced MFA systemwide via the twoFactorAuthenticationRequired system setting, then MFA may not be disabled for individual users.
    • Terms of Service Acceptance Required: (Optional) Select this checkbox to reset the “terms of service” flag so the user is presented with the terms of service again. It is selected by default when creating a new user.
      Note
      The Terms of Service Acceptance Required checkbox will be available only when the user creating the account has a System role of Operations Administrator or Administrator and the termsOfServiceRequireNewUserToAccept system setting is turned on.
    • Send Account Info E-mail: (Optional) Select this checkbox to send an email with the account information to the email address entered in the E-Mail field. It is selected by default when creating a new user.
    • Custom TQL Timeout: (Optional) Select this checkbox to override the system-level ThreatConnect Query Language (TQL) query timeout specified in the tqlQueryTimeout system setting for the user, and then enter the maximum amount of time, in milliseconds, that TQL queries made by the user will be allowed to run before timing out.
      Note
      The Custom TQL Timeout checkbox will be available only when the user creating the account has a System role of Operations Administrator or Administrator.
    • Time Zone: (Optional) Select the time zone for the user.
    • Log Out After: (Optional) Select the amount of time of inactivity after which the user will be logged out.
    • Summary E-mail Time: (Optional) Select the time at which the user will receive daily summary emails of followed items or other notifications from ThreatConnect.
  4. Click SAVE on the User Administration window.

Creating a Read-Only User

Follow these steps to create a Read Only User account in ThreatConnect:

Note
Read Only User accounts do not count against an Organization’s user license limits as long as the accounts have a System role of Read Only User. Creating Read Only User accounts requires a license that allows Read Only Users.
  1. Hover over Settings on the top navigation bar and select Org Settings.
  2. On the Membership tab of the Organization Settings screen (Figure 1), click Create Read Only User.
  3. Fill out the fields on the User Administration window (Figure 4) as follows:

    Figure 4: User Administration window

    • E-Mail: Enter an email address. This address will be the name of the user account.
    • Password: Enter the initial user password, which is subject to the ThreatConnect password policy defined within the system settings. The user will be prompted to change this password when they log into ThreatConnect for the first time.
    • First Name: Enter the user’s first name.
    • Last Name: Enter the user’s last name.
      Note
      For Read Only Commenters, the user’s first and last name will be displayed in areas of the Organization that log user activity or identify users who commented on a threat intelligence object or Workflow Case. In Communities that have profile anonymity turned off, the user’s first and last name will be displayed on posts they created on the Posts screen and to Community Directors when viewing users in member Organizations.
    • System Role: Retain the default selection of Read Only User. Changing the selection will result in the creation of a different kind of user.
      Note
      The System Role dropdown will be available only when the user creating the account has a System role of Operations Administrator or Administrator. If the dropdown is not available, a System role of Read Only User will be assigned to the user account automatically.
    • Organization Role: Select an Organization role of Read Only User or Read Only Commenter.
    • Groups: (Optional) Select user groups to which to add the user. User groups allow multiple users to be assigned to Workflow Cases and Tasks together.
    • Locked: (Optional) Leave this checkbox cleared. When editing an existing user account that has been locked by ThreatConnect, clear this checkbox to unlock the account.
    • Disabled: (Optional) Leave this checkbox cleared. When editing an existing user, you can select this checkbox to disable the user account, which is typically done when a user no longer requires ThreatConnect access and the Administrator wishes to retain log integrity.
    • Password Reset Required: (Optional) Select this checkbox to require the user to change the account password upon next login. This checkbox is selected by default upon account creation, and it is cleared once the password has been changed.
    • Multi-Factor Authentication Reset Required: (Optional) Select this checkbox to require the user to configure MFA for their account or to reset MFA for a user who already has it configured (for example, if the user has lost their MFA token). An icon such as the Google Authenticator logo will be displayed in the Status column for users who have MFA enabled.
      Note
      MFA can be disabled for a user on the Authenticator tab of the User Profile screen for the user. To navigate to this screen, click on the user’s account name in the Account column of the Membership tab of the Organization Settings screen (Figure 1).
      Important
      If a System Administrator has enforced MFA systemwide via the twoFactorAuthenticationRequired system setting, then MFA may not be disabled for individual users.
    • Terms of Service Acceptance Required: (Optional) Select this checkbox to reset the “terms of service” flag so the user is presented with the terms of service again. It is selected by default when creating a new user.
      Note
      The Terms of Service Acceptance Required checkbox will be available only when the user creating the account has a System role of Operations Administrator or Administrator and the termsOfServiceRequireNewUserToAccept system setting is turned on.
    • Send Account Info E-mail: (Optional) Select this checkbox to send an email with the account information to the email address entered in the E-Mail field. It is selected by default when creating a new user.
    • Custom TQL Timeout: (Optional) Select this checkbox to override the system-level ThreatConnect Query Language (TQL) query timeout specified in the tqlQueryTimeout system setting for the user, and then enter the maximum amount of time, in milliseconds, that TQL queries made by the user will be allowed to run before timing out.
      Note
      The Custom TQL Timeout checkbox will be available only when the user creating the account has a System role of Operations Administrator or Administrator.
    • Time Zone: (Optional) Select the time zone for the user.
    • Log Out After: (Optional) Select the amount of time of inactivity after which the user will be logged out.
    • Summary E-mail Time: (Optional) Select the time at which the user will receive daily summary emails of followed items or other notifications from ThreatConnect.
  4. Click SAVE on the User Administration window.

Editing User Accounts

Follow these steps to edit a user account in ThreatConnect:

  1. Hover over Settings on the top navigation bar and select Org Settings.
  2. On the Membership tab of the Organization Settings screen (Figure 1), click Edit to the right of an entry in the table.
  3. Make the desired changes in the User Administration window for the user account type.
    Important
    When you change a user’s System role, their Community role in each Community and Source they belong to will be reset to the default Community role configured for their Organization in that owner. For example, consider a user with a System role of User and a Community role of Director in Community ABC. If Community ABC has a default role of Contributor for the user’s Organization, then the user's Community role in Community ABC will change from Director to Contributor if the user’s System role is changed (for example, from User to Operations Administrator). There is one notable exception: Users with a System role of Read Only User have only three Community roles available to them in any Community or Source: Commenter, User, and Banned. Therefore, users whose System role is changed to Read Only User will get the “highest” Community role available to them (Commenter) in a Community or Source if the default Community role configured for their Organization in that owner is anything other than Commenter, User, or Banned.
    Important
    The Send Account Info E-mail checkbox in the User Administration window will not be displayed when editing a user account. It is displayed only when creating a new user.
  4. Click SAVE on the User Administration window for the user account type.
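
The edit-permission rules under “User Roles” and the Community role reset described in step 3 can be previewed before an account is changed. The following Python sketch is an added example, not ThreatConnect code: the function names, the dictionary shapes, and the sample accounts are assumptions, and only the four System roles for which this article states an ordering are modeled.

```python
# Added illustration: models the rules stated on this page. Not ThreatConnect code;
# function names and data shapes are assumptions.

# System roles for which the page gives a permission ordering (higher = more).
SYSTEM_ROLE_RANK = {"Administrator": 3, "Operations Administrator": 2,
                    "Accounts Administrator": 1, "User": 0}
# The only Community roles the page says a Read Only User can hold.
READ_ONLY_COMMUNITY_ROLES = {"Commenter", "User", "Banned"}


def can_edit(actor, target, on_prem_or_dedicated=False):
    """True if `actor` may edit or delete `target` under the documented rules."""
    for account in (actor, target):
        if account["system_role"] not in SYSTEM_ROLE_RANK:
            raise ValueError(f"no ordering documented for {account['system_role']!r}")
    managing_roles = {"Administrator", "Operations Administrator"}
    if on_prem_or_dedicated:  # Accounts Administrator counts only on these instances
        managing_roles.add("Accounts Administrator")
    eligible = (actor["org_role"] == "Organization Administrator"
                or actor["system_role"] in managing_roles)
    outranked = (SYSTEM_ROLE_RANK[target["system_role"]]
                 > SYSTEM_ROLE_RANK[actor["system_role"]])
    return eligible and not outranked


def community_role_after_change(new_system_role, org_default_role):
    """Community role a user ends up with in one owner after a System role change."""
    if (new_system_role == "Read Only User"
            and org_default_role not in READ_ONLY_COMMUNITY_ROLES):
        return "Commenter"  # highest role available to a Read Only User
    return org_default_role  # otherwise reset to the Organization's default


def preview_system_role_change(actor, target, new_system_role, memberships,
                               on_prem_or_dedicated=False):
    """Return {owner: (role_before, role_after)} for every role that would change.

    `memberships` maps owner name -> (current Community role, default Community
    role configured for the user's Organization in that owner).
    """
    if not can_edit(actor, target, on_prem_or_dedicated):
        raise PermissionError("actor may not edit this account")
    if new_system_role == target["system_role"]:
        return {}  # the reset happens only when the System role changes
    changes = {}
    for owner, (current, org_default) in memberships.items():
        after = community_role_after_change(new_system_role, org_default)
        if after != current:
            changes[owner] = (current, after)
    return changes


if __name__ == "__main__":
    # Constructed sample data; "Community ABC" follows the page's own example.
    ops_admin = {"system_role": "Operations Administrator",
                 "org_role": "Organization Administrator"}
    analyst = {"system_role": "User", "org_role": "(placeholder non-admin role)"}
    memberships = {"Community ABC": ("Director", "Contributor"),
                   "Source XYZ (constructed)": ("User", "User")}
    for new_role in ("Operations Administrator", "Read Only User"):
        print(new_role, preview_system_role_change(ops_admin, analyst, new_role, memberships))
```
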

Deleting User Accounts

Follow these steps to delete a user account in ThreatConnect:

  1. Hover over Settings on the top navigation bar and select Org Settings.
  2. On the Membership tab of the Organization Settings screen (Figure 1), click Delete to the right of an entry in the table.
  3. If there are active Playbooks assigned to execute under the user’s account, the User Deletion window will display a dropdown to assign the Playbooks to a different user account. If there are Job Apps assigned to execute under the user’s account, the User Deletion window will display a dropdown to assign the Job Apps to an API user account. Select a user account for each available dropdown.
    Note
    When a user account is deleted, inactive Playbooks (i.e., Playbooks in design mode) assigned to execute under the user’s account will automatically be assigned to the first user account listed on the Membership tab of the Organization Settings screen.
  4. Click YES on the User Deletion window.

ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
Google Authenticator™ is a trademark of Google LLC.
TAXII™ is a trademark of The MITRE Corporation.

20037-01 v.14.A

