- 23 Jan 2025
Managing User Accounts
- Updated on 23 Jan 2025
Overview
The following user account types can be created in ThreatConnect®: Application Programming Interface (API) users, TAXII™ users, ThreatConnect users with a variety of System and Organization roles, and Read Only Users (including Read Only Commenters). This article demonstrates how to view the membership of an Organization, how to create each kind of user account, and how to edit and delete user accounts.
Before You Start
User Roles
- To create user accounts, your user account must have an Organization role of Organization Administrator or a System role of Administrator, Operations Administrator, or, if on an On-Premises or Dedicated Cloud instance, Accounts Administrator.
- To view information on user accounts other than your own on the Membership tab of the Organization Settings screen, your user account must have an Organization role of Organization Administrator or a System role of Administrator, Operations Administrator, or, if on an On-Premises or Dedicated Cloud instance, Accounts Administrator.
- To edit user accounts, your user account must have an Organization role of Organization Administrator or a System role of Administrator, Operations Administrator, or, if on an On-Premises or Dedicated Cloud instance, Accounts Administrator.
  Note: You cannot edit a user account whose System role has a higher permission level than your user account’s System role. That is, a user account with a System role of Operations Administrator cannot edit a user account with a System role of Administrator; a user account with a System role of Accounts Administrator cannot edit a user account with a System role of Administrator or Operations Administrator; and a user account with a System role of User cannot edit a user account with a System role of Administrator, Operations Administrator, or Accounts Administrator.
- To delete user accounts, your user account must have an Organization role of Organization Administrator or a System role of Administrator, Operations Administrator, or, if on an On-Premises or Dedicated Cloud instance, Accounts Administrator.
  Note: You cannot delete a user account whose System role has a higher permission level than your user account’s System role. That is, a user account with a System role of Operations Administrator cannot delete a user account with a System role of Administrator; a user account with a System role of Accounts Administrator cannot delete a user account with a System role of Administrator or Operations Administrator; and a user account with a System role of User cannot delete a user account with a System role of Administrator, Operations Administrator, or Accounts Administrator.
Viewing Membership for an Organization
Hover over Settings on the top navigation bar and select Org Settings to display the Membership tab of the Organization Settings screen (Figure 1). The Membership tab includes a table listing all users in the Organization. Above the table, you can see how many more users of each type can be added to the Organization.
Creating User Accounts
You can create four types of user accounts in ThreatConnect: API user, TAXII user, user, and Read Only User.
Creating an API User
Follow these steps to create an API user account in ThreatConnect:
- Hover over Settings on the top navigation bar and select Org Settings.
- On the Membership tab of the Organization Settings screen (Figure 1), click Create API User.
- Fill out the fields on the API User Administration window (Figure 2) as follows:
  - First Name: Enter the API user’s first name.
  - Last Name: Enter the API user’s last name.
    Note: The API user’s first and last name will be displayed in areas of the Organization that log user activity or identify users who added or changed a threat intelligence object or Workflow Case.
  - System Role: Select the API user’s System role. Available System roles for API users include the following:
    - Api User: API users with this role can use all ThreatConnect v2 and v3 API endpoints, with the exception of the v3 API TC Exchange™ administration endpoints.
    - Exchange Admin: API users with this role can use all ThreatConnect v2 and v3 API endpoints, including the v3 API TC Exchange administration endpoints.
    Note: The System Role dropdown is available only when the user creating the account has a System role of Operations Administrator or Administrator. If the dropdown is not available, a System role of Api User will be assigned to the API user automatically.
  - Organization Role: Select the API user’s Organization role.
  - Token Expiration (days): (Optional) Enter the number of days until the API user’s token will expire.
    Note: If the API user will be using an API token to authenticate API requests to ThreatConnect, you must click SAVE USER AND GENERATE TOKEN to create the API user’s account and token.
  - Disabled: (Optional) Leave this checkbox cleared. When editing an existing API user, you can select this checkbox to disable the API user’s account, which is typically done when the API user no longer requires ThreatConnect access and the Administrator wishes to retain log integrity.
  - Include in Observations and False Positives: (Optional) Select the checkbox to allow data provided by the API user to be included in observation and false-positive counts.
  - Allow User to Exceed API Link Limit: (Optional) Select the checkbox to override the system-level limit on the number of association levels that can be retrieved at one time for intelligence items using the ThreatConnect v3 API.
  - Custom TQL Timeout: (Optional) Select the checkbox to override the system-level ThreatConnect Query Language (TQL) query timeout for the API user, and then enter the maximum amount of time, in milliseconds, that TQL queries made by the API user will be allowed to run before timing out.
    Note: The Custom TQL Timeout checkbox will be available only when the user creating the account has a System role of Operations Administrator or Administrator.
- Use one of the following methods to save and create the API user account:
  - If the API user will be using their Access ID and Secret Key to authenticate API requests to ThreatConnect, record the Secret Key, as it will not be accessible after the API User Administration window is closed. Then click SAVE at the lower-right corner of the window.
  - If the API user will be using their API token to authenticate API requests to ThreatConnect, click SAVE USER AND GENERATE TOKEN to the right of the Token Expiration (days) field on the API User Administration window.
Creating a TAXII User
- See Using the ThreatConnect TAXII Server for instructions on creating a TAXII user for the TAXII 1.x server.
- See Creating a TAXII User for the TAXII 2.1 Server for instructions on creating a TAXII user for the TAXII 2.1 server.
Creating a User
Follow these steps to create a user account in ThreatConnect:
- Hover over Settings on the top navigation bar and select Org Settings.
- On the Membership tab of the Organization Settings screen (Figure 1), click Create User.
- Fill out the fields on the User Administration window (Figure 3) as follows:
  - E-Mail: Enter an email address. This address will be the name of the user account.
  - Password: Enter the initial user password, which is subject to the ThreatConnect password policy defined within the system settings. The user will be prompted to change this password when they log into ThreatConnect for the first time.
  - First Name: Enter the user’s first name.
  - Last Name: Enter the user’s last name.
    Note: The user’s first and last name will be displayed in areas of the Organization that log user activity or identify users who added, changed, or commented on a threat intelligence object or Workflow Case. In Communities that have profile anonymity turned off, the user’s first and last name will be displayed on posts they created on the Posts screen and to Community Directors when viewing users in member Organizations.
  - System Role: Select the user’s System role.
    Note: The System Role dropdown will be available only when the user creating the account has a System role of Administrator or Operations Administrator. If the dropdown is not available, a System role of User will be assigned to the user account automatically.
  - Organization Role: Select the user’s Organization role.
    Note: If you selected a System role of Super User, only an Organization role of Organization Administrator will be available in the Organization Role dropdown.
  - Groups: (Optional) Select one or more user groups to which to add the user. User groups allow multiple users to be assigned to Workflow Cases and Tasks together.
  - Locked: (Optional) Leave this checkbox cleared. When editing an existing user account that has been locked by ThreatConnect, you can clear this checkbox to unlock the account.
  - Disabled: (Optional) Leave this checkbox cleared. When editing an existing user, you can select this checkbox to disable the user account, which is typically done when a user no longer requires ThreatConnect access and the Administrator wishes to retain log integrity.
  - Password Reset Required: (Optional) Select this checkbox to require the user to change their account password the next time they log into ThreatConnect. This checkbox is selected by default upon account creation, and it is cleared once the password has been changed.
  - Multi-Factor Authentication Reset Required: (Optional) Select this checkbox to require the user to configure multi-factor authentication (MFA) for their account or to reset MFA for a user who already has it configured (for example, if the user has lost their MFA token). An icon such as the Google Authenticator™ logo will be displayed in the Status column for users who have MFA enabled.
    Note: MFA can be disabled for a user on the Authenticator tab of the User Profile screen for the user. To navigate to this screen, click on the user’s account name in the Account column of the Membership tab of the Organization Settings screen (Figure 1).
    Important: If a System Administrator has enforced MFA systemwide via the twoFactorAuthenticationRequired system setting, then MFA may not be disabled for individual users.
  - Terms of Service Acceptance Required: (Optional) Select this checkbox to reset the “terms of service” flag so the user is presented with the terms of service again. It is selected by default when creating a new user.
    Note: The Terms of Service Acceptance Required checkbox will be available only when the user creating the account has a System role of Operations Administrator or Administrator and the termsOfServiceRequireNewUserToAccept system setting is turned on.
  - Send Account Info E-mail: (Optional) Select this checkbox to send an email with the account information to the email address entered in the E-Mail field. It is selected by default when creating a new user.
  - Custom TQL Timeout: (Optional) Select this checkbox to override the system-level ThreatConnect Query Language (TQL) query timeout specified in the tqlQueryTimeout system setting for the user, and then enter the maximum amount of time, in milliseconds, that TQL queries made by the user will be allowed to run before timing out.
    Note: The Custom TQL Timeout checkbox will be available only when the user creating the account has a System role of Operations Administrator or Administrator.
  - Time Zone: (Optional) Select the time zone for the user.
  - Log Out After: (Optional) Select the amount of time of inactivity after which the user will be logged out.
  - Summary E-mail Time: (Optional) Select the time at which the user will receive daily summary emails of followed items or other notifications from ThreatConnect.
- Click SAVE on the User Administration window.
Creating a Read-Only User
Follow these steps to create a Read Only User account in ThreatConnect:
- Hover over Settings on the top navigation bar and select Org Settings.
- On the Membership tab of the Organization Settings screen (Figure 1), click Create Read Only User.
- Fill out the fields on the User Administration window (Figure 4) as follows:
  - E-Mail: Enter an email address. This address will be the name of the user account.
  - Password: Enter the initial user password, which is subject to the ThreatConnect password policy defined within the system settings. The user will be prompted to change this password when they log into ThreatConnect for the first time.
  - First Name: Enter the user’s first name.
  - Last Name: Enter the user’s last name.
    Note: For Read Only Commenters, the user’s first and last name will be displayed in areas of the Organization that log user activity or identify users who commented on a threat intelligence object or Workflow Case. In Communities that have profile anonymity turned off, the user’s first and last name will be displayed on posts they created on the Posts screen and to Community Directors when viewing users in member Organizations.
  - System Role: Retain the default selection of Read Only User. Changing the selection will result in the creation of a different kind of user.
    Note: The System Role dropdown will be available only when the user creating the account has a System role of Operations Administrator or Administrator. If the dropdown is not available, a System role of Read Only User will be assigned to the user account automatically.
  - Organization Role: Select an Organization role of Read Only User or Read Only Commenter.
  - Groups: (Optional) Select user groups to which to add the user. User groups allow multiple users to be assigned to Workflow Cases and Tasks together.
  - Locked: (Optional) Leave this checkbox cleared. When editing an existing user account that has been locked by ThreatConnect, clear this checkbox to unlock the account.
  - Disabled: (Optional) Leave this checkbox cleared. When editing an existing user, you can select this checkbox to disable the user account, which is typically done when a user no longer requires ThreatConnect access and the Administrator wishes to retain log integrity.
  - Password Reset Required: (Optional) Select this checkbox to require the user to change the account password upon next login. This checkbox is selected by default upon account creation, and it is cleared once the password has been changed.
  - Multi-Factor Authentication Reset Required: (Optional) Select this checkbox to require the user to configure MFA for their account or to reset MFA for a user who already has it configured (for example, if the user has lost their MFA token). An icon such as the Google Authenticator logo will be displayed in the Status column for users who have MFA enabled.
    Note: MFA can be disabled for a user on the Authenticator tab of the User Profile screen for the user. To navigate to this screen, click on the user’s account name in the Account column of the Membership tab of the Organization Settings screen (Figure 1).
    Important: If a System Administrator has enforced MFA systemwide via the twoFactorAuthenticationRequired system setting, then MFA may not be disabled for individual users.
  - Terms of Service Acceptance Required: (Optional) Select this checkbox to reset the “terms of service” flag so the user is presented with the terms of service again. It is selected by default when creating a new user.
    Note: The Terms of Service Acceptance Required checkbox will be available only when the user creating the account has a System role of Operations Administrator or Administrator and the termsOfServiceRequireNewUserToAccept system setting is turned on.
  - Send Account Info E-mail: (Optional) Select this checkbox to send an email with the account information to the email address entered in the E-Mail field. It is selected by default when creating a new user.
  - Custom TQL Timeout: (Optional) Select this checkbox to override the system-level ThreatConnect Query Language (TQL) query timeout specified in the tqlQueryTimeout system setting for the user, and then enter the maximum amount of time, in milliseconds, that TQL queries made by the user will be allowed to run before timing out.
    Note: The Custom TQL Timeout checkbox will be available only when the user creating the account has a System role of Operations Administrator or Administrator.
  - Time Zone: (Optional) Select the time zone for the user.
  - Log Out After: (Optional) Select the amount of time of inactivity after which the user will be logged out.
  - Summary E-mail Time: (Optional) Select the time at which the user will receive daily summary emails of followed items or other notifications from ThreatConnect.
- Click SAVE on the User Administration window.
Editing User Accounts
Follow these steps to edit a user account in ThreatConnect:
- Hover over Settings on the top navigation bar and select Org Settings.
- On the Membership tab of the Organization Settings screen (Figure 1), click Edit to the right of an entry in the table.
- Make the desired changes in the User Administration window for the user account type.
  Important: When you change a user’s System role, their Community role in each Community and Source they belong to will be reset to the default Community role configured for their Organization in that owner. For example, consider a user with a System role of User and a Community role of Director in Community ABC. If Community ABC has a default role of Contributor for the user’s Organization, then the user’s Community role in Community ABC will change from Director to Contributor if the user’s System role is changed (for example, from User to Operations Administrator). There is one notable exception: Users with a System role of Read Only User have only three Community roles available to them in any Community or Source: Commenter, User, and Banned. Therefore, users whose System role is changed to Read Only User will get the “highest” Community role available to them (Commenter) in a Community or Source if the default Community role configured for their Organization in that owner is anything other than Commenter, User, or Banned.
  Important: The Send Account Info Email checkbox in the User Administration window will not be displayed when editing a user account. It is displayed only when creating a new user.
- Click SAVE on the User Administration window for the user account type.
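The Community role reset described in the Important note above can be previewed before a System role change is saved. The following is an added example, not ThreatConnect code: it models the rule as stated in this article, and the `Membership` structure, the function names, and the sample entries other than Community ABC are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Community roles this article lists as available to a System role of Read Only User.
READ_ONLY_ALLOWED = {"Commenter", "User", "Banned"}
# The "highest" of those roles, assigned when the Organization default is not in the set.
READ_ONLY_FALLBACK = "Commenter"


@dataclass(frozen=True)
class Membership:
    """One Community or Source the user belongs to (hypothetical structure)."""
    owner: str             # Community or Source name
    current_role: str      # user's Community role before the change
    org_default_role: str  # default Community role for the user's Organization in that owner


def role_after_change(new_system_role: str, membership: Membership) -> str:
    """Community role the user holds in one owner after a System role change."""
    default = membership.org_default_role
    if new_system_role == "Read Only User" and default not in READ_ONLY_ALLOWED:
        return READ_ONLY_FALLBACK
    return default


def preview_role_change(old_system_role, new_system_role, memberships):
    """Return (owner, before, after) for each membership whose role would change."""
    if old_system_role == new_system_role:
        return []  # the reset applies only when the System role is changed
    changes = []
    for m in memberships:
        after = role_after_change(new_system_role, m)
        if after != m.current_role:
            changes.append((m.owner, m.current_role, after))
    return changes


# Constructed sample: Community ABC follows the article's example; the others are invented.
SAMPLE_MEMBERSHIPS = [
    Membership("Community ABC", "Director", "Contributor"),
    Membership("Source XYZ", "User", "Director"),
    Membership("Community DEF", "Contributor", "Contributor"),
]

if __name__ == "__main__":
    for target in ("Operations Administrator", "Read Only User"):
        print(f"User -> {target}")
        for owner, before, after in preview_role_change("User", target, SAMPLE_MEMBERSHIPS):
            print(f"  {owner}: {before} -> {after}")
```

In the constructed Source XYZ entry the reset replaces User with the Organization default of Director, so the preview is worth reviewing for roles that change in either direction, not only for ones that are lost.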
Deleting User Accounts
Follow these steps to delete a user account in ThreatConnect:
- Hover over Settings on the top navigation bar and select Org Settings.
- On the Membership tab of the Organization Settings screen (Figure 1), click Delete to the right of an entry in the table.
- If there are active Playbooks assigned to execute under the user’s account, the User Deletion window will display a dropdown to assign the Playbooks to a different user account. If there are Job Apps assigned to execute under the user’s account, the User Deletion window will display a dropdown to assign the Job Apps to an API user account. Select a user account for each available dropdown.
  Note: When a user account is deleted, inactive Playbooks (i.e., Playbooks in design mode) assigned to execute under the user’s account will automatically be assigned to the first user account listed on the Membership tab of the Organization Settings screen.
- Click YES on the User Deletion window.
ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
Google Authenticator™ is a trademark of Google LLC.
TAXII™ is a trademark of The MITRE Corporation.
20037-01 v.14.A