Onboard Users

The Unifyia platform allows organizations to onboard users in two ways: Onboard User and Onboard User with PIV ID. If the user is new, use the Onboard User option. If the user has an existing PIV ID issued by an external organization, select Onboard User with PIV ID.

Before You Begin

Before you begin to use the application, ensure that you have installed the Unifyia Client on the system to access the connected devices.

  • Ensure that you're registered with the necessary privileges as an authorized operator within your organization.
  • You must have at least one active identity device to access the Unifyia platform.
  • Ensure that the required groups are added.

Onboard User

The Onboard User feature allows you to sponsor a user by adding basic information regarding the user and assigning groups that determine the roles, access privileges, and the identities that are to be issued based on the configured workflow for the selected role. Additionally, if organization policy permits, the user may also have access to the self-service portal to add and manage issued identities.

To onboard a new user, navigate to Management > Users. On the displayed page, select + Onboard User. You will notice two tabs - General Information and Assign Groups.

  1. Under the General Information page, provide the following data:
    1. First Name (e.g., Simone)
    2. Last Name (e.g., Clark)
    3. Username: Unique name to identify the user (e.g., simoneclark)
    4. Email: Should be unique
    5. Slide the Allow Self-Service button to the right to grant the user access to the platform. For more information, read Access to the Self-Service Portal.
    6. Select Next. The Assign Groups page is displayed.
  2. Under the Assign Groups page, search for the groups that you need to assign to the user and select them. You have the option to assign single or multiple groups. When you assign multiple groups, the user inherits the roles and access privileges of the combined groups. Uncheck the box to deselect a group.
  3. Select Save to onboard the user.
  4. The user is sent a welcome email. Additionally, if enabled, the user will also receive an enrollment invite email to continue with the enrollment process.

This completes the onboarding of a user. However, if as an operator you are permitted to continue with the enrollment, you are directed to proceed with the enrollment of the user. You could choose to continue by selecting Yes or cancel by selecting No.

Onboard Users with PIV ID

Prerequisite

  • The user, who needs a derived PIV credential, must be present with an active PIV ID.
  • If your organization wishes to read and capture the user's common name from the PIV ID, ensure that the option Read Name from Certificate Common Name during Onboarding with PIV ID under Configuration > General Settings is enabled. Contact your administrator for confirmation.

The Unifyia platform allows you to onboard users using their existing PIV IDs. This simplifies the process, especially when issuing derived PIV credentials. In this approach, the basic details of the user are captured by the system from the provided PIV ID. To onboard a user using a PIV ID, follow these steps:

  1. Navigate to Management > Users. On the displayed page, select + Onboard User with PIV ID.
  2. The primary card verification page appears.
  3. Connect the user's PIV ID and select it from the dropdown list. Ask the user to enter the PIN when prompted.
  4. On successful verification of the primary credential, you will notice two tabs - General Information and Assign Groups.
  5. Under the General Information tab, the user's first name, last name, username, and email are displayed. Slide the Allow Self-Service button to the right to grant the user access to the platform.
  6. Under the Assign Groups page, search for the groups that you need to assign to the user and select them. You have the option to assign single or multiple groups. When you assign multiple groups, the user inherits the roles and access privileges of the combined groups. Uncheck the box to deselect a group.
  7. Select Save to onboard the user.
  8. The user is sent a welcome email. Additionally, if enabled, the user will also receive an enrollment invite email to continue with the enrollment process.
  9. If users onboarded using the PIV ID are not required to complete the enrollment or approval process, they can be directly issued derived PIV credentials.
  10. If the enrollment and approval steps are configured, users must complete these steps before becoming eligible for the issuance of derived credentials. Appropriate emails are triggered to notify the users based on the configured workflow.

This completes the onboarding of a user using the PIV ID. However, if as an operator you are permitted to continue with the enrollment, you are directed to proceed with the enrollment of the user. You could choose to continue by selecting Yes or cancel by selecting No.

FAQ

How to create users with dual roles?

To create users with dual roles, assign a group that has two roles, or two different groups that have different roles, for example, one with the role Sponsor and another with the role Registrar. When users are assigned such groups during onboarding or at a later point in time, they will have the roles, permissions, and access privileges of all the roles assigned in the groups. However, this privilege is at the discretion of the organization based on the requirements.

How can authorized operators perform self-service actions?

Authorized operators must be assigned a group that has the User role to perform self-service actions. For example, if the authorized operators must be able to sponsor users and also manage the credentials issued to them, select a group that has both roles, or two different groups, one with the role User and another with the role Sponsor. This privilege is based on the organization's policy. If enabled, the users will notice a Self-Service Enabled toggle button on the dashboard in the top left-hand corner.

Learn more about assigning additional roles for a group.

Can users edit their information if they hold dual roles, both as a user and as an authorized operator (such as a Sponsor, Registrar, or Adjudicator)?

No, users cannot edit their data when they have dual roles. However, if configured, they can issue and manage additional identities in the self-service mode.

If a user is assigned to a group with multiple roles, which role credentials can they use to sign in?

When a user has multiple roles, the platform enforces the authentication methods of the highest role assigned. During the login process, only the authentication options associated with the highest-level role are displayed. This ensures the user signs in with the strongest authentication methods required by their role hierarchy.
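The two rules described in this FAQ (roles combine across all assigned groups, and sign-in offers only the highest role's authentication methods) can be modelled as below. This is an added example, not Unifyia code or its API: the group names, the role ranking, and the login methods per role are assumptions chosen for illustration.

```python
# Added illustration. Group names, role ranking and login methods are
# assumptions made for this example, not values from the Unifyia platform.
ROLE_RANK = {"User": 0, "Sponsor": 1, "Registrar": 2, "Adjudicator": 3}  # assumed order

ROLE_LOGIN_METHODS = {  # assumed per-role sign-in policy
    "User": ["password+otp", "fido2"],
    "Sponsor": ["fido2", "piv"],
    "Registrar": ["piv"],
    "Adjudicator": ["piv"],
}

GROUP_ROLES = {  # constructed sample groups
    "employees": {"User"},
    "sponsors": {"Sponsor"},
    "enrollment-desk": {"Sponsor", "Registrar"},
}


def effective_roles(groups):
    """Union of the roles carried by every group assigned to the user."""
    roles = set()
    for group in groups:
        if group not in GROUP_ROLES:
            raise KeyError(f"unknown group: {group}")
        roles |= GROUP_ROLES[group]
    return roles


def login_methods(groups):
    """Return (highest role, methods offered at sign-in) for the assignment."""
    roles = effective_roles(groups)
    if not roles:
        return None, []
    top = max(roles, key=ROLE_RANK.__getitem__)
    return top, ROLE_LOGIN_METHODS[top]


def multi_role_users(assignments):
    """Users whose combined groups yield more than one role, for access review."""
    report = {}
    for user, groups in assignments.items():
        roles = sorted(effective_roles(groups), key=ROLE_RANK.__getitem__)
        if len(roles) > 1:
            report[user] = roles
    return report
```

Running `multi_role_users` over an export of user-to-group assignments gives a reviewer the list of accounts whose combined groups carry more than one role.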

Edit Onboarded Information

If you want to edit the onboarded user information, go to the main menu Management > Users. Search for the user either by name or email. Under the Actions column, select the Edit Onboarded Information icon and edit the details as required. Once completed, select Save to update the details of the user.

NOTE
You cannot edit user information once the enrollment process begins.