User Account Hygiene

Maintaining a safe and secure environment for any software or SaaS solution requires continuous attention to detail, and user account management is one of the trickiest parts of it. Each user account is an entry point into the system, so accounts must be monitored carefully and kept current to maintain reliable security.

Every system experiences constant changes in its audience: employees join, shift responsibilities, and leave, on each occasion creating the potential need for attention by administrators. The fluid nature of a modern workforce means maintaining a fully updated user account record requires both periodic and ad hoc attention.

The purpose of this document is to provide guidance to Agiloft Administrators on recommended user account hygiene practices. Regular maintenance of your KB audience is a sound business practice that ensures the right people have the right level of access to your organization’s data.

Making user account hygiene part of your standard security practices

Every user account grants system access to anyone who knows the login credentials associated with it. As a result, it’s vital that user accounts be monitored, and promptly updated or disabled, when:

  • A user’s responsibilities change so they don’t need the same level of access;
  • A user leaves the company;
  • A project using a test account is completed; or
  • Permissions are redefined at the group level, potentially leaving users with more or less access than they should have.

When a user account is no longer in use, or should no longer be in use, we typically recommend deactivating rather than deleting it. Deactivation preserves the option to re-enable the account in situations where, for instance, a workflow process is stuck on a record the user owned, and it preserves the audit trail associated with the account.

When to check your user account hygiene

As an Agiloft Administrator, you should have two processes in place: periodic audits of all user accounts (‘periodic updates’) and a process for updating or deactivating individual accounts when roles change or people leave the organization (‘ad hoc updates’). If you do not yet have either, this is an opportunity to take action and immediately improve your security by implementing the practices described below, which include the steps to carry them out in your Agiloft KB.

Ad hoc user account updates

It is important that unauthorized users, including former employees who were once authorized but should no longer have access, be promptly excluded from your Agiloft system to safeguard your data. Ensure that your organization’s offboarding process includes informing you when an authorized user leaves, so that you can promptly deactivate their user account. Likewise, ensure that you are informed when authorized users change roles, so you can update their permission group(s) if their access needs change with their new position.

Periodic updates (Audit of all user accounts)

We additionally recommend you run a detailed audit of your user accounts at least annually, or more frequently as your organization requires, to maximize security and maintain an up-to-date list of active users. Year-end is often a convenient time to review these practices and implement any updates, but follow whatever cadence your company recommends. These periodic audits are in addition to, not a replacement for, the ad hoc updates to individual accounts made as part of your onboarding, offboarding, and role change processes. If you do not have a record of a recent user account audit, execute one immediately. The instructions below describe how to review your user accounts.

Guidance on user account management in Agiloft

How to deactivate a user account

Deactivating a user is a simple, but necessary, task as part of user account hygiene. The steps are as follows:

  1. Log in to your KnowledgeBase (KB).
  2. Open the People table.
  3. Use the search filters to find all users who have at least one group assigned. A user with no groups assigned cannot log in, so these are the accounts that actually grant access and therefore need review.
  4. Find the user account you need to deactivate. If you’re doing your annual audit, search the list of user accounts for any that should be deactivated, making special note of the exceptions below. If you prefer, you may export the data to Excel for review. You might find it helpful to search/filter on fields like full name, login, and email. Look for:
    • Former employee accounts
    • Any users you cannot identify as being active employees of your organization or who were otherwise granted access to your Agiloft instance where such access is no longer required
    • Any users who might be employees but do not require access to your Agiloft instance
    • Test accounts that are no longer required
  5. For any accounts that need to be deactivated, edit the user record and:
    1. Unassign all Groups.
    2. Deselect the Primary Team.
    3. Save the record.

A few recommendations when deactivating user accounts:

  1. Do not deactivate the account with the “admin” login. This account is used by the system to perform various background activities. Ensure you understand who has access to this account and follow your organizational policies on admin account security.
  2. Manage the following accounts with caution. You may deactivate them, but first confirm that your Agiloft instance does not make use of them (for example, for integrations). If you are unsure, reset their passwords instead of deactivating them.
    • Anonymous
    • EW System (Used by Agiloft Support to access your KB upon request. Please do not edit if you use Agiloft Support.)
    • System (Used by Agiloft Support to access your KB upon request. Please do not edit if you use Agiloft Support.)
    • Guest
    • Register

How to modify user access

Sometimes users’ responsibilities change, resulting in a need for an adjustment to their permissions, rather than to deactivate their account. You can change a user account’s permissions by taking the following steps:

  1. Log in to your KB
  2. Go to the People table
  3. Review the groups each user is assigned. You might find it helpful to modify your table view to add the “Group” and “Current Roles” fields. If you prefer, you may export the data to Excel for review.
  4. If you identify a user with access beyond what they should have:
    1. Edit the user record.
    2. Update the “Group” field to remove any groups they should not be assigned.
    3. Save the record.
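Both the deactivation audit above (find accounts that still have groups, spot former employees and stale test accounts, respect the protected system logins) and this access review (compare each user’s groups against what their role should hold) are easier to do consistently from an exported People table than by eye. The following added example, which is not part of the original page and not Agiloft’s own code, shows one way to turn such an export into a worklist. It assumes a CSV export with columns named login, full_name, email, groups and primary_team and a “;” separator inside the multi-value groups field; those names, the test-login prefixes, the roster and the role baseline are all constructed stand-ins that you would replace with your own KB’s export, HR roster and group design. It produces a worklist only; the actual edits to the records are still made by an administrator in the KB.

```python
import csv
import io

# Logins the page says to handle with caution: review rather than deactivate.
PROTECTED_LOGINS = {"admin", "Anonymous", "EW System", "System", "Guest", "Register"}

# Assumed naming convention for test accounts; adjust to your KB's convention.
TEST_LOGIN_PREFIXES = ("test", "qa_")

# Constructed HR roster (login -> current role). Logins missing here are treated
# as former employees or as people who should no longer have access.
ROSTER = {"jdoe": "contract_manager", "asmith": "legal_reviewer", "rlee": "sysadmin"}

# Constructed baseline of the groups each role is supposed to hold.
ROLE_BASELINE = {
    "contract_manager": {"Contract Manager", "Staff"},
    "legal_reviewer": {"Legal", "Staff"},
    "sysadmin": {"admin", "Staff"},
}

# Constructed stand-in for a People table export. Column names and the ';'
# multi-value separator are assumptions, not Agiloft's actual export format.
PEOPLE_CSV = """login,full_name,email,groups,primary_team
admin,Admin User,admin@example.com,admin,Admin Team
jdoe,Jane Doe,jdoe@example.com,Contract Manager;Staff,Contracts
asmith,Alan Smith,asmith@example.com,Legal;Staff;admin,Legal
rlee,Rita Lee,rlee@example.com,admin;Staff,IT
bgone,Bob Gone,bgone@example.com,Contract Manager;Staff,Contracts
test_qa1,QA Test Account,qa@example.com,Staff,Contracts
old_intern,Former Intern,,,Contracts
EW System,EW System,,Staff,
"""


def parse_people(csv_text):
    """Parse the export into records, splitting the groups field into a set."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups = {g.strip() for g in row["groups"].split(";") if g.strip()}
        records.append({
            "login": row["login"].strip(),
            "full_name": row["full_name"].strip(),
            "email": row["email"].strip(),
            "groups": groups,
            "primary_team": row["primary_team"].strip(),
        })
    return records


def audit(records, roster, baseline, protected=PROTECTED_LOGINS):
    """Sort accounts into a worklist: (deactivate, review, excess).

    excess maps login -> sorted list of groups beyond the role's baseline.
    Nothing is changed here; an administrator acts on the lists in the KB.
    """
    deactivate, review, excess = [], [], {}
    for u in records:
        login = u["login"]
        if not u["groups"]:
            continue  # no groups assigned: the account cannot log in already
        if login in protected:
            review.append(login)  # confirm integrations first; reset password if unsure
            continue
        if login.lower().startswith(TEST_LOGIN_PREFIXES):
            deactivate.append(login)  # test account: confirm the project is finished
            continue
        role = roster.get(login)
        if role is None:
            deactivate.append(login)  # not on the roster: former or unidentified user
            continue
        extra = u["groups"] - baseline.get(role, set())
        if extra:
            excess[login] = sorted(extra)
    return deactivate, review, excess


def deactivation_edits(record):
    """The record as it should look after step 5: no groups, no primary team."""
    edited = dict(record)
    edited["groups"] = set()
    edited["primary_team"] = ""
    return edited


if __name__ == "__main__":
    people = parse_people(PEOPLE_CSV)
    to_deactivate, to_review, over_privileged = audit(people, ROSTER, ROLE_BASELINE)
    print("Deactivate:", to_deactivate)
    print("Review before touching:", to_review)
    print("Remove groups:", over_privileged)
```

On the constructed data this flags bgone (not on the roster) and test_qa1 (test account) for deactivation, puts admin and EW System on the review list because they are protected logins that still hold a group, and reports that asmith holds the admin group beyond the legal_reviewer baseline. Accounts with no groups are skipped because they already cannot log in. Keep the roster and baseline under change control; the audit is only as good as the list of who should have what.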

For guidelines and best practices on groups, configuration, and permissions, see the Groups Help Page.

We strongly recommend you implement both ad hoc updates to, and periodic audits of, user accounts as part of your security processes.

Recommendations for SSO environments

Agiloft environments using Single Sign-On (SSO) may still contain accounts that can authenticate with only a username and password rather than through your identity provider. Disabling a user in the identity provider therefore does not necessarily remove their access to the KB. It is important even within SSO-enabled organizations to regularly review user accounts, and to ensure that offboarding notifications reach the Agiloft Administrator so the account can be deactivated in the KB as well. Regardless of whether a given user account is protected by SSO, you should also regularly assess permissions to ensure all users are assigned the correct groups and have appropriate access and authority.

Other user account hygiene recommendations

Agiloft provides a range of options for password management to meet your needs. We recommend you review these options and ensure they are in line with your organizational security policies and industry standards.

Agiloft has additional security recommendations that we make available as part of our Administrator Guide and update from time to time. We recommend that you regularly review the security recommendations page.
