FAQ

General

Where is my Identity Automation data stored?

Identity Automation hosts your data using services provided by Amazon Web Services (AWS).

Amazon Web Services are trusted and relied upon all over the world to provide highly secure and scalable infrastructure. Learn more about Amazon Web Services security here, including their System & Organizational Control (SOC) report.

Does Identity Automation have multiple data centers?

Yes. Identity Automation is deployed across multiple availability zones in AWS. Each availability zone is an isolated, state-of-the-art, highly-available data center helping to provide the highest degree of availability.

How do I know that my Identity Automation services will always be available? What is the SLA?

The Identity Automation Service Level Agreement is 99.9% uptime to ensure anywhere, any time access to your services.

What is Identity Automation’s RapidIdentity Cloud?

You can use RapidIdentity Cloud to securely control individual and group access to your organization resources. You can create and manage user identities (“cloud users”) and grant permissions for those cloud users to access your resources.

How do I get started with RapidIdentity Cloud?

To start using RapidIdentity Cloud, you must subscribe to Identity Automation services. You then can create and manage users, groups, and permissions via LDAP synchronizations or the RapidIdentity Cloud console, which gives you a point-and-click, web-based interface.

What problems does RapidIdentity Cloud solve?

RapidIdentity Cloud makes it easy to provide multiple users with secure access to your organization’s resources. RapidIdentity Cloud enables you to manage cloud users and their access. You can create users in Identity Automation’s identity management system, assign users individual security credentials (such as access keys, passwords, multi-factor authentication devices), or request temporary security access to provide users access to your organization’s services and resources. You can specify permissions to control which operations a user can perform.

Who can use RapidIdentity Cloud?

Any Identity Automation customer can use RapidIdentity Cloud.

What is a user?

A user is a unique identity recognized by Identity Automation services and applications. Similar to a login user in an operating system like Windows or UNIX, a user has a unique name and can identify itself using familiar security credentials such as a password or access key. A user can be an individual, system, or application requiring access to your organization’s services. RapidIdentity Cloud supports users (referred to as “cloud users”) managed in the Identity Automation identity management system.

What can a user do?

You can permit a user to access any or all of your organization’s services that have been integrated with RapidIdentity Cloud.

RapidIdentity Cloud User Management

How are RapidIdentity Cloud users managed?

RapidIdentity Cloud supports multiple methods to:

  • Create and manage cloud users.
  • Create and manage cloud groups.
  • Manage users’ security credentials.
  • Create and manage policies to grant access to Identity Automation services and resources.

You can create and manage users, groups, and policies by using the RapidIdentity Cloud console.

What is a group?

A group is a collection of cloud users or a listing presented via LDAP synchronization. Manage group membership as a simple list:

  • Add users to or remove them from a group.
  • A user can belong to multiple groups.
  • Groups cannot belong to other groups.
  • Groups can be granted permissions using access control policies. This makes it easier to manage permissions for a collection of users, rather than having to manage permissions for each individual user.
  • Groups do not have security credentials and cannot access web services directly; they exist solely to make it easier to manage user permissions.

What kinds of security credentials can RapidIdentity Cloud users have?

RapidIdentity Cloud users can have any combination of credentials that Identity Automation supports, such as a password, OTP, or MFA. This allows organizations to allow users to interact with RapidIdentity Cloud in any manner that makes sense for them.

Can I enable and disable user access?

Yes. You can enable and disable a RapidIdentity Cloud user’s access via the RapidIdentity Cloud console or LDAP synchronization. If you disable the access, the user cannot access cloud services.

Who is able to manage users for a RapidIdentity Cloud account?

The RapidIdentity Cloud administrator(s) can manage users, groups, security, and permissions. For example, an administrator user may manage users for a corporation—a recommended practice.

How are MFA devices configured for RapidIdentity Cloud users?

You (the RapidIdentity Cloud account holder) can allow the configuration of multiple MFA devices.

Do RapidIdentity Cloud user names have to be email addresses?

No, but they can be. User names are just ASCII strings that are unique within a given RapidIdentity Cloud account. You can assign names using any naming convention you choose, including email addresses.

Which character sets can I use for RapidIdentity Cloud usernames?

You can only use ASCII characters for RapidIdentity Cloud entities.

Are user attributes other than username supported?

Yes, see product for details.

Can I define a password policy for my users’ passwords?

Yes, you can enforce strong passwords by requiring a minimum length or at least one number. You can enforce password validation via https://haveibeenpwned.com/, requiring users to select a password that is not listed as compromised. You can also require a password reset upon the next cloud sign-in.
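To show what the three checks above look like in practice, here is an added example (not Identity Automation code) that enforces a minimum length and a digit requirement and then checks the password against the Have I Been Pwned Pwned Passwords service. The real service is queried with only the first five hex characters of the password’s SHA-1 hash and answers with every matching suffix and its breach count, so the password itself never leaves the client; because this example must run offline, the HTTP call is replaced by a constructed lookup table with made-up counts. The 12-character minimum, the `fetch_range` parameter, and all table rows are assumptions of this example.

```python
import hashlib
from typing import Callable, Iterable, List

# Constructed stand-in for the Pwned Passwords range API
# (https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>).
# The live service returns one "<35-char SHA-1 suffix>:<count>" line per hash that
# shares the prefix; the rows and counts below are made up for this example.
FAKE_RANGE_DB = {
    "5BAA6": [
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",  # suffix of SHA-1("password"); count constructed
        "0000000000000000000000000000000000A:2",      # constructed filler row
    ],
}


def fake_fetch_range(prefix: str) -> Iterable[str]:
    """Offline replacement for an HTTPS GET of /range/<prefix>."""
    return FAKE_RANGE_DB.get(prefix, [])


def pwned_count(password: str,
                fetch_range: Callable[[str], Iterable[str]] = fake_fetch_range) -> int:
    """k-anonymity lookup: send the 5-char SHA-1 prefix, compare suffixes locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix):
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def validate_password(password: str, min_length: int = 12,
                      fetch_range: Callable[[str], Iterable[str]] = fake_fetch_range) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(ch.isdigit() for ch in password):
        problems.append("contains no digit")
    count = pwned_count(password, fetch_range)
    if count:
        problems.append(f"appears {count} times in known breaches")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-42"):
        print(candidate, "->", validate_password(candidate) or "ok")
```

To use the live service, replace `fake_fetch_range` with a function that performs the HTTPS request for the prefix and returns the response split into lines; the rest of the logic is unchanged.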

RapidIdentity Cloud Role Management

What is a RapidIdentity Cloud role?

A RapidIdentity Cloud role is a cloud entity that defines a set of permissions for making cloud service requests. RapidIdentity Cloud roles are not associated with a specific user or group. Instead, roles are assumed by trusted entities such as cloud users, applications, or cloud services.

What problems do RapidIdentity Cloud roles solve?

RapidIdentity Cloud roles allow you to delegate access with defined permissions to trusted entities without having to share long-term access keys. You can use cloud roles to delegate access to cloud users managed within your account, or to a cloud service.

How do I get started with RapidIdentity Cloud roles?

You create a role in a way similar to how you create a user—name the role, attach a policy, and assign a group to it.

How are RapidIdentity Cloud roles managed?

You can create and manage RapidIdentity Cloud roles via the RapidIdentity Cloud console, which gives you a point-and-click, web-based interface.

What is the difference between a RapidIdentity Cloud role and a RapidIdentity Cloud user?

A RapidIdentity Cloud user has permanent long-term access and is used to directly interact with cloud services. A RapidIdentity Cloud role does not have any credentials and cannot make direct requests to cloud services. RapidIdentity Cloud roles are meant to be assumed by authorized entities, such as cloud users and applications.

Can I add a RapidIdentity Cloud role to an AD group?

No. With the LDAP synchronization, you can create groups and assign roles to that group for access management.

Permissions

How do permissions work?

Access control policies are attached to users, groups, and roles to assign permissions to cloud resources. By default, cloud users, groups, and roles have no permissions; users with sufficient permissions must use a policy to grant the desired permissions.

How do I assign permissions using a policy?

To set permissions, you can create and attach policies using the RapidIdentity Cloud Management Console. Users who have been granted the necessary permissions can create policies and assign them to cloud users, groups, and roles.
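The following added example (illustrative code, not the product’s policy engine) models the access rules stated in the User Management, Role Management and Permissions sections: everything is denied by default, policies are attached to users, groups and roles, groups hold users but cannot contain other groups, a user’s own permissions are the union of the policies on the user and on the groups it belongs to, and a role has no credentials of its own and can only be assumed by members of a group the role is assigned to. One detail the FAQ does not state is assumed here: a request made while acting as a role carries only the role’s permissions, not the user’s. The class, method names, `*` wildcard and sample data are all assumptions of this example.

```python
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

# A permission is an (action, resource) pair; "*" matches anything (assumed convention).
Permission = Tuple[str, str]


def _matches(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


class AccessModel:
    """Deny-by-default model of users, groups, roles and attached policies (hypothetical)."""

    def __init__(self) -> None:
        self.policies: Dict[str, Set[Permission]] = {}
        self.attached: Dict[str, Dict[str, Set[str]]] = {
            "user": defaultdict(set), "group": defaultdict(set), "role": defaultdict(set)}
        self.group_members: Dict[str, Set[str]] = defaultdict(set)  # group -> users only (no nesting)
        self.role_groups: Dict[str, Set[str]] = defaultdict(set)    # role -> groups that may assume it

    def define_policy(self, name: str, permissions: Set[Permission]) -> None:
        self.policies[name] = set(permissions)

    def attach_policy(self, kind: str, target: str, policy: str) -> None:
        if kind not in self.attached:
            raise ValueError(f"policies attach to user, group or role, not {kind!r}")
        if policy not in self.policies:
            raise KeyError(policy)
        self.attached[kind][target].add(policy)

    def add_member(self, group: str, user: str) -> None:
        if user in self.group_members:
            raise ValueError("groups cannot belong to other groups")
        self.group_members[group].add(user)

    def assign_role(self, role: str, group: str) -> None:
        self.role_groups[role].add(group)

    def groups_of(self, user: str) -> Set[str]:
        return {g for g, members in self.group_members.items() if user in members}

    def can_assume(self, user: str, role: str) -> bool:
        return bool(self.groups_of(user) & self.role_groups.get(role, set()))

    def effective_permissions(self, user: str, role: Optional[str] = None) -> Set[Permission]:
        """Union of the user's own and group policies, or the role's policies when acting as a role."""
        if role is not None:
            if not self.can_assume(user, role):
                return set()  # a role the user cannot assume grants nothing
            names = self.attached["role"][role]
        else:
            names = set(self.attached["user"][user])
            for group in self.groups_of(user):
                names |= self.attached["group"][group]
        return set().union(*(self.policies[n] for n in names)) if names else set()

    def is_allowed(self, user: str, action: str, resource: str, role: Optional[str] = None) -> bool:
        return any(_matches(a, action) and _matches(r, resource)
                   for a, r in self.effective_permissions(user, role))


def build_sample_model() -> AccessModel:
    """Constructed sample directory: staff read reports; helpdesk may assume a user-admin role."""
    m = AccessModel()
    m.define_policy("read-reports", {("read", "reports")})
    m.define_policy("manage-users", {("create", "users"), ("disable", "users")})
    m.attach_policy("group", "staff", "read-reports")
    m.attach_policy("role", "user-admin", "manage-users")
    m.add_member("staff", "alice")
    m.add_member("staff", "bob")
    m.add_member("helpdesk", "bob")
    m.assign_role("user-admin", "helpdesk")
    return m


if __name__ == "__main__":
    m = build_sample_model()
    print("alice read reports:", m.is_allowed("alice", "read", "reports"))
    print("bob create users directly:", m.is_allowed("bob", "create", "users"))
    print("bob create users as user-admin:", m.is_allowed("bob", "create", "users", role="user-admin"))
```

The point to notice is the last three lines of the sample: bob reads reports through his group, cannot create users with his own credentials, and gains that permission only for requests made while acting as the assumed role, which mirrors the FAQ’s statement that roles delegate defined permissions without sharing long-term credentials.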

Multi-factor authentication

What is RapidIdentity Cloud MFA?

RapidIdentity Cloud multi-factor authentication provides an extra level of security that you can apply to your cloud environment. You can enable RapidIdentity Cloud MFA for your cloud account and for the individual cloud Identity and Access Management users you create under your account.

How does RapidIdentity Cloud MFA work?

RapidIdentity Cloud Management Console users authenticate with a cloud MFA device as follows: when a user with MFA enabled signs in to a cloud website, they are prompted for their username and password (the first factor–what they know) and for an authentication response from their cloud MFA device (the second factor–what they have). All cloud websites that require sign-in, such as the RapidIdentity Cloud Management Console, fully support RapidIdentity Cloud MFA.

How do I help protect my cloud resources with MFA?

Follow these easy steps:

  • Get an MFA device: Use our MFA application on a device such as your smartphone.
  • After you have configured the MFA device, you must activate it in the RapidIdentity Cloud console.

Can I have multiple MFA devices active for my RapidIdentity Cloud account?

Yes. Each cloud user must have its own MFA device.

Can I use virtual, hardware, or SMS MFA with multiple RapidIdentity Cloud accounts?

No. The MFA device or mobile phone number associated with virtual MFA is bound to an individual cloud identity (cloud user or root account). If you have a TOTP-compatible application installed on your smartphone, you can create multiple virtual MFA devices on the same smartphone. Each one of the virtual MFA devices is bound to a single identity, just like hardware MFA devices. If you dissociate (deactivate) the MFA device, you can then reuse it with a different cloud identity.

I already have a hardware MFA device (Gemalto) from my place of work or from another service I use. Can I re-use this device with RapidIdentity Cloud MFA?

No. RapidIdentity Cloud MFA relies on knowing a unique secret associated with your hardware MFA (Gemalto) device in order to support its use. Because of security constraints that mandate such secrets never be shared between multiple parties, RapidIdentity Cloud MFA cannot support the use of your existing Gemalto device. Only a compatible hardware MFA device purchased from Gemalto can be used with RapidIdentity Cloud MFA. You can re-use an existing U2F security key with RapidIdentity Cloud MFA, as U2F security keys do not share any secrets between multiple parties.

Provisioning a Virtual MFA Device

What is a virtual MFA device?

A virtual MFA device is an entry created in a TOTP compatible software application that can generate six-digit authentication codes. The software application can run on any compatible computing device, such as a smartphone.

What are the differences between a virtual MFA device and physical MFA devices?

Virtual MFA devices use the same protocols as physical MFA devices. Virtual MFA devices are software-based and can run on your existing devices such as smartphones. Most virtual MFA applications also allow you to enable more than one virtual MFA device, which makes them more convenient than physical MFA devices.

Which virtual MFA applications can I use with RapidIdentity Cloud MFA?

You can use applications that generate TOTP-compliant authentication codes, such as the RI application and Google Authenticator application, with RapidIdentity Cloud MFA. You can provision virtual MFA devices either automatically by scanning a QR code with the device’s camera or by manual seed entry in the virtual MFA application.

What is a QR code?

A QR code is a two-dimensional barcode that is readable by dedicated QR barcode readers and most smartphones. The code consists of black squares arranged in larger square patterns on a white background. The QR code contains the required security configuration information to provision a virtual MFA device in your virtual MFA application.
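The three answers above (what a virtual MFA device is, which applications work, and what the QR code carries) describe the TOTP flow end to end. The added example below, which is not Identity Automation’s code, shows that flow in working form: the provisioning QR code is assumed to encode an `otpauth://totp/...` key URI (the de facto format read by Google Authenticator and similar TOTP apps, which the FAQ does not name explicitly), the app parses the URI and stores the base32 seed, and from then on it produces six-digit codes from HMAC-SHA1 over a 30-second time counter, exactly as RFC 6238 specifies. The verifier also accepts the neighbouring time step to tolerate clock drift. Function names, the issuer/account strings and the verification window are assumptions of this example; the seed used in the demo is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, quote, unquote, urlparse

# RFC 6238 reference seed (ASCII "12345678901234567890") in base32; used only for the demo.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def build_otpauth_uri(issuer: str, account: str, secret_b32: str,
                      digits: int = 6, period: int = 30) -> str:
    """The key URI that a provisioning QR code encodes (assumed format)."""
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={period}")


def parse_otpauth_uri(uri: str) -> Dict[str, object]:
    """What the authenticator app does after scanning the QR code: recover seed and parameters."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    query = parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("provisioning URI carries no secret")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer", [""])[0],
        "secret": query["secret"][0],
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def totp(secret_b32: str, for_time: float, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: code for the time step containing `for_time`."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore base32 padding if stripped
    key = base64.b32decode(padded)
    counter = int(for_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, now: Optional[float] = None,
                window: int = 1, digits: int = 6, period: int = 30) -> bool:
    """Server-side check: accept the current step and `window` steps either side for clock drift."""
    now = time.time() if now is None else now
    for step in range(-window, window + 1):
        expected = totp(secret_b32, now + step * period, digits, period)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    uri = build_otpauth_uri("RapidIdentity Cloud", "alice@example.com", DEMO_SECRET_B32)
    device = parse_otpauth_uri(uri)
    code = totp(str(device["secret"]), time.time())
    print(uri)
    print("current code:", code, "valid:", verify_totp(DEMO_SECRET_B32, code))
```

A real deployment would also record the last accepted time step per user so that a code cannot be replayed within its validity window, and would keep the seed encrypted at rest; both are outside what the FAQ describes and are left out here.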

Encryption

What encryption in motion is utilized?

Encryption in Transit. RapidIdentity Cloud provides Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption for data in motion.

What encryption is utilized for data at rest?

RapidIdentity Cloud provides data-at-rest encryption using the Advanced Encryption Standard (AES) algorithm, AES-256-bit encryption. This method encrypts files transparently, which protects confidential data.