FAQ

General

Where is my Identity Automation data stored?

Identity Automation hosts your data using services provided by Amazon Web Services (AWS).

Amazon Web Services are trusted and relied upon all over the world to provide highly secure and scalable infrastructure. Learn more about Amazon Web Services security here, including their System & Organizational Control (SOC) report.

Does Identity Automation have multiple data centers?

Yes. Identity Automation is deployed across multiple availability zones in AWS. Each availability zone is an isolated, state-of-the-art, highly-available data center helping to provide the highest degree of availability.

How do I know that my Identity Automation services will always be available? What is the SLA?

The Identity Automation Service Level Agreement is 99.5% uptime to ensure anywhere, any time access to your services.

What is Identity Automation’s RapidIdentity Cloud?

You can use RapidIdentity Cloud to securely control individual and group access to your organization resources. You can create and manage user identities (“cloud users”) and grant permissions for those cloud users to access your resources.

How do I get started with RapidIdentity Cloud?

To start using RapidIdentity Cloud, you must subscribe to Identity Automation services. You then can create and manage users, groups, and permissions via LDAP synchronizations or the RapidIdentity Cloud console, which gives you a point-and-click, web-based interface.

What problems does RapidIdentity Cloud solve?

RapidIdentity Cloud makes it easy to provide multiple users with secure access to your organization’s resources. RapidIdentity Cloud enables you to manage cloud users and their access. You can create users in Identity Automation’s identity management system, assign users individual security credentials (such as access keys, passwords, multi-factor authentication devices), or request temporary security access to provide users access to your organization’s services and resources. You can specify permissions to control which operations a user can perform.

Who can use RapidIdentity Cloud?

Any Identity Automation customer can use RapidIdentity Cloud.

What is a user?

A user is a unique identity recognized by Identity Automation services and applications. Similar to a login user in an operating system like Windows or UNIX, a user has a unique name and can identify itself using familiar security credentials such as a password or access key. A user can be an individual, system, or application requiring access to your organization’s services. RapidIdentity Cloud supports users (referred to as “cloud users”) managed in the Identity Automation identity management system.

What can a user do?

You can permit a user to access any or all of your organization’s services that have been integrated with RapidIdentity Cloud.

RapidIdentity Cloud User Management

How are RapidIdentity Cloud users managed?

RapidIdentity Cloud supports multiple methods to:

  • Create and manage cloud users.
  • Create and manage cloud groups.
  • Manage users’ security credentials.
  • Create and manage policies to grant access to Identity Automation services and resources.

You can create and manage users, groups, and policies by using the RapidIdentity Cloud console.

What is a group?

A group is a collection of cloud users or a listing presented via LDAP synchronization. Manage group membership as a simple list:

  • Add users to or remove them from a group.
  • A user can belong to multiple groups.
  • Groups cannot belong to other groups.
  • Groups can be granted permissions using access control policies. This makes it easier to manage permissions for a collection of users, rather than having to manage permissions for each individual user.
  • Groups do not have security credentials and cannot access web services directly; they exist solely to make it easier to manage user permissions.
What kinds of security credentials can RapidIdentity Cloud users have?

RapidIdentity Cloud users can have any combination of credentials that Identity Automation supports, such as a password, OTP, or MFA. This allows organizations to allow users to interact with RapidIdentity Cloud in any manner that makes sense for them.

Can I enable and disable user access?

Yes. You can enable and disable a RapidIdentity Cloud user’s access via the RapidIdentity Cloud console or LDAP synchronization. If you disable the access, the user cannot access cloud services.

Who is able to manage users for an RapidIdentity Cloud account?

The RapidIdentity Cloud administrator(s) can manage users, groups, security, and permissions. For example, an administrator user may manage users for a corporation—a recommended practice.

How are MFA devices configured for RapidIdentity Cloud users?

You (the RapidIdentity Cloud account holder) can allow the configuration of multiple MFA devices.

Do RapidIdentity Cloud user names have to be email addresses?

No, but they can be. User names are just ASCII strings that are unique within a given RapidIdentity Cloud account. You can assign names using any naming convention you choose, including email addresses.

Which character sets can I use for RapidIdentity Cloud usernames?

You can only use ASCII characters for RapidIdentity Cloud entities.

Are user attributes other than username supported?

Yes, see product for details.

Can I define a password policy for my user’s passwords?

Yes, you can enforce strong passwords by requiring a minimum length or at least one number. You can enforce password validation via https://haveibeenpwned.com/ requiring users to select a password not listed under compromise. You can also require a password reset upon the next cloud sign-in.

RapidIdentity Cloud Role Management

What is an RapidIdentity Cloud role?

An RapidIdentity Cloud role is an cloud entity that defines a set of permissions for making cloud service requests. RapidIdentity Cloud roles are not associated with a specific user or group. Instead, trusted entities assume roles, such as cloud users, applications, or cloud services.

What problems do RapidIdentity Cloud roles solve?

RapidIdentity Cloud roles allow you to delegate access with defined permissions to trusted entities without having to share long-term access keys. You can use cloud roles to delegate access to cloud users managed within your account, or to a cloud service.

How do I get started with RapidIdentity Cloud roles?

You create a role in a way similar to how you create a user—name the role, attach a policy, and assign a group to it.

How are RapidIdentity Cloud roles managed?

You can create and manage RapidIdentity Cloud roles via the RapidIdentity Cloud console, which gives you a point-and-click, web-based interface.

What is the difference between an RapidIdentity Cloud role and an RapidIdentity Cloud user?

An RapidIdentity Cloud user has permanent long-term access and is used to directly interact with cloud services. An RapidIdentity Cloud role does not have any credentials and cannot make direct requests to cloud services. RapidIdentity Cloud roles are meant to be assumed by authorized entities, such as cloud users and applications.

Can I add an RapidIdentity Cloud role to an AD group?

No. With the LDAP synchronization, you can create groups and assign roles to that group for access management.

Permissions

How do permissions work?

Access control policies are attached to user groups, and roles to assign permissions to cloud resources. By default, cloud user groups, and roles have no permissions; users with sufficient permissions must use a policy to grant the desired permissions.

How do I assign permissions using a policy?

To set permissions, you can create and attach policies using the RapidIdentity Cloud Management Console. Users who have been granted the necessary permissions can create policies and assign them to cloud users groups, and roles.

Multi-factor authentication

What is RapidIdentity Cloud MFA?

RapidIdentity Cloud multi-factor authentication provides an extra level of security that you can apply to your cloud environment. You can enable RapidIdentity Cloud MFA for your cloud account and for individual cloud Identity and Access Management (cloud) users you create under your account.

How does RapidIdentity Cloud MFA work?

The primary way to authenticate using a cloud MFA device for RapidIdentity Cloud Management Console users: When a user with MFA enabled signs in to a cloud website, they are prompted for their username and password (the first factor–what they know), and an authentication response from their cloud MFA device (the second factor–what they have). All cloud websites that require sign-in, such as the RapidIdentity Cloud Management Console, fully support RapidIdentity Cloud MFA.

How do I help protect my cloud resources with MFA?

Follow these easy steps:

  • Get an MFA device: Use our MFA application on a device such as your smartphone.
  • After you have configured the MFA device, you must activate it in the RapidIdentity Cloud console.
  • Can I have multiple MFA devices active for my RapidIdentity Cloud account?
  • Yes. Each cloud user must have its own MFA device.
Can I use virtual, hardware, or SMS MFA with multiple RapidIdentity Cloud accounts?

No. The MFA device or mobile phone number associated with virtual MFA is bound to an individual cloud identity (cloud user or root account). If you have a TOTP-compatible application installed on your smartphone, you can create multiple virtual MFA devices on the same smartphone. Each one of the virtual MFA devices is bound to a single identity, just like hardware MFA devices. If you dissociate (deactivate) the MFA device, you can then reuse it with a different cloud identity.

I already have a hardware MFA device (Gemalto) from my place of work or from another service I use, can I re-use this device with RapidIdentity Cloud MFA?

No. RapidIdentity Cloud MFA relies on knowing a unique secret associated with your hardware MFA (Gemalto) device in order to support its use. Because of security constraints that mandate such secrets never be shared between multiple parties, RapidIdentity Cloud MFA cannot support the use of your existing Gemalto device. Only a compatible hardware MFA device purchased from Gemalto can be used with RapidIdentity Cloud MFA. You can re-use an existing U2F security key with RapidIdentity Cloud MFA, as U2F security keys do not share any secrets between multiple parties.

Provisioning a Virtual MFA Device

What is a virtual MFA device?

A virtual MFA device is an entry created in a TOTP compatible software application that can generate six-digit authentication codes. The software application can run on any compatible computing device, such as a smartphone.

What are the differences between a virtual MFA device and physical MFA devices?

Virtual MFA devices use the same protocols as physical MFA devices. Virtual MFA devices are software-based and can run on your existing devices such as smartphones. Most virtual MFA applications also allow you to enable more than one virtual MFA device, which makes them more convenient than physical MFA devices.

Which virtual MFA applications can I use with RapidIdentity Cloud MFA?

You can use applications that generate TOTP-compliant authentication codes, such as the RI application and Google Authenticator application, with RapidIdentity Cloud MFA. You can provision virtual MFA devices either automatically by scanning a QR code with the device’s camera or by manual seed entry in the virtual MFA application.

What is a QR code?

A QR code is a two-dimensional barcode that is readable by dedicated QR barcode readers and most smartphones. The code consists of black squares arranged in larger square patterns on a white background. The QR code contains the required security configuration information to provision a virtual MFA device in your virtual MFA application.

Encryption

What encryption in motion is utilized?

Encryption in Transit. RapidIdentity Cloud provides Secure Sockets Layer (SSL) and Transport Layer Security encryption for data in motion.

What encryption is utilized for data at rest?

RapidIdentity Cloud provides data-at-rest encryption using the Advanced Encryption Standard (AES) algorithm, AES-256-bit encryption. This method encrypts files transparently, which protects confidential data.