Control Center Users and Roles

HYPR Control Center Standard: Control Center Settings

In addition to regular users (who unlock their workstations or log in to web applications with HYPR), the Control Center also has its own separate set of users. To view the Control Center users in your system, select Control Center Settings and go to the Control Center Users tab:

Control Center User Roles

When you add a new Control Center user, you assign them a role that defines the screens and features they can and can’t access.

There are four roles in Control Center:

  • Admin
  • App Manager
  • User Manager
  • Viewer

📘

Task-based Roles

Control Center roles are task-based, not hierarchical.

Admin users can see the role assigned to each user in the Role column of the Control Center Users screen (click Control Center Settings and go to the Control Center Users tab). Any logged-in user can see their own role at the bottom of the Control Center navigation pane.

To see how many users of each type you have, click Control Center Settings and go to the User Roles tab.

Admin Role

The Admin role is appropriate for anyone in your company who needs full Control Center access, such as system administrators.

For new HYPR environments, the first Control Center user in your organization is given the Admin role by HYPR.

Any Control Center users who were added in older versions of HYPR (versions without multiple roles) will be automatically assigned the Admin role after the upgrade. See Changing a Control Center User’s Role if you want to give them different permissions.

Admin users can access and use all Control Center screens and features. Actions they can perform include the following:

  • Change Control Center settings (the options on the Control Center Settings page)
  • Add, delete, and manage other Control Center users, including other Admin users
  • Change the roles of other Control Center users, including other Admin users
  • View Audit Trail screens
  • Set up, manage, and delete integrations

What Admin users can’t do:

  • Delete their own Control Center user accounts
  • Change their own roles

Viewer Role

The Viewer role allows read-only access to certain Control Center pages and features. Viewer users can do the following:

  • View (but not change) information on the Workstation page
  • View (but not change) information on the Integrations page
  • View the Workstation and Integrations Audit Trail screens (optional)

User Manager Role

The User Manager role is intended for anyone who manages and supports the end users (non-Control Center users) in your HYPR environment.

User Managers can do the following:

  • Delete HYPR Passwordless client users
  • Send login recovery PINs to HYPR Passwordless client users (workstation unlock)
  • Add and delete integration users
  • Send login recovery PINs to integration users
  • Generate magic links for integration users
  • View the Workstation and Integrations Audit Trail screens (optional)

App Manager Role

The App Manager role is designed for users who create and manage integrations, such as developers.

App Manager users can do the following:

  • Add new integrations (but they can’t delete them)
  • View enrolled and pending integration users (but they can’t add new users or delete them)
  • Assist integration users by sending login recoveries and creating magic links
  • Configure options on the FIDO2 Settings screen
  • Configure options on the Integration Settings screen (except for Delete Integration)
  • Configure options on the Access Tokens page (except for Revoke)
  • View the Audit Trail for integrations (optional)

Adding a Control Center User

To add a Control Center user, you send them an email invitation containing a link they can use to register a device for logging in to the Control Center. Successfully registering a device creates their Control Center user account.

  1. Select Control Center Settings in the Control Center left navigation pane.
  2. Go to Control Center Users and click Add User.

This screen appears:

  3. Type the user’s first name, last name, and email address. The email address will be associated with this user for the purposes of logging in to the Control Center, so it’s typically their business email. It’s also the address where the invitation to be a Control Center user is sent, so it needs to be a valid address they can access. The email address must also be unique for your HYPR environment.
  4. If you want to use something other than the email address as the username, deselect Use the email address as the user’s username and enter the value you want.
  5. Select the Control Center role you want to assign to this user. See Control Center User Roles for information on each role.
  6. Select the Enable Audit Trail Access checkbox if you want to allow this user to view the Audit Trail screens. Admin users always have access to the Audit Trail, so you can’t deselect this option if you’re assigning the Admin role.

For more information on Audit Trail screens, see Disabling or Enabling Audit Trail Access.

  7. Click Add. The email is sent to the address you entered, and a confirmation screen appears.

The user’s name appears in the Pending list:

What the Invited User Does

The user you invited should get an email similar to this one:

In the Device Manager, users select the type of device they want, then pair the device following the on-screen instructions. (The process is similar to pairing a device with the HYPR Passwordless client for a workstation login; please see Pairing with the HYPR Mobile App.)

📘

No Security Key Option

If Smartphone is the only option that appears for new users, and you’d like them to be able to log in with a security key, or through biometric recognition on their computer (Touch ID for Mac or Windows Hello, for example), you must enable FIDO2 authentication for the Control Center. See FIDO2 Settings.

After the user has successfully registered a device, their name moves to the Registered list in the Control Center Users screen, indicating they have been added successfully.

The URL for accessing the Control Center is included in their invitation email.

Troubleshooting Adding Users

If sending an email invite doesn’t work for one or more users, or the link they receive expires before they can use it, you can do either of the following:

  • Resend the invite. This action sends the user an email containing a new link.
  • Manually generate a link and send it to the user, for example through a separate email or a messaging application. (The link you generate in this case is called a magic link.)

Resending the Invite

To resend the invite, complete these steps:

  1. Go to the Pending list in the Control Center Users screen.
  2. Locate the user you want to invite again and click Options in the Action column.
  3. Click Resend Magic Link.
  4. In the confirmation screen, click Resend Invite Email.

Creating a Magic Link

The links that are sent as part of the email invitation process are called “magic links.” You can create a magic link separately from the auto-created emails. You can then send or give the link to the user through any appropriate, secure communication channel. These magic links work the same way as the links included in the email invitations.

To create a new magic link for a user, complete these steps:

  1. Go to the Pending list in the Control Center Users screen.
  2. Locate the user and click Options in the Action column.
  3. Click Create Magic Link.
  4. Magic links are valid for 24 hours (86,400 seconds) by default. If you want to increase or decrease this time, adjust the Token Validity Time in Seconds setting in the next screen.
  5. Click Create.

📘

Practical Magic

When you create a new magic link, any links created earlier for that user are invalidated.

  6. Click Copy and Close. You can then send the link to the user, for example by pasting it into a new email or a message in another communication channel. They use it the same way they would use the link sent through the original invitation. Note that magic links are valid only for the named user.

📘

Secure Channels

Magic links allow access to the Control Center and the Device Manager, and for this reason they should be treated as sensitive data. Make sure any channel you use to distribute them is secure.
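
The rules stated in this section (a 24-hour default validity, a new link invalidating earlier ones, and validity only for the named user) can be modelled as follows. This is an added illustration, not HYPR's code: the MagicLinkStore class, its method names, the hashed-token storage, and the single-use behaviour are assumptions.

```python
import hashlib
import secrets
import time

DEFAULT_VALIDITY_SECONDS = 86_400  # 24 hours, the default stated on this page


class MagicLinkStore:
    """Hypothetical model of the link rules above; not HYPR's implementation."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # One slot per username: (SHA-256 of token, expiry time).
        self._active = {}

    def create(self, username, validity_seconds=DEFAULT_VALIDITY_SECONDS):
        if validity_seconds <= 0:
            raise ValueError("validity must be positive")
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        # Overwriting the slot invalidates any link created earlier.
        self._active[username] = (digest, self._clock() + validity_seconds)
        return token  # raw token is returned once and never stored

    def revoke(self, username):
        # Assumed to run when a pending user is removed.
        self._active.pop(username, None)

    def redeem(self, username, token):
        entry = self._active.get(username)
        if entry is None:
            return False  # no link for this user, or already used/revoked
        digest, expires_at = entry
        presented = hashlib.sha256(token.encode()).digest()
        if not secrets.compare_digest(digest, presented):
            return False  # superseded link or a link issued to someone else
        del self._active[username]  # assumption: links are single-use
        return self._clock() < expires_at
```

Storing only a hash of the token means a leaked copy of the store cannot be replayed as a working link, which matters because the link itself grants access to the Control Center and the Device Manager.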

Changing the Device Used for Control Center Logins

If users want to add another device for logging into the Control Center, or if they want to unpair an existing device, they can do so through the HYPR Device Manager.

  1. Start the Control Center.
  2. Click Device Manager on the pop-up menu under the email address or username.
  3. Add or remove devices as needed. Please see Using the HYPR Device Manager for details.

📘

Pair Off

Be careful about removing (unpairing) a device if it’s the only one you’ve registered. If you remove it, you won’t be able to access the Control Center until an Admin user sends you a login recovery email or a magic link. See Restoring a User's Control Center Access.

Removing a Device for Another User

If you need to remove a login device for another user, you can do so through the Registered screen. (You can also use this procedure if you just want to view information about a device.)

  1. Click Control Center Settings in the Control Center left navigation pane.
  2. Go to the Registered screen and locate the user whose device you want to remove.
  3. Click the user’s name in the Name column.
The following information is shown:

The Machines section shows information about the tenant used by your company’s instance of HYPR. The Security Keys section shows devices registered to this user.

  4. In the Security Keys section, locate the row for the device you want to remove and click the Delete icon.
  5. Click Yes, Delete to confirm your choice.

Changing a Control Center User’s Role

To change a Control Center user’s role, complete these steps:

  1. Click Control Center Settings in the Control Center left navigation pane.
  2. Go to the Control Center Users screen and locate the user whose role you want to change.
  3. Click Options in the Actions column and select Change Role.
  4. Choose the new role for the user.

Note that Admin users can’t change their own roles. Another Admin user can change your role for you, however.

  5. Optionally, change the Enable Audit Trail Access option for this user.
  6. Click Change.

📘

Role Call

When you change the role of a user who is currently logged in to the Control Center, the new role will take effect when they switch to a different page in the UI. In some cases, depending on the change you made, they may have to log out and back in again to see the new role.

Disabling or Enabling Audit Trail Access

Admin users always have Audit Trail access; this setting can’t be changed. For other roles, you choose whether to give the user Audit Trail access when you add them to the Control Center. You can change the setting at any time.

There are several Audit Trail screens in the Control Center. If you enable Audit Trail access for someone, they’ll be able to view any Audit Trail in pages available for that role. For example, if you give Audit Trail access to an App Manager user, they’ll be able to view the Audit Trail screen in the Integrations page of the Control Center, but they won’t be able to view the one under Control Center Settings because their role doesn’t have access to that page.

To change a user’s Audit Trail access, complete these steps:

  1. Click Control Center Settings in the Control Center left navigation pane.
  2. Go to the Control Center Users screen and locate the user whose Audit Trail access you want to change.
  3. Click Options in the Actions column and select Change Role.
  4. Optionally, choose a new role for the user.
  5. Set the Enable Audit Trail Access option as required.
  6. Click Change.

If the user is currently logged in to the Control Center, they may have to log out and back in again to see the results of the change.

Removing a Control Center User

You can remove Control Center access for both registered and pending users. In the case of a pending user, removing them invalidates the link in the original invitation email so it can’t be used to register a device, which means the user can’t create a Control Center account.

To remove a user’s Control Center access, follow these steps:

  1. Go to the Registered list in the Control Center Users screen. (If the user has not yet registered a device, go to the Pending list instead.)
  2. Locate their name and click Options in the Actions column.
  3. Click Delete User.
  4. On the confirmation screen, select the checkbox and click Delete User.
📘

Just the Control Center

Deleting a user from the Control Center only removes their Control Center access; it doesn’t remove them from other parts of the HYPR system. For example, if they have a regular user account and log in to their computer through the HYPR Passwordless client, they’ll still be able to do that.

See also Removing a Device for Another User.

Restoring a User's Control Center Access

There may be situations in which a user loses their access to the Control Center and needs to get it back. For example, if they registered their phone for logging in, and then lost the phone, they’ll be unable to access the Control Center (there is no login+password alternative method for getting into the HYPR Control Center). In cases like this, they’ll need help from another Control Center user.

Only users with the Admin role can restore access for other Control Center users.

There are two methods you can use to help another user regain Control Center access:

Send Login Recovery

This is a quick, convenient way to restore login ability for a user who can still access the email address associated with their Control Center account. (This is the email address shown for them in the Email column of the Control Center Users screen.)

  1. Go to the Registered list in the Control Center Users screen. (If the user has no devices registered for login, their name will be on the Pending list, not the Registered list.)
  2. Locate the user’s name and click Options in the Actions column.
  3. Click Send Login Recovery.
  4. Click Send Recovery Email on the confirmation screen.

The user is sent an email with a link they can use to register a new device, which should allow them to get their access back.

Create Magic Link

This method is useful if the Send Login Recovery option doesn’t work, or if the user can’t access the email address associated with their Control Center account. Magic links work the same way as the links included in the auto-created email invitations, although magic links expire in 24 hours.

  1. Go to the Registered list in the Control Center Users screen. (If the user has no devices registered for login, their name will be on the Pending list, not the Registered list.)
  2. Locate the user’s name and click Options in the Actions column.
  3. Click Create Magic Link and follow the instructions on the screen. For more information, please see Creating a Magic Link.
Frequently Asked Questions

Q: I'm the only Control Center user at my company, and I lost my access to the Control Center. What should I do?

A: Please call HYPR Support for assistance.

Q: How can I tell what my role is?

A: Your role is shown under your username at the bottom of the left navigation pane in the Control Center.

Q: What happens to Control Center users created in older versions of HYPR before roles were introduced?

A: Existing users will be assigned the Admin role by default, but their role can be changed if required.

Q: Why doesn’t a role change seem to have any effect?

A: In some cases, role changes only take effect after the user logs out and back in again.

Q: Why do users sometimes see an error message after a role change?

A: Occasionally, users who are logged in at the time you’re changing their role will be logged out automatically when they navigate away from the current screen, and they may see an error message. (Typically, the change is either to or from the Admin role.) If this happens, ask them to log back in again, which should resolve the issue.