CA Identity Manager Connector Guides › Connectors Guide › Connecting to Endpoints › RSA Authentication Manager SecurID 7 Connector › Connector Specific Features › How You Acquire and Manage RSA 7.1 Endpoints › Responsibilities List and Account Synchronization › Remove the Trusted Members of a Trusted Group

Remove the Trusted Members of a Trusted Group

If you no longer want to manage a trusted user as part of a trusted group, you can remove the trusted user from a trusted group.

To remove the trusted members from a trusted group

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint from which you want to remove trusted members of a group and then select Content.

   The Endpoint Content dialog appears.

4. Select the System Domain container in the Container tree.
5. Select Trusted Group in the Object Type list and click Search.

   The list of trusted groups appears in the list view.

6. Right-click the trusted group you want to remove members from, then click Properties.

   The Trusted Group dialog General 1 tab appears.

7. Click the Trusted User Members tab.

   The trusted users that are members of the group appear in the Assigned list.

8. In the Assigned list, select the trusted user or trusted users you want to remove from the trusted group, then move them to the Available list, then click OK.

   The trusted users you specified are removed from the trusted group.

Administrative Roles

Administrative roles are read-only. You can only view the security domain scope in which the administrator has permission to manage objects and the identity source an administrator has permission to manage users from.

However, you can assign and unassign a user account to an administrative role.

More information:

How to Remove an Administrative Role

How to Assign an Administrative Role

View Administrative Roles

You can view the administrative roles in your organization.

To view administrative roles

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to view administrative roles, and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the Administrative Roles container in the Container tree, then click Search.

   The Administrative Roles for the endpoint you specified appear in the list view.

5. Right-click the Administrative role you want to view details for.

   The Administrative Roles dialog appears and displays the identity sources an administrator has permissions to manage users from, and the security domain the administrator has permissions to manage users from.

How to Assign an Administrative Role

To assign an administrative role use either of the following methods:

• Edit an individual user and specify the administrative roles you want the user to have
• Edit an administrative role and specify the users that have the administrative role

Specify the Administrative Roles You Want the User to Have

To let a user perform specified actions in a specific security domain, you can assign an administrative role to a user. You can assign multiple administrative roles to a user.

To specify the administrative roles you want a user to have

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to assign an administrative role to a user account and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the Security Domain you want to search.
5. Select User Account in the Object Type list and click then click Search.

   The accounts for the system domain you selected appear in the list view.

6. Right click the user account you want to assign and administrative role, then click Properties.

   The User Account dialog appears.

7. Click the Administrative Roles tab.

   The administrative roles that the user is assigned appear in the Assigned list, and the containers in the namespace you can search appear in the Available List Search tree.

8. Search for the administrative roles you want to assign to the user.

   The administrative roles you can assign to the user account appear in the Available list.

9. In the Available list, select the Administrative role or administrative roles you want to assign to the user, then move it to the Assigned list, then click OK.

   The administrative role you selected is assigned to the user.

Specify the Users That Have the Administrative Role

To let a user perform specified actions in a specific security domain, you can assign a user to an administrator role. You can assign multiple users to an administrative role at the same time.

To specify the users that have the administrative role

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to specify the users that have the administrative role and then select Content.

   The Endpoint Content dialog appears.

4. Select Administrative Roles in the Object Type list and click then click Search.

   The administrative roles appear in the list view.

5. Right click the administrative role you want to add users to, then click Properties.

   The Administrative Roles dialog appears.

6. Click the Administrator roles tab.

   The users that are assigned the administrative roles appear in the Assigned list, and the containers in the namespace you can search appear in the Available List Search tree.

7. Search for the administrative roles you want to assign to the user.

   The administrative roles assigned to the user account appear in the Available list.

8. In the Available list, select the user or users you want to assign to the administrative role then move it to the Assigned list, then click OK.

   Both local and trusted users appear in the Available list. Verify that you select the correct user type before you move it to the Assigned list. For more information, see Local and Remote User Support.

   The user you specified is added to the administrative role.

How to Remove an Administrative Role

To remove an administrative role use either of the following methods:

• Edit an individual user and remove the administrative roles you do not want the user to have
• Edit an administrative role and remove the users you do not want to have the administrative role

Unassign an Administrative Role from a User Account

If you no longer want to manage the actions a user can perform in a specific security domain using an administrative role you can remove an administrative role from a user. You can remove multiple administrative roles from a user at the same time.

To remove the administrative roles you do not want users to have

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you do not want administrative roles a user to have and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the Security Domain you want to search.
5. Select User Account in the Object Type list and click then click Search.

   The accounts for the system domain you selected appear in the list view.

6. Right click the user account you want to assign and administrative role, then click Properties.

   The User Account dialog appears.

7. Click the Administrative Roles tab.

   The administrative roles that the user is assigned appear in the Assigned list, and the containers in the namespace you can search appear in the Available List Search tree.

8. Search for the administrative roles you want to unassign from a user.

   The administrative roles assigned to the user account appear in the Assigned list.

9. In the Assigned list, select the administrative role or administrative roles you want to remove from the user, then move it to the Available list, then click OK.

   The administrative role is removed from the user.

Unassign a User Account Assigned to an Administrative Role

If you no longer want to manage the actions a user can perform in a specific security domain using an administrative role you can remove a user from an administrator role. You can remove multiple users from an administrative role at the same time.

To remove users from an administrative role

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to remove users from an administrative role and then select Content.

   The Endpoint Content dialog appears.

4. Select Administrative Roles in the Object Type list and click then click Search.

   The administrative roles appear in the list view.

5. Right click the administrative role you want to remove users from, then click Properties.

   The Administrative Roles dialog appears.

6. Click the Administrator roles tab.

   The users that are assigned the administrative role appear in the Assigned list, and the containers in the namespace you can search appear in the Available List Search tree.

7. Search for the administrative roles you want to unassign from the user.

   The administrative roles assigned to the user account appear in the Assigned list.

8. In the Assigned list, select the user or users you want to unassign from the administrative role then move it to the Available list, then click OK.

   The user is removed from the administrative role.

Manage Groups

The RSA 7.1 SecurID connector supports the following user group management operations:

• Creating groups
• Editing groups
• Adding and removing users to or from groups
• Make groups members of other groups
• Creating trusted groups
• Associating groups with authentication agents
• Removing group members from groups
• Associating trusted groups with authentication agents

More Information:

Create a Group

Edit a Group

Create a Trusted Group

Associate a Trusted Group with Authentication Agent

Edit a Trusted Group

How to Add Users to Groups

How to Remove Users from Groups

Create a Group

You can organize users into groups based on your specific business needs, for example, locations, business departments or job title. You can also create user groups that contain other user groups, for example, a user group named Melbourne that contains a group named Technical Writers. The members of groups that contain other groups are named group members.

To create a user group

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint you want to create a trusted user on and then select Content.

   The Endpoint Content dialog appears.

4. Select the System Domain container in the Container tree.
5. Select Group in the Object Type list and click New.

   The Group dialog General 1 tab appears.

6. On the General 1 tab, specify the basic details of the group you want to create.
7. On the Access Times (UTC/GMT) tab, specify the times when the members of a user group can authenticate.
8. On the Identity Source tab, specify the identity source you want to add the user group to.
9. On the Group Members tab, add a user group to the group.
10. On the Authentication tab, specify the user groups access to specific authentication agents.
11. On the User Members tab, search for the user you want to add to the group, then add it to the group.
12. Click Ok.

    The user group you specified is created.

Edit a Group

To modify the details of a group, such as the times when members of a user group can authenticate, the groups the group belongs to, the groups access to specific authentication agents, and the members of a group, edit the group.

Note: The identity source where the group is assigned is read-only. You can only specify an identity source for a group when you create the group.

To edit a group

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to edit a group, and then select Content.

   The Endpoint Content dialog appears.

4. Select the System Domain container in the Container tree.
5. Select Group in the Object Type list and click Search.

   The list of groups appears in the list view.

6. Right click the group you want to change, then click Properties.

   The Group dialog General 1 tab appears.

7. On the General 1 tab, modify the basic details of the group you want to create.
8. On the Access Times (UTC/GMT) tab, specify the times when the members of a group can authenticate.
9. On the Group Members tab, modify the group the group belongs to.
10. On the Authentication tab, modify the groups access to specific authentication agents.
11. On the User Members tab, search for the user you want to add to the group, then add it to the group.
12. Click Ok.

    The details of the user are modified.

Move a Trusted Group into a Different Security Domain

If you want to manage a trusted group under a different security domain, you can move the trusted group to another security domains within the realm.

To move a trusted group into a different security domain

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurId 7 [DYN Endpoint] type in the Object Type drop-down list .
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to move a trusted group and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the Security Domain you want to search.
5. Select Trusted Group in the Object Type box and click then click Search.

   The trusted groups for the system domain you selected appear in the list view.

6. Right-click a trusted group in the list view and then click Move.

   The Move in Hierarchy dialog appears.

7. Select the Security Domain you want to move the trusted group into.
8. Click OK.

   The trusted group is moved into the security domain you selected.

How to Add Users to Groups

To add users to groups you can do either of the following:

• Edit an individual user and specify which groups the user is a member of
• Edit a group and specify the members of the group

Specify the Groups a User is a Member of

To manage users as group, you can add users to groups.

To specify the groups a user is a member of

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to add user groups and then select Content.

   The Endpoint Content dialog appears.

4. Select the System Domain container in the Container tree.
5. Select Group in the Object Type list and click Search.

   The list of groups appears in the list view.

6. Right click the group you want to change, then click Properties.

   The Group dialog General 1 tab appears.

7. Click the User Members tab.
8. Search for the users you want to add to the group.

   The users you can assign to the group appear in the Available list.

9. In the Available list, select the user or users you want to add to the group, then move the user or users to the Assigned list, then click OK.

   Note: Both local and trusted users appear in the Available list. Verify that you select the correct user type before you move it to the Assigned list. For more information, see Local and Remote User Support.

   The users you selected are added to the group.

Specify the Members of a Group

To manage users as group, you can assign a user to a group.

To assign a user to a group

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint where you want to add users to a group and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the Security Domain you want to search.
5. Select User Account in the Object Type list and click then click Search.

   The accounts for the system domain you selected appear in the list view.

6. Right-click an account in the list view and then click Properties.

   The User Account dialog appears.

7. Click the Member of tab.
8. Search for the groups you want to add the user to.

   The groups you can assign the user account to appear in the Available list.

9. In the Available list, select the group or groups you want the user to belong to, then move the group to the Assigned list, then click OK.

   The user is made a member of the groups you selected.

How to Remove Users from Groups

To remove users from groups, you can do either of the following:

• Edit an individual user and remove the group the user is a member of
• Edit a group and remove the user from the group

Remove the Group the User is a Member of

If you you no longer want to manage a user as part of a group, you can remove the group or groups a user is a member of.

To remove the group a user is a member of

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to remove a group a user is a member of, and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the Security Domain you want to search.
5. Select User Account in the Object Type list and click then click Search.

   The accounts for the system domain you selected appear in the list view.

6. Right-click an account in the list view and then click Properties.

   The User Account dialog appears.

7. Click the Member of tab.

   The groups that the user belongs to appear in the Assigned list.

8. In the Assigned list, select the group or groups you want to remove the user from, then move the group to the Available list, then click OK.

   The groups the user is a member of are removed.

Remove the User from a Group

If you you no longer want to manage a user as part of a group, you can remove the user from a groups they are a member of.

To remove a user from a group

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to remove users from a group, and then select Content.

   The Endpoint Content dialog appears.

4. Select the System Domain container in the Container tree.
5. Select Group in the Object Type list and click Search.

   The list of groups appears in the list view.

6. Right click the group you want to remove members from, then click Properties.

   The Group dialog General 1 tab appears.

7. Click the User Members tab.

   The users that are members of the group appear in the Assigned list.

8. In the Assigned list, select the user or users you want to remove from the group, then move the user or users it to the Available list, then click OK.

   The user you selected is removed from the group.

Make Groups Members of Other Groups

To manage collections of groups, you can make groups members of other groups. For example, you can make the groups Melbourne and Sydney Technical Writers part of the Technical Writers Australia group.

To make groups members of other groups

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to make groups members of other groups and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the security domain where the group you want to add to another group is located.
5. In the Object Type list, select Group, then click Search.

   The Group dialog appears.

6. Select Group in the Object Type list and click Search.

   The list of groups appears in the list view.

7. Right click the group you want to changes, then click Properties.

   The Group dialog General 1 tab appears.

8. Click the Group Members tab.
9. Search for the group you want to add to the group.

   The groups you can add to the group appear in the Available list.

10. Select the group or groups you want to add to the group, then move the group or groups to the Assigned list, then click OK.

    The groups you selected are added to the group.

Remove Group Members from Groups

If you no longer want to manage a group that is part of another group, you can remove group members from groups. For example, you could remove the Melbourne Sales group from the Australian Sales group.

To remove groups members from groups

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to remove groups members from groups and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the security domain where the group you want to add to another group is located.
5. In the Object Type list, select Group, then click Search.

   The Group dialog appears.

6. Select Group in the Object Type list and click Search.

   The list of groups appears in the list view.

7. Right click the group you want to changes, then click Properties.

   The Group dialog General 1 tab appears.

8. Click the Group Members tab.

   The groups that the group is a member of appear in the Assigned list.

9. In the Assigned list, select the group or groups you want to remove from the group, then move the group or groups to the Available list, then click OK.

   The groups you selected are removed from the group.

Associate a Group with Authentication Agent

You can specify the authentication agents you want to give the group permission to access.

To associate a group with an authentication agent

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to associate a group with an authentication agent and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the security domain where the group you want to add to another group is located.
5. In the Object Type list, select Group, then click Search.

   The Group dialog appears.

6. Select Group in the Object Type list and click Search.

   The list of groups appears in the list view.

7. Right click the group you want to change, then click Properties.

   The Group dialog General 1 tab appears.

8. Click the Authentication Agent tab.
9. Search for the authentication agent you want to give the group permission to access.

   The authentication agents you can assign to the group appear in the Available list.

10. In the Available list, select the authentication agent or agents you want to assign to the group, then move the agent or agents to the Assigned list, then click OK.

    You have associated the authentication agent with the group.

Create a Trusted Group

To manage trusted users as a trusted group, you can create a trusted group and specify its members.

To create a trusted group

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to create a trusted group and then select Content.

   The Endpoint Content dialog appears.

4. Select the System Domain container in the Container tree.
5. Select Trusted Group in the Object Type list and click New.

   The Trusted Group dialog General 1 tab appears.

6. On the General 1 tab, specify the basic details of the trusted group you want to create.
7. On the Access Times (UTC/GMT) tab, specify the times when the members of a trusted user group can authenticate.
8. On the Authentication tab, search for the authentication agents you want the trusted group to authenticate with.
9. On the Trusted User Members tab, search for the user you want to add to the trusted group, then add it to the trusted group.
10. Click Ok.

    The trusted group is created.

Edit a Trusted Group

If the details of trusted group change, for example, the authentication agents the group can use to authenticate, the times when members of a trusted user group can authenticate, the members of the trusted group, you can edit the details of the trusted group.

To edit a trusted group

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to edit a trusted group and then select Content.

   The Endpoint Content dialog appears.

4. Select the System Domain container in the Container tree.
5. Select Trusted Group in the Object Type list and click Search.

   The list of trusted groups appears in the list view.

6. Right click the trusted group you want to change, then click Properties.

   The Trusted Group dialog General 1 tab appears.

7. On the General 1 tab, modify the basic details of the trusted group you want to create.
8. On the Access Times (UTC/GMT) tab, modify the times when the members of a trusted user group can authenticate.
9. On the Authentication tab, modify the authentication agents you want the trusted group to authenticate with.
10. On the Trusted User Members tab, modify the users you want to add to the trusted group, then add it to the trusted group.
11. Click Ok.

    The details of the trusted group are modified.

Move a Group into a Different Security Domain

If you want to manage a group under a different security domain, you can move the group to another security domains within the realm.

To move a group into a different security domain

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurId 7 [DYN Endpoint] type in the Object Type drop-down list .
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to move a group and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the Security Domain you want to search.
5. Select Group in the Object Type box and click then click Search.

   The groups for the system domain you selected appear in the list view.

6. Right-click a group in the list view and then click Move.

   The Move in Hierarchy dialog appears.

7. Select the Security Domain you want to move the group into.
8. Click OK.

   The group is moved into the security domain you selected.

Associate a Trusted Group with Authentication Agent

To specify the authentication agents you want to give a trusted group permission to access, you can associate a trusted group with an authentication agent.

To associate a trusted group with an authentication agent

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to associate a trusted group with an authentication agent, and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the security domain where the trusted group you want to associate with an authentication agent is located.
5. In the Object Type list, select Trusted Group, then click Search.

   The Trusted Group dialog appears.

6. Select Trusted Group in the Object Type list and click Search.

   The list of trusted groups appears in the list view.

7. Right click the trusted group you want to change, then click Properties.

   The Trusted Group dialog General 1 tab appears.

8. Click the Authentication Agents tab.
9. Search for the authentication agent you want to give the trusted group permission to access.

   The authentication agents you can assign to the trusted group appear in the Available list.

10. In the Available list, select the authentication agent or agents you want to assign to the trusted group, then move the agent or agents to the Assigned list, then click OK.

    The authentication agent is associated with the trusted group.

RADIUS Profiles Management

The RSA 7.1 SecurID connector supports the following RADIUS Profile management operations:

• Creating, editing, modifying and deleting a RADIUS profile
• Assigning and unassigning RADIUS Profiles to users
• Assigning and unassigning RADIUS Profiles to trusted users

More information:

How to Assign a User to a RADIUS Profile

Associate a RADIUS Profile with an Authentication Agent

How to Unassign RADIUS Profiles from Users

How to Assign a Trusted User to a RADIUS Profile

How to Unassign a Trusted User from a RADIUS Profile

Remove Trusted Users from an Existing RADIUS Profile

Create a RADIUS Profile

Edit a RADIUS Profile

Delete a RADIUS Profile

How to Assign a User to a RADIUS Profile

You can assign a RADIUS profile to a user in either of the following ways:

• Assign a RADIUS profile to a user
• Add users to an existing RADIUS profile

Assign a RADIUS Profile to a User

To specify the session requirements for a user that requests remote network access, you can assign a RADIUS profile to the user.

To assign a RADIUS profile to a user

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to assign a RADIUS profile to a user and then select Content.

   The Endpoint Content dialog appears.

4. Select RADIUS profiles in the Container tree and then click Search.

   The RADIUS profiles for the system domain you selected appear in the list view.

5. Right-click a RADIUS Profile in the list view and then click Properties.

   The RADIUS Profile dialog appears.

6. Click the Users tab.

   Search for the users you want to assign a RADIUS profile to.

   The users you can assign to the RADIUS profile appear in the Available list, and the users assigned to the profile appear in the Assigned list.

7. In the Available list, select the user or users you want to assign to the RADIUS Profile, then move them to the Assigned list, then click OK.

   The RADIUS profile is assigned to the user.

Add Users to an Existing RADIUS Profile

To specify the session requirements for a user that requests remote network access, you can add users to an existing RADIUS profile.

To add users to an existing RADIUS profile

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to add users to an existing RADIUS profile and then select Content.

   The Endpoint Content dialog appears.

4. Select a security domain in the Container tree and then in the Object Type list, select User Account.
5. Click Search.

   The users in the system domain you selected appear in the list view.

6. Right-click a user in the list view and then click Properties.

   The User Account dialog appears.

7. Click the RADIUS Profiles tab.
8. Search for the RADIUS profiles you want add the user too.
9. The RADIUS profiles you can assign to the user appear in the Available list, and the RADIUS profiles assigned to the user appear in the Assigned list.
10. In the Available list, select the RADIUS profile or profiles you want to assign to the user, then move them to the Assigned list, then click OK.

    The user is added to the RADIUS profile.

How to Unassign RADIUS Profiles from Users

You can unassign a RADIUS profile from a user in either of the following ways:

• Unassign a RADIUS profile from a user
• Remove users from an existing RADIUS profile

Unassign a User from a RADIUS Profile

If you no longer want to manage the session requirements for a user that requests remote network access using a RADIUS profile, you can unassign a user from a RADIUS profile.

To unassign a RADIUS profile from a user

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to unassign a RADIUS profile from a user and then select Content.

   The Endpoint Content dialog appears.

4. Select a security domain in the Container tree and then in the Object Type list, select User Account.
5. Click Search.

   The users in the system domain you selected appear in the list view.

6. Right-click a user in the list view and then click Properties.

   The User Account dialog appears.

7. Click the RADIUS Profiles tab.

   The users assigned to the RADIUS profiles appear in the Assigned list.

8. In the Assigned list, select the user or users you want to unassign from the RADIUS profile, then move them to the Available list, then click OK.

   The RADIUS profile is unassigned from the user.

Remove Users from an Existing RADIUS Profile

If you no longer want to manage the session requirements for a user that requests remote network access using a RADIUS profile, you can can remove users from an existing RADIUS profile.

To remove users from an existing RADIUS profile

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to remove users from an existing RADIUS profile and then select Content.

   The Endpoint Content dialog appears.

4. Select RADIUS profiles in the Container tree and then click Search.

   The RADIUS profiles for the system domain you selected appear in the list view.

5. Right-click a RADIUS Profile in the list view and then click Properties.

   The RADIUS Profile dialog appears.

6. Click the Users tab.

   The users assigned to the RADIUS profile appear in the Assigned list.

7. In the Assigned list, select the user or users you want to unassign from the RADIUS Profile, then move them to the Available list, then click OK.

   The RADIUS profile is removed from the user.

How to Assign a Trusted User to a RADIUS Profile

You can assign a RADIUS profile to a trusted user in either of the following ways:

• Assign a RADIUS profile to a trusted user
• Assign trusted users to an existing RADIUS profile

Assign a RADIUS Profile to a Trusted User

To specify the session requirements for a trusted user that requests remote network access, you can assign a RADIUS profile to the trusted user.

To assign a RADIUS profile to a trusted user

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to remove users from an existing RADIUS profile and then select Content.

   The Endpoint Content dialog appears.

4. Select RADIUS profiles in the Container tree and then click Search.

   The RADIUS profiles for the system domain you selected appear in the list view.

5. Right-click a RADIUS Profile in the list view and then click Properties.

   The RADIUS Profile dialog appears.

6. Click the Trusted Users tab.
7. Search for the trusted users you want to assign the RADIUS profile to.

   The trusted users you can assign to the RADIUS profile appear in the Available list, and the trusted users assigned to the profile appear in the Assigned list.

8. In the Available list, select the trusted user or trusted users you want to assign to the RADIUS Profile, then move them to the Assigned list, then click OK.

   The RADIUS profile is assigned to the trusted user.

Assign Trusted Users to an Existing RADIUS Profile

To specify the session requirements for a trusted user that requests remote network access, you can add trusted users to an existing RADIUS profile.

To add trusted users to an existing RADIUS profile

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to add trusted users to an existing RADIUS profile and then select Content.

   The Endpoint Content dialog appears.

4. Select a security domain in the Container tree and then in the Object Type list, select User Account.
5. Click Search.

   The users in the system domain you selected appear in the list view.

6. Right-click a trusted user in the list view and then click Properties.

   The Trusted User Account dialog appears.

7. Click the RADIUS Profiles tab.
8. Search for the RADIUS profiles you want add the trusted user too.

   The RADIUS profiles you can assign to the trusted user appear in the Available list, and the RADIUS profiles assigned to the trusted user appear in the Assigned list.

9. In the Available list, select the RADIUS profile or profiles you want to assign to the trusted user, then move them to the Assigned list, then click OK.

   The trusted users are added to the RADIUS profile.

How to Unassign a Trusted User from a RADIUS Profile

You can unassign a RADIUS profile from a trusted user in either of the following ways:

• Unassign a RADIUS profile from a trusted user
• Remove a trusted user from an existing RADIUS profile

Unassign a Trusted User from a RADIUS Profile

If you no longer want to manage the session requirements for a trusted user that requests remote network access using a RADIUS profile, you can unassign a RADIUS profile from a trusted user.

To unassign a RADIUS profile from a trusted user

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to unassign a RADIUS profile from a trusted user in the list view and then select Content.

   The Endpoint Content dialog appears.

4. Select a security domain in the Container tree and then in the Object Type list, select Trusted User Account.
5. Click Search.

   The trusted users in the system domain you selected appear in the list view.

6. Right-click a trusted user in the list view and then click Properties.

   The trusted User Account dialog appears.

7. Click the RADIUS Profiles tab.

   The trusted users assigned to the RADIUS profiles appear in the Assigned list.

8. In the Assigned list, select the trusted user or trusted users you want to unassign from the trusted user, then move them to the Available list, then click OK.

   You have unassigned the RADIUS profile from the trusted user.

Remove Trusted Users from an Existing RADIUS Profile

If you no longer want to manage the session requirements for a trusted user that requests remote network access using a RADIUS profile, you can remove a trusted user from an existing RADIUS profile.

To remove trusted users from an existing RADIUS profile

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to remove trusted users from an existing RADIUS profile and then select Content.

   The Endpoint Content dialog appears.

4. Select RADIUS profiles in the Container tree and then click Search.

   The RADIUS profiles for the system domain you selected appear in the list view.

5. Right-click a RADIUS Profile in the list view and then click Properties.

   The RADIUS Profile dialog appears.

6. Click the Trusted Users tab.

   The users assigned to the RADIUS profile appear in the Assigned list.

7. Select the trusted user or trusted users you want to unassign from the RADIUS Profile, then move them to the Available list, then click OK.

   The RADIUS profile is removed from the trusted user.

Associate a RADIUS Profile with an Authentication Agent

To specify the session requirements for a users requesting remote network access using a specific authentication agent, you can associate a RADIUS profile with an Authentication Agent. The RADIUS profile is applied to all users that request remote network access using the specific authentication agent.

To associate a RADIUS profile with an authentication agent

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to associate a RADIUS profile with an authentication agent and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select RADIUS Profiles, then click Search.

   The list of RADIUS Profiles appears in the list view.

5. Right click the RADIUS profile group you want to associate with an authentication agent, then click Properties.

   The RADIUS Profile dialog appears.

6. Click the Authentication Agents tab.
7. Search for the authentication agent you want to associate with a RADIUS profile.

   The authentication agents you can assign to the RADIUS Profile appear in the Available list.

8. In the Available list, select the authentication agent or agents you want to associate with the RADIUS profile, then move the agent or agents to the Assigned list, then click OK.

   The authentication agent is associated with the RADIUS profile.

Create a RADIUS Profile

To specify the session requirements for users that request remote network access, you can create a RADIUS profile.

To create a RADIUS profile

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to assign a RADIUS profile to a user and then select Content.

   The Endpoint Content dialog appears.

4. Select the RADIUS Profiles container in the Container tree, then click New.

   The RSA SecureID 7 RADIUS Profile dialog appears General 1 tab appears.

5. Complete the fields on the General 1 tab.

   You have defined the details of a RADIUS profile.

6. Click the Users tab.
7. Search for the users you want to assign the RADIUS profile to.

   The users you can assign to the RADIUS profile appear in the Available list.

8. In the Available list, select the user or users you want assign to the RADIUS profile, and then move the users to the Assigned list, then click OK.

   You have assigned the select users to RADIUS profiles.

9. Click the Authentication Agents tab.
10. Search for the authentication agents users you want to assign to the RADIUS profile to.

    The authentication agents you can assign to the RADIUS profile appear in the Available list.

11. In the Available list, select the authentication agent or agents you want assign to the RADIUS profile, and then move the authentication agents to the Assigned list.

    You have assigned the select authentication agents to RADIUS profiles.

12. Click OK.

    You have created the RADIUS profile.

Edit a RADIUS Profile

To modify the session requirements for users that request remote network access, you can modify a RADIUS profile.

To edit a RADIUS profile

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to assign a RADIUS profile to a user and then select Content.

   The Endpoint Content dialog appears.

4. Select the RADIUS Profiles container in the Container tree, then click Search.

   The RADIUS Profiles for the system domain you selected appear in the list view.

5. Right-click an RADIUS profile in the list view and then click Properties.

   The RSA SecureID 7 RADIUS Profile dialog General 1 tab appears.

6. Edit the fields on the General 1 tab.

   You have defined the details of a RADIUS profile.

7. Click the Users tab.

   The users that are assigned to the RADIUS profile appear in the Assigned list.

8. In the Assigned list, select the user or users you want to unassign from the RADIUS Profile, then move them to the Available list, then click OK.

   You have assigned the select users to RADIUS profiles.

9. Click the Authentication Agents tab.

   The Authentication Agents tab appears.

   The authentication agents that are assigned to the RADIUS profile appear in the Assigned list.

10. In the Assigned list, select the agent or agents you want to unassign from the RADIUS Profile, then move them to the Available list,

    You have edited the select authentication agents assigned to the RADIUS profile.

11. Click OK.

    You have edited the RADIUS profile.

Delete a RADIUS Profile

If you you no longer want to manage the session requirements of users by using a RADIUS profile, you can delete the RADIUS profile.

To delete a RADIUS profile

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to assign a RADIUS profile to a user and then select Content.

   The Endpoint Content dialog appears.

4. Select the RADIUS Profiles container in the Container tree, then click Search.

   The RADIUS Profiles for the system domain you selected appear in the list view.

5. Right-click a RADIUS profile in the list view then click Delete.
6. When prompted, confirm that you want to delete the RADIUS profile.

   You have deleted the RADIUS profile.

Security Domain Management

The RSA 7.1 SecurID connector supports creating, modifying, or deleting security domains.

More information:

Create a Security Domain

Update a Security Domain

Delete a Security Domain

Create a Security Domain

To represent your companies business structure in a hierarchical tree, you can create security domains in a specified realm.

To create a security domain

1. Click the Endpoints task button and select the RSA SecurID 7 [DYN Endpoint] in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to create a security domain and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, click the realm where you want to create the security domain.
5. Select Security Domain in the Object Type list and click New.

   The Security Domain dialog General 1 tab appears.

6. On the General 1 tab, specify the name of the security domain you want to create.
7. On the Password Policy tab, assign a password policy to the security domain.
8. On the Self service troubleshooting policy tab, assign a Self service troubleshooting policy to the security domain.
9. On the Default authentication grade policy tab, assign an authentication grade policy to the security domain.
10. On the SecurID Token Policy tab, assign a SecurID token policy to the security domain.
11. On the Off-line authentication policy tab, assign an off-line authentication policy to the security domain.
12. Click Ok.

    The security domain is created in the realm you specified.

Update a Security Domain

To update the details of your companies business structure and policies, you can update the details of a security domain.

To update a security domain

1. Click the Endpoints task button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to enable or disable PINS and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, click the realm where you want to create the security domain.
5. Select Security Domain in the Object Type list and click Search.

   The Security Domains for the endpoint you specified appear in the list view.

   In the list view, right-click the security domain you want to update, then click Properties.

   The Security Domain dialog appears.

6. Update the fields on the tabs on the Security Domain dialog as required, then click OK.

   You have updated the details of the selected security domain.

Delete a Security Domain

If your companies business structure or policies change, you can delete the appropriate security domain. A security domain must be empty of all objects before it can be deleted, for example, users, groups, and administrative roles.

To delete a security domain

1. Click the Endpoints task button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to delete a security domain and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, click the realm where you want to delete the security domain.
5. Select Security Domain in the Object Type list and click Search.

   The Security Domains for the endpoint you specified appear in the list view.

6. In the list view, right-click the security domain you want to delete, then click Delete.
7. When prompted, confirm that you want to delete the security domain.

   The security domain is deleted.

Token Management

The RSA 7.1 SecurID connector supports the following Token management operations:

• Assigning and unassigning tokens
• Update and deleting tokens
• Enabling and disabling tokens
• Replacing tokens
• Enabling and clearing PINS
• Requesting PIN changes

Assign a Token to a User

If you want a user to authenticate using a token, assign a token to the user.

To assign a token to a user

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to a token to a user and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the Security Domain you want to search.
5. Select User Account in the Object Type list and click then click Search.

   The accounts for the system domain you selected appear in the list view.

6. Right-click an account in the list view and then click Properties.

   The User Account dialog appears.

7. Click the SecurID Tokens tab.

   The tokens that the user is assigned appear in the Assigned list, and the containers in the namespace you can search appear in the Available List Search tree.

8. Search for the tokens you want to assign to the user.

   The tokens you can assign to the user account appear in the Available list.

9. In the Available list, select the token you want to assign to the user, then move it to the Assigned list, then click OK.

   The selected token is assigned to the user.

Unassign Tokens

If you no longer want a user to authenticate using a token, you can unassign the token from the user.

To unassign tokens

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to unassign tokens and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the Security Domain you want to search.
5. Select User Account in the Object Type list and click then click Search.

   The accounts for the system domain you selected appear in the list view.

6. Right-click an account in the list view and then click Properties.

   The User Account dialog appears.

7. Click The SecurID Tokens tab.

   The tokens roles that the user is assigned appear in the Assigned list, and the containers in the namespace you can search appear in the Available List Search tree.

8. Search for the tokens you want to unassign from the user.

   The tokens assigned to the user account appear in the Assigned list.

9. In the Assigned list, select the token you want to unassign from the user, then move it to the Available list, then click OK.

   The selected token is unassigned from the user.

Update Tokens

You can update information about token codes, such as whether the token requires the user to enter their SecurID PIN, or whether the user is required to change the SecurID PIN the next time they authenticate with the token. You can also do the following:

• Enable or disable the token
• Clear the SecurID PIN
• Specify the token you want to replace this token with
• Replace a selected token with the current token
• Create, edit, or delete one-time tokencodes

To update tokens

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to update tokens and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the Security Domain you want to search.
5. Select Token in the Object Type list and click then click Search.

   The tokens for the system domain you selected appear in the list view.

6. Right-click a token in the list view and then click Properties.

   The Token dialog appears.

7. Update the information you require, then click OK.

   The selected token is updated.

Delete Tokens

To delete a token, you can remove it from the internal database.

To delete a token

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to delete a token and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the Security Domain you want to search.
5. Select Token in the Object Type list and click then click Search.

   The tokens for the system domain you selected appear in the list view.

6. Right-click a token in the list view and then click Delete.
7. When prompted, confirm that you want to delete the token code.

   The token is removed from the system and can no longer be assigned. If the token is assigned to user, the user cannot use the token to authenticate.

Enable Tokens

To let a user authenticate with a token they are assigned, enable the token.

To enable tokens

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to enable a token and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the Security Domain you want to search.
5. Select Token in the Object Type list and click then click Search.

   The tokens for the system domain you selected appear in the list view.

6. Right-click a token in the list view and then click Properties.

   The Token dialog appears.

7. Click the General 1 tab.
8. Select the Enabled Status check box, then click Apply.

   The user that is assigned the token can now use the token to authenticate.

Disable Tokens

If you no longer want a user to authenticate using the token they are assigned, disable the token.

To disable tokens

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to disable tokens and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the Security Domain you want to search.
5. Select Token in the Object Type list and click then click Search.

   The tokens for the system domain you selected appear in the list view.

6. Right-click a token in the list view and then click Properties.

   The Token dialog appears.

7. Click the General 1 tab.
8. Clear the Enabled Status check box, then click Apply.

   The user that is assigned the token can no longer use the token to authenticate.

How to Replace Tokens

You can put a token in one of the following replacement modes:

• Has a replacement token
• Is a replacement token

You can put a token in replacement mode in either of the following ways:

• Replace a users token with a token assigned by the RSA Server
• Replace a users token with a token you specify
• Replace a selected token with a token you specify

Note: You can put a token in only one token replacement mode at a time.

Replace Tokens

To replace a users token that has been lost or has expired, you can replace the users token with a token assigned by the RSA Server.

To replace tokens

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to replace tokens and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the Security Domain you want to search.
5. Select Token in the Object Type list and click then click Search.

   The tokens for the system domain you selected appear in the list view.

6. Right-click a token in the list view and then click Properties.

   The Token dialog appears.

7. Click the General 1 tab.
8. Select the Replace with next available token check box, then click OK.

   The RSA Server assigns the next available token to the user. The token is put in Has a replacement token mode. The Replacement mode field on the General 1 tab displays Has a replacement token.

Replace a Users Token with a Token you Specify

To replace a users token that has been lost or has expired, you can replace a users token with a with a token you specify.

To replace a users token with a token you specify

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to replace a users token with a token you specify and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the Security Domain you want to search.
5. Select Token in the Object Type list and click then click Search.

   The tokens for the system domain you selected appear in the list view.

6. Right-click a token in the list view and then click Properties.

   The Token dialog appears.

7. Click the Replacement by Token tab.

   The tokens that the user is assigned appear in the Assigned list, and the containers in the namespace you can search appear in the Available List Search tree.

8. Search for the tokens you want to replace with a specific token.

   The tokens you can assign to the user account appear in the Available list.

9. In the Available list, select the token you want to replace, then move it to the Assigned list, then click OK.

   The users token is replaced. The token is put in Has a replacement token mode. The Replacement mode field on the General 1 tab displays Has a replacement token.

Replace a Selected Token with a Token you Specify

You can replace a selected token with a token you specify. Users that were assigned the token you selected are assigned the new token you specified.

To replace a selected token with a token you specify

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to replace a selected token with a token you specify and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the Security Domain you want to search.
5. Select Token in the Object Type list and click then click Search.

   The tokens for the system domain you selected appear in the list view.

6. Right-click a token in the list view and then click Properties.

   The Token dialog appears.

7. Click the Will Replace Token tab.

   The tokens that the user is assigned appear in the Assigned list, and the containers in the namespace you can search appear in the Available List Search tree.

8. Search for the tokens you want to replace.

   The tokens that you can replace with the current token appear in the Available list.

9. in the Available list, select the token you want to replace the current token with, then move it to the Assigned list, then click OK.

   The current token is replaced with the token you selected.

   The token is put in Is a replacement token mode. The connector updates the Replacement mode field on the General 1 tab and displays Is a replacement token.

Enable or Disable PINs

To specify whether a user must enter a PIN and their token code when they authenticate, you can enable or disable PINS.

To enable or disable PINS

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to enable or disable a PIN and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the Security Domain you want to search.
5. Select Token in the Object Type list and click then click Search.

   The tokens for the system domain you selected appear in the list view.

6. Right-click a token in the list view and then click Properties.

   The Token dialog appears.

7. Click the General 2 tab.
8. Select or clear the PIN is set check box.

   Users that are assigned the token code you modified may have to enter a PIN and their token code when they authenticate, depending on whether you enabled or disabled the PIN.

Clear PINs

To specify that a user has to enter a tokencode and has to create a PIN when they next authenticate, you can clear the users current PIN.

To clear a PIN

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.
3. The RSA 7.1 endpoints appear in the list view.

   Right-click the endpoint on which you want to clear a PIN view and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the Security Domain you want to search.
5. Select Token in the Object Type list and click then click Search.

   The tokens for the system domain you selected appear in the list view.

6. Right-click a token in the list view and then click Properties.

   The Token dialog appears.

7. Click the General 2 tab.
8. Select the Clear PIN check box.

   The SecurID PIN assigned to a users logon is cleared. The user is required to enter a tokencode and is prompted to create a PIN when they next authenticate.

Request PIN Change

To specify that the user must change their PIN at the next logon, you can request a PIN change.

To request a PIN change

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to request a PIN change and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the Security Domain you want to search.
5. Select Token in the Object Type list and click then click Search.

   The tokens for the system domain you selected appear in the list view.

6. Right-click a token in the list view and then click Properties.

   The Token dialog appears.

7. Click the General 2 tab.
8. Select the PIN change at next logon check box, then click OK.

   The PIN assigned to a users logon is cleared. The user is required to enter a tokencode and is prompted to create a PIN when they next authenticate.

RSA Read-only Objects

The following endpoint objects are read-only on the RSA 7.1 SecurID endpoint:

• Authentication agents
• Authentication grade policies
• Identity sources
• Lockout policies
• Off-line authentication policies
• Password policies
• Self-service troubleshooting policies
• Token policies
• Trusted realms

View Authentication Agents

You can view the details of a selected authentication agent.

To view authentication agents

1. Click the Endpoints task button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to view authentication agents and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the SystemDomain container.
5. Expand the System Domain container then select the system domain where you want to view authentication agents.
6. Click Search.

   The authentication agents for the endpoint you specified appear in the list view.

7. Right-click the authentication agents you want to view details for, then click Properties.

   The Authentication Agent dialog General 1 tab appears and displays the details of the selected authentication agent.

View Authentication Grade Policies

You can view the authentication grade policies in a specified security domain.

To view authentication grade policies

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to view authentication grade policies and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the RSA Policies container in the Container tree.
5. In the Object list, select Authentication Grade, then click Search.

   The authentication grade policies for the endpoint you specified appear in the list view.

6. Right-click the authentication grade policy you want to view details for, then click Properties.

   The Authentication Grade dialog General 1 tab appears and displays the details of the selected authentication grade policy.

View Identity Sources

You can view the details of a selected identity source.

To view identity sources

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to view identity sources and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the Identity Source container in the Container tree.
5. Click Search.

   The identity sources for the endpoint you specified appear in the list view.

6. Right-click the identity source you want to view details for, then click Properties.

   The Identity Source dialog General 1 tab appears and displays the details of the selected identity source.

View Lockout Policies

You can view the lockout policies in a specified security domain.

To view lockout policies

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to view lockout policies and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the RSA Policies container in the Container tree.
5. In the Object list select Lockout Policy, then click Search.

   The lockout policies for the endpoint you specified appear in the list view.

6. Right-click the lockout policy you want to view details for, then click Properties.

   The Lockout Policy dialog General 1 tab appears and displays the details of the selected lockout policy.

View Off-Line Authentication Policies

You can view the off-line authentication policies in a specified security domain.

To view off-line authentication policies

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search

   The RSA 7.1 endpoints appear in the list view

3. Right-click the endpoint on which you want to view off-line authentication policies and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the RSA Policies container in the Container tree.
5. In the Object list, select Off-line Authentication Policy, then click Search.

   The SecurID token policies for the endpoint you specified appear in the list view.

6. Right-click the off-line authentication policy you want to view details for, then click Properties.

   The Off-line authentication Policy dialog General 1 tab appears and displays the details of the selected off-line authentication policy.

View Password Policies

You can view the password policies in a specified security domain.

To view password policies

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to view password policies and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the RSA Policies container in the Container tree.
5. In the Object list select Password Policy, then click Search.

   The Password Policies for the endpoint you specified appear in the list view.

6. Right-click the password policy you want to view details for, then click Properties.

   The Password Policies dialog General 1 tab appears and displays the details of the selected password policy.

View SecurID Token Policies

You can view the SecurID token policies in a specified security domain.

To view SecurID token policies

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to view SecurID policies and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the RSA Policies container in the Container tree.
5. In the Object list, select SecurID Token Policy, then click Search.

   The SecurID token policies for the endpoint you specified appear in the list view.

6. Right-click the SecurID token policies policy you want to view details for, then click Properties.

   The SecurID Token Policies dialog General 1 tab appears and displays the details of the selected SecurID token policy.

View Self-service Troubleshooting Password Policies

You can view the self-service troubleshooting password policies in a specified security domain.

To view self-service troubleshooting password policies

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to view self-service troubleshooting password policies and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the RSA Policies container in the Container tree.
5. In the Object list, select Self-service Password policies, then click Search.

   The self-service troubleshooting policies for the endpoint you specified appear in the list view.

6. Right-click the self-service password policy you want to view details for, then click Properties.

   The Self-service Troubleshooting Policy dialog General 1 tab appears and displays the details of the selected self-service troubleshooting policy.

View RSA Trusted Realms

You can view the details of the trusted realms your realm is permitted to receive authentication requests from.

To view trusted realms

1. In the Provisioning Manager, click the Endpoints button and select the RSA SecurID 7 [DYN Endpoint] type in the Object Type drop-down list.
2. Click Search.

   The RSA 7.1 endpoints appear in the list view.

3. Right-click the endpoint on which you want to view trusted realms and then select Content.

   The Endpoint Content dialog appears.

4. In the Container tree, select the Trusted Realms container in the Container tree.
5. Click Search.

   The trusted realms for the endpoint you specified appear in the list view.

6. Right-click the trusted realm you want to view details for, then click Properties.

   The Trusted Realms dialog General 1 tab appears and displays the details of the selected trusted realm.