SafeShare Administrator's Guide
Toggle TOC panel
Administering SafeShare administrator users

All features of Covata technologies are accessed through a Covata user account. The core of these features include the ability to:

A Covata user who has the SafeShare administrator role (also simply known as a 'SafeShare administrator'):

  • Has permission to administer organisations that utilise the Covata Platform and its associated Covata technologies.
  • Is represented by a user account which can be added, edited (by the user themselves) as well as removed (as well as re-added again) by any other SafeShare administrator through the Administrators page.

(1) A file object / Secure Object is defined as Covata-encrypted data that has been registered on the Covata Platform, along with the properties associated with this encrypted data. For more information about file objects, see Administering files within the SafeShare Organisation Administration section of this guide.

Administrators page

A SafeShare administrator user's fields

Each Covata user's account is defined by a set of fields described in the table below, of which only the Email field can be specified when a SafeShare administrator's account is added account through SafeShare Administration.

A SafeShare administrator user can configure their own user account's fields when they edit their own account.

Unless stated in the following table, these fields and their values are visible on the Administrators page of SafeShare Administration.

Field Description Required?
Email The email address that forms part of a user's credentials, which the user requires to authenticate to the Covata Platform. This email address:
  • Defines the user's identity and hence, must be unique amongst all user accounts on the Covata Platform.
  • Is the email address that the Covata Platform sends notifications to.
  • Cannot be edited once the account has been created.
Yes
First Name (2) A user's first name (e.g. a given name or nickname). This field is only editable through the user's own My Account feature. No
Last Name (2) A user's last name (e.g. a surname or family name). This field is only editable through the user's own My Account feature. No
Other Name (2) A user's middle name (e.g. one or more other given names). This field is only visible and editable through the user's own My Account feature. No
Mobile Number (2)

The mobile number of a user. This field is only visible and editable through the user's own My Account feature.

Note: This number must include the country calling code and plus (+) sign prefix.
(e.g. +1 234 567 8910 for a US-based number.)

No
Default Language (2)

The language preference/settings for a user. Any changes to this field apply immediately to the user interfaces of SafeShare Administration, SafeShare for Web and Organisation Administration (if the user has access to these features).
This field is only visible and editable through the user's own My Account feature.

Note: This setting overrides the System Default language (defined through the Internationalisation page).

No
Locked This field indicates 'Yes' if a Covata user account has been locked as a result of the user mistyping their password more than the maximum number of times configured by a SafeShare administrator. The user themselves will need to unlock this account by following the instructions in their 'account lockout' notification (or by resetting their password via any of the options on the Covata Sign-in page).
If a user account is not locked, this field indicates nothing. The values of this non-editable field are only visible on the Administrators and/or Users page. 		Not applicable
2FA Enabled (2) and
Re-seed 2FA 		The 2FA Enabled field's check box for a SafeShare administrator's account is selected if that user has two-factor authentication (2FA) enabled on their account. (This field is also editable through the user's own My Account feature.)
If this check box is selected for a SafeShare administrator's account, then the Re-seed button becomes available for that account in the Re-seed 2FA column/field.
If a SafeShare administrator account does not have 2FA enabled, this field's check box is cleared for their account. The state of 2FA being enabled or disabled for SafeShare administrator accounts other than your own is only visible on the Administrators page. 		No

(2) While a SafeShare administrator can modify these fields' values for their Covata user account via the My Account feature through SafeShare Administration, the user can also modify these values via equivalent features in SafeShare for Web and other SafeShare products, as well as Organisation Administration (assuming they are a member of at least one organisation and have the required roles to access these features). A SafeShare administrator becomes a member of an organisation when:

Note: Other fields are associated with a SafeShare administrator's user account. However, these fields are either:

SafeShare administrators and user roles

Each Covata user must be assigned a role, which grants the user access to different sets of features available through the Covata Platform and Covata technologies. A Covata user is automatically granted the SafeShare administrator role when their user account is added through SafeShare Administration.

Note: Users can have more than one role (as explained in more detail in the following table):

  • A user with the SafeShare administrator role can also be granted the Organisation administrator role for any organisation.
  • A user with either of these administrator roles can also be granted either the Originator or Collaborator role for any organisation.
  • Likewise, a user with either the Originator or Collaborator role in any organisation can have the SafeShare administrator and/or Organisation administrator roles.
Role Description
SafeShare administrator A Covata user with the SafeShare administrator role can access all administration features of their Covata Platform instance made available through the SafeShare Administration interface.
A Covata user's account is granted this role when the user is either: Notes:
  • Other than the ability to administer the Covata Platform, a Covata user who only has the SafeShare administrator role does not have access to the features of Covata technologies available to Covata users with other roles. These other roles (detailed in the next row):
    • are granted to Covata users by the Organisation administrators of organisations configured on the Covata Platform and
    • are specific to each organisation.
    A Covata user with the SafeShare administrator role only, however, can grant themselves the Organisation administrator role for an organisation by making themselves the administrator of this organisation when they add/create the organisation.
  • Only SafeShare administrators can add the SafeShare administrator role to another Covata user by adding the user's account through SafeShare Administration.
Other Covata user roles Covata users with roles other than the SafeShare administrator role can access other features of their organisations' access to the Covata Platform relating to the manipulation and handling of files. For more information about these other Covata user roles, see An organisation user's roles in the SafeShare Organisation Administration section of this guide.
  • A SafeShare administrator can grant any Covata user (including themselves) the Organisation administrator role for an organisation, at the time of creating the organisation.
  • An Organisation administrator can administer all aspects of their organisations' access to the Covata Platform through SafeShare products and the Covata Platform's API.
  • An Organisation administrator can grant themselves and other Covata users the Originator or Collaborator roles for manipulating and handling files within their organisations.
  • Only Organisation administrators within an organisation can grant the Organisation administrator role for their organisation to any other Covata user.

Adding a SafeShare administrator account

This procedure describes how to add a SafeShare administrator user account to the Covata Platform. This process grants the Covata user the SafeShare administrator role.

To add a SafeShare administrator user to the Covata Platform:

  1. Ensure you are signed in to SafeShare Administration.
  2. Click the Administrators option on the left of the SafeShare Administration interface to open the Administrators page.
  3. Click the Add New button.
  4. In the Add New SafeShare Administrator dialog box, specify the email address of the user.
  5. Click Save and the user (now a SafeShare administrator) will appear as a new entry on the Administrators page.
    Notes:
    • If this user's email address has not yet been registered on the Covata Platform, a new Covata user account is automatically created for them. This user's:
    • If this user already has a user account on the Covata Platform, their account is granted the SafeShare administrator role (and if this user account was not already a member of any organisation, their account is enabled). Although this user is not sent an email notification as a result of being granted the SafeShare administrator role, this user will be able to access SafeShare Administration the next time they sign in.

Removing SafeShare administrators

Removing a Covata user account from SafeShare Administration:

Note: Removing a Covata user account from SafeShare Administration does not delete this account from the Covata Platform. If a Covata user (previously removed from SafeShare Administration) is added back again or granted other user roles (which would provide the user with access to features such as file handling and manipulation within their organisation/s on the Covata Platform), then the same user account is re-utilised. Any fields that the user had previously edited/customised are retained.

To remove a Covata user account from SafeShare Administration:

  1. Ensure you are signed in to SafeShare Administration.
  2. Click the Administrators option on the left of the SafeShare Administration interface to open the Administrators page.
  3. Find the SafeShare administrator whose account is to be removed from SafeShare Administration and select their check box on the left.
  4. Click the
    Remove User button
    (Remove User) button which appears at the top and then Yes on the confirmation message box to continue.
    The selected user accounts are removed from SafeShare Administration and will no longer have access to the SafeShare Administration interface and its features.

Editing your SafeShare administrator account

This procedure describes how to edit the fields of your (SafeShare administrator) user account on the Covata Platform.

To edit your SafeShare administrator user account:

  1. Ensure you are signed in to SafeShare Administration.
  2. Click your email address at the top-right of the page and choose My Account from the drop-down menu.
  3. In the Account Details section of the subsequent page, update any of your user account's fields (described in detail above).
    Note: The Email addresses of all Covata user accounts on the Covata Platform are unique and since this field may be used for auditing purposes, no Covata user account's email address field can be edited. However, to update the email address of your user account and/or those of other SafeShare administrators, then for each of these users:
    1. Add a new SafeShare administrator account (with their new email address). For each account whose Account Type is LDAP, obtain the new email address from your LDAP server/user directory administrator in order to add their account (with this email address) to SafeShare Administration.
    2. Remove the user's old Covata user account.
  4. Click Save and your user account's fields will be updated.
    Notes:
    • If you cannot edit your user account's fields, then your Account Type is likely to be LDAP. (Be aware that additional field information, such as the Account Type, are only visible through the 'Users' page of SafeShare Organisation Administration.) The fields of LDAP user accounts are edited through their respective LDAP servers' user directories and are updated on the Covata Platform during synchronisation events with these user directories. See Configuring LDAP for more information.
    • Other than your own Covata user account, it is not possible to edit the fields (above) of any other Covata user accounts.

Changing your SafeShare administrator account password

Only a Covata user with the Local Account Type who has signed in to either SafeShare for Web or SafeShare Administration can change their own password.

Note: The authentication of an LDAP user on the Covata Platform is delegated to its respective LDAP server. If you have an LDAP user account and wish to change its password, you will need to contact your LDAP administrator for details on how to do this (e.g. through the user account on your LDAP server/user directory). See Configuring LDAP for more information.

To change your password:

  1. Ensure you are signed in to SafeShare Administration.
  2. Click your email address at the top-right of the page and choose My Account from the drop-down menu.
  3. In the Security section of the subsequent page, click the Change password button.
  4. On the Set your password... page, specify your current password and then your new password twice (i.e. once more to verify it).
  5. Click the Change button and your Covata user account's password is now changed.

Terminating your SafeShare administrator account's sessions

Terminating your SafeShare administrator account's sessions immediately invalidates all of your currently valid refresh tokens. This action immediately signs you out of your current SafeShare Administration session and then every other SafeShare application with which you have an active session (i.e. once these sessions' access tokens expire). This also includes any other client applications using the Covata Platform's resources with access tokens obtained through your account.

This feature is useful if your SafeShare administrator account is at risk of being compromised - for example, you suspect that you forgot to sign out from a shared computer or you were signed in from a laptop that was either lost or stolen before you signed out.

To terminate your SafeShare administrator account's sessions:

  1. Ensure you are signed in to SafeShare Administration.
  2. Click your email address at the top-right of the page and choose My Account from the drop-down menu.
  3. In the Security section of the subsequent page, click the Terminate button.
    Your current SafeShare Administration session with the Covata Platform is terminated immediately, which also results in you being signed out from your current session. You will need to sign in again to gain access to SafeShare for Web, as well as your Covata Platform's resources.
    Note: Every other SafeShare application with which you have an active session (including any other client applications using the Covata Platform's resources with access tokens obtained through your account), will be terminated once these sessions' access tokens expire.

Enabling or disabling 2FA for a SafeShare administrator

If required, any SafeShare administrator user account (including your own) can be configured with two-factor authentication (2FA) by enabling this feature on such an account.

If 2FA has been enabled on a Covata user account, then in order to successfully sign in through this account (on the Covata Sign-in page), the user is required to enter both their password (i.e. the 1st authentication factor) as well as an authentication code obtained from an authenticator application (aka authenticator app) running on the user's mobile device (i.e. the 2nd authentication factor).

The 2FA feature supports the following mobile devices and authenticator apps:

  • Android-based devices running the Google Authenticator app,
  • Apple's iPhone, iPad or iPod Touch devices running the Google Authenticator app, or
  • Microsft Windows-based devices running Microsoft's authenticator app.

Notes:

  • Before enabling 2FA on a SafeShare administrator account, you may wish to confirm if the user of this account is in possession of any one of these supported mobile devices (above), or notify the user that they will require access to one of these devices to continue signing in through the Covata Sign-in page.
  • The URLs to download the appropriate authenticator app for a supported device are available to users when they configure 2FA on their accounts (and are themselves configurable through the Configuration page).

To enable or disable 2FA on your and/or other SafeShare administrator account/s:

  1. Ensure you are signed in to SafeShare Administration.
  2. Click the Administrators option on the left of the SafeShare Administration interface to open the Administrators page.
  3. Find the SafeShare administrator (or SafeShare administrators) account/s whose 2FA settings are to be enabled or disabled.
  4. Do either of the following:
    • To enable 2FA on the account/s, select the check box/es (in the 2FA Enabled column) of the relevant user account/s, which immediately enables 2FA on the account/s.
      Each SafeShare administrator with 2FA enabled in this manner is sent an email notification informing them that 2FA has been enabled for their account. This email message contains a time-limited link, which leads to step-by-step instructions for the user to:
      1. Configure their mobile device with the appropriate authenticator app.
      2. Configure the authenticator app (once installed) with their Covata user account, so that the authenticator app can generate the appropriate authentication codes (for the 2nd authentication factor).
    • To disable 2FA on the account/s, clear the check box/es (in the 2FA Enabled column) of the relevant user account/s, which disables 2FA on the account/s.
      Each SafeShare administrator with 2FA disabled in this manner is sent an email notification informing them that 2FA has been disabled for their account.

Tip: You can also enable or disable 2FA on your own SafeShare administrator account by:

  1. Ensuring you are signed in to SafeShare Administration.
  2. Clicking your email address at the top-right of the page and choosing My Account from the drop-down menu.
  3. In the Security section of the subsequent page, clicking the Enable/Disable button to the right of Two-factor authentication.

Re-configuring 2FA for a SafeShare administrator

While two-factor authentication (2FA) is enabled on a SafeShare administrator's account, the user might lose the ability to generate authentication codes for their 2nd authentication factor (explained in more detail above) due to any of the following reasons:

  • The SafeShare administrator deleted their Covata user account configuration from the authenticator application (app) installed on their mobile device.
  • The time-limited link for configuring 2FA expired before the SafeShare administrator had a chance to complete the 2FA configuration process. This is the link contained in the email notification informing the SafeShare administrator that 2FA has been enabled on their account.
  • The SafeShare administrator lost their mobile device. The user will require a replacement device in order to continue signing in through the Covata Sign-in page with 2FA enabled on their account.

If one of these scenarios occurs, the SafeShare administrator will no longer be able to sign in through the Covata Sign-in page and they may likely send you or any other SafeShare administrator an email message about one of these scenarios having occurred (via 'contact your administrator' feature on the Authentication code request page as they attempt to sign in through the Covata Sign-in page).

Therefore, to resolve this situation, the SafeShare administrator requires 2FA to be re-configured (aka re-seeded) for their account.

To re-configure 2FA on one or more SafeShare administrator account/s:

  1. Ensure you are signed in to SafeShare Administration.
  2. Click the Administrators option on the left of the SafeShare Administration interface to open the Administrators page.
  3. Find the SafeShare administrator (or SafeShare administrators) whose user account/s are to be re-configured for 2FA.
  4. Click the Re-seed button (in the Re-seed 2FA column) associated with the account/s. This button is only available on SafeShare administrator accounts with 2FA already enabled.
    Each SafeShare administrator with 2FA re-configured in this manner is sent an email notification informing them that 2FA has been enabled for their account, similar to the email notification they received when 2FA was enabled on their account. This email message contains a new time-limited link, leading to step-by-step instructions for the user to:
    1. (Re-)configure their mobile device with the appropriate authenticator app (should the user need to conduct this step again).
    2. (Re-)configure the authenticator app (once installed) with their Covata user account, which allows the authenticator app to generate the appropriate authentication codes for the 2nd authentication factor.