SafeShare Administrator's Guide
Administering SafeShare administrator users

All features of Cocoon Data technologies are accessed through a Cocoon Data user account. The core features include the ability to:

  • Administer the Cocoon Data Platform (through SafeShare Administration and/or Organisation Administration),
  • Create encrypted files (i.e. file objects / Secure Objects (1)) within an organisation,
  • Access and decrypt an encrypted file's data, and
  • Utilise Cocoon Data SafeShare applications.

A Cocoon Data user who has the SafeShare administrator role (also simply known as a 'SafeShare administrator'):

  • Has permission to administer organisations that utilise the Cocoon Data Platform and its associated Cocoon Data technologies.
  • Is represented by a user account which can be added, removed and re-added by any other SafeShare administrator through the Administrators page, and edited by the user themselves.

(1) A file object / Secure Object is defined as Cocoon Data-encrypted data that has been registered on the Cocoon Data Platform, along with the properties associated with this encrypted data. For more information about file objects, see Administering files within the Organisation Administration section of this guide.

Administrators page

A SafeShare administrator user's fields

Each Cocoon Data user's account is defined by a set of fields described in the table below, of which only the Email field can be specified when a SafeShare administrator's account is added through SafeShare Administration.

A SafeShare administrator user can configure their own user account's fields when they edit their own account.

Unless stated in the following table, these fields and their values are visible on the Administrators page of SafeShare Administration.

Field: Email
Description: The email address that forms part of a user's credentials, which the user requires to authenticate to the Cocoon Data Platform. This email address:
  • Defines the user's identity and hence, must be unique amongst all user accounts on the Cocoon Data Platform.
  • Is the email address that the Cocoon Data Platform sends notifications to.
  • Cannot be edited once the account has been created.
Required: Yes

Field: First Name (2)
Description: A user's first name (e.g. a given name or nickname). This field is only editable through the user's own My Account feature.
Required: No

Field: Last Name (2)
Description: A user's last name (e.g. a surname or family name). This field is only editable through the user's own My Account feature.
Required: No

Field: Other Name (2)
Description: A user's middle name (e.g. one or more other given names). This field is only visible and editable through the user's own My Account feature.
Required: No

Field: Mobile Number (2)
Description: The mobile number of a user. This field is only visible and editable through the user's own My Account feature.
Note: This number must include the country calling code and plus (+) sign prefix (e.g. +1 234 567 8910 for a US-based number).
Required: No

Field: Default Language (2)
Description: The language preference/settings for a user. Any changes to this field apply immediately to the user interfaces of SafeShare Administration, SafeShare for Web and Organisation Administration (if the user has access to these features). This field is only visible and editable through the user's own My Account feature.
Note: This setting overrides the System Default language (defined through the Internationalisation page).
Required: No

Field: Locked
Description: This field indicates 'Yes' if a Cocoon Data user account has been locked as a result of the user mistyping their password more than the maximum number of times configured by a SafeShare administrator. The user themselves will need to unlock this account by following the instructions in their 'account lockout' notification (or by resetting their password via any of the options on the Cocoon Data Sign-in page). If a user account is not locked, this field indicates nothing. The values of this non-editable field are only visible on the Administrators and/or Users page.
Required: Not applicable

Field: MFA Enabled (2) and Re-seed MFA
Description: The MFA Enabled field's check box for a SafeShare administrator's account is selected if that user has multi-factor authentication (MFA) enabled on their account. (This field is also editable through the user's own My Account feature.) If this check box is selected for a SafeShare administrator's account, then the Re-seed button becomes available for that account in the Re-seed MFA column/field. If a SafeShare administrator account does not have MFA enabled, this field's check box is cleared for their account. The state of MFA being enabled or disabled for SafeShare administrator accounts other than your own is only visible on the Administrators page.
Required: No

(2) While a SafeShare administrator can modify these fields' values for their Cocoon Data user account via the My Account feature through SafeShare Administration, the user can also modify these values via equivalent features in SafeShare for Web and other SafeShare products, as well as Organisation Administration (assuming they are a member of at least one organisation and have the required roles to access these features). A SafeShare administrator becomes a member of an organisation when:

Note: Other fields are associated with a SafeShare administrator's user account. However, these fields are either:

  • only visible through the 'Users' page of Organisation Administration, or
  • used internally by the Cocoon Data Platform and are therefore only exposed to a limited extent through user interfaces (or not exposed at all).

SafeShare administrators and user roles

Each Cocoon Data user must be assigned a role, which grants the user access to different sets of features available through the Cocoon Data Platform and Cocoon Data technologies. A Cocoon Data user is automatically granted the SafeShare administrator role when their user account is added through SafeShare Administration.

Note: Users can have more than one role (as explained in more detail in the following table):

  • A user with the SafeShare administrator role can also be granted the Organisation administrator role for any organisation.
  • A user with either of these administrator roles can also be granted either the Originator or Collaborator role for any organisation.
  • Likewise, a user with either the Originator or Collaborator role in any organisation can have the SafeShare administrator and/or Organisation administrator roles.

Role: SafeShare administrator
Description: A Cocoon Data user with the SafeShare administrator role can access all administration features of their Cocoon Data Platform instance made available through the SafeShare Administration interface.
A Cocoon Data user's account is granted this role when the user is either:
Notes:
  • Other than the ability to administer the Cocoon Data Platform, a Cocoon Data user who only has the SafeShare administrator role does not have access to the features of Cocoon Data technologies available to Cocoon Data users with other roles. These other roles (detailed in the next row):
    • are granted to Cocoon Data users by the Organisation administrators of organisations configured on the Cocoon Data Platform and
    • are specific to each organisation.
    A Cocoon Data user with the SafeShare administrator role only, however, can grant themselves the Organisation administrator role for an organisation by making themselves the administrator of this organisation when they add/create the organisation.
  • Only SafeShare administrators can add the SafeShare administrator role to another Cocoon Data user by adding the user's account through SafeShare Administration.

Role: Other Cocoon Data user roles
Description: Cocoon Data users with roles other than the SafeShare administrator role can access other features of their organisations' access to the Cocoon Data Platform relating to the manipulation and handling of files. For more information about these other Cocoon Data user roles, see An organisation user's roles in the Organisation Administration section of this guide.
  • A SafeShare administrator can grant any Cocoon Data user (including themselves) the Organisation administrator role for an organisation, at the time of creating the organisation.
  • An Organisation administrator can administer all aspects of their organisations' access to the Cocoon Data Platform through SafeShare products and the Cocoon Data Platform's API.
  • An Organisation administrator can grant themselves and other Cocoon Data users the Originator or Collaborator roles for manipulating and handling files within their organisations.
  • Only Organisation administrators within an organisation can grant the Organisation administrator role for their organisation to any other Cocoon Data user.

Adding a SafeShare administrator account

This procedure describes how to add a SafeShare administrator user account to the Cocoon Data Platform. This process grants the Cocoon Data user the SafeShare administrator role.

To add a SafeShare administrator user to the Cocoon Data Platform:

  1. Ensure you are signed in to SafeShare Administration.
  2. Click the Administrators option on the left of the SafeShare Administration interface to open the Administrators page.
  3. Click the Add New button.
  4. In the Add New SafeShare Administrator dialog box, specify the email address of the user.
  5. Click Save and the user (now a SafeShare administrator) will appear as a new entry on the Administrators page.
    Notes:
    • If this user's email address has not yet been registered on the Cocoon Data Platform, a new Cocoon Data user account is automatically created for them. This user's:
    • If this user already has a user account on the Cocoon Data Platform, their account is granted the SafeShare administrator role (and if this user account was not already a member of any organisation, their account is enabled). Although this user is not sent an email notification as a result of being granted the SafeShare administrator role, this user will be able to access SafeShare Administration the next time they sign in.

Removing SafeShare administrators

Removing a Cocoon Data user account from SafeShare Administration:

Note: Removing a Cocoon Data user account from SafeShare Administration does not delete this account from the Cocoon Data Platform. If a Cocoon Data user (previously removed from SafeShare Administration) is added back again or granted other user roles (which would provide the user with access to features such as file handling and manipulation within their organisation/s on the Cocoon Data Platform), then the same user account is re-utilised. Any fields that the user had previously edited/customised are retained.

To remove a Cocoon Data user account from SafeShare Administration:

  1. Ensure you are signed in to SafeShare Administration.
  2. Click the Administrators option on the left of the SafeShare Administration interface to open the Administrators page.
  3. Find the SafeShare administrator whose account is to be removed from SafeShare Administration and select their check box on the left.
  4. Click the Remove User button which appears at the top and then Yes on the confirmation message box to continue.
    The selected user accounts are removed from SafeShare Administration and will no longer have access to the SafeShare Administration interface and its features.

Editing your SafeShare administrator account

This procedure describes how to edit the fields of your (SafeShare administrator) user account on the Cocoon Data Platform.

To edit your SafeShare administrator user account:

  1. Ensure you are signed in to SafeShare Administration.
  2. Click your email address at the top-right of the page and choose My Account from the drop-down menu.
  3. In the Account Details section of the subsequent page, update any of your user account's fields (described in detail above).
    Note: The email addresses of all Cocoon Data user accounts on the Cocoon Data Platform are unique and, since this field may be used for auditing purposes, no Cocoon Data user account's email address field can be edited. To change the email address of your user account and/or those of other SafeShare administrators, do the following for each of these users:
    1. Add a new SafeShare administrator account (with their new email address). For each account whose Account Type is LDAP, obtain the new email address from your LDAP server/user directory administrator in order to add their account (with this email address) to SafeShare Administration.
    2. Remove the user's old Cocoon Data user account.
  4. Click Save and your user account's fields will be updated.
    Notes:
    • If you cannot edit your user account's fields, then your Account Type is likely to be LDAP. (Be aware that additional field information, such as the Account Type, is only visible through the 'Users' page of Organisation Administration.) The fields of LDAP user accounts are edited through their respective LDAP servers' user directories and are updated on the Cocoon Data Platform during synchronisation events with these user directories. See Configuring LDAP for more information.
    • Other than your own Cocoon Data user account, it is not possible to edit the fields (above) of any other Cocoon Data user accounts.

Changing your SafeShare administrator account password

Only a Cocoon Data user with the Local Account Type who has signed in to either SafeShare for Web or SafeShare Administration can change their own password.

Note: The authentication of an LDAP user on the Cocoon Data Platform is delegated to its respective LDAP server. If you have an LDAP user account and wish to change its password, you will need to contact your LDAP administrator for details on how to do this (e.g. through the user account on your LDAP server/user directory). See Configuring LDAP for more information.

To change your password:

  1. Ensure you are signed in to SafeShare Administration.
  2. Click your email address at the top-right of the page and choose My Account from the drop-down menu.
  3. In the Security section of the subsequent page, click the Change password button.
  4. On the Set your password... page, specify your current password and then your new password twice (i.e. once more to verify it).
  5. Click the Change button and your Cocoon Data user account's password is now changed.

Terminating your SafeShare administrator account's sessions

Terminating your SafeShare administrator account's sessions immediately invalidates all of your currently valid refresh tokens. This action immediately signs you out of your current SafeShare Administration session and then every other SafeShare application with which you have an active session (i.e. once these sessions' access tokens expire). This also includes any other client applications using the Cocoon Data Platform's resources with access tokens obtained through your account.

This feature is useful if your SafeShare administrator account is at risk of being compromised - for example, you suspect that you forgot to sign out from a shared computer or you were signed in from a laptop that was either lost or stolen before you signed out.

To terminate your SafeShare administrator account's sessions:

  1. Ensure you are signed in to SafeShare Administration.
  2. Click your email address at the top-right of the page and choose My Account from the drop-down menu.
  3. In the Security section of the subsequent page, click the Terminate button.
    Your current SafeShare Administration session with the Cocoon Data Platform is terminated immediately, which also results in you being signed out from your current session. You will need to sign in again to gain access to SafeShare for Web, as well as your Cocoon Data Platform's resources.
    Note: Every other SafeShare application with which you have an active session (including any other client applications using the Cocoon Data Platform's resources with access tokens obtained through your account), will be terminated once these sessions' access tokens expire.
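
The following added example (not code from the Cocoon Data Platform) models the behaviour described above: terminating sessions revokes every refresh token at once, while access tokens already held by other sessions keep working until they expire. The class, its method names and the 600-second access token lifetime are assumptions made for illustration.

```python
import secrets

ACCESS_TOKEN_TTL = 600  # seconds; assumed value, not a documented platform setting


class TokenService:
    """Hypothetical model: revocable refresh tokens, self-expiring access tokens."""

    def __init__(self):
        self.refresh_tokens = {}   # refresh token -> user email
        self.access_tokens = {}    # access token -> (user email, expiry time)

    def _issue_access(self, user, now):
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = (user, now + ACCESS_TOKEN_TTL)
        return access

    def sign_in(self, user, now):
        """Start a session: issue a refresh token and a first access token."""
        refresh = secrets.token_urlsafe(16)
        self.refresh_tokens[refresh] = user
        return refresh, self._issue_access(user, now)

    def refresh(self, refresh_token, now):
        """Exchange a still-valid refresh token for a new access token."""
        user = self.refresh_tokens.get(refresh_token)
        if user is None:
            raise PermissionError("refresh token revoked or unknown")
        return self._issue_access(user, now)

    def access_valid(self, access_token, now):
        entry = self.access_tokens.get(access_token)
        return entry is not None and now < entry[1]

    def terminate_sessions(self, user, current_access=None):
        """Revoke all of the user's refresh tokens and end the calling session."""
        self.refresh_tokens = {t: u for t, u in self.refresh_tokens.items() if u != user}
        self.access_tokens.pop(current_access, None)

    def exposure_window(self, user, now):
        """Seconds until the user's last outstanding access token expires."""
        left = [exp - now for u, exp in self.access_tokens.values() if u == user and exp > now]
        return max(left, default=0)


def demo():
    svc = TokenService()
    user = "admin@example.com"                          # constructed sample account
    refresh_a, access_a = svc.sign_in(user, now=0)      # current browser session
    refresh_b, access_b = svc.sign_in(user, now=100)    # session on a lost laptop
    svc.terminate_sessions(user, current_access=access_a)   # Terminate clicked at t=200
    results = {
        "current_session_valid": svc.access_valid(access_a, now=200),
        "other_session_valid_before_expiry": svc.access_valid(access_b, now=200),
        "exposure_window": svc.exposure_window(user, now=200),
        "other_session_valid_after_expiry": svc.access_valid(access_b, now=701),
    }
    try:
        svc.refresh(refresh_b, now=250)
        results["other_session_can_refresh"] = True
    except PermissionError:
        results["other_session_can_refresh"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

In this model the lost laptop's session remains usable for the remaining lifetime of its access token (500 seconds here), so the access token lifetime bounds how long a stolen session survives termination.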

Enabling or disabling MFA for a SafeShare administrator

If required, any SafeShare administrator user account (including your own) can be configured with multi-factor authentication (MFA) by enabling this feature on such an account.

If MFA has been enabled on a Cocoon Data user account, then in order to successfully sign in through this account (on the Cocoon Data Sign-in page), the user is required to enter both their password (i.e. the 1st authentication factor) as well as an authentication code obtained from an authenticator application (aka authenticator app) running on the user's mobile device (i.e. the 2nd authentication factor).

The MFA feature supports the following mobile devices and authenticator apps:

  • Android-based devices running the Google Authenticator app,
  • Apple's iPhone, iPad or iPod Touch devices running the Google Authenticator app, or
  • Microsoft Windows-based devices running Microsoft's authenticator app.

Notes:

  • Before enabling MFA on a SafeShare administrator account, you may wish to confirm if the user of this account is in possession of any one of these supported mobile devices (above), or notify the user that they will require access to one of these devices to continue signing in through the Cocoon Data Sign-in page.
  • The URLs to download the appropriate authenticator app for a supported device are available to users when they configure MFA on their accounts (and are themselves configurable through the Configuration page).

To enable or disable MFA on your and/or other SafeShare administrator account/s:

  1. Ensure you are signed in to SafeShare Administration.
  2. Click the Administrators option on the left of the SafeShare Administration interface to open the Administrators page.
  3. Find the SafeShare administrator (or SafeShare administrators) account/s whose MFA settings are to be enabled or disabled.
  4. Do either of the following:
    • To enable MFA on the account/s, select the check box/es (in the MFA Enabled column) of the relevant user account/s, which immediately enables MFA on the account/s.
      Each SafeShare administrator with MFA enabled in this manner is sent an email notification informing them that MFA has been enabled for their account. This email message contains a time-limited link, which leads to step-by-step instructions for the user to:
      1. Configure their mobile device with the appropriate authenticator app.
      2. Configure the authenticator app (once installed) with their Cocoon Data user account, so that the authenticator app can generate the appropriate authentication codes (for the 2nd authentication factor).
    • To disable MFA on the account/s, clear the check box/es (in the MFA Enabled column) of the relevant user account/s, which disables MFA on the account/s.
      Each SafeShare administrator with MFA disabled in this manner is sent an email notification informing them that MFA has been disabled for their account.

Tip: You can also enable or disable MFA on your own SafeShare administrator account by:

  1. Ensuring you are signed in to SafeShare Administration.
  2. Clicking your email address at the top-right of the page and choosing My Account from the drop-down menu.
  3. In the Security section of the subsequent page, clicking the Enable/Disable button to the right of Multi-factor authentication.

Re-configuring MFA for a SafeShare administrator

While multi-factor authentication (MFA) is enabled on a SafeShare administrator's account, the user might lose the ability to generate authentication codes for their 2nd authentication factor (explained in more detail above) for any of the following reasons:

  • The SafeShare administrator deleted their Cocoon Data user account configuration from the authenticator application (app) installed on their mobile device.
  • The time-limited link for configuring MFA expired before the SafeShare administrator had a chance to complete the MFA configuration process. This is the link contained in the email notification informing the SafeShare administrator that MFA has been enabled on their account.
  • The SafeShare administrator lost their mobile device. The user will require a replacement device in order to continue signing in through the Cocoon Data Sign-in page with MFA enabled on their account.

If one of these scenarios occurs, the SafeShare administrator will no longer be able to sign in through the Cocoon Data Sign-in page. They are likely to send you or another SafeShare administrator an email message about the scenario (via the 'contact your administrator' feature on the Authentication code request page as they attempt to sign in through the Cocoon Data Sign-in page).

Therefore, to resolve this situation, the SafeShare administrator requires MFA to be re-configured (aka re-seeded) for their account.

To re-configure MFA on one or more SafeShare administrator account/s:

  1. Ensure you are signed in to SafeShare Administration.
  2. Click the Administrators option on the left of the SafeShare Administration interface to open the Administrators page.
  3. Find the SafeShare administrator (or SafeShare administrators) whose user account/s are to be re-configured for MFA.
  4. Click the Re-seed button (in the Re-seed MFA column) associated with the account/s. This button is only available on SafeShare administrator accounts with MFA already enabled.
    Each SafeShare administrator with MFA re-configured in this manner is sent an email notification informing them that MFA has been enabled for their account, similar to the email notification they received when MFA was enabled on their account. This email message contains a new time-limited link, leading to step-by-step instructions for the user to:
    1. (Re-)configure their mobile device with the appropriate authenticator app (should the user need to conduct this step again).
    2. (Re-)configure the authenticator app (once installed) with their Cocoon Data user account, which allows the authenticator app to generate the appropriate authentication codes for the 2nd authentication factor.
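
The sketch below is an added example, not code from the Cocoon Data Platform. It shows how an authenticator app derives the 2nd-factor authentication code and why re-seeding matters after a device is lost. It assumes the codes are standard TOTP codes (RFC 6238, as generated by Google Authenticator) and that re-seeding replaces the account's shared secret; the MfaAccount class and its methods are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def totp(secret_b32, at_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, a 30 s time step and 6 digits."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(at_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class MfaAccount:
    """Hypothetical server-side MFA record for one user account."""

    def __init__(self):
        self.secret = None       # None means MFA is disabled

    def enable(self):
        """Generate a fresh 160-bit shared secret (the seed) for the authenticator app."""
        self.secret = base64.b32encode(secrets.token_bytes(20)).decode()
        return self.secret       # assumed to reach the user via the time-limited link

    reseed = enable              # assumption: re-seeding simply replaces the secret

    def disable(self):
        self.secret = None

    def verify(self, code, at_time, window=1):
        """Accept a code for the current time step or +/- `window` steps of clock drift."""
        if self.secret is None:
            return False
        return any(
            hmac.compare_digest(totp(self.secret, at_time + drift * 30), code)
            for drift in range(-window, window + 1)
        )


def reseed_demo(at_time=1_700_000_000):
    """Lost-device scenario: codes from the old seed are rejected after a re-seed."""
    account = MfaAccount()
    old_secret = account.enable()                   # seed configured on the lost device
    old_code = totp(old_secret, at_time)
    accepted_before = account.verify(old_code, at_time)
    new_secret = account.reseed()                   # an administrator clicks Re-seed
    return {
        "old_code_before_reseed": accepted_before,
        "old_code_after_reseed": account.verify(old_code, at_time),
        "new_code_after_reseed": account.verify(totp(new_secret, at_time), at_time),
    }


if __name__ == "__main__":
    print(reseed_demo())
```

Under these assumptions, a re-seed both restores the user's ability to sign in and stops the lost device's authenticator app from producing accepted codes.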