# Introduction The **User Managemen**t page is your central hub for configuring access and ensuring data security. **User Management** includes a plethora of different features, so this is an article that you’ll want to take in chunks! Refer back to it whenever you need a refresher on specific features. To access: 1. Click your avatar, then **User management**. ​ 2. With the page open. click links in the left pane to open each tab. ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1823943730/0bf25283a612b8cb82940f627441/user%2Bmanagement%2Bmenu%2Bpane.png?expires=1781782200&signature=5829f43a72bb73772a0d568fa43f2099a56c687647e59806f852a78b795fb0a3&req=dSglFcB6noZcWfMW1HO4zQPSkvJylNLnhq8bN%2BnxRds%2BGQnM%2FX9%2FA6puXKKf%0A4uuiup6V7xdmLsPrjHM%3D%0A) # Profile The **Profile** screen shows your personal account details, including email, name, username, phone number, and job title. ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1823940174/c2a363c82b3366dd191b9b79ab7d/user+management+profile+tab.png?expires=1781782200&signature=ce1518d92721c8341e4da723ee97e9bb8dd1d556d01904bf146d724790f799df&req=dSglFcB6nYBYXfMW1HO4zS7R3gGgbS1NH%2FWc2enCce5RRJtvg%2FteCeXQrOUx%0Ab7DYfKozYP0MwgxwaOg%3D%0A) **## Edit your profile** 1. Click the **Edit** icon to open up the editor. ​ 2. Make the changes and click **Save**. --- # Privacy & security The **Privacy & Security** screen shows authentication and account protection settings for your profile. ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1823940797/eab5ebcfaa0be51339447affea71/user+management+privacy+and+security+tab.png?expires=1781782200&signature=46a0d1d6be5e0489051f2f30f90c247e0219a9cf3cdbf4dd16afd0fbfc9f4676&req=dSglFcB6nYZWXvMW1HO4zdQsncZHJyY2O2XPka4Rk31o8gKF%2FX6O93oCRpyB%0A1RSNMWp3XicypjkGCpY%3D%0A) **## Set up passkey** 1. Click **Set up** and follow the on-screen instructions. This will depend on the device. ​ 2. The device will then ask you to confirm that you want to create a passkey. It will ask you to **authenticate** using your **fingerprint**, **face scan**, or **screen lock PIN/pattern**. ​ 3. Confirm what you have entered. ​ 4. Once you’ve authenticated, the passkey is created and saved on your device or in your device’s secure password manager. **## Set up Multi-factor authentication (MFA)** 1. Click **Set up** and follow the on-screen instructions. ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1823942320/4738760f62dd6c62bc442266b82f/user+management+mfa+qr.png?expires=1781782200&signature=dc4bd02356b8fb6c9dbe2faeed5b6e6453ccd4d809abc0e8f3eba05a27869575&req=dSglFcB6n4JdWfMW1HO4zeaiqzk7dolAiD5wtF4P4SNnWlP0uEkXZQzDiVX7%0A4cW9%0A) 2. Confirm the settings. The **Configuration** tab in MFA has three options: Don’t Force, Force (MFA) and Force except enterprise SSO. For more on SSO, check out the article [Set up SSO SAML and OIDC](https://docs.foundational.io/en/articles/12807462-set-up-sso-saml-and-oidc). **## Add security key** Click **Set up** and follow the on-screen instructions. **## Log out all other sessions** It’s not uncommon to have multiple active sessions. However, active sessions may allow access to sensitive data. The **log out all other sessions** feature terminates connections to your account across all devices and browsers, except for the one you are currently using. 1. Click **Log out all other sessions**. A warming message appears. ​ ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1823959063/8778314b4673ead46b1d576729a1/user+management+log+out+screen.png?expires=1781782200&signature=8822868c03169c0c481b853a4e855aeba81581ed679b63faf0923ec62dc17516&req=dSglFcB7lIFZWvMW1HO4zSs00ssIYrfhFIHmy0WL4oVY5UFj5vYmVO4LBnTV%0AcneX%0A) 2. If you’re sure, click **Log out all**. ​ 3. Log in again next time you open Foundational. **## Log out** Simply click **Log out**! --- # Users The **Users** screen shows all members in your workspace, including their roles, status, and access levels. There are two user roles: **Admin** and **Read Only**. Only admins can add / remove users and edit SSO and authentication configurations. ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1823961146/c623475ac6a01af112fc9913be38/user+management+users+tab.png?expires=1781782200&signature=23534319345ebf37b574ffddaad56db671cd4deebf67f5be48681ebaa10bc258&req=dSglFcB4nIBbX%2FMW1HO4zbi7yltqB38XzMnTpcXtvkSZEmBqdvNZ61qSvClS%0ALznJIoPWv8%2Bkpp%2Bppgc%3D%0A) **## Add users** 1. At the top of the screen, click **Invite.** A new screen opens. ​ 2. Add the new user’s email, role and full name. ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1823961436/79c1c66195d55a92ca4be9eae756/user+management+invite+add+user.png?expires=1781782200&signature=0962040f3fe075f5d55fa0396b3e66a11b4ca68595ea251278a229b8dcd0f88d&req=dSglFcB4nIVcX%2FMW1HO4zcGaobN2olr%2BAFf%2BwmFxM9UPweim%2B%2FLKJniQ4YRI%0Ajl5d%0A) 3. Click **Invite**. The person receives an email. When they click a link in the email to accept, the user’s status changes from **Pending approval** to show the date they joined. If the person doesn’t see the email in their Inbox, ask them to check their Spam folder. **## Delete users** From the **User** screen, select the user, click the 3 dots and select **Delete User**. **## Disable users** From the **User** screen, select the user, click the 3 dots and select **Disable User**. **## Resend invite** From the **User** screen, select the user, click the 3 dots and select **Resend invitation email**. ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1823963430/cd65e12c96ce50760f6fe15714e9/user+management+resend+invite.png?expires=1781782200&signature=56de269a56074da53e9045472aab3bbef27f6757212b8f1d1a858e21344fb93d&req=dSglFcB4noVcWfMW1HO4zUAucaLtCG65h3sU6CaFZ3QhQq3gD32LDV28pGdG%0Aem3xaVa%2FskwK3R2mCV0%3D%0A) **## Find users** Enter a text string in the search bar. --- # Security Admins only. The **Security** screen shows workspace-level authentication and authorization configurations. There’s more than one way to manage security features in Foundational. - You can click **Manage** against each listed vulnerability (1-2 in the screenshot) and follow the on-screen options. ​ - Alternatively, select one of the quadrants in the **Security check** up section (3-6 in the screenshot), click **Manage** and follow the on-screen options. ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1827393522/f9a6e567a47f7f346e1cae9b731f/user+management+security+screen+with+numbers.png?expires=1781782200&signature=2e8e995594b5193259665480f2c1a18d517d5cea4bc76bacb0b06c3a8925c250&req=dSglEcp3noRdW%2FMW1HO4zRNxalxSDVzUXhD9huutYEKAlNjl%2BKJok3nm9gDc%0AN%2FYLr%2FV94%2Fm%2BFLuuM70%3D%0A) | # | Screen Element | Description | | --- | -------------------------------- | ----------------------------------------------------------------------------------------- | | 1 | Vulnerability warnings | Click **Manage** to open up the options to mitigate the vulnerability. | | 2 | Show more | Click to ensure you see all identified vulnerabilities. | | 3 | Security check up - MFA | Shows the number of affected accounts. Click **Manage** to alter configurations. | | 4 | Security check up - Sessions | Shows the number of affected sessions. Click **Manage** to alter configurations. | | 5 | Security check up - Inactivity | Shows the number of affected users. Click **Manage** to alter configurations. | | 6 | Security check up - Restrictions | Shows the number of affected IPs and domains. Click **Manage** to alter configurations. | **## Force MFA** MFA is the best security measure you can take. By forcing MFA, all users in your account will be required to set up MFA on their next login. 1. From the **Security** main screen, at the section **Force MFA for all users,** click **Manage**. A new screen opens with with 2 tabs: **Summary** and **Configuration**. ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1823986762/0e1e64bbb6899021eda739563a9d/user+management+security+force+mfa.png?expires=1781782200&signature=3a05b6f8fa1fa5746fa271630b80e8daac374112923d35cf53a1c898ecde1ce8&req=dSglFcB2m4ZZW%2FMW1HO4zXgVahTrmFEckaWmEFBvFdlaWcbLrJnGRQ1iQ1xg%0AUZTY%0A) 2. The **Summary** tab shows which users have MFA. 3. The **Configuration** tab gives the options to: 1. Not enforce 2. Enforce 3. Force except enterprise SSO **## Control session timeouts** Idle session timeout ensures idle sessions don’t become targets for attack. 1. From the **Security** main screen, at the section **Enable Idle Session**, click **Manage** or click **Manage** in the **Sessions** quadrant (#4). ​ 2. Enable the toggle and set the number of days for the timeout. ​ 3. Click **Save**. **## Control the maximum number of concurrent sessions** Max concurrent sessions ensures users don’t open too many sessions, which can be unsafe. 1. From the **Security** main screen, at the section **Enable max concurrent sessions**, click **Manage** or click **Manage** in the **Sessions** quadrant (#4) ​ 2. Enable the toggle and set maximum number of days. ​ 3. Click **Save**. **## Enforce relogin** Setting a force relogin policy ensures user sessions don't last too long and risk becoming compromised. 1. From the **Security** main screen, at the section **Enable reforce login**, click **Manage** or click **Manage** in the **Sessions** quadrant (#4). ​ 2. Enable the toggle **Force Re-login** and set the number of days. ​ 3. Click **Save**. **## Restrict IPs and domains** IP restrictions let you tightly control which IP addresses can access your account. You can control access to IP addresses and domains. 1. From the **Security** main screen, at the section **Enable IP restrictions**, click **Manage**. A new screen opens with with 2 tabs: **IP** and **Domain**. ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1824010788/f3d080c902807d8c37eba0929169/user+management+IP+restrictions.png?expires=1781782200&signature=6e74601537eec717f86e5a2a0dc427f88047ceb0c5811cff2a0921de25b5512b&req=dSglEsl%2FnYZXUfMW1HO4zcU9X1LgB3BX%2BGfe2%2FeEDPDH%2BL466X8lCwOPKkfP%0A8Swf%0A) 2. To restrict IP addresses, on the **IP** tab, enable the toggle. A new screen opens. ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1824011094/36fc13cb57866538fd4cf5f7ebcb/user+management+IP+add.png?expires=1781782200&signature=ad04b5217067090e2ecffe819a2cecfc8adb063f83c9c439a09afeddf4e32229&req=dSglEsl%2FnIFWXfMW1HO4zXB2BRX7ufwArltfERXgizqSiyJ3ZYj9GwF2fHbo%0AjR47%0A) 3. Click **Add my IP** and save the change. 4. To restrict domains, on the **Domain** tab, enable the toggle. Only users with approved email domains can be invited to / join your account. Adding domains does not affect existing users. --- # SSO Admins only. Setting up SSO in Foundational is a key part of your setup and requires the Admin role in Foundational and admin permissions in your IdP. ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1824004297/65d89d9f33923376cf776003383a/user+management+sso+tab.png?expires=1781782200&signature=ee583ce03f97711132bb6bfdd7afccb57ecc175a74ced8be3cbaf3623a082567&req=dSglEsl%2BmYNWXvMW1HO4zTPe56a6%2FRjTpFWhktcXU%2ByarwebSwemgekzVdkc%0ARQHT4uz453MlAKqZaO4%3D%0A) Generally, your IT support sets up SSO either as part of the [First time login](https://app.intercom.com/a/apps/pbbyfcys/knowledge-hub/all-content?activeContentId=14444297&activeContentType=article) process or very soon after that. To connect your IdP to Foundational, check out the article [Set up SSO SAML and OIDC](https://docs.foundational.io/en/articles/12807462-set-up-sso-saml-and-oidc). --- # Provisioning Admins only. The **Provisioning** screen shows setup options for automated user account management. Use this screen to configure your IdP to connect to Foundational. ​ Generally, your IT support sets up Provisioning either as part of the [First time login](https://docs.foundational.io/en/articles/12807345-first-time-login) process or very soon after that. To set up Provisioning, check out the article [Set up SCIM provisioning](https://docs.foundational.io/en/articles/12807578-set-up-scim-provisioning). --- # Audit logs The **Audit Logs** screen shows a detailed record of user actions, login events, and account changes across your workspace. Use this screen to: - Monitor user activity and access patterns. - Verify login events and performed actions. - Export logs for security review. ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1824018815/31631b7266a372ec54bf6035e2ba/user+management+audit+logs.png?expires=1781782200&signature=adeba535cdd61212aa1c6cfad44288a75937cf321113839c35fef8195f06ff75&req=dSglEsl%2FlYleXPMW1HO4zeHSNfSbf3kMJJtn%2FmRiust2KjacKhSnr389Rpuf%0AdAwr%0A) **## Download audit logs** Click **Download** to download to .csv. **## Filter audit logs** Click the filter icon to open the pane and enter the text string. ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1824020087/18c74eabc9598ae5d8e1c28ebd42/user+management+filter+audit+logs.png?expires=1781782200&signature=7b18c211bd540314f9a68c761a86db15743aa1c19d1e3552832a193ae665b79c&req=dSglEsl8nYFXXvMW1HO4zS6CyBrSjsQln0fay%2FVYK7e%2FP2MRASE%2BcJ5ochqL%0AiWnJDtw5PyllweD9KlI%3D%0A) --- # API tokens The **API Tokens** screen shows all existing tokens used for integrations or automation. Each token includes details such as description, role, type, expiry date, and creator. From this screen you can add and delete API tokens. ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1824021165/9ec1417d3aa6d4320868a7a0a7a4/user+maangement+api+tokens.png?expires=1781782200&signature=4232845133c6128741c9b9a1931193f100ea9e3371a0a3d872236e3bca3b9de5&req=dSglEsl8nIBZXPMW1HO4zadAjd6oU3GfvMUj%2Fo0C%2BF0YUuGP%2F7pwkkBnFtmP%0Aj5mqFiPL1uAYhuTwbd4%3D%0A) For more details, check out the article [Create API Tokens](https://docs.foundational.io/en/articles/9920307-create-api-tokens). ​