User administration with HighQ accounts

A System Administrator can manage users associated with Collaborate. Open
System Admin
from your profile menu, then click
User
admin
:
The
User administration
section provides several tools for managing existing users. By default, the
User administration
section displays a search form:
Enter search terms and select filters, then select
Search
.
  • Display Name
    - Enter the display name of the user here.
  • Domain
    - Type all or part of a domain name, then select from the list. Alternatively, select a domain from the left pane to add it directly to the text box.
  • Email address
    - Any part of the email address of the user or users to be managed: the prefix ("jsmith") or the suffix ("abc.com") or the entire email address.
  • Status
    - the search looks for active users, but this filter allows you to search for archived, inactive or locked users.
    • An
      active
      user can log in and access their Collaborate account and any sites they have access to.
    • An
      archived
      user can no longer log in and is no longer available as a member of any site.
    • An
      inactive
      user's account is suspended but they are not archived.
    • A
      locked
      user cannot access the instance as they made too many failed login attempts.
  • Created date
    - Search using the filters to see all users created on this HighQ instance over a custom period.
  • Last login date
    - Search using the filters to see users' last login dates for this instance.
  • Orphaned users
    - Users who were added to at least one site in the past but now have been removed from every site. An orphaned user can log in to Collaborate, but they will not have access to any content.
  • User roles
    - limit the search to the selected admin roles.
  • Never logged in
    - Users who were added to at least one site but never confirmed their account and never logged in to this HighQ instance, either because no invitation was sent, the user ignored an invitation that was sent, or the email invitation was trapped in the user's spam filter. (Inactive users are not the opposite of Active users.)
  • User registered for 2FA with app
    - Search for users who have registered for 2FA with an app.
  • User type
    - limit the search to the selected account type:
    All
    ,
    Internal
    ,
    External
    or
    Basic
    .
  • Users granted bypass of XSS protection
    - Filter for users with permission to add custom JavaScript to a site.
When the search is performed, a list of matching users is displayed at the bottom of the page:
You can change the order of the search results to follow the
Last login
dates. Click the sort icon next to
Last login
to sort the results in ascending order; click again to change to descending order.
note
This is helpful when finding users who have not logged in for a long time so they may be Archived.

Individual user actions

Above the list of users is a group of action buttons. To take an action, check the box next to a user and select the appropriate action.
note
Although a checkbox is shown next to each user, most actions can be taken for only one user at a time.
  • Reset
    - Reset sends an email with a reset password link to the selected user(s). As with all password reset requests, the user's password is not reset until the user clicks on the link in the email and then enters a new password on the reset password screen.
  • Invite
    - Invite sends an email invitation to the selected user(s). This invitation contains a link that allows the user to activate their account. If the user's account has already been activated, the link takes the user to the login page.
  • Roles
    - The Roles action allows a System Administrator to give the selected user certain system-level roles. The roles available are a function of whether the user is an internal or external user, and if they can bypass XSS protection.
    • External Users
      - External users are users associated with organisations not maintained by this HighQ instance. Two options are available: External Admin and External User.
      note
      Do not uncheck the
      External User
      box. Currently, making a user an External Admin does not grant them any extra rights.
    • Internal Users
      - Internal users are users associated with the organisations that maintain the instance of Collaborate. (This determination will be made automatically if the user's email domain is associated with the internal organisation.) 
For internal users choose an option:
  • System Admin
    - these users have full control over the system, can create new sites and can access any site (except for sites that are password protected or IP address restricted) and any data in those sites. This role should be given out sparingly.
  • Internal User
    (do not uncheck this box) - an internal user without any special rights.
  • Create Site
    - a user who can create new sites and is automatically granted Site Administration rights to those sites. This role can be given out more liberally than the Internal Admin role.
  • System Config Admin
    - a user able to configure a Collaborate instance. This role cannot access user management or site content.
  • System User Admin
    - a user able to manage users and groups on a Collaborate instance. This role cannot access system configuration or site content.
  • Active
    - make an archived or inactive user account active. When searching for archived users, do not forget to filter on
    Status
    =
    Archived
    .
  • Move
    - Moves the selected user(s) to a different organisation and associated email domain.
  • Export
    - export all users listed in the search results to an Excel file.
  • Unlock User
    - the user's account has been locked because they failed to enter their password correctly over several attempts, this allows the user to log in again with their existing password, instead of requiring the user to change their password using the reset option.
  • Archive
    - this performs two actions. First, it removes the user's access from every site. Second, the user is archived, which means the user is no longer be able to log in to HighQ and their name does not appear in the Quick Search when new users are added to a site.
    note
    If the archived user is added to another site in the future, their account is reactivated, but only for the site they are added to, not any previously accessed sites. Once you have archived a user, a system administrator can anonymise a user to ensure your instance complies with GDPR.
    Click here to find out more about GDPR. Search for the archived user in the list of users returned the option to anonymise is displayed.
    Click on
    Anonymise
    and the below window opens.
    Click
    Anonymise
    and the user details are removed from the listing and they are removed from the system.
  • Inactive
    - make an active user account inactive. Unlike archiving a user, an inactive user is not removed from sites and system groups. However, that user cannot log on until their account has been reactivated and  appears with the word
    Inactive
    after their name to other users. Make a user inactive if their access to HighQ should be suspended temporarily.
  • Reset 2FA
    - This option is available if 2FA is enabled. Click
    Reset 2FA
    and confirm the removal of two-factor authentication from the selected user account. The user may then reset access via email or an authenticator app.
  • Change to:
    - If you search with the
    Basic
    or
    Internal
    User Type filter, you may switch Internal users to Basic users, or Basic users to Internal users.

Individual user action links

When the list of matching users is presented, the following links may appear for each user:
  1. User name
    - The user's name is a link to their profile page. From the profile page, the System Administrator can edit the user's profile, including changing the prefix of the user's email address.
  2. Organisation
    - This is simply a link to the organisation administration page for that organisation, discussed here.
  3. Email address
    - The email address associated with the user.
  4. Last login
    - the date and time of the last time the user logged in to the site.
  5. Proxy login
    - A System Administrator may log in as any other user by clicking on the
    login
    button in this column. Once this occurs, from the system's perspective, the System Administrator acts as that other user and can take any actions that the other user could take. (The system records every time a System Administrator proxy logs in as another user.) To revert to their own account, the System Administrator will need to
    logout
    as the other user and manually log back in as themselves.
  6. Reset password link
    - This link does not appear for every user, only for users who have an unused reset password request (meaning the password request was sent out but the link in the email was not clicked) or for users who have been invited to HighQ but never completed the account registration process. This link permits the System Administrator to set the password for another user, but ONLY if the other user has not set their own password or reset their own password.
    For example, if the invitation or reset password email sent to the user is trapped in the user's spam filter, the user will not be able to access the invitation and authenticate their account. In that situation, the System Administrator would set the password for the user and communicate the password to that user verbally. Alternatively, the System Administrator can copy the link and send it to the user in a different way, so that it will not be caught in their spam filter. When a System Administrator clicks on that link, they see the regular
    Set Your Password
    screen.
  7. Site list
    - The Site list link shows a list of every site the user has been invited to or otherwise has access to, and when the user last accessed each site (if ever).
  8. System Groups
    - The Manage Groups link takes the System Admin to a page that lists every system group, shows which one the user is a member of, and permits the System Admin to change those.
  9. User registered for 2FA with app
    - Search for users who have registered for 2FA with an app.

Auto Login

Auto login provides access to a site, for example, an intranet, to many people without needing to create an account for each person or require those people to remember a password. In other words, a shared account. While the use of auto login for this purpose should generally be avoided, there are use cases that warrant its use. It is recommended that an auto-login user account only be given read permissions on any sites the auto-login user has been given access to.
Auto login links can be changed by completing a password reset for the respective user account. Once the password is reset, the auto login link will be changed in the User admin tool and cannot be reverted to the old URL.
If Auto login is active on your instance, you see an
Auto login
checkbox and Auto login URL in the Roles screen for a user:
note
This feature must be explicitly requested to be enabled on an instance.
Please speak to your Customer Success Manager.
If enabled, auto login allows anyone with the Auto login URL to paste that URL into their browser and automatically be logged in as that auto-login user, without needing to authenticate or enter a password.
Once a person has auto-logged in as another user, their access to Collaborate will be limited in certain ways.
  • In the upper right-hand corner of the page, there are no options to edit the auto-login user's profile.
  • There is no way to log out as that user, which also means there is no way to request a password reset as the auto-login user.
    • If the user whose account has been autologin enabled tries to manually log in to Collaborate using their email address and password, they will experience the same behaviour once they are logged in: their profile is not accessible and they cannot reset their password.

Adding Users

The
User administration
page includes the
Add user
tab:
Click
Add users
to open a page for creating one or more new users, exactly the same as the process for creating new users to add to a site.
note
You may also click
Bulk import
to import multiple users from an Excel template.

Self-Registered Users

Some users do not have a full Collaborate account and are created merely to receive files after having registered. Select
Self-registered users
on the
User admin
page:
This shows the email address of each self-registered user (full names are not available for these users), their status and last login date:
A System Administrator may manage these users with the buttons or the action icon on the right of each user entry. You can:
  • send a reset password email to a user or
  • archive the user, so that they can no longer access files that were shared with them or otherwise log in to Collaborate

Limits on user licences

Depending on your account type, you may have limits on the number of users you may add. Limits are set per instance for the number of Internal users, External users and Basic users.
note
As of the October 2022 release, designated system admins can receive alerts when the number of users reaches 80%, 90% and 100% of the purchased licenses. Please contact your HighQ support representative to activate these alerts.