User Administration Guide

Manage User Accounts

User Security Management

User security management begins after employee and guest users are assigned to roles and have a user account to access to UKG Pro. Manage user security privileges on the User Administration page.

The User Administration page includes information needed to complete user security tasks such as the full name, the user name used in login credentials, account status, a link to view the default password, and the last login date and time for each user. Ensure that you have selected all needed columns to display on this page.

Select Search for all users to appear or use the Find By options to filter the list of users. Available employees and guest users appear in the search results based on the system administrator's security roles and qualifiers.

System Administrators may only complete these tasks for the UKG Pro users that they are qualified to see:

Add user accounts for employees
Add user accounts for guests (non-employees)
View user security information: full name, user name, user type, account status, employment status, default password, and last logged on date and time
Manage user roles and qualifiers
Change user security status to Active or Suspended
Reset user passwords to the default password
Delete user accounts

User Summary Page Information

The information included in the User Summary page assists the system administrator in validating the user.

From the User Administration page, select the user's Full Name link to access the User Summary page and view additional user information.

The User Summary page displays the following employee user information:

Employee full name and user account name
Default password
Last login date and last login time
Account status and employment status
Work information (for example, work phone, e-mail, job, supervisor, location, and any established organizational levels)
The User Summary page displays the following information for guest users:
Guest full name and user account name
Default password
Last login date and last login time
Account status
User details (for example, e-mail, phone number, extension)
Component company to which the user is associated

Names can be very similar and being able to view detailed work information can assure the system administrator that the correct user is selected before proceeding with any changes. Information on the User Summary page can only be edited for Guest accounts. Otherwise, information that displays on the User Summary page is view only and is not editable from this page.

Security Actions for User Accounts

From the User Administration page, summary information about employee and guest user accounts displays for one user account or a group of users.

Multiple users that meet the selection criteria can be viewed all at once. The same action can also be performed at one time for a group of users. For example, the status for all the selected users can be modified simultaneously. Check the box of the desired multiple users and then select an available action.

The available Actions buttons do not become available until a single user is selected or the box for all users is selected.

User Account Statuses

A user’s account status tells you whether an employee can log in to the portal.

The user account status can tell you why an employee may not be able to log in as well.


User Account Status	Description
Active	As long as users with an Active status know their user name and password (and can retrieve their valid access code for multi-factor authentication, when enabled), the user can log in.
Suspended	The user has been purposely locked out by an administrator. This can include new hires if System Settings are not set to Active Upon New Hire and terminated users if the system is configured to automatically Suspended Upon Termination. Users with a Suspended status cannot unlock their accounts using the Forgot Your Password link on the Login page. Only a system administrator can reactivate a suspended user account from the User Administration page.
Inactive	The user has been purposely inactivated by the system because their account has not had a successful login for more than 180 days. This policy includes users wholog in using single sign-on (SSO). Users who have not logged in with their default password within the first 30 days of their account being created, recreated or manually reset will also be inactivated. This policy does not include users who log in using single sign-on (SSO). Users with an Inactive status can use the Forgot Your Password link on the Login page to reset the user account back to Active status. System administrators can reactivate the account from the User Administration page.
Locked	The user inactivated the account by either (1) using the Forgot Your Password link and then answering their challenge questions incorrectly or (2) attempting to create a new password too many times that did not meet the minimum system criteria. At this point, the user is locked out. Only a system administrator can reactivate the account from the User Administration page.
Restricted	The user temporarily inactivated the account for 30 minutes after entering a username or password incorrectly 5 consecutive times. While temporarily restricted, the user cannot log in, reset a password, or use the Forgot Your Password Security Questions feature. After 30 minutes, the user can attempt to log in successfully or reset the password using the Forgot Your Password feature. A system administrator can reset a password for an account that is temporarily restricted, as needed.

User Account Status Actions

There are currently four actions that system administrators can perform on user accounts that can change the account status of the selected employee and guest users.


User Account Status	Action
Set Active	Changes account status to Active Does not reset password Does not reset logon timestamps Commonly referred to as 're-activating a user account'
Set Suspended	Changes account status to Suspended Does not reset password Commonly referred to as 'de-activating a user account'
Reset Password	Resets password to default Changes account status to Active Resets Last Logon date and time which is used for tracking account login activity Commonly referred to as 'resetting a user account'
Delete User	Deletes a user (employee or guest) account

Action - Set Active

The Set Active action sets user account access to active status and allows the employee or guest user access to the portal.

Action - Set Suspended

The Set Suspended action sets user account access to suspended status and prevents user access to the portal.

The employee user accounts can be activated immediately when adding a user or saved and activated at a later time.

The status on the User Administration page appears as 'suspended' for any employee account that was added and not activated during the Add User process.

Employee User Account Added with Suspended Status

Actions - Reset Password

The Reset Password action resets the account status to Active, the Last Logon date and time, the inactivity policy timers, and resets the password to the Default Password value for the user.

This value can be displayed by selecting the View Password link in the user's Default Password column.

Security Settings for View Default Password

The View Password link for the Default Password field from the User Administration page and User Summary page is securable in Web Access Rights for a selected role.

Web Access Rights for View Default Password

When Web Access Rights are enabled to the View Default Password object for a role, the View Password link displays on the User Administration and User Summary pages. After selecting the link, the default password is viewable.

View Password Link on the User Administration Page

If Web Access Rights are not enabled to the View Default Password, the link does not display on the User Administration or User Summary pages.

By limiting user access permissions to the View Default Password, this feature enhances security at the field level for viewing critical apersonal information.

Action - Delete User

The Delete User action deletes user accounts.

A confirmation message appears before deleting the selected users.

Note

If you deleted an employee user account in error, it can be added again by searching for the employee and adding roles and qualifiers using the Add User process (Menu > System Configuration > Security > User Administration). To add a Guest user again, re-enter all guest user information.

Change Account Status for Users

Change the security status for one or more users on the User Administration page. The security statuses available are Active and Suspended.

When preparing to change an employee user's account status, view employee information on the User Administration page or select the user's Full Name link to view the selected employee's complete user details and work information.

Actions available to change the employee user's account status include:

Set Active - Allows user access to UKG Pro
Set Suspended - Prevents user access to UKG Pro

Navigation:Menu > System Configuration > Security > User Administration

To manage security account status for selected employee users:

From the User Administration page, locate the user to change security account status. Select Search. The user matching the search criteria displays.

Note
The list of available users is based on your role's qualifiers. Users not part of your qualified employee group for this role are not available for selection.
To perform any of the available actions, check the box next to the Full Name link for one or more employees.
From the available Actions buttons, select either the Set Active or Set Suspended action to change the selected user account status.

Note
If you reactivate a suspended account that has already been in use, the user’s current password remains unchanged. For security purposes, there is no way to view the user’s current password. If the user cannot remember the existing password, you can reset the password back to the default value.
Select the Full Name link to view employee account details. The User Summary page appears.
Close the User Summary page. The User Administration page appears.

Administer User Passwords

Use the Reset Password action on the User Administration to reset a user's password.

When preparing to reset passwords, view employee information on the User Administration page or select the user's Full Name link to view the selected employee's complete user details and work information.

Navigation:Menu > System Configuration > Security > User Administration

From the User Administration page, locate the user(s) you wish to reset the user's password to the default password.
Check the box next to the selected user.
From the available Actions, select Reset Password.
Important Verify the password was reset by noting that the Last Logon field is now blank. This indicates that no previous logins have occurred since the password was reset. This action restarts the inactivity timer that is used to determine if a user account has not logged in for more than 180 days (or 30 days if the default password has not been changed).
Select the Full Name link of the selected user. The User Summary page appears.
Select the View Password link from the Default Password field to view the user's default password.

Note
If the Notify User Via E-mail on Password Reset setting is enabled on the Security Settings page (Menu > System Configuration > Security > Security Settings), the user will receive an e-mail about the password reset automatically. You can configure the contents of that e-mail from the Security Notifications page (Menu > System Configuration > Security > Security Notifications).

Add Roles to a User

Once a role has been assigned to the user and the user account created, you can add more roles, as needed.

You can also delete unnecessary roles from users to prevent unauthorized access to UKG Pro. All users must be assigned to at least one role. An error message appears if you try to remove all roles from a user.

Navigation:Menu > System Configuration > Security > User Administration

From the User Administration page, search for the user.
Select the Full Name link of the user.
Select the User Security drop-down menu.
Select the User Roles menu.
Select Add.
From the Role drop-down list, select the role to add to the selected user. Only roles not currently assigned to the selected user are available for selection.
Select Save.

Note If a role only has the User or Default Approver role type, qualifiers are not required. However, if the role has any other role type assigned, qualifiers are required before you can save.

Add Employee and Guest User Accounts

System Administrators can add, delete, activate, suspend, and reset passwords for user accounts. In addition, user roles and qualifiers can be assigned and managed on an individual level.

UKG Pro provides the ability to add two types of user accounts:

Employee - user accounts that are created for existing employees who require access to UKG Pro. When a group of employees require the same roles and qualifiers, system administrators can add multiple user accounts at the same time.
Guest (Non-Employee) - user accounts that are created for users outside of the organization who require access to UKG Pro (for example, an auditor or contractor). As a non-employee, Guest users do not have access to the Myself menu item.

User accounts can be activated immediately or they can be created in a suspended status and can be activated at a later time.

Important

The View Password link in the Default Password column is a securable object. System administrators viewing the User Administration page or the User Summary page must have the View permission assigned to the Default Password object to be able to select the View Password link and see the default password value for any employee or guest user (Menu > System Configuration > Security > Role Administration > select a role > Web Access Rights > Security > User Administration > View Default Password). Without permissions to the Default Password object, the View Password link does not display.

Add Users on the Start Page

Add users by selecting an existing employee or by entering information for a guest (non-employee) user on the Add User Start page.

Navigation:Menu > System Configuration > User Administration

Select Add. The Add User Start page appears.
- To create an Employee user account:
  - At the radio button, What Kind of User Do You Want to Create?, select Employee.
  - Check the box, Activate New Employee Accounts When I Save, if applicable.
  - At the Find By field, search for an employee(s).
  - Check the applicable employee box(es) to add a user account for the employee(s).
- To create a Guest (non-employee) user account:
  - At the radio button, What Kind of User Do You Want to Create?, select Guest.
  - Enter information about the Guest user in the User Details section.
  - Select one or more companies the Guest user can access.
Select Next.

Assign Roles on the Roles and Qualifiers Page

Assign access by selecting one or more role types, roles and qualifiers for Employee and Guest (non-employee) users on the Roles and Qualifiers page.

Menu System Configuration User Administration Add

From the Roles and Qualifiers page, select Add Role.
Select role type and a role for the user. To select role types and roles for an Employee user:
- Check the box, Exclude Users From Viewing Self in My Employees, if applicable.
- Check the box, Use This Role in Business Intelligence Reporting, if applicable.
- Select qualifiers to provide the user with access to qualifiers for the user's own information.
- Or to provide the user with access to specific qualifier information.
- To select role types and roles for a Guest (non-employee) user
  - Check the box, Use This Role in Business Intelligence Reporting, if applicable.
  - Select qualifiers to provide the user with access to specific qualifier information.
Select Next.
Select Add Role and repeat steps 2 and 3, if adding more roles for the user.
Select Next. The Add User Summary page appears.
Select Save.
The User Administration page appears.

View Additional Security Information for Employee Users

View additional user security information for employee users on the User Summary page.

The information that appears for an individual employee user includes:

Employee name and user account name
Default password, last logon date and last logon time
Account status and employment status
Work information (work phone, e-mail, job, supervisor, location, and organizational levels)

Important

The View Password link in the Default Password field is a securable object. System administrators viewing the User Security > User Summary page must have the View permission assigned to the View Default Password object to be able to select the View Password link and see the default password value for any employee or guest user (Menu > System Configuration > Role Administration > select a role > Web Access Rights > Security > User Administration > View Default Password). Without permissions to the Default Password object, the View Password link does not display.

Navigation:Menu > System Configuration > User Administration

Search for a user by using the Find By field. Search results appear.
Select the link in the Full Name column. The User Security > User Summary page appears.

View Additional Security Information for Guest Users

View or change user security information for guest users on the User Summary page.

The information that appears includes:

Guest name and user account name
Default password, last logon date, and last logon time
Account status
User details (for example, e-mail, phone number, extension)
Component companies the user has been granted access

Important

The View Password link in the Default Password field is now a securable object. System administrators viewing the User Security > User Summary page must have the View permission assigned to the View Default Password object to be able to select the View Password link and see the default password value for any employee or guest user (Menu > System Configuration > Role Administration > select a role > Web Access Rights > Security > User Administration > View Default Password). Without permissions to the Default Password object, the View Password link does not display.

Navigation:Menu > System Configuration > User Administration

Search for a user by using the Find By field. Search results appear.
Select the link in the Full Name column. The User Security > User Summary page appears.
Select Edit. The User Summary page appears with editable fields.
Enter updated information for the user.
Select Save. The User Summary page appears.

Delete Employee and Guest User Accounts

Delete employee and guest user accounts by selecting an existing user on the User Administration page.

Navigation:Menu > System Configuration > User Administration

In the Find by field, search for one or more employee or guest user(s).
Check the box for one or more employee or guest user.

Note A maximum of 500 users can be deleted at a time.
Select Delete. A confirmation message appears.
Select OK. The user account(s) are deleted.

Note If you deleted an employee user account in error, it can be added by searching for the employee and adding back roles and qualifiers. To add back a Guest user, you must re-enter all guest user information.

This document and all information contained herein are provided to you "AS IS" and UKG Inc. and its affiliates (collectively "UKG") make no representation or warranties with respect to the accuracy, reliability, or completeness of this document, and UKG specifically disclaims all warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose. The information in this document is subject to change without notice. The document and its content are confidential information of UKG and may not be disseminated to any third party. No part of this document or its content may be reproduced in any form or by any means or stored in a database or retrieval system without the prior written authorization of UKG. Nothing herein constitutes legal, tax, or other professional advice. All legal, tax, or other questions or concerns should be directed to your legal counsel, tax consultant, or other professional advisor. All company, organization, person, and event references are fictional. Any resemblance to actual companies, organizations, persons, and events is entirely coincidental.