Managing hardware password manager groups – Lenovo ThinkVantage (Hardware Password Manager Deployment Guide) User Manual
Page 20
This tab lists any Remove User actions that have been performed on the user, including the name of the
device from which the user was removed and the date and time of the last status change.
Removing a user’s access to a Hardware Password Manager device
After a user has been enrolled on a Hardware Password Manager device, you can remove that enrollment
if the user should no longer have access to the device. To remove a user, create a remote action that is
applied to each device you specify. The next time when the device is connected to the Hardware Password
Manager server to update its policy, the user will be removed from the list of users for that device.
To remove a user from a Hardware Password Manager device:
1. Click HPM Enrolled Users in the toolbox (or click Tools ➙ ThinkVantage Hardware Password
Manager ➙ HPM Enrolled Users).
2. In the user list, select the user(s).
3. Click Revoke user on the toolbar.
4. In the Create Remote Action dialog box, clear the checkbox for one or more devices from which
you want to remove the user.
5. Click OK.
Managing Hardware Password Manager groups
Hardware Password Manager groups link user groups (as defined in the LDAP server) with Hardware
Password Manager devices. Hardware Password Manager groups are useful because they allow multiple
users to access one or more devices without individually enrolling each user on each device. When a
device is added to a group, all members of that group have the access to the device and can use an
intranet account to log in to the device.
When you open the HPM Groups tool, groups are listed in the LDAP tree view. Each group is created on your
LDAP server; you cannot create a group in ThinkManagement Console. However, you can edit groups (define
the group role) and drag devices into groups to associate those devices with the members of the groups.
Intranet account groups are distinguished by the role defined for the users in the group:
• User: an end user of a Hardware Password Manager device.
• Service Tech: an IT technician, authorized with limited access to the device for servicing. Access can be
limited to a time frame (duration), or the technician can be authorized with a certain number of logins.
• Administrator: an administrative user authorized to access devices.
For example, all members of a group that is defined with the Service Tech role can log in to devices in the
group for a specified number of times. If the role is defined so the user can only log in to the device two
times, access to the device expires for the user after the second login.
To edit a Hardware Password Manager group:
1. Click HPM Groups in the toolbox (or click Tools ➙ ThinkVantage Hardware Password Manager ➙
HPM Groups).
2. In the LDAP tree view, click a group name and click Edit Intranet Account Groupon the toolbar. Most
items in the Edit Intranet Account Group dialog box are not editable. You can select the role for the
group; if you select Service Tech ,you can limit the access to Hardware Password Manager devices.
3. Select the role from the combo box.
4. Select With expiration if you want to limit the access to the device for a period of time or a specific
number of logins. (This applies only to Service Tech users.)
12
Hardware Password Manager Deployment Guide