Learn to manage identities in Cipherscale. Understand the IAM basics. Effortlessly invite users, organize groups, and assign roles using natural language.
Identity is the first pillar of the Cipherscale Zero Trust model. Before you can apply policies, you must define the "Who." This mission covers inviting users, organizing them into groups, and assigning roles. In the Cipherscale AI-native model, you don't manually fill out user profiles; you tell the Intent Bar who belongs where, and the AI handles the configuration. Read Reference: Cipherscale Identity and Access Management for a deep dive into IAM.
The user's identity (email address) is authenticated against external identity providers. Google and Microsoft OAuth are enabled by default, and Single Sign-On via SAML can be configured. When multiple external identity providers are enabled, the user can sign in with any of them. User authentication is configured by navigating to Settings > Authentication.
Maximize your efficiency by navigating to Teams before entering identity prompts. You’ll gain instant visibility into the Detail Panes to verify Copilot’s actions and receive tailored Prompt Catalysts to help guide your next steps.
When you invite a user, the system automatically sends the invitation email and sets their initial status to "Invited."
The Intent: What the AI Needs
- Identifier: The user's email address.
- Group Assignment: The Group they should join. A User can belong to multiple Groups. When a user is assigned to more than one group, the following rules apply to their account:
  - Roles and Privileges: The user inherits the most privileged role among their assigned groups. For example, if a user belongs to three groups and one of them is assigned the Admin role, the user inherits the Admin role. Adding a user to any group that carries the Admin role therefore grants that user Admin on the console, so check a group's role before adding users to it.
  - Device Limits: The number of devices allowed for the user is the highest limit set among their assigned groups.
  - Access Policies: The access policy applied to the user depends on the type of destination resource (private resource, SaaS application, or the internet) and the priority order of the policies. The first access policy in priority order that matches any of the user's groups is the one enforced; later policies for that destination type are not consulted.
- Role (Optional): Their administrative level (User or Admin). The User role is the default for end users who only need to connect via the Cipherscale app, not administer via the console. Roles can be assigned individually to a user or inherited through group membership.
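The three multi-group rules above are easy to misjudge when a user sits in several groups with conflicting settings. The following Python is an added worked model written for this page; it is not Cipherscale's code or API. The Group and Policy data model, the function names, the User < Admin ranking and the sample tenant are all assumptions made for illustration. It shows the two cases a practitioner most needs to see: a user who becomes Admin only because one of their groups carries that role, and a user who loses internet access because a Deny policy with a higher priority matches one of their groups.

```python
"""Worked model of Cipherscale's multi-group rules (added example).

Not Cipherscale code. Group/Policy shapes, function names and the
sample tenant are assumptions. Encodes the three rules on this page:
  1. Role: the most privileged role across the user's groups wins.
  2. Device limit: the highest limit across the user's groups wins.
  3. Access policy: per destination type, the first policy in priority
     order that matches any of the user's groups is enforced.
"""
from dataclasses import dataclass
from typing import Optional

# Rule 1 needs a role ordering. Assumption: User < Admin. Owner is absent
# on purpose: the page says it cannot be assigned as an ordinary role.
ROLE_RANK = {"User": 0, "Admin": 1}

DESTINATION_TYPES = ("private", "saas", "internet")


@dataclass(frozen=True)
class Group:
    name: str
    role: str = "User"      # role every member inherits
    max_devices: int = 1    # per-user device limit for this group


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int           # assumption: lower number is evaluated first
    destination: str        # one of DESTINATION_TYPES
    action: str             # "Allow" or "Deny"
    groups: frozenset       # names of the groups the policy is assigned to


def effective_role(user_groups, groups):
    """Rule 1: highest-ranked role among the user's groups (User if none)."""
    roles = [groups[g].role for g in user_groups]
    return max(roles, key=ROLE_RANK.__getitem__, default="User")


def effective_device_limit(user_groups, groups):
    """Rule 2: the highest device limit among the user's groups."""
    return max((groups[g].max_devices for g in user_groups), default=0)


def effective_policy(user_groups, destination, policies) -> Optional[Policy]:
    """Rule 3: first policy (by priority) for this destination type that is
    assigned to any of the user's groups; None if nothing matches."""
    mine = set(user_groups)
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.destination == destination and policy.groups & mine:
            return policy
    return None


def groups_granting_role(user_groups, groups, role):
    """Which of the user's groups carry `role`; answers 'why is this user
    an Admin?' before you add anyone to a group."""
    return sorted(g for g in user_groups if groups[g].role == role)


def summarize(user_groups, groups, policies):
    """Everything the three rules decide for one user, as a dict."""
    by_dest = {}
    for dest in DESTINATION_TYPES:
        p = effective_policy(user_groups, dest, policies)
        by_dest[dest] = None if p is None else (p.name, p.action)
    return {
        "role": effective_role(user_groups, groups),
        "admin_via": groups_granting_role(user_groups, groups, "Admin"),
        "max_devices": effective_device_limit(user_groups, groups),
        "policies": by_dest,
    }


# Constructed sample tenant (not real data). The trap: Contractors carries
# a Deny at priority 1, so a member of Default AND Contractors loses internet
# even though Default has an Allow at priority 2.
GROUPS = {
    "Default": Group("Default", "User", 1),
    "Engineering": Group("Engineering", "Admin", 3),
    "Contractors": Group("Contractors", "User", 2),
}
POLICIES = [
    Policy("Deny internet for contractors", 1, "internet", "Deny", frozenset({"Contractors"})),
    Policy("Allow internet", 2, "internet", "Allow", frozenset({"Default", "Engineering"})),
    Policy("Allow private for engineering", 3, "private", "Allow", frozenset({"Engineering"})),
]

if __name__ == "__main__":
    memberships = {
        "alex@example.com": ["Default", "Contractors"],   # User, 2 devices, internet Denied
        "bob@example.com": ["Default", "Engineering"],    # Admin via Engineering, 3 devices
        "new@example.com": [],                            # no groups yet
    }
    for user, user_groups in memberships.items():
        print(user, summarize(user_groups, GROUPS, POLICIES))
```

Running it prints one summary per user. Read `admin_via` before confirming a "move X into group Y" prompt: if the target group appears there, the move is a privilege escalation, and the verification prompts later on this page ("What roles does Alex have?", "Which groups give Alex access to private resources?") are the console's way of asking the same question.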
Interaction Flow
An example Copilot interaction flow is shown below with a prompt that creates a new Group, invites a User, and assigns the User to the Group. Each change (the group creation and the invitation) is drafted and held for an explicit Confirm before it is applied; Cancel discards the draft and the Copilot re-prompts for adjustments.
| Step | Participant | Action/Content |
|---|---|---|
| 1. The Prompt | Admin | "Invite alex@example.com and put them in the Engineering group." |
| 2. The Draft | AI Copilot | I'll take care of both at once — inviting alex@example.com and adding them to the Engineering group! Create group 'Engineering': Creating the Engineering group to organize team members and assign appropriate permissions. `{ Group Name: "Engineering", Description: "Engineering team", Role: "User" }` |
| 3. Validation | Copilot | [Confirm] [Cancel] |
| 4. Validation | Admin | Cancel |
| 5. The Draft | Copilot | ❌ Action cancelled. It looks like the Engineering group doesn't exist yet. The system is ready to create it with the following settings: Once the group is created, alex@example.com will be invited and added to it. Would you like me to proceed with these settings, or would you like to adjust anything (e.g., description or role)? |
| 6. The Prompt | Admin | change the group role to Admin |
| 7. The Draft | Copilot | Got it! I'll proceed with creating the Engineering group with the Admin role and then invite alex@example.com. Create group 'Engineering': Creating the Engineering group with Admin role as it doesn't currently exist in the system. `{ Group Name: "Engineering", Description: "Engineering team", Role: "Admin" }` |
| 8. Validation | Copilot | [Confirm] [Cancel] |
| 9. Validation | Admin | Confirm |
| 10. The Draft | Copilot | ✅ Action confirmed, proceeding with execution of operation. Invite user 'alex@example.com' to group 'Engineering': Inviting alex@example.com to the Engineering group and granting them the Admin role through group membership. `{ User Email: "alex@example.com", Group: "Engineering" }` |
| 11. Validation | Copilot | [Confirm] [Cancel] |
| 12. Validation | Admin | Confirm |
| 13. Finalization | AI Copilot | ✅ Action confirmed, proceeding with execution of operation. Everything is set up! Here's a summary of what was done: Alex will receive an invitation email. Once they accept it, their account will be activated with Admin permissions inherited from the Engineering group. |
Example User Prompts
Example Read / Query Intents
- "Show my profile"
- "Get details for user John"
- "List all users"
- "Show all invited users"
- "Get user statistics" (online, offline, invited, deactivated counts)
- "List all devices for alex@example.com"
- "What roles does Alex have?"
Example Invite & Resend Intents
- "Invite sarah@example.com"
- "Resend invitation to alex@example.com"
Example Update Profile Intents
- "Update john@example.com's first name to John and last name to Smith"
- "Set max devices to 3 for Alex"
Example Activate / Deactivate Intents
- "Deactivate user alex@example.com"
- "Reactivate user alex@example.com"
Example Roles Intents
- "Assign Admin role to John"
- "Remove Admin role from alex@example.com"
Example Delete Intent
- "Delete user alex@example.com"
Groups are the primary way to scale access policies. You can create groups, move users between groups, or change their permissions (Roles) with a single sentence.
The Intent: What the AI Needs
- Group Name: What would you like to call the group?
- Description (Optional): A brief description of the group.
- Role (Optional): What role should the group have? If unspecified, the User role is used as the default.
Example Group Prompts
Example Read/Query Intents
- "List all groups"
- "Show details for the Engineering group"
Example Create Intents
- "Create a group called Finance"
- "Create a group called DevOps with Admin role"
Example Update Intents
- "Rename the IT group to Infrastructure"
- "Update the description of the Default group to 'All general users'"
- "Set max devices to 5 for the Engineering group"
Example Delete Intent
- "Delete the IT group"
Example Combined User + Group Prompts
Adding users to groups
- "Invite sarah@example.com and add her to the Finance group"
- "Add john@example.com to the DevOps group"
Removing users from groups
- "Remove alex@example.com from the Default group"
Migrating users between groups
- "Move john@example.com from the IT group to the Engineering group"
- "Migrate all users from the Old Team group to the New Team group"
Creating groups and assigning users
- "Create a group called Marketing with User role and invite tom@example.com and lisa@example.com to it"
- "Create an Admin group called Leads and move sarah@example.com into it"
Bulk invitations to a group
- "Invite alice@example.com, bob@example.com, and carol@example.com and add them all to the Engineering group"
Role + Group management
- "Add john@example.com to the Finance group and assign him the Admin role"
- "Remove the Admin role from alex@example.com and move him to the Default group"
In Cipherscale, devices are not manually added by administrators. Instead, devices are registered automatically when a user installs the Cipherscale app on their device and signs in with their account.
Here's how a user (e.g., Alex) can get their device enrolled:
- Alex installs the Cipherscale app on their device (available for Windows, macOS, Android, and iOS).
- Alex signs in using their account (alex@example.com) via the app.
- The device is automatically registered under Alex's account upon sign-in.
Once enrolled, the device will appear in the system and can be managed.
Example Device Prompts
Example list devices intents
- "List all devices"
- "Show me all devices with Windows OS"
- "Find devices with status active"
Example get device sessions intents
- "Show sessions for device John's MacBook"
- "Show sessions from the US for device Jane's iPhone in the last 7 days"
Example list user's devices intents
- "List all devices for alex@example.com"
- "What devices does Alex have?"
Example deactivate device intents
- "Deactivate device John's MacBook"
- "Disable John's devices"
- "Block access for device Jane's iPhone"
Example reactivate device intents
- "Reactivate device John's MacBook"
- "Restore access for device ID abc-123"
- "Re-enable Jane's iPhone"
Example rotate device keys intents
- "Rotate keys for device John's MacBook"
- "Rotate security keys for all of Alex's devices"
Example delete device intents
- "Delete device John's MacBook"
- "Delete all devices for alex@example.com"
Navigate to Teams using the Navigation Menu and use the Details Ribbon to verify the Copilot actions or view the current system state.
- The Users Data Grid: Click Users on the Details Ribbon to view the data grid that displays the list of users with their Status, Role, Groups, Devices, and Last Connected date. The copy icon appears when hovering over a User's identity, making it easy to copy and paste the email into the Intent Bar for use with a prompt. Search allows quick filtering of the rows to show the matching user identities.
- A Specific User's Data Grid: To view details for a specific user, click that user's email. You will see details such as the user's Status, Role, and Groups. Data Grids for the Access Policies and Devices associated with the user are also displayed. To go back to the Users Data Grid, click Users from the breadcrumb.
- The Groups Data Grid: Click Groups on the Details Ribbon to view the data grid that displays the list of groups with their Users, Role, and IdP Group Mapping. The copy icon appears when hovering over a Group's name, making it easy to copy and paste the Group's name into the Intent Bar for use with a prompt. Search allows quick filtering of the rows to show the matching group names.
- A Specific Group's Data Grid: To view details for a specific Group, click that group's name. You will see details such as the Group's Role, Device limit, and IdP group mapping. Data Grids for the Access Policies and Users associated with the group are also displayed. To go back to the Groups Data Grid, click Groups from the breadcrumb.
- The Devices Data Grid: Click Devices on the Details Ribbon to view the data grid that displays the list of devices with the associated User, Status, Device ID, and Last Connected date. The Device Name is set to the detected device's OS and version. The copy icon appears when hovering over a Device ID, making it easy to copy and paste it into the Intent Bar for use with a prompt.
You can also verify system state by using prompts in the Intent Bar. Example prompts for IAM verification are:
User — Policy & Resource Prompts
- "What policies apply to alex@example.com?"
- "What resources can alex@example.com access?"
- "Does alex@example.com have access to the HR Portal?"
- "Show all Allow policies for john@example.com"
- "Show all Deny policies for john@example.com"
- "What admission rules apply to alex@example.com?"
- "Does alex@example.com have a full tunnel policy?"
- "What internet access points can alex@example.com reach?"
- "What SaaS applications does john@example.com have access to?"
Group — Policy & Resource Prompts
- "What policies are assigned to the Engineering group?"
- "What resources can the Finance group access?"
- "Show all Allow policies for the Default group"
- "Show all Deny policies for the IT group"
- "What admission rules are linked to the DevOps group?"
- "What internet access points does the Engineering group have access to?"
- "What SaaS applications can the Finance group access?"
- "Which groups have access to the HR Portal resource?"
- "Which groups are linked to the 'Business Hours' admission rule?"
Combined User + Group — Policy & Resource Prompts
- "What policies and resources does alex@example.com have access to through the Engineering group?"
- "Compare the access policies between the Finance group and the DevOps group"
- "Which users in the Engineering group have access to the HR Portal?"
- "List all resources accessible by users in the Default group"
- "Does any user in the IT group have a Deny policy for internet access?"
- "Show all policies that apply to John across all his groups"
- "Which groups give Alex access to private resources?"
- Email Conflicts: If you invite an email address that is already active, the AI notifies you: "It looks like john@test.com already exists in the system! Would you like to Add john@test.com to another group?"
- Role Escalation: Changing someone to "Owner" is a high-security action. The AI responds: "The Owner role cannot be assigned through standard role assignment — it's a special role tied to tenant ownership and can only be transferred through the ownership transfer process." Ownership is transferred by clicking the Account menu in the top right corner, selecting "My Account", and using the ownership transfer function on that page via email address change.