• Administrator overview
• Managing users and permissions
  • User roles and access permissions
  • Creating users
  • Editing users
  • Unlocking a user account
  • Resending a user activation link
  • Deleting or deactivating users
  • Using groups
  • Managing departments
  • Managing passwords and password policies
  • Setting account-wide access policies
  • Changing a resource owner
  • Using Single Sign-On (SSO)
    • Using Single Sign-on (SSO) with Azure Active Directory (AAD)
    • Configuring an ADFS claim rule for SSO
• Managing account-wide settings
  • Adding container registries
• Managing public IP addresses
• Managing WANs
  • Overview: VPNs
    • Creating a VPN
      • VPN configuration parameters
        • AWS VPC: VPN configuration example
        • Azure VPN: VPN configuration example
        • Cisco ASA: VPN configuration example
        • Cisco IOS: VPN configuration example
        • Juniper SRX: VPN configuration example
        • pfSense: VPN configuration example
        • strongSwan: VPN configuration example
  • Overview: Skytap on Azure ExpressRoute connections
    • Creating a Skytap on Azure ExpressRoute connection
    • Creating a customer-managed Skytap on Azure ExpressRoute connection
  • Testing the WAN
    • Troubleshooting VPN test failures
  • Connecting an environment network to a WAN
  • Configuring WAN access controls
  • Editing an existing WAN connection
  • Disable a WAN
• Managing Metered RAM and storage usage
  • How usage is calculated
  • Viewing current usage and enabling pay-as-you-go capacity
  • Reserved capacity for Skytap on Azure
  • Reserved capacity for Skytap on IBM Cloud
  • Setting usage limits
  • Setting up notifications
  • VM pinning
• Reporting overview
  • Viewing and exporting user information
  • Viewing and exporting group information
  • Generating department reports
  • Generating audit reports
    • Configuring the webhook service for audit data
  • Viewing usage data
    • Using labels for in-depth reporting
    • Creating usage label categories
    • Configuring the webhook service for usage data
  • Enabling other users to generate reports
• Security best practices
• Other best practices
• Sharing templates with users in other Skytap accounts
• Finding the source environment from a sharing portal URL
• Including your logo in the Skytap interface

Setting access policies

To change the access policy settings, in the navigation menu, click Manage > Security Policies, and then click the Access policy tab.

IP-based access

IP-based access blocks traffic to Skytap from all IP addresses outside of a designated range. For example, you may want to limit access for your customer account to IP addresses in the company network.

To enable IP-based access

1. Create a name for this access policy.

2. Set the range of IP addresses that is allowed.

   Notes

   • Both minimum and maximum addresses are included in the range of allowed addresses.
   • Make sure all of the IP addresses you use are in the list of allowed addresses. You may have multiple IP addresses if you use a VPN, or if you have a firewall rule that directs different types of network traffic out of different end points.
   • SRA access may be blocked in Microsoft Azure regions if IP-based access is enabled.
3. Click Add. IP addresses within this range are permitted to access the account.
4. You can use the following options to modify your access restrictions:
   • Allow access from IP addresses of VMs on the Skytap infrastructure – Automatically allows access to Skytap from VMs running in Skytap. This permits users to access their Skytap assets from the VM.
   • Apply restrictions to Sharing Portals – Permits only IP addresses within the specified IP address ranges to access Skytap environments using sharing portal connections generated from a sharing portal.

Browser activation

Browser activation lets administrators create an additional security layer by requiring users to verify their accounts before they can sign in from an unregistered browser. When enabled, all users see this screen when they sign in from an unregistered browser:

Browser activation is required by default.

When a user clicks Send Activation Link, an activation email is sent to the address associated with that user account. When the user clicks the activation link in the email, the user must enter a valid password; afterward, the browser is activated (via a saved cookie) and is ‘trusted’ by the customer account.

Users who don’t have a valid email address in their profile never see the activation email and won’t be able to sign in to their accounts. Those users should contact their administrator to update their email address, which automatically sends an email validation link (to find your account administrator, see Finding your primary administrator).

For new users, clicking on the initial user activation link also activates their default browser.

API access

To enable security tokens for API access

1. Click Require security tokens for API requests to enable API security tokens for users.

   When this feature is enabled:

   • Users can generate unique security tokens to access Skytap using the REST API.
   • Users must use their API security token to authenticate API requests. The API won’t accept requests that are authenticated with the user’s account password.
   • Users can view and regenerate their security tokens from the My Account page. For instructions, see Finding your user name and API security token.

   • Admins can delete user security tokens from the Edit User page (accessed from the Users page on the Admin panel).

     Notes

     • We strongly recommend that you require security tokens for API access. If this feature is disabled, users can authenticate to the API using their standard user name and password.
     • API security tokens are more secure than password-based authentication.
     • API security tokens are difficult to guess and can be changed independently of account passwords.
     • For more information about the API, see Skytap REST API.

2. Optionally, click Enable API token expiration to set new API tokens to automatically expire after the number of days you specify.

   Notes

   • Enabling this setting changes the token expiration time for all users.
   • By default, API tokens for new accounts automatically expire after 90 days for all new Skytap accounts.