Employees
A
Written by Arick Disilva
Updated over a week ago

Introduction to the Employees

The Employees screen is where all your employees and other users are listed. You can see when a user first/last logged in, which computer they logged in from, their status (i.e. active, idle, locked, etc.), if they are currently being monitored, or if they have two-factor (2FA) authentication enabled.

1. If you have selected one or more employees (by clicking the check mark in front of their names), you will see an Action menu. From the action menu you can lock, unlock, enable/disable monitoring, etc. See the Employee Action Menu section for more information.

2. Click the IMPORT button to import employees from a CSV file. See the Importing Employees section for more information.

3. Click the NEW EMPLOYEE button to add an employee. See the Adding a New Employee section for more information.

4. You can filter the report by employee states (e.g., Monitored, Locked Out, Deleted, Unlicensed, Access to Dashboard, etc.), roles, departments and LDAP groups (if Active Directory is enabled).

5. You can search for computers using the Search field.

6. You can export the report in PDF/CSV formats by using the PDF or CSV icon. You can access the report settings by clicking the Settings (Gear) icon. You can refresh the report by clicking the Refresh icon.

7. If Active Directory is enabled, you will see a small + icon. Click it to filter the report by LDAP attribute and value.

Here’s a description of the report columns:

  • Employee: shows the name of the employee. Clicking the name will take you to the employee's activity report.

  • Email: shows the email address of the employee.

  • Department: shows the department the employee belongs to. Clicking the department will take you to the department configuration page.

  • First online time: shows the date and time the user first came online.

  • First online from: shows the computer the user logged in from for the first time. Clicking the computer will take you to the computer's details page.

  • Last login time: depending on the computer's state, this column will display the following:

    • If the user is offline, it will show the date and time the user last logged in.

    • If the user is currently online, this column will show "Online" or "Idle" depending on the user's current activity level.

    • The column will display "Session locked" if the user locked their computer (i.e., used the Start Menu > User > Lock command), the screen saver was activated, the system went to sleep mode; or, if it's a remote desktop session (RDP), the user minimized the RDP window.

  • Last login from: shows the computer the user last logged in from. Clicking the computer will take you to the computer's details page.

  • Status: depending on what employee action was taken, the column will either display "Locked", "Deleted" or "Active". If this column shows “Locked”, it means either an admin used the “Lock” command from the Employee Action Menu, or the user triggered a behavior rule with the Lock Out User action. See the Employee Action Menu to learn how to lock/delete a user.

  • Monitored: shows if the user is currently being monitored or not. For users imported from Active Directory, you will see an (i) icon in the Monitored column as an indicator that monitoring will be enabled on the employee account after the first time they log in on a monitored computer. See the Employee Action Menu to learn how to enable/disable monitoring. You can also see which employees are “Unlicensed” in this column. Note that an unlicensed user is a user who is being monitored but not licensed.

You can also set up automated notification when monitored users/computers exceed your allotted license count from the Settings > License Alerts screen.

  • 2FA: shows if 2-Factor Authentication is enabled for the user.

Accessing the Employees Menu

image-154.png

1. Click the EMPLOYEES menu to access its screen.

Adding a New Employee

image-155.png

1. Click the NEW EMPLOYEE button near the top of the screen. A pop-up window will open where you can edit the employee’s profile details such as their personal information, account security, monitoring options etc. See the Entering / Editing Employee Profiles section to learn how to enter these details for a new employee.

You only need to add an employee if they are using the Revealed Agent. You do not need to add an employee who is using the Hidden Agent as they will be added automatically when the Agent is installed on their computer. However, you can still edit the employee’s profile once they are added by the Agent.

Adding Employee and Sending Invitation

At bottom of the New employee (if you are adding a new employee), Edit info (if you are editing an existing employee) or My profile (if you are editing your info) window, you will see a few buttons:

If you are adding a new employee:

1. Click the ADD USER & SEND INVITATION button to add the new employee and send them an invitation email. The email will look like this:

2. It will contain the links to download the Agent and their login credentials.

3. Click the ADD USER button to just add the user without sending an invitation. Note that, if you don’t send them an invitation and don’t assign them a password, the user won’t be able to login.

If you are editing an existing employee or your own profile:

1. Click the RESEND INVITATION button to resend the employee the invitation email. The email will look like this:

2. It will contain the links to download the Agent and their login credentials.

3. Click the APPLY CHANGES button to save any changes you have made to the profile.

Entering / Editing Employee Profiles

New Employee

If you are adding a new employee, a New Employee window will pop up where you will be able to enter the employee’s profile information.

Exiting Employee

To edit the profile of an existing employee:

1. Click the name of an employee from the List of Employees screen. You will be taken to then Employee’s screen.

2. Click the EDIT INFO button on an Employee’s screen.

3. An Edit info window will pop up where you will be able to edit the employee’s profile information.

See the sections below for an explanation of each tab on the profile window.

Personal Info

Under the Personal Details section of the PERSONAL INFO tab, enter the employee’s personal details such as names, email and phone no.

Be careful when changing the email address of an existing employee. Teramind uses the email as part of the employee's ID. If the employee is using a Hidden Agent and you change their email address, you might see duplicate employees on the Teramind Dashboard. If this happens, please remove the employee with the old email ID. You can remove an employee from the Employee Action Menu.

You can also upload a photo for the employee’s profile by clicking the photo area. Ideally, the image should be at least 128x128 pixel, in PNG or JPG format.

Under the Business Details section, you can assign the employee a department, position etc. If you enter the Rate, you will be able to see the user’s expense on various widgets and reports (e.g., the Productivity report, Employee Cost, etc.).

The LDAP attributes section is only shown if you have set up an Active Directory integration. The attributes are read-only. You cannot edit their values.

Account Information

On this tab, you can specify the user’s DEFAULT TASK (applicable if the employee is using a Hidden Agent. Check out the Tasks section to learn how to create tasks for your employees).

You can also set their ACCESS LEVEL. There are four types of access levels you can choose from:

  • Employee – cannot change any settings.

  • Infrastructure Admin - has access to the system settings but cannot browse any recordings.

  • Operational Admin - has access to the system settings, rules, computers, other users and access control settings of other users.

  • Administrator – is the most powerful access level. They can monitor all employees, other admins and change any settings with no restrictions.

Check out this article to learn more about account access levels.

On this tab, you can also enable/disable other account security settings, such as:

  • Allow self-history playback: if enabled, Will enable the user to playback their screen recordings (see Session Player for more information). If this option isn’t enabled, the user will be able to see just their Monitoring > Screen Snapshots report but won’t be able to play the video.

  • Allow viewing activity reports: if enabled, the user will be able to view the Monitoring > Web Pages & Applications report.

  • User can clock in and out using Web interface: if enabled, the user will be able to use the web clock-in feature (Time Tracking > Tracker) to log their task and time.

  • User can login to Teramind Dashboard: if enabled for a regular user, the user will be able to login to the dashboard and view:

The User can login to Teramind Dashboard option is hidden for the currently logged-in admin. It means, if you are an admin and you try disable this option you your profile (User Menu > My Profile > ACCOUNT INFO tab), you will not be able. This will prevent you from accidentally locking yourself out of the Teramind Dashboard.

If enabled for an admin, they admin will have access to all the features under their access level.

  • External user: if enabled, the system will treat this user as an Active Directory user and by default will use LDAP to synchronize their domain password from Active Directory. However, if you enable this option, you will notice that another option is shown, ‘Don't synchronize from LDAP’. If you enable this ‘Don’t synchronize…’ option, then the password will not be synchronized anymore. Also, note that, if the option is enabled the SET NEW PASSWORD option will not be shown the next time you edit the user. The Forgot your password? option (on the Dashboard login screen) will not work either. Also, if you are using the LDAP method to authenticate dashboard changes (Settings > Security > Dashboard Authentication > CONFIRMATION METHOD FOR DASHBOARD CHANGES), you will need to mark the user as External user.

  • Can see own online presence: This option is applicable to an administrator and privileged users (who have the permission). if enabled, the logged in user will be able to view their online status on the Online Employees widget, the List of Employees screen, etc. If disabled, the information such as “First online time”, “First online form”, etc. columns will not record the user’s status and they will be shown as empty:

Note that, if this option is enabled, then you will be able to toggle the User can clock in and out using Web interface setting (see below).

Note that if the Disable self session report option is checked but the employee is given the View sessions report access right (from the Configure > Access Controls screen), they will be able to see the sessions report for others but they will not be able to see their own report. Their name might still show up on the list of employees filter but there will be no data about them.

  • Disable daily digest report: Applicable to users with the Administrator access level. By default, all administrators receive a daily digest email which shows all the users’ activities such as emails sent, rules violated, etc. If you enable this option, then the admins will not receive the daily digest report. The report looks like this:

  • Disable self edit: Will disable the ability for the employee to edit their profile information such as names, email address, and phone number.

  • SET NEW PASSWORD: allows you to change the user’s account password. Note that, if you don’t assign a password to a user and click the ADD USER & SEND INVITATION or the RESEND INVITATION option, then a temporary password will be generated for them. See the Adding /Editing an Employee and Sending Invitation section for more information.

RBAC

By default, RBAC policy isn’t activated on On-Premise deployments. Please contact [email protected] to enable it on your On-Premise deployment.

The RBAC (stands for Role Based Access Control) tab allows you to turn a regular user (Employee access level) into a privileged user by assigning a Role access control policy to them. To do so:

1. Select a Role policy from the SELECT ROLE BASED POLICY TO GRANT USER ACCESS drop-down list. Check out the Creating a Role (RBAC) Policy section to learn how to create a Role policy.

2. Click the SELECT TARGETS button, the role will be added.

3. Click the GRANT ACCESS TO field and select users, computers, departments, Active Directory groups, shared lists, etc. from the list of objects. You can delete an object by clicking the X button next to it.

4. You can delete a role by clicking the X button located at the top-right corner of the role’s panel.

  • You can assign multiple role policies to a user. In such a case, the policies will be merged. It means the user will have all the permissions from all the assigned policies.

  • You cannot assign a role policy to an administrator.

  • A user cannot change their own role policy. However, if their policy allows for it, they can change other users’ role policies (see the List of Access Control Permissions section for more information).

  • If a user already has a List (regular) policy applied and you apply a role policy to them, the role policy will override the list policy. The user will have access permissions set on their role policy only.

Authentication

A logged in employee can enable/disable 2-Factor Authentication from their own profile (by clicking their name near the top-right corner of the Dashboard and selecting My Profile:

If 2FA is currently disabled, the employee can enable it by clicking the ENABLE button or vice versa. For step-by-step instructions on how an employee can configure their own 2FA, check out this article.

The options on the Authentication tab cannot be set by an administrator for another employee. However, you can force all admins to enable 2FA when they log in. For step-by-step instructions on forcing 2FA for administrators, see this article on our Knowledge Base.

Monitoring Option

On this tab, you can specify which monitoring profile to use for this employee. Or, you can manually change any of the monitoring settings. If you manually change the settings, a “Custom profile” will be automatically created and assigned to the user.

  • The Custom profile contains settings for the user you are currently editing. Each user can have their own, unique Custom profile.

  • The Custom profile is only available on this window. It’s not shown under the global monitoring profiles on the Monitoring Settings screen.

For more information about monitoring profiles and monitoring settings, check out the Monitoring Setting section.

Productivity Profile

Productivity profiles allow you to classify a user’s app or website activities as productive or unproductive. On Productivity Profile tab, you can see which productivity profile is currently being assigned to the employee. However, you cannot edit the profile from this tab. To learn more about productivity profiles and how to create/edit them, check out the Productivity Profiles section of the User Guide.

Importing Employees

You can make quickly add multiple employees by importing them.

image-163.png

1. Click the IMPORT button near the top of the Employees screen. You will be taken to the Import employee screen.

2. Click the UPLOAD CSV FILE button to upload a CSV file containing employee information.

3. If you want, you can click the DOWNLOAD SAMPLE CSV button to download a sample CSV file that shows you how the CSV file containing a list of employees should be formatted for importing into Teramind.

4. A table at the lower part of the screen will shows what CSV fields Teramind can import, their expected values and which fields are mandatory.

5. Turn on the Invite users by email to send out invitations to install the Teramind Agent to the newly added employees. When you start the import process, you will be asked to confirm:

This means, the server will ignore the PASSWORD column in the CSV file and generate a random password. The user will get an invitation email to log in (same as manually sending an invite):

If you do not use the Invite users by email option, then the PASSWORD column of the CSV file will be used. You will have to give the employee the password somehow. Otherwise, they will not be able to log in.

In both cases, the user will be asked to change their password when they log in for the first time.

6. After the import is completed, you will see the list of employees being added:

Employee Action Menu

You can perform various actions such as lock/unlock a user, delete/restore their profile or enable/disable monitoring for them.

mceclip1.png

1. Click the check mark in front of the employee names to select employees.

2. From the top-left corner of the screen, select the action you want to perform. Here are the actions you can perform:

  • Lock: locks a user’s computer. The Status column on the employees list will change to show it as locked. When a computer is locked, the user will not be able to use it.

  • Unlock: unlocks a user’s computer previously locked by the Lock menu option or by a rule’s ‘Lock Out User’ action.

The Lock/Unlock action only works on the Hidden Agent. By design, these actions will not be enforced on the Revealed Agent. Please also note that the lock feature isn’t a full protection from user tampering. It has the following limitations:

  • Only the selected user account will be locked out. If there are other users on the computer, they will be able to log in.

  • If the user may be able to log in using the Windows Recovery mode.

  • The user may be able to take out the disk and connect with another computer and access data.

  • Delete: deletes the selected user. Note that, when you delete a user, they are not permanently deleted, just hidden from the employee list and all monitoring reports. If you are on a Cloud deployment, deleting a user will also free up a license.

  • Restore: restores previously deleted employee(s).

  • Enable Monitoring: enables monitoring for a user.

  • Disable Monitoring: disables monitoring for a user. The Monitored column will change to show the user is no longer being monitored.

  • Bulk Edit: allows you to edit the profile information of the selected employees in bulk. Clicking the button will open the Bulk edit window where you can make the changes that will apply to the selected employees:

mceclip0__16_.png

Viewing an Employee’s Monitoring Reports

1. Click the name of an employee from the Employee column. You will be taken to the Employee’s page where you can see their detailed reports such as, Activity Log (similar to the Web Pages & Applications Report), Session Log, Time Worked, Alert Log etc.:

The employee’s ACTIVITY LOG tab doesn’t show any real-time data. It will show you the date/time when the report was last synced. However, if you choose the current date or the “Today” option from the date selector, a Click here for real-time data link will be shown. Clicking the link will take you to the Monitoring > Web Pages & Applications report where you will be able to view the real-time data.

The rest of the tabs are similar to their equivalent Monitoring Reports and simplified versions of other individual reports (e.g. the SESSIONS LOG tab is similar to the Monitoring > Sessions report, the TIME WORKED tab is a simplified version of the Productivity > Time Worked report, etc.).

2. You can also edit the employee’s profile, toggle monitoring, delete employee or view the assigned policies/rules policies from this this screen.

Viewing the Active Policies & Rules of an Employee

1. Click the ACTIVE POLICIES button from the Employee’s page. A pop-up window will open where you can view all the active policies and rules applied to the user:

Please note that:

  • You can click on a policy’s name to expand/collapse it.

  • You can click on a rule’s name to edit it.

  • Any policies or rules that are turned off on the Behavior > Policies screen will not show up on the list.

  • Any policies or rules that are applied to the Everyone option on the policy/rule's User field will not show up on the list.

  • Anomaly Rules aren't shown on this list.

Editing / Deleting an Employee

image-168.png

1. Click the EDIT INFO button from the Employee’s page. A pop-up window will open where you can edit their profile information. Check out the Entering / Editing Employee Profiles section to learn how to edit the profile.

2. Click the small, Red Trash Can icon to delete the employee. You can also delete/restore an employee from the Employee Action Menu. Note that, when you delete a user, they are not permanently deleted, just hidden from the employee list and all monitoring reports. If you are on a Cloud deployment, deleting a user will also free up a license.

Did this answer your question?