Frequently Asked Questions
Our products are typically licensed on a per user basis. We offer both subscription and perpetual licenses to best suit your requirements.
Yes, we offer 30-day trials on all of our products. Some of our solutions are easily installed and self-configurable while others require assistance from our technical team. To request a trial, please click here and select the product of interest. An account manager will contact you to ensure any questions are answered.
Yes, absolutely. Click here to request a software demonstration and one of our account managers will contact you to arrange a demonstration of how our products can meet your specific requirements.
Yes, we have full-time support teams based out of our New York and Seattle offices. Support is typically available Monday – Friday, 9am – 5pm.
You can contact our support team via phone or e-mail.
Yes – by opening up applications > application catalog and selecting “Generic”, you will have the ability to configure web applications on your own. Of course, the Tools4ever technical team is always available to assist as well.
A typical deployment of HelloID requires approximately 4 hours to configure. The Tools4ever technical team will walk you through the basic configuration.
All you need to access HelloID is an internet connection and a browser. HelloID is supported on many web browsers and devices including:
- Internet Explorer
- Microsoft Edge
There are two methods of deployment. Tools4ever can host it in a secure Microsoft Azure Cloud infrastructure in North America. Alternatively, it can be deployed on a local server if you prefer it behind your firewall.
Yes, HelloID can maintain credentials for users that may not exist in your Active Directory.
We currently have nearly 600 apps predefined and you have the ability to add more. The predefined list continues to grow with every release.
The apps displayed to the end-user are controlled by groups. We can mimic Active Directory groups or create local groups in HelloID.
You can define when and how the portal or apps are accessed. HelloID can adhere to your organization’s access policies with restriction features such as time or day. For example, you may not want users to access data outside of the typical work week and can easily limit availability to Monday – Friday, 9 a.m. – 5 p.m.
You can also ensure access is not available outside of the network with restrictions on IP address.
If you are hosting in our Microsoft Azure cloud, we use redundant servers in multiple regions in North America to maximize uptime. Your data never leaves the country of origin. We use RSA to encrypt data. In addition, we utilize a consulting firm to provide complete penetration testing on a quarterly basis. We can also enhance the normal login process with multi-factor authentication (MFA) capabilities such as RADIUS server, PIN via SMS, or Authenticator apps from Google or Microsoft.
With identities often being interwoven in the network, our transparent process automates and/or delegates access management to prevent the accumulation of permissions. This prevents unauthorized access and risk of data breach and ensures users always have the correct access required.
With IAM, the onboarding can be automated, eliminating the need for manual intervention from IT or the helpdesk. Access rights are either created based on a Role Based Access Control (RBAC) model or granted and approved by managers and/or the data owners on a one-off basis. This frees up the helpdesk to work on more important tasks instead of repetitive work such as user provisioning.
It is inefficient to have staff spending hours every day managing access, users and permissions. The risk of human error is mitigated when the process is automated.
IAM leaves a transparent access trail based on permissions that are granted and/or revoked in the network. With access governance, it is simple to ensure users have the correct access, no more, no less than needed. In addition, by assigning certain users as data owners, IAM adds layers of accountability to the process. RBAC ensures that rights are correct for every position and individual while discrepancies are available for review.
The length of implementation depends on the specific requirements of any particular organization. Before quoting a timeframe, we will assess the requirements and provide a detailed scope of services for your particular requirements.
Our unique approach to implementation has been the key to our success over 19 years in the industry. We implement IAM in phases to avoid users or IT having to adjust to drastic change overnight. The phases also allow our expert consultants to address any small challenges as they arise. With a phased implementation, we can ensure each module of IAM is working seamlessly before we move on to another. You can read more about why implementing in phases is optimal in this blog post.
IAM Access Governance replaces copy-user, spreadsheets, user templates and other types of manual and error-prone access management practices. Access rights are recorded in an easily managed RBAC model and rights are then issued, updated and withdrawn via this model. Access Governance offers a variety of methods to build the model, such as role mining, and the ability to manage it via workflow requests and approvals. Validation of any discrepancy of rights can be accomplished via attestation and reconciliation.
There are certain attributes of a user, such as department, title, location, etc., that are picked up from the HR/SIS. We put these through IAM’s access governance model to determine the individual’s entitlements either in the network, Exchange, O365, Google or other systems as appropriate for their role. Essentially, in access governance, all of the attributes are mapped to entitlements in different systems. IAM translates their role attributes into resources.
For a partial list of systems we currently support, please click here. If you do not see a system you would like to connect with, please contact us to discuss.
Click here to see the prerequisites required for an IAM implementation.
Yes - it can create, delete and manage group memberships. The access governance and RBAC model used to provision resources can equally be used to assign appropriate group and DL memberships.
Yes - users can be created with a predefined expiration date. This is ideal for short-term employees, contractors, or students & staff in schools or universities. Additionally, email alerts can be automatically generated to alert managers prior to an account expiring.
Yes - an alert can be sent to IT or the helpdesk alerting them that a group manager or approver has left the organization. IAM makes it easy to detect the affected individuals or groups and easily update with the new manager’s information.
Yes – IAM has the capability to programmatically create AD groups based on attributes available from the HR / SIS system. For example, a group could be created based on the title “Office Administrator” and any employee with that designation would automatically be added to the group.
Many factors affect the run time for a provisioning run, including the number of employees, the quantity of changes and the total number of systems connected. Most of our clients are able to run the processes every hour. We also provide the ability to run processes on demand.
Tools4ever has developed connectors that tightly integrate with both G-Suite and Office 365. These connectors run every time the provisioning process runs and changes in both systems are implemented immediately. Any action, including licensing of modules, can be addressed by our connectors.
Yes, employees can request access to applications, Active Directory groups, distribution lists & hardware via a web portal we call The Shop. Products can be made available globally or just for specific groups of users. Items can require one or more levels of approvals while others can be granted automatically.
Yes, you can customize an access policy to suit the specific requirements of your organization. You can choose the number of challenge questions, if users can create their own challenge questions, two-factor authentication and many other options. You can have multiple access policies within SSRPM and assign different rule sets to different OUs or AD groups.
If you are on a subscription license and it has expired, please contact your local office for assistance.
Yes, SSRPM can be accessed via a web interface and/or a mobile app, currently available for iOS and Android. All you need to reset your password is an internet connection and your username.
There are currently three enrollment options for SSRPM:
- Auto-Enrollment: This is when data is collected from an HR System or Student Information System (SIS) and used to pre-populate answers in the SSRPM database, thus eliminating the need for employees to complete the enrollment process.
- Onboarding: This method utilizes a mechanism to give a unique ID and One Time Password (OTP) to the end user based on personal information from the HR or SIS. It ensures SSRPM is set up before network access is granted.
- Windows Pop-Up: A wizard pops up for end users to fill in answers to challenge questions. It cannot be closed unless this information is completed, ensuring enrollment in SSRPM.
Yes, SSRPM requires either an Access Database or a SQL Database (we recommend SQL). SQL Server Express and SQL 2000 or higher are supported.
The answers to challenge questions are very secure. We use SHA-256 with salting and obfuscation by default. Optionally, you can select a reversible encryption method, which is required for our Helpdesk ID module.
No, but a service account is needed in the network that has sufficient rights to process an AD reset. It does not need to be a domain administrator.
Yes. SSRPM impersonates the end user when resetting their password. By using this method, SSRPM automatically enforces your AD password policy requirements insofar as complexity and history are concerned.
SSRPM, in conjunction with our Password Synch Manager (PSM), can be utilized to send password resets to other applications and platforms. Popular options are GSuite, O365, SAP and iSeries.
Password expiration notifications can be sent via email or SMS to end users in advance of their password expiration. As an administrator, you control the frequency and content of these alerts.
SSRPM tightly integrates with Active Directory. When you add users in AD, they are automatically given an SSRPM account. When you disable or delete users in AD, their account is deleted in SSRPM. You can restrict SSRPM to only look at specific OUs or groups in AD if there are specific personnel you wish to exclude.
- In Active Directory, there is currently no easy way to determine, on a global basis, who is a member of a group or who manages a group.
- Without spending a considerable amount of time, it is also difficult to determine the group memberships for the individual user.
- When it comes to the NTFS structure, reporting on who has access to what, who is permissioned to files or folders and if they are actually using the access is especially difficult.
- Administrators typically need to spend large blocks of time to audit Active Directory and the file system.
Yes, you can choose which containers in the NTFS structure and Active Directory are evaluated and what information you would like displayed. For example, ownership can be limited to specific files or folders. While reports are fully customizable in their content, there are some popular reports that most customers like to use such as:
- Grants: Shows successful access by user and type – read, write, delete, etc.
- Denies: Displays unsuccessful attempts to access a resource.
- Ownership: Which user owns a particular file or folder.
- Non-usage: Who has rights to a file or folder but does not use them.
ERAM collects and correlates all of the file system’s ACL settings and audit information with Active Directory data regarding users and groups. This creates an easy to navigate, up to date database containing all user and file information. Collection can be executed periodically or scheduled to run automatically, ensuring the gathered database is current for your needs.
ERAM’s collection agent allows you to answer questions such as:
- Who can access which folders?
- What data does a particular employee have access to?
- Where is the most dangerous pollution located in the file system?
Without the correct tools, answering these questions significantly consumes system administrators’ time and effort. ERAM Collection solves these questions, providing system administrators fast yet detailed insight into effective rights and usage per user and per file.
ERAM is a central collection agent that gathers information from the NTFS file structure and file servers as well as from Active Directory. From this, it provides the ability to run reports. These reports can provide a bidirectional view: not only data and groups to people, but people and groups to data.
ERAM is a complete solution for optimal file system management. No longer will you have to struggle with outdated and polluted access controls. Your IT department retains insight into the most current access rights and their usage at any moment. More importantly, your “data owners” maintain responsibility for managing access to their resources - with as many request/approval processes as possible resolved via self-service. Self-service will help your IT department see a noticeable reduction in tedious helpdesk tickets. Implementing ERAM is very simple, taking only a few hours. ERAM equips your organization with access control for unstructured data with the sophistication of document management solutions, all without the large investment, or any required migrations.
ERAM’s bidirectional view answers two questions: who can access a specific resource (share, file or folder), and which resources can a specific user access?
ERAM creates an audit trail of who accessed what file, when, how and from which IP address. It also shows what type of access a user has, such as read, write or delete.
ERAM makes recommendations such as removing access rights for users who are not accessing data. It determines who the data owners are and what access rights are actually used.
Yes, you can select a user from Active Directory and determine what files in the file structure they can access. You can also do the reverse and select a file in the file structure and determine which users have access to that file and how they obtained access. ERAM allows you to see what specific actions were performed by what user and on what file, e.g. read, write, create, delete. It can also determine file ownership.
HelloBI is the reporting module of ERAM. It uses all the information gathered by the collecting agent to compile comprehensive reports and analytics in an easy to act upon format – all driven by ERAM’s Collection-built database. System Administrators can optimize data management with these reports and analysis.
ERAM’s data analytics provide an optimal starting point for any restructuring of an organization’s file and share management. ERAM provides user-friendly tools to efficiently manage your organization data and group structures. Uniform request and approval processes allow employees to independently manage data access according to established, compliant procedures via self-service capabilities without helpdesk intervention.