# Creating User Accounts

Cryoserver has multiple levels of user accounts. In this guide we'll set up two of them: the Privileged and Data Guardian user types. We briefly describe these user types below; for more detail, see the [Managing Users](/managing-users.md) section.

### 🕵 What is a Privileged User?

**Privileged Users**, also called e-Discovery Users, are users who can search across the archive to carry out e-discovery investigations. A Privileged User can search across all emails in that Cryoserver system (or that Cryoserver company, when in multi-tenant mode) unless one or more searchable restricted domains are added. Any search made by a Privileged User raises an audit transcript that is sent to the Data Guardian(s).

### 👮 What is a Data Guardian User?

A Data Guardian is, in Cryoserver, an email address to which transcripts of administrator access and privileged user searches will be sent. At least one data guardian must be added before adding any privileged or local user accounts.

{% hint style="info" %}
**Note:** For versions 9.0.2 and above, different guardians can be specified for administrative and privileged usage audit transcripts.
{% endhint %}

### Setting up a Privileged User

Let's proceed to set up a privileged user for our archive.

1. Navigate to **Basic Configuration** > **Local User Accounts**.
2. Click the **Create New Account** button.
3. Enter / Select the required values in the fields. Refer to the table below for field names and descriptions.
4. Review all the values that you have entered / selected and click **Save Changes**.

<mark style="color:green;">The user account will be created and the password for the account will be displayed on the screen.</mark>

### Setting up a Data Guardian User

Now that we've set up a privileged user that can search the entire archive, let's set up a Data Guardian to police those actions.

1. Navigate to **Basic Configuration** > **Data Guardians**.
2. Look for the **Data Guardians** section.
3. Enter / Select the required values in the fields. Refer to the field descriptions below.
4. Click **Add**.
5. Review all the values and click **Save**.

<mark style="color:green;">The data guardian will be created and they will now have access to data guardian features.</mark>

{% tabs %}
{% tab title="Privileged Fields" %}

<table><thead><tr><th width="243.5">Field</th><th>Description</th></tr></thead><tbody><tr><td><strong>Username</strong></td><td>Refers to the unique username of the account. It is recommended that the name is different to a user’s network login id name and you append _admin / _priv / _basic to the username to ensure that it is different to a user’s standard login name, and it also indicates the type of user.</td></tr><tr><td><strong>First Name</strong></td><td>Refers to the first name of the user.</td></tr><tr><td><strong>Last Name</strong></td><td>Refers to the last name of the user.</td></tr><tr><td><strong>Admin Level</strong></td><td>Refers to the type of user being created.</td></tr><tr><td><strong>Account Status</strong></td><td>Specifies whether the account is active or not.</td></tr><tr><td><strong>Last log-in date</strong></td><td>Refers to the date on which the user last logged into the account.</td></tr><tr><td><strong>Account creation date</strong></td><td>Refers to the date on which the account was created.</td></tr><tr><td><strong>Primary Email Address</strong></td><td>Refers to the email address to which all emails, to the user, from Cryoserver will be sent.  This will include reset Password and Forward-to-inbox emails. Once a new account is saved, a random password is assigned and emailed to the new user’s primary email address. 
If Cryoserver is unable to send this email, then the password will be displayed on this screen.</td></tr><tr><td><strong>Authentication type</strong></td><td>Refers to any of the 3 authentication types which the user will be required to fulfill to log into the account</td></tr><tr><td><strong>Searchable Domains</strong></td><td><p>Refers to the domains, to send and receive emails, to which you want to restrict the Privileged user(s).</p><p><mark style="color:yellow;">Leave this field blank for un-restricted searches.</mark></p></td></tr><tr><td><strong>Exclude Addresses</strong></td><td>Refers to the email addresses which you want to prevent from being included in search results. Leave this field blank for un-restricted searches.</td></tr><tr><td><strong>Requires another Priv User/Data Guardian to authorise searches</strong></td><td>Specifies whether the user account needs authorization for searches, from another privileged user or data guardian</td></tr><tr><td><strong>Other Auditors</strong></td><td>Refers to the email addresses, in addition to the data guardians, on which you want to receive summary search transcripts.</td></tr></tbody></table>
{% endtab %}

{% tab title="Data Guardian Fields" %}

| Field                                  | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Transcript reference retain period** | Number of days the details of each email viewed by a Privilege User, and summarised under a transcript reference, will be held in **Cryoserver**. The default is 0 (the transcript reference details will never be deleted). If a value other than 0 is used, then the Data Guardian will not be able to review a Privilege User search that was performed more than that number of days ago.                                                                                                                                |
| **Data Guardians**                     | <p>Email address(es) that will be the data guardians, who will oversee the activities of Administrators and Privilege users. <mark style="color:yellow;">Recommended Data Guardians are:</mark></p><ul><li><mark style="color:yellow;">HR Manager</mark></li><li><mark style="color:yellow;">Compliance Manager/Officer</mark></li><li><mark style="color:yellow;">IT Manager</mark></li><li><mark style="color:yellow;">CEO / Senior staff members</mark></li><li><mark style="color:yellow;">Union Leader</mark></li></ul> |
| **Priv Transcripts**                   | Specifies whether or not the data guardian will receive privileged user transcripts.                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| **Admin Transcripts**                  | Specifies whether or not the data guardian will receive administrator transcripts.                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| **Enable user identity switching**     | Specifies whether or not a data guardian is allowed to switch identity.                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| **Require Password Re-entry**          | Specifies whether or not re-entering a password is required to switch identity. If a password re-entry is needed, then the password of the original login (usually your LDAP Network password) may be entered OR the password of the account you are switching to.                                                                                                                                                                                                                                                           |
| **Auto Logout**                        | Time, in minutes, after which the user will be logged out of their session. This can be set individually for each user type. |

{% endtab %}
{% endtabs %}
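
The rules in the field descriptions above can be checked against an account plan before anything is saved in the admin console. This is an added example, not Cryoserver code or a Cryoserver export format: the plan layout, the `review_plan` function, the `review_window_days` parameter and all sample values are assumptions made for illustration.

```python
# Added example: review a planned account set-up against the rules on this page.
# The plan layout is hypothetical (not a Cryoserver export); sample values are constructed.
SUFFIXES = ("_admin", "_priv", "_basic")  # username suffixes the page recommends


def review_plan(plan, review_window_days):
    """Return findings; review_window_days is the look-back the organisation needs (assumed)."""
    findings = []
    guardians = plan.get("data_guardians", [])
    # At least one data guardian must exist before any local account is added.
    if plan.get("accounts") and not guardians:
        findings.append("no data guardian defined before creating accounts")
    # Each transcript type needs a recipient (9.0.2+ can split them between guardians).
    for kind in ("priv_transcripts", "admin_transcripts"):
        if guardians and not any(g.get(kind) for g in guardians):
            findings.append(f"no guardian receives {kind}")
    # Retain period 0 means never deleted; otherwise older searches cannot be reviewed.
    retain = plan.get("transcript_retain_days", 0)
    if retain != 0 and retain < review_window_days:
        findings.append(f"retain period {retain}d is shorter than review window")
    for acct in plan.get("accounts", []):
        name = acct["username"]
        if not name.endswith(SUFFIXES):
            findings.append(f"{name}: username lacks _admin/_priv/_basic suffix")
        if name.lower() == acct.get("network_login", "").lower():
            findings.append(f"{name}: username matches network login id")
        # Blank Searchable Domains leaves a privileged user unrestricted.
        if acct.get("level") == "privileged" and not acct.get("searchable_domains"):
            findings.append(f"{name}: unrestricted search (no searchable domains)")
    return findings


SAMPLE_PLAN = {  # constructed
    "transcript_retain_days": 30,
    "data_guardians": [
        {"email": "hr.manager@example.com", "priv_transcripts": True, "admin_transcripts": False},
    ],
    "accounts": [
        {"username": "jsmith", "network_login": "jsmith", "level": "privileged",
         "searchable_domains": []},
        {"username": "akhan_priv", "network_login": "akhan", "level": "privileged",
         "searchable_domains": ["example.com"]},
    ],
}

if __name__ == "__main__":
    for finding in review_plan(SAMPLE_PLAN, review_window_days=90):
        print(finding)
```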
