* draft rbac docs
* tweaks
* add a permissions topic
* tweaks
* more changes
* draft permissions topic
* more content on roles
* links
* typo
* more conceptual info
* Optimised images with calibre/image-actions
* more content on roles
* add more x-ref links
* fix links
* more content
* links
* typos
* polishing
* Update website/docs/user-group-role/access-control/permissions.md
  Co-authored-by: Jens L. <jens@goauthentik.io>
  Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
* separate conceptual vs procedural in permissions
* finished groups procedurals
* new page
* added link
* Update website/docs/user-group-role/access-control/permissions.md
  Co-authored-by: Jens L. <jens@goauthentik.io>
  Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
* polish
* edits from PR review
* restructured view section to remove repetition
* rest of edits from PR review
* polished flows and stages
* polish
* typo

---------

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Tana Berry <tana@goauthentik.io>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
Co-authored-by: Jens L. <jens@goauthentik.io>
# Manage users
The following topics are for the basic management of users: how to create, modify, delete or deactivate users, and using a recovery email.
## Create a user

If you want to automate user creation, you can do that either by invitations, the `user_write` stage, or using the API.
- In the Admin interface of your authentik instance, select Directory > Users in the left side menu.
- Select the folder where you want to create a user.
- Click Create (for a default user).
- Fill in the required fields:
  - Username: This value must be unique across your user folders.
  - Path: The path where the user will be created. It is automatically populated with the folder you selected in the previous step.
- Fill in the optional fields if needed:
  - Name: The display name of the user.
  - Email: The email address of the user. Email addresses are used in email stages and to receive notifications, if configured.
  - Is active: Defines whether the newly created user account is active. Selected by default.
  - Attributes: Custom attribute definitions for the user, in YAML or JSON format. These attributes can be used to enforce additional prompts on authentication stages or to define conditions that enforce specific policies if the current implementation does not fit your use case. The value is an empty dictionary by default.
- Click Create.

You should see a confirmation pop-up at the top-right of the screen that the user has been created, and the new user appears in the user list. You can click the username directly if you want to modify the user.
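Creating a user through the API rather than the Admin interface, as an added example that is not part of the authentik docs or code base: the payload applies the required and optional fields listed above (Username and Path required; Name, Email, Is active and Attributes optional, with Attributes defaulting to an empty dictionary). The `/api/v3/core/users/` endpoint, the bearer-token header and the `users` default path are assumptions to check against your instance's API schema.

```python
import json
import urllib.request
from typing import Any, Dict, Optional, Union

USERS_ENDPOINT = "/api/v3/core/users/"  # assumed authentik v3 API path
DEFAULT_PATH = "users"  # assumed default user folder when none is selected


def build_user_payload(username: str, path: str = DEFAULT_PATH, *,
                       name: Optional[str] = None, email: Optional[str] = None,
                       is_active: bool = True,
                       attributes: Union[Dict[str, Any], str, None] = None) -> Dict[str, Any]:
    """Apply the Create form's rules and return the JSON body for the API.

    Username and Path are required; Name, Email, Is active and Attributes are
    optional. Attributes may be a dict or a JSON string and default to {}.
    """
    username = (username or "").strip()
    if not username:
        raise ValueError("Username is required (and must be unique across folders)")
    if not path:
        raise ValueError("Path is required")
    if attributes is None:
        attributes = {}
    elif isinstance(attributes, str):
        attributes = json.loads(attributes)  # YAML input would need a YAML parser
    if not isinstance(attributes, dict):
        raise ValueError("Attributes must be a mapping")
    payload: Dict[str, Any] = {
        "username": username,
        "name": name or username,  # display name; falls back to the username here
        "path": path,
        "is_active": is_active,
        "attributes": attributes,
    }
    if email:
        payload["email"] = email
    return payload


def create_user(base_url: str, token: str, payload: Dict[str, Any]) -> Dict[str, Any]:
    """POST the payload with an API token; returns the created user object."""
    req = urllib.request.Request(
        base_url.rstrip("/") + USERS_ENDPOINT,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:  # HTTP 201 on success
        return json.load(resp)
```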
## View user details
In the Directory > Users menu of the Admin interface, you can browse all the users in your authentik instance.
To view details about a specific user:
- In the list of all users, click the name of the user you want to check. This takes you to the Overview tab, with basic information about the user and quick access to basic actions for that user.
- To see further details, click any of the other tabs:
  - Session shows the active sessions established by the user. If needed, you can clean up the connected devices for a user by selecting the device(s) and then clicking Delete. This forces the user to authenticate again on the deleted devices.
  - Groups allows you to manage the group membership of the user. You can find more details on groups.
  - User events displays all the events generated by the user during a session, such as login, logout, application authorisation, password reset, user info update, etc.
  - Explicit consent lists all the permissions the user has given explicitly to an application. Entries only appear if the user has completed an explicit consent flow in an OAuth2 provider. If you want to delete the explicit consent (because the application requires new permissions, or the user has explicitly asked to reset their consent for third-party apps), select the applications and click Delete. The user will be asked to give explicit consent again to share information with the application.
  - OAuth Refresh Tokens lists all the OAuth tokens currently issued. You can remove the tokens by selecting the applications and then clicking Delete.
  - MFA Authenticators shows all the authenticators that the user has registered to their user profile. You can remove an authenticator if the user has lost it and wants to enroll a new one.
## Modify a user
After the creation of the user, you can edit any parameter defined during the creation.
To modify a user object, go to Directory > Users, and click the edit icon beside the name. You can also go into user details, and click Edit.
## Assign, modify, or remove permissions for a user
You can grant a user specific global or object-level permissions. Alternatively, you can add a user to a group that has the appropriate permissions, and the user inherits all of the group's permissions.
For more information, review "Permissions".
## Add a user to a group
- To add a user to a group, navigate to Directory > Users to display all users.
- Click the name of the user to display the full user details page.
- Click the Groups tab, and then click either Add to existing group or Add to new group.
## User credentials recovery
If a user has lost their credentials, there are several options.
### Email them a recovery link
- In the Admin interface, navigate to Directory > Users to display all users.
- Either click the name of the user to display the full User details page, or click the chevron (the › symbol) beside their name to expand the options.
- To generate a recovery link, which you can then copy and paste into an email, click View recovery link.
A pop-up will appear on your browser with the link for you to copy and to send to the user.
### Automate email to a user

You can use our automated email to send a link with the URL for the user to reset their password. This option only works if you have properly configured an SMTP server during the installation and set an email address for the user.

- In the Admin interface, navigate to Directory > Users to display all users.
- Either click the name of the user to display the full User details page, or click the chevron beside their name to expand the options.
- To send the automated email to the user, click Email recovery link.
If the user does not receive the email, check if the mail server parameters are properly configured.
### Reset the password for the user
As an Admin, you can simply reset the password for the user.
- In the Admin interface, navigate to Directory > Users to display all users.
- Either click the name of the user to display the full User details page, or click the chevron beside their name to expand the options.
- To reset the user's password, click Reset password, and then define the new value.
## Deactivate or delete a user
To deactivate a user:
- Go into the user list or detail, and click Deactivate.
- Review the changes and click Update.
The user's active sessions are revoked and the user can no longer authenticate. You can reactivate the account by following the same procedure.
To delete a user:
:::caution
This deletion is not reversible, so be sure you do not need to recover any identity data of the user. You may instead deactivate the account to preserve identity data.
:::
- Go into the user list and select one (or multiple users) to delete and click Delete on the top-right of the page.
- Review the changes and click Delete.
The user list refreshes and no longer displays the removed users.