User and group management controls access and permissions in Itential Cloud. Use these tools to configure security settings and manage identity for your organization.
Users
To view and manage users, select Administration → Users from the sidebar.
The users table shows all user accounts in your Itential Cloud account. Each user belongs to an identity provider, which handles authentication. All Itential Cloud accounts include a built-in identity provider called Local. If you have single sign-on (SSO) configured, additional identity providers appear in the list.
The users table includes the following columns:
- Source: The identity provider that manages the user. Local indicates the built-in identity provider.
- Verified: Applies only to Local identity provider users.
  - Unverified: The user received an invitation but hasn't signed in yet.
  - Verified: The user has signed in at least once and verified their identity.
Add a new user
You can only add new users to a Local source. If you are using SSO, you must manage users through your identity provider. To add a new user in Cloud:
- Click + New User.
- Enter the user's first name, last name, and e-mail address.
- Click Add to add the user, or Cancel to back out.
Edit user account settings
To edit the settings for an existing Itential Cloud user:
- Locate the desired user account in the Users table.
- Click the row of the user account, or select Edit from the More (⋮) menu. This will take you to the user's account details. From this page you can:
  - Change the groups the user belongs to by toggling the group switches.
  - Edit details about the user by selecting Edit from the More (⋮) menu.
- Click Save to save your changes.
Reset a user's password
To reset the password for a user account from the local identity provider:
- Select Reset Password from the More (⋮) menu on either the user list page, or the user details page. An e-mail containing a link to reset the account password will be sent to the e-mail address associated with the account.
Password resets for accounts that are managed by an SSO identity provider must be done through the identity provider.
Remove a user
The impact of removing a user from Itential Cloud depends on the identity provider that manages that user account.
If you remove a user managed by the Local provider, that user is permanently deleted from your Cloud account and will not be able to log in.
If you remove a user managed by an SSO provider, that user will be removed from your account, but they will still exist in your SSO provider. If you do not set up specific rules for blocking that user, they will be allowed to access their Itential Cloud account the next time they try to log in via the SSO identity provider.
To remove a user account from Itential Cloud:
- Select Remove User from the More (⋮) menu on either the user account list page, or the user details page.
Groups
Permissions are granted to Itential Cloud user accounts and Service Accounts via membership in groups. A group contains a collection of roles in which each role corresponds to a permission. A user account or Service Account that is associated with a group inherits any permissions granted by the roles assigned to that group.
To view and manage groups, select Administration → Groups from the portal sidebar.
Default groups
Every Itential Cloud account comes with the built-in admins and users groups.
Group | Description |
---|---|
admins | By default, this group is configured to have all possible roles assigned to it. You must be careful about which users you assign to this group because they will have full permissions. |
users | By default, this group is configured with read-only roles assigned to it. |
While Itential Cloud provides these built-in groups, you are free to modify or delete them to suit your organizational security needs.
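An access review that applies this page's rules (group membership grants roles, a removed SSO user can sign in again unless the identity provider blocks them, and Local invitations stay Unverified until first sign-in), as an added example that is not Itential code. The record layout, role names, e-mail addresses and the corp-sso source are constructed for illustration and are not an Itential Cloud export format or API.

```python
# Added example. Everything here is constructed: the record layout, role names,
# e-mail addresses and the "corp-sso" source are assumptions, not an Itential format.
ALL_ROLES = {"app.read", "app.write", "env.prod.deploy", "admin.users"}
GROUPS = {
    "admins": {"roles": set(ALL_ROLES),
               "members": {"ana@example.com", "raj@example.com"}},
    "users": {"roles": {"app.read"},
              "members": {"ana@example.com", "li@example.com", "sam@example.com"}},
    "prod-ops": {"roles": {"app.read", "env.prod.deploy"},
                 "members": {"li@example.com"}},
}
USERS = {  # verified is only meaningful for the Local source
    "ana@example.com": {"source": "Local", "verified": True},
    "raj@example.com": {"source": "corp-sso", "verified": None},
    "li@example.com": {"source": "Local", "verified": False},
    "sam@example.com": {"source": "Local", "verified": True},
}
# Accounts removed from Cloud during offboarding, keyed to the source they had.
REMOVED = {"kim@example.com": "corp-sso", "joe@example.com": "Local"}


def effective_roles(user, groups):
    """Union of the roles of every group the user is a member of."""
    roles = set()
    for group in groups.values():
        if user in group["members"]:
            roles |= group["roles"]
    return roles


def review(users, groups, removed, all_roles):
    """Return (account, finding) pairs for an access review."""
    findings = []
    for email, info in sorted(users.items()):
        roles = effective_roles(email, groups)
        if roles >= all_roles:
            findings.append((email, "full-permissions"))
        # Invitation not yet accepted, but roles are already waiting for it.
        if info["source"] == "Local" and info["verified"] is False and roles:
            findings.append((email, "unverified-with-roles"))
    for email, source in sorted(removed.items()):
        # A removed Local account is deleted; a removed SSO account can sign
        # in again unless the identity provider blocks it.
        if source != "Local":
            findings.append((email, "sso-removed-block-at-idp"))
    return findings


if __name__ == "__main__":
    for account, finding in review(USERS, GROUPS, REMOVED, ALL_ROLES):
        print(f"{finding:26} {account}")
```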
Create a new group
To create a new group from the Groups page:
- Click + New Group on the Groups page.
- Enter a name for the group, and an optional description.
- Click the Create button to create the group, or Cancel to back out.
Newly created groups have no user accounts, Service Accounts, or roles assigned to them.
Edit a group
To edit an existing group from the Groups page:
- Locate the desired group in the Groups page.
- Click the row of the desired group, or select Edit from the More (⋮) menu.
This will take you to the details page for that group. The specific actions that can be taken from the Group Settings window are described below.
Assign users to a group
To assign members to a group:
- Locate the desired group in the Groups page.
- Click the row of the desired group, or select Edit from the More (⋮) menu.
- In the Group Settings window, click the Members tab.
- Select the checkbox of the desired user accounts.
- Click the Save button to save the changes, or click the Groups breadcrumb to back out.
Associating Service Accounts with groups is done through Service Accounts configuration.
Assign roles to a group
To select which roles are assigned to the group:
- Locate the desired group in the Groups page.
- Click the row of the desired group, or select Edit from the More (⋮) menu.
- In the Group Settings window, click the Roles tab. By default, all roles that are available across the different applications and environments available to your Itential Cloud account are displayed. If you want to show only those roles for a specific application, select the application name from the drop-down.
- Select the checkbox of the desired roles.
- Click the Save button to save the changes, or click the Groups breadcrumb to back out.
Delete a group
To delete a group from the Groups page:
- Locate the desired group in the Groups page.
- Click the row of the desired group, or select Delete Group from the More (⋮) menu.
⚠ Deleting a group is permanent and you cannot undo the operation.
Common tasks quick reference
Here's a quick reference for common user and group management tasks in Cloud.
I want to... | Here's how |
---|---|
Add a new team member | Administration → Users → New User → Enter user details → Add |
Grant someone access to a production environment | Find user in table → Add to production group → Save |
Temporarily suspend access | Administration → Users → Select user row in the table → More (⋮) → Disable User |
Remove inactive or departed employee | Administration → Users → More (⋮) → Remove User |
Create access template | Administration → Groups → New Group → Enter group details → Save → Select group in row → Under Members, select users → Under Roles, select roles → Save |
Bulk assign permissions | Administration → Users → Select user from table row → Toggle all groups on → Save |