Skip to content



Every user in the Controller (across all Orgs) is associated with a unique email address. A user can be associated with one or more Orgs (tenants).

Local vs SSO Users

Users can either be "Local Users" or "SSO Users".

  • Local Users: Lifecycle fully managed in the Controller.
  • SSO Users: Lifecycle fully managed in the customer's Identity Provider (IdP).

User Profile

Users can access/view their configured profile.

  • Click on the Email Address on the top right
  • Select Profile

Access User Profile

The user can now view their profile which describes what they are allowed to do on the platform.

Example 1

In this example, the user has

  • Access to All Projects in an Organization
  • Has the Role "Organization Admin"

View User Profile

Example 2

In this example, the user has

  • Access to the "Staging" Project
  • Has the Role "Project Admin" for the "Staging" Project

View User Profile

Onboarding Users

The user onboarding workflows are different for Local versus SSO Users. Only "Organization Admins" have the privileges to handle user lifecycle management.

Local Users

Every user in the Controller is associated with a unique email address. Users in an Org can have email addresses from different domains. This can be critical for Organizations that may

(a) Outsource operational tasks to a 3rd party entity especially for 24x7 coverage.

(b) Be required to provide Read Only access to an external auditor.

An admin of an existing Org can invite a new user to their Org. The new user is sent an email with a "temporary password" and instructions on how to access the Application Console. After logging in with the temporary password, the user will be required to create a new password for their account.

The temporary password is valid only for 72-hours.

SSO Users

Users that will access the Console are managed in the configured Identity Provider (IdP). Follow the documentation for SSO Integration for exact steps.

Machine Users

Users that only need to access the Controller programmatically using the APIs or CLI. This is well suited for CI systems such as Jenkins etc that will use the RCTL CLI to interact with the Controller.

  • As an Org Admin, navigate to the Users menu under System
  • Create New User
  • Ensure "Console Access" is disabled
  • Provide a username

Create Machine User

To generate and download the "access key and secret" for the machine user, as an Org Admin

  • Click on "Manage Keys"
  • Copy/Paste the generated access key and secret
  • Configure the RCTL CLI and test access to the controller

Create User

  • Login as Organization Admin into the Console
  • Provide the user's email address, first and last name
  • Select the "Groups" the user needs to belong to.

By default, all local users belong to the "local users" group. Although access to this group allows the user to login into the Console, they will not have access to any resources.

Create User

Manage User Access

Logged in as an Organization Admin

  • Click on the User
  • The user details can be updated if required
  • Click on Groups to update the user's group assignments
  • Click on Projects to update the user's project assignments

View User Details

Admins can view and manage the entire list of locally managed users in their Organization.

  • In the Console, click on System
  • Click on Users

View All Users


The username column displays the unique email address the user has to use to access the Console and their full name if it was provided during user creation.


This column displays all the Projects the user is authorized to access, the assigned role for the project and the group they belong to.

Last Access

This column displays the timestamp when the user last accessed the Controller.


A number of actions on the user can be performed. For example, the user can be deleted, user details edited etc.

Offboarding Users

Once users are created, admins are allowed to deactivate and delete users.

Deactivate User

The user will be temporarily blocked from being able to access the Controller via all channels (browser, CLI or REST API). This action is fully reversible by an Organization or Project Admin.

The Organization admin can deactivate a user by removing them from all Projects. In the example below, notice the reference to "No Projects assigned".

Deactivated User

When the deactivated user attempts to login, they will be presented with the following message.

Deactivated User

Delete User

The user will be permanently blocked from being able to access the Controller via all channels (browser, CLI or REST API). This action is NOT reversible and the user is permanently removed from the Org.


Deletion or deactivation of a user from one Org does not block the user from accessing other Orgs they are allowed to access.

SSO Users

Administrators can also view the list of users that access the Controller via Single Sign On (SSO). Since these users are managed in the configured Identity Provider, they cannot be removed. However, admins can tune/configure certain aspects of what the SSO user can do.

IdP Users

Kubeconfig Settings

Admins can configure/tune a specific SSO user's kubeconfig validity. A good example is when temporary access for a certain time period needs to be provided to a specific user. Admins can also require SSO users to have an active, authenticated session with the Console before they can use the downloaded Kubeconfig file.

IdP User Kubeconfig Settings

Revoke Kubeconfig

If required, admins can revoke a SSO user's existing Kubeconfig (e.g. user lost their laptop with the Kubeconfig file). Once revoked, the SSO user can download a new Kubeconfig to become productive again.

IdP User Revoke Kubeconfig


Local users are authenticated and authorized by the Console. Authentication of SSO Users is performed by the integrated IdP such as Okta, Ping etc.

Password Complexity

All approved users in the Controller are required to create passwords that are a minimum of 8 characters in length.

MultiFactor Authentication (MFA)

We support and strong recommend the use of TOTP based MFA Authenticators to secure admin access to the Application and Ops Console. Once Admins enable MFA for their Org, all users in the Org will be required to use MFA. They will be automatically steered into a MFA enrollment workflow the next time they attempt to login.

Session Expiration

After a successful login, the user session is valid for 24-hours and will be required to authenticate again.

Auto Lockout

Org Admins can optionally configure and enable an Org wide policy to automatically lockout users after "x" consecutive invalid login attempts in the specified time period. The defaults are "5" consecutive, invalid attempts in a 15-min time period.

Auto Lockout Policy

Auto Logout

Org Admins can optionally configure and enable an Org wide policy to automatically logout users after "x" minutes (default of 60-minutes) of no activity.

Auto Logout Policy

Self Service Password Reset

Users that have forgotten or misplaced their passwords can regain access to their Org via a self-service password reset workflow. They will be sent a password reset link via email (valid for 72-hours) that will allow them to reset their password.

API Keys

In addition to browser based access to the Console, users can also access the platform via the RCTL CLI and REST APIs. Access to these channels is secured via a combination of "API Keys" and "Secrets".

  • API keys are uniquely generated for every user
  • Users can have one or many API keys associated with their Identity
  • Users can generate new APIs keys at any time.
  • Users can also delete API keys anytime.

In order to manage their API Keys, users have to

  • Click on "My Tools" and Select"Manage Keys"

Manage Keys