Every user in the Controller (across all Orgs) is associated with a unique email address. A user can be associated with one or more Orgs (tenants).
Local vs SSO Users¶
Users can either be "Local Users" or "SSO Users".
- Local Users: Lifecycle fully managed in the Controller.
- SSO Users: Lifecycle fully managed in the customer's Identity Provider (IdP).
Users can access/view their configured profile.
- Click on the Email Address on the top right
- Select Profile
The user can now view their profile which describes what they are allowed to do on the platform.
In this example, the user has
- Access to All Projects in an Organization
- Has the Role "Organization Admin"
In this example, the user has
- Access to the "Staging" Project
- Has the Role "Project Admin" for the "Staging" Project
The user onboarding workflows are different for Local versus SSO Users. Only "Organization Admins" have the privileges to handle user lifecycle management.
Every user in the Controller is associated with a unique email address. Users in an Org can have email addresses from different domains. This can be critical for Organizations that may
(a) Outsource operational tasks to a 3rd party entity especially for 24x7 coverage.
(b) Be required to provide Read Only access to an external auditor.
An admin of an existing Org can invite a new user to their Org. The new user is sent an email with a "temporary password" and instructions on how to access the Application Console. After logging in with the temporary password, the user will be required to create a new password for their account.
The temporary password is valid only for 72-hours.
Users that will access the Console are managed in the configured Identity Provider (IdP). Follow the documentation for SSO Integration for exact steps.
Users that only need to access the Controller programmatically using the APIs or CLI. This is well suited for CI systems such as Jenkins etc that will use the RCTL CLI to interact with the Controller.
- As an Org Admin, navigate to the Users menu under System
- Create New User
- Ensure "Console Access" is disabled
- Provide a username
To generate and download the "access key and secret" for the machine user, as an Org Admin
- Click on "Manage Keys"
- Copy/Paste the generated access key and secret
- Configure the RCTL CLI and test access to the controller
- Login as Organization Admin into the Console
- Provide the user's email address, first and last name
- Select the "Groups" the user needs to belong to.
By default, all local users belong to the "local users" group. Although access to this group allows the user to login into the Console, they will not have access to any resources.
Manage User Access¶
Logged in as an Organization Admin
- Click on the User
- The user details can be updated if required
- Click on Groups to update the user's group assignments
- Click on Projects to update the user's project assignments
Admins can view and manage the entire list of locally managed users in their Organization.
- In the Console, click on System
- Click on Users
The username column displays the unique email address the user has to use to access the Console and their full name if it was provided during user creation.
This column displays all the Projects the user is authorized to access, the assigned role for the project and the group they belong to.
This column displays the timestamp when the user last accessed the Controller.
A number of actions on the user can be performed. For example, the user can be deleted, user details edited etc.
Once users are created, admins are allowed to deactivate and delete users.
The user will be temporarily blocked from being able to access the Controller via all channels (browser, CLI or REST API). This action is fully reversible by an Organization or Project Admin.
The Organization admin can deactivate a user by removing them from all Projects. In the example below, notice the reference to "No Projects assigned".
When the deactivated user attempts to login, they will be presented with the following message.
The user will be permanently blocked from being able to access the Controller via all channels (browser, CLI or REST API). This action is NOT reversible and the user is permanently removed from the Org.
Deletion or deactivation of a user from one Org does not block the user from accessing other Orgs they are allowed to access.
Administrators can also view the list of users that access the Controller via Single Sign On (SSO). Since these users are managed in the configured Identity Provider, they cannot be removed. However, admins can tune/configure certain aspects of what the SSO user can do.
Admins can configure/tune a specific SSO user's kubeconfig validity. A good example is when temporary access for a certain time period needs to be provided to a specific user. Admins can also require SSO users to have an active, authenticated session with the Console before they can use the downloaded Kubeconfig file.
If required, admins can revoke a SSO user's existing Kubeconfig (e.g. user lost their laptop with the Kubeconfig file). Once revoked, the SSO user can download a new Kubeconfig to become productive again.
Local users are authenticated and authorized by the Console. Authentication of SSO Users is performed by the integrated IdP such as Okta, Ping etc.
All approved users in the Controller are required to create passwords that are a minimum of 8 characters in length.
MultiFactor Authentication (MFA)¶
We support and strong recommend the use of TOTP based MFA Authenticators to secure admin access to the Application and Ops Console. Once Admins enable MFA for their Org, all users in the Org will be required to use MFA. They will be automatically steered into a MFA enrollment workflow the next time they attempt to login.
After a successful login, the user session is valid for 24-hours and will be required to authenticate again.
Administrators can optionally configure and enable a policy to automatically lockout users after "x" consecutive invalid login attempts in the specified time period. The defaults are "5" consecutive, invalid attempts in a 15-min time period.
Self Service Password Reset¶
Users that have forgotten or misplaced their passwords can regain access to their Org via a self-service password reset workflow. They will be sent a password reset link via email (valid for 72-hours) that will allow them to reset their password.
In addition to browser based access to the Console, users can also access the platform via the RCTL CLI and REST APIs. Access to these channels is secured via a combination of "API Keys" and "Secrets".
End users accessing the Controller using SSO cannot access the Controller using API Keys and Secrets.
- API keys are uniquely generated for every user
- Users can have one or many API keys associated with their Identity
- Users can generate new APIs keys at any time.
- Users can also delete API keys anytime.
In order to manage their API Keys, users have to
- Click on "My Tools" and Select"Manage Keys"