User management
Viewing / Updating a User
An admin is able to view and update certain attributes of a user through the Cloudentity UI or through API calls. Learn more from the User Service API Documentation.
Creation
Using the UI, the admin is presented with a few basic fields:
- First and Last Names
- Unverified Identifiers: the admin can add emails and mobile numbers, but they will remain unverified until the owner of that Identifier responds with the appropriate code
- MFA Method: this can be changed by the admin at any time. The user may or may not be able to change their MFA method based on entitlements and policies.
- OTP Method: How to verify the user for password resets
- Status: Users may be created active or inactive. An activation link is sent to the uid / identifier attribute value (which must be a valid email address) of an inactive user upon creation.
- Identifier: A unique identifier for this user
- Additional Demographics: Optionally the system may collect Gender, Date of birth, Address, City, Postal code, Country, Locale (e.g. en_US) and Locality (e.g. Country or Region)
Activation/Deactivation
By default, self-registered users are set to an Inactive state until they verify their identifier (email or mobile). A one-time identifier is provided as an embedded link to the UI where the user sets a password and completes activation. While a user may also be activated directly by an admin using the Cloudentity UI or through an API call, it is important to understand that functionality may still be limited based on the verification of the user identifier.
A user may also be deactivated by an admin through the UI or API and certain policies may be constructed to automatically deactivate a user. Upon successful deactivation, all of the user’s active sessions and any pending verification codes are immediately invalidated.
Deletion
While it is generally recommended to simply deactivate a user, an admin is able to delete a user through the UI or an API call. Upon successful deletion, all of the user’s active sessions are immediately invalidated, and the user record is removed completely from the data store.
Additional Functionality
The UI and API provide additional features including managing the following:
- Add Email/Mobile
- Deactivate User
- Remove user lock
- Add access to organization
- Remove access from organization
- Revoke entitlement
- Grant entitlement group
- Revoke entitlement group
- Grant permission
- Revoke permission
- Reset password
- Reset auth secret
- Remove all trusted devices
- Delete User
Entitlements and Groups
Admins can use the UI to easily add and remove Entitlements and Entitlement Groups by scrolling down the user edit panel.
Bulk updates can be deployed using the User Service API.