Working with User Accounts

Managing users and their roles and permissions

One of an Administrator’s most important tasks is managing access to the resources in your Altinity.Cloud environment. Fortunately, the Altinity Cloud Manager (ACM) makes it easy to work with user accounts.

Account management is vital to keeping your data and applications secure. We cover two specific topics here:

Beyond these specifics, the Altinity.Cloud Security Guide has a more generate discussion of security topics and best practices. We encourage you ta take a look; there’s some great material there.

For now, if you’ve got orgadmin access, read on….

Creating a User Account

Users with orgadmin access can manage accounts through the Altinity Cloud Manager. Click the Accounts tab on the left to see the Accounts page:

The accounts page

Figure 1 - The accounts page

From the Accounts page, click the button. You’ll see the Account Details dialog, which has three tabs (or maybe four):

We’ll cover each of these next.

The Common Information tab

Basic information about the new account is on the Common Information tab.

The Common Information tab

Figure 2 - The Common Information tab

Field details

Name

The name of the new account.

Email

The email for the account.

Password

The password for this account. It must be at least 12 characters long, and the two passwords must match. The SAVE button will be disabled until the passwords match and are long enough.

Role

The role for the account. See the Role-Based Access and Security Tiers page for complete details on the available roles.

Suspended

If selected, this account is suspended and no logins will be accepted.

The Environment Access tab

This straightforward tab lets you define which environments are accessible to this account.

The Environment Access tab

Figure 3 - The Environment Access tab

Click the checkboxes for all the environments that should be accessible to this account. The account role determines what actions this account can take with Environments and Clusters.

The Cluster Access tab

This tab only appears if this account has envuser access. This similarly straightforward tab lets you define which clusters are accessible to this account. The only clusters listed here are clusters in the environments you selected on the Environment Access tab.

The Cluster Access tab

Figure 4 - The Cluster Access tab

Click the checkboxes for all the clusters that should be accessible to this account. The account will have read, edit, and delete access to the selected clusters.

The API Access tab

The API Access tab

Figure 5 - The API Access tab

This tab lets you define the API keys available for this account and the domains allowed to use those keys. Be aware that the API Keys section shown in Figure 5 may not appear for some user roles. For complete details, see the discussion of the API Access tab on the Altinity API Guide page.

Defining Login settings for your organization

You can define login settings for your entire organization. We’ll look at more general settings first, then we’ll look at how to configure an identity provider to manage users.

General login settings

Click the button in Figure 1 to set login properties for all accounts in your organization. You’ll see this dialog, opened to the General tab:

The General tab of the Login Settings dialog

Figure 6 - The General tab of the Login Settings dialog

(We’ll cover the User Sync tab below in the section Configure automatic user registration below).

The options are:

Opened

If selected, user registration can be performed through the identity provider. In other words, the ACM will automatically create an account for a previously unknown user authenticated through the identity provider. If not selected, this environment is closed and every new user must be created by an Administrator.

Block password logins

If selected, only Auth0 logins will be accepted; a user cannot log in directly with a username and password.

Block API access

If selected, all API access to your Altinity.Cloud account will be blocked.

Allow password for admins

Note: We strongly advise that you not use this option. This allows admins to log in with a password, which fails to stop the exposure of passwords. We recommend that you require Auth0 logins for all users, including admins. If for some reason your identity provider is not available, contact Altinity support so we can restore access for an admin account. (After authenticating whoever is contacting us, of course.)

Enable 2FA for password logins

This option is enabled if anyone is allowed to log in with a password. (In Figure 2 above, no one is allowed to use passwords, so the option is disabled.) Turning on 2FA sends an email to users every time they ask to log in. First of all, the user will see this dialog in the ACM:

The 2FA login message

Figure 7 - The 2FA login message in the ACM

The user will receive an email with a login link, something like this:

The 2FA login email

Figure 8 - The 2FA login email

Clicking the link in the email logs the user in. As you would expect, this link can only be used once.

Synchronizing users with an identity provider

If you use an identity provider, you can set up your Altinity.Cloud account to create a new Altinity.Cloud account for a previously unknown user who authenticated through your identity provider. If you’re an Okta customer, read on; otherwise you’ll need to contact Altinity support to configure Altinity.Cloud for your provider. If you’re curious about the technical details, see the Auth0 integration page.

Okta customers can automatically create users authenticated by Okta. Click the button as shown in Figure 1 above, then go to the User Sync tab in the dialog:

The User Sync tab of the Login Settings dialog with no options selected

Figure 9 - The User Sync tab of the Login Settings dialog with no options selected

Initially no options are selected in the dialog as shown in Figure 9. If you select Deny access if not in Okta and/or Enable Okta role sync, the dialog will look like this:

The User Sync tab of the Login Settings dialog

Figure 10 - The User Sync tab of the Login Settings dialog

The options are:

Deny access if not in Okta

If enabled, only users authenticated by Okta are allowed to access your Altinity.Cloud account.

Enable Okta user sync

This option lets you map user roles in Okta to user roles in your Altinity.Cloud account. You define those mappings at the bottom of the panel.

Okta Domain

The domain for your Okta account. Do not include https:// in front of this value, and don’t include .okta.com at the end.

Okta API Token

The API Token generated at Okta.com for your Okta account. The prompt below the entry field contains a link to the Okta documentation for creating API tokens.

Pairing Okta roles and Altinity.Cloud roles

The area at the bottom of the dialog lets you define pairs of roles, one from Okta roles and one from Altinity.Cloud. Depending on the new user’s role, you can also define which Altinity.Cloud environments they can access.

In Figure 10 above, there are two role pairs: admin is paired with orgadmin, and average_joe is paired with envuser. if a new Altinity.Cloud user is created from an Okta user with the admin in Okta, they will have the orgadmin role in Altinity.Cloud and will have access to every environment in the account.

The second role pair above creates a new user with the envuser role. Selecting envuser as the paired role displays a list of all the environments in your Altinity.Cloud account. You can select which environments the new user can access. If Figure 10, all new envuser accounts can access the altinity-maddie-tf and altinity-minikube-monday environments.

As you would expect, clicking the button lets you add a new role pair, and clicking the icon deletes one.