Working with User Accounts
One of an Administrator’s most important tasks is managing access to the resources in your Altinity.Cloud environment. Fortunately, the Altinity Cloud Manager (ACM) makes it easy to work with user accounts.
Account management is vital to keeping your data and applications secure. We cover two specific topics here:
- Creating a User Account
- Defining Login settings for your organization
Beyond these specifics, the Altinity.Cloud Security Guide has a more general discussion of security topics and best practices. We encourage you to take a look; there’s some great material there.
For now, if you’ve got orgadmin access, read on….
Creating a User Account
Users with orgadmin access can manage accounts through the Altinity Cloud Manager. Click the Accounts tab on the left to see the Accounts page:
Figure 1 - The accounts page
From the Accounts page, click the button. You’ll see the Account Details dialog, which has three tabs (four if the new account’s role is envuser):
- Common Information
- Environment Access
- Cluster Access (if the new account’s role is envuser)
- API Access
We’ll cover each of these next.
The Common Information tab
Basic information about the new account is on the Common Information tab.
Figure 2 - The Common Information tab
Field details
Name
The name of the new account.
Email
The email address for the account.
Password
The password for this account. It must be at least 12 characters long, and the two passwords must match. The SAVE button will be disabled until the passwords match and are long enough.
Role
The role for the account. See the Role-Based Access and Security Tiers page for complete details on the available roles.
Suspended
If selected, this account is suspended and no logins will be accepted.
The Environment Access tab
This straightforward tab lets you define which environments are accessible to this account.
Figure 3 - The Environment Access tab
Click the checkboxes for all the environments that should be accessible to this account. The account role determines what actions this account can take with Environments and Clusters.
The Cluster Access tab
This tab only appears if this account has envuser access. This similarly straightforward tab lets you define which clusters are accessible to this account. The only clusters listed here are clusters in the environments you selected on the Environment Access tab.
Figure 4 - The Cluster Access tab
Click the checkboxes for all the clusters that should be accessible to this account. The account will have read, edit, and delete access to the selected clusters.
The API Access tab
Figure 5 - The API Access tab
This tab lets you define the API keys available for this account and the domains allowed to use those keys. Be aware that the API Keys section shown in Figure 5 may not appear for some user roles. For complete details, see the discussion of the API Access tab on the Altinity API Guide page.
Defining Login settings for your organization
You can define login settings for your entire organization. We’ll look at more general settings first, then we’ll look at how to configure an identity provider to manage users.
General login settings
Click the button in Figure 1 to set login properties for all accounts in your organization. You’ll see this dialog, opened to the General tab:
Figure 6 - The General tab of the Login Settings dialog
(We’ll cover the User Sync tab in the section Synchronizing users with an identity provider below.)
The options are:
Opened
If selected, user registration can be performed through the identity provider. In other words, the ACM will automatically create an account for a previously unknown user authenticated through the identity provider. If not selected, this environment is closed and every new user must be created by an Administrator.
Block password logins
If selected, only Auth0 logins will be accepted; a user cannot log in directly with a username and password.
Block API access
If selected, all API access to your Altinity.Cloud account will be blocked.
Allow password for admins
Note: We strongly advise that you not use this option. It allows admins to log in with a password, so the risk of password exposure remains for the most privileged accounts. We recommend that you require Auth0 logins for all users, including admins. If for some reason your identity provider is not available, contact Altinity support so we can restore access for an admin account. (After authenticating whoever is contacting us, of course.)
Enable 2FA for password logins
This option is enabled only if someone is allowed to log in with a password. (In Figure 6 above, no one is allowed to use passwords, so the option is disabled.) Turning on 2FA sends an email to users every time they attempt to log in. First, the user will see this dialog in the ACM:
Figure 7 - The 2FA login message in the ACM
The user will receive an email with a login link, something like this:
Figure 8 - The 2FA login email
Clicking the link in the email logs the user in. As you would expect, this link can only be used once.
Synchronizing users with an identity provider
If you use an identity provider, you can set up your Altinity.Cloud account to create a new Altinity.Cloud account for a previously unknown user who authenticated through your identity provider. If you’re an Okta customer, read on; otherwise you’ll need to contact Altinity support to configure Altinity.Cloud for your provider. If you’re curious about the technical details, see the Auth0 integration page.
Okta customers can automatically create users authenticated by Okta. Click the button as shown in Figure 1 above, then go to the User Sync tab in the dialog:
Figure 9 - The User Sync tab of the Login Settings dialog with no options selected
Initially no options are selected in the dialog as shown in Figure 9. If you select Deny access if not in Okta and/or Enable Okta role sync, the dialog will look like this:
Figure 10 - The User Sync tab of the Login Settings dialog
The options are:
Deny access if not in Okta
If enabled, only users authenticated by Okta are allowed to access your Altinity.Cloud account.
Enable Okta role sync
This option lets you map user roles in Okta to user roles in your Altinity.Cloud account. You define those mappings at the bottom of the panel.
Okta Domain
The domain for your Okta account. Do not include https:// in front of this value, and don’t include .okta.com at the end.
Okta API Token
The API Token generated at Okta.com for your Okta account. The prompt below the entry field contains a link to the Okta documentation for creating API tokens.
Pairing Okta roles and Altinity.Cloud roles
The area at the bottom of the dialog lets you define pairs of roles, one from Okta and one from Altinity.Cloud. Depending on the new user’s role, you can also define which Altinity.Cloud environments they can access.
In Figure 10 above, there are two role pairs: admin is paired with orgadmin, and average_joe is paired with envuser. If a new Altinity.Cloud user is created from an Okta user with the admin role in Okta, they will have the orgadmin role in Altinity.Cloud and will have access to every environment in the account.
The second role pair above creates a new user with the envuser role. Selecting envuser as the paired role displays a list of all the environments in your Altinity.Cloud account. You can select which environments the new user can access. In Figure 10, all new envuser accounts can access the altinity-maddie-tf and altinity-minikube-monday environments.
As you would expect, clicking the button lets you add a new role pair, and clicking the icon deletes one.
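To make the interaction between the General tab’s Opened setting and the User Sync tab’s options concrete, here is an added model of the provisioning decision described above. It is illustration code written for this page, not ACM’s own implementation; the settings object, the `provision` function, the Okta Domain check and the environment names other than those in Figure 10 are assumptions.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the environments that exist in an Altinity.Cloud account.
ALL_ENVIRONMENTS = ["altinity-maddie-tf", "altinity-minikube-monday", "example-prod-eu"]


@dataclass
class LoginSettings:
    """Hypothetical model of the Login Settings dialog described on this page."""
    opened: bool = False                # General tab: auto-create unknown IdP users
    deny_if_not_in_okta: bool = False   # User Sync tab
    enable_okta_role_sync: bool = False  # User Sync tab
    # Role pairs: Okta role -> (Altinity.Cloud role, environments granted to envuser)
    role_pairs: dict = field(default_factory=dict)


def check_okta_domain(value):
    """Enforce the Okta Domain field rule: no https:// prefix, no .okta.com suffix."""
    v = value.strip()
    if v.startswith(("https://", "http://")) or v.endswith(".okta.com") or "/" in v:
        raise ValueError(f"Okta Domain must be the bare tenant name, got {value!r}")
    return v


def provision(settings, known_accounts, login):
    """Decide what happens when a user authenticates through the identity provider.

    login is a dict with keys email, via_okta and okta_role.
    Returns (decision, altinity_role, environments) where decision is
    'login', 'create' or 'deny'.
    """
    # Deny access if not in Okta applies to everyone, known or not.
    if settings.deny_if_not_in_okta and not login["via_okta"]:
        return ("deny", None, [])
    acct = known_accounts.get(login["email"])
    if acct is not None:
        return ("login", acct["role"], list(acct["environments"]))
    # A closed organization never auto-creates accounts; an admin must do it.
    if not settings.opened:
        return ("deny", None, [])
    # Assumption: with no matching role pair there is nothing to create, so deny.
    pair = settings.role_pairs.get(login.get("okta_role")) if settings.enable_okta_role_sync else None
    if pair is None:
        return ("deny", None, [])
    acm_role, envs = pair
    if acm_role == "orgadmin":
        return ("create", "orgadmin", list(ALL_ENVIRONMENTS))  # orgadmin sees every environment
    return ("create", acm_role, list(envs))  # envuser gets only the selected environments
```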