Managing users

The user management feature allows you to manage the users within your tenant, that is create users, store user details, or configure login and security options.

Requirements

ROLES & PERMISSIONS:

“User management” permission type:

  • To view users: READ permission
  • To manage (create, edit, delete, disable/enable, delegate, manage permissions) all existing users: ADMIN permission
  • To create users: CREATE permission

“Own user management” permission type (has no influence on user management capabilities):

  • To view the own user: READ permission
  • To edit the own user: ADMIN permission

Note that each user created on the platform can edit its own information by default, regardless of the “Own user management” permissions. The purpose of the “Own user management” permission is to manage specific users created for technical purposes, for example, by microservices, and determine whether such users can be managed by respective services.

On tenant creation, there are default roles available that can be used as a sample configuration for the above mentioned permissions:

  • Global User Manager - Can access and modify the full user hierarchy
  • Shared User Manager - Can create new users as his own subusers and manage them (“feature-user-hierarchy” application subscription required)

Note that when subscribed to the “feature-user-hierachy” application, the CREATE permission allows to manage (display, create, edit, delete, disable/enable, delegate, manage permissions) underlying users. For details see Managing user hierarchies.

For users created via an external authorization server, updating the following settings in Cumulocity will have no effect (will be reset on the next user re-login):

  • user info (login alias, email, first name, last name, telephone)
  • global roles - configurable via SSO access mapping
  • application access - configurable via SSO access mapping
  • inventory roles assignments - configurable via SSO access mapping

Moreover, password reset in Cumulocity is disabled for users created through an external authentication server.

Info
Users which are using single sign-on cannot change the password of users which are managed by the platform.

To view users

To view all users in your tenant, click Users in the Accounts menu in the navigator.

Expanded view

A user list will be displayed, providing the following information for each user:

  • The username that is used to access the tenant.
  • The name and email of the user (if set).
  • The global roles assigned to the user.
  • The strength of the password set for the user

To filter the list by username, you can use the filter field at the left of the top menu bar. With the dropdown list you can filter by global roles. For details on filtering, see Filtering.

In order to apply the selected filters click Apply.

Initially, the User page only shows the top-level users. To see all users in your account at once, click Expand all at the right of the top bar. This will expand all top-level users, showing their sub-users. Click Collapse all to just show the top-level users again. For details on user hierarchies, refer to Managing user hierarchies.

To add a user

  1. Click Add user at the right of the top menu bar.

    Info
    If single sign-on is enabled for your tenant, a message will show up which reminds you that you are about to create a local user which will not be able to login via single sign-on. Create new users in My Cloud instead, accessible through the application switcher in the upper right corner, to enable them using the single sign-on feature.

  2. At the left of the New user window, provide the following information to identify the user:

    Field Description
    Username Serves as a unique user ID to identify the user at the system. Note that the username cannot be changed once the user has been created. This field is mandatory.
    Login alias In addition to the username, an optional alias can be provided to be used to log on. In contrast to the username, this alias may be changed if required. The login alias cannot be the same as the username. Note that the login alias is not supported for devices.
    Status Enable/disable the user account here. If the user account is disabled the user cannot login.
    Email A valid email address. This field is mandatory.
    First name First name of the user.
    Last name Last name of the user.
    Telephone A valid phone number. The phone number is required if the user is configured to use two-factor authentication.
    Owner Another user that manages ("owns") the new user. Select a user from the dropdown list and click Done to confirm. Refer to Managing user hierarchies for details on user hierarchies.
    Delegated by Can be activated to delegate user hierarchies and permissions to the user. Refer to Managing user hierarchies for details on delegation.

    For additional information see User options and settings.

  3. Select the login options for the user.

    • Two-factor authentication (SMS) - if selected, the user will receive a verification code via SMS which is required to complete the authentication. The SMS will be sent to the phone number configured above. For details refer to Two-factor authentication.
    • User must reset password on next login - if selected, you must provide a password which the user must reset on the next login. Enter a password and confirm it. While entering the password, the strength of the password will be checked. See To change your password for further information on password reset and strength.
    • Send password reset link as email - if selected, the user will receive an email message with a link to set a password. The email will be sent to the email address configured above. This option is only available during user creation.

  4. On the right of the page, select the global roles for the user. Details on global roles are described in Managing permissions.

  5. Click Save to save your settings.

The new user will be added to the user list.

Info
By default, manually created users always have the “Own user management” permissions set to active.

To edit a user

  1. Click the menu icon at the right of the respective row and then click Edit. All fields except Username and Send password reset link as email can be changed. For details on the fields, see To add a user.
  2. Click Change password to change the password.
  3. Click Save to apply your settings.

To copy inventory roles

  1. Click the menu icon at the right of the respective row and then click Copy inventory roles from another user.
  2. In the resulting dialog box, select if you want to merge the roles to be copied with the existing user roles (the default) or if you want to replace the existing user roles.
  3. Select the user from which you want to copy roles from the dropdown list.
  4. Click Copy.

The inventory roles will be copied from the selected user.

To delegate/undelegate user hierarchies

Click the menu icon at the right of the respective row and then click Delegate to delegate your user hierarchies and permissions to a user.

Click Undelegate to remove a delegation.

Refer to Managing user hierarchies for details on delegation.

To disable/enable a user

Click the menu icon at the right of the respective row and then click Disable to disable an active user, or click Enable to enable a user that has been disabled.

To delete a user

Click the menu icon at the right of the respective row and then click Delete.

To log out all users

In the event of a security incident involving the session tokens of your tenant’s users, you can invalidate any tokens currently in use.

To log out all users click Log out all users at the right of the top menu bar. This logs out all users currently logged in via OAI-Secure or single sign-on redirect. JWT tokens retrieved by all devices in the current tenant are also invalidated.

Note that, if basic authentication is used, users logged in via base64 token are not logged out.

Requirements
To log out all users, you must have ADMIN permission for the permission type “User management”.