User Management
PRO Feature
Multi-user support requires a PRO tier license.
Manage multiple users with role-based access control for your CertifyClouds deployment.
Overview
PRO tier enables multi-user support with:
- Multiple user accounts
- Role-based access control
- SSO auto-provisioning
- Account security features
User Roles
CertifyClouds supports two roles:
| Role | Permissions |
|---|---|
| Admin | Full access to all features and settings |
| User | View access to assets, compliance, alerts; cannot modify settings |
Permission Matrix
| Feature | Admin | User |
|---|---|---|
| View dashboard | ||
| View assets | ||
| Run discovery scans | ||
| View compliance | ||
| View alerts | ||
| Configure alert rules | ||
| Run rotation (PRO) | ||
| Configure sync (PRO) | ||
| Manage subscriptions | ||
| Manage users | ||
| Configure SSO | ||
| View audit logs | ||
| System settings |
Managing Users
Create User
- Go to Settings → Users
- Click Add User
- Enter:
  - Username: Unique identifier
  - Email: User's email address
  - Password: Initial password (must change on first login)
  - Role: Admin or User
- Click Create
Edit User
- Go to Settings → Users
- Click the edit icon on a user
- Modify:
  - Email address
  - Role
  - Account status (enabled/disabled)
- Click Save
Delete User
- Go to Settings → Users
- Click the delete icon on a user
- Confirm deletion
Warning
Deleting a user cannot be undone. Consider disabling the account instead.
Reset Password
- Go to Settings → Users
- Click on a user
- Click Reset Password
- Generate or enter new password
- Share with user securely
SSO User Provisioning
When SSO is configured, users can be auto-provisioned on first login.
Configure Auto-Provisioning
- Go to Settings → SSO Configuration
- Enable Auto-create users
- Set Default role for new SSO users
- Save
How It Works
- User clicks "Sign in with SSO"
- Authenticates with identity provider
- If user doesn't exist and auto-create is enabled:
  - New account created with SSO identity
  - Default role assigned
  - User logged in
- If user exists:
  - Existing account linked to SSO
  - User logged in
SSO-Only Mode
Disable local password authentication:
- Go to Settings → SSO Configuration
- Enable SSO-only mode
- Save
Warning
Keep at least one admin account with local auth until SSO is fully tested.
Account Security
Password Requirements
Passwords for local accounts must meet the following requirements:
- Minimum 12 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one number
- At least one special character
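The following is an added example, not CertifyClouds code: it generates a random initial password that satisfies the requirements listed above and checks a password locally before it is placed in a `POST /auth/users` body. The function names are hypothetical, and treating "special character" as any ASCII punctuation is an assumption.

```python
import json
import secrets
import string

# Policy from the "Password Requirements" list above. Treating "special
# character" as any ASCII punctuation is an assumption of this example.
MIN_LENGTH = 12
CLASSES = {
    "uppercase letter": string.ascii_uppercase,
    "lowercase letter": string.ascii_lowercase,
    "number": string.digits,
    "special character": string.punctuation,
}

def unmet_requirements(password):
    """Return the policy requirements the password fails (empty list = OK)."""
    unmet = []
    if len(password) < MIN_LENGTH:
        unmet.append(f"minimum {MIN_LENGTH} characters")
    for name, alphabet in CLASSES.items():
        if not any(ch in alphabet for ch in password):
            unmet.append(f"at least one {name}")
    return unmet

def generate_initial_password(length=20):
    """Random initial password from the OS CSPRNG that satisfies the policy."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    rng = secrets.SystemRandom()
    # One guaranteed character per class, the rest from the full alphabet.
    chars = [rng.choice(alphabet) for alphabet in CLASSES.values()]
    everything = "".join(CLASSES.values())
    chars += [rng.choice(everything) for _ in range(length - len(chars))]
    rng.shuffle(chars)  # guaranteed characters must not sit at fixed positions
    return "".join(chars)

def create_user_body(username, email, role="user", password=None):
    """JSON body for POST /auth/users; rejects non-compliant input locally."""
    password = password or generate_initial_password()
    problems = unmet_requirements(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    if role not in ("admin", "user"):
        raise ValueError("role must be 'admin' or 'user'")
    return json.dumps({"username": username, "email": email,
                       "password": password, "role": role})

if __name__ == "__main__":
    print(unmet_requirements("Summer2024"))  # constructed weak sample
```

The role defaults to `user`, in line with the least-privilege recommendation under Best Practices.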
Account Lockout
After repeated failed login attempts, the account is locked:
| Setting | Default |
|---|---|
| Lockout threshold | 5 failed attempts |
| Lockout duration | 15 minutes |
Unlock Account
Admins can manually unlock accounts:
- Go to Settings → Users
- Find the locked user
- Click Unlock Account
Session Management
| Setting | Default | Description |
|---|---|---|
| Session duration | 8 hours | Maximum session length |
| Idle timeout | 60 minutes | Logout after inactivity |
Audit Trail
All user-related actions are logged:
- User created/modified/deleted
- Login attempts (success/failure)
- Password changes
- Role changes
- Account locks/unlocks
View these events in the Audit tab, or filter by user.
Best Practices
Initial Setup
- Create individual accounts - Don't share admin credentials
- Use SSO - Integrate with corporate identity for better security
- Least privilege - Assign User role unless Admin is needed
Ongoing Management
- Regular reviews - Audit user list quarterly
- Disable inactive - Disable accounts for departed team members
- Monitor logins - Review audit logs for unusual activity
Security
- Enable MFA - Use SSO with MFA enforcement
- Strong passwords - Enforce complexity requirements
- Session limits - Configure appropriate timeouts
API Reference
List Users
Create User
```http
POST /auth/users
Content-Type: application/json

{
  "username": "jsmith",
  "email": "jsmith@company.com",
  "password": "SecurePassword123!",
  "role": "user"
}
```
Update User
```http
PUT /auth/users/{user_id}
Content-Type: application/json

{
  "email": "john.smith@company.com",
  "role": "admin"
}
```