
User Management

PRO + ENTERPRISE Feature

Multi-user support requires a PRO or ENTERPRISE tier license.

Manage multiple users with role-based access control for your CertifyClouds deployment.


Overview

PRO tier enables multi-user support with:

  • Multiple user accounts
  • Role-based access control
  • SSO auto-provisioning
  • Account security features

User Roles

CertifyClouds supports two roles:

Role    Permissions
Admin   Full access to all features and settings
User    View access to assets, compliance, alerts; cannot modify settings

Permission Matrix

Feature                                        Admin   User
View dashboard                                 Yes     Yes
View assets                                    Yes     Yes
Run asset discovery scans                      Yes     Yes
View compliance                                Yes     Yes
View alerts                                    Yes     Yes
View dependencies / blast radius               Yes     Yes
View audit logs                                Yes     Yes
Configure alert rules                          Yes     No
Map dependencies (PRO + ENTERPRISE)            Yes     No
Verify dependencies (PRO + ENTERPRISE)         Yes     No
Run rotation (PRO + ENTERPRISE)                Yes     No
Run full-stack rotation (PRO + ENTERPRISE)     Yes     No
Configure sync (PRO + ENTERPRISE)              Yes     No
Manage subscriptions                           Yes     No
Manage users                                   Yes     No
Configure SSO                                  Yes     No
System settings                                Yes     No

Credential-modifying actions require Admin

Any action that changes a credential or the data driving a rotation - rotation, full-stack rotation, dependency mapping/verification, and multi-cloud sync - requires the Admin role. Users have full read access (dashboards, assets, compliance, alerts, dependency blast-radius, audit logs) and can run asset discovery scans, but cannot perform write or destructive operations.
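The matrix above is a deny-by-default policy: a role is granted exactly the listed actions and nothing else. The following is an added example (not CertifyClouds code) showing how such a check is typically enforced in front of request handlers; the action names, the `Role` enum and the `run_rotation` handler are assumed identifiers chosen for the illustration, not the product's own API.

```python
# Added example, not CertifyClouds code: deny-by-default enforcement of the
# permission matrix. Action and role identifiers below are assumed names.
from enum import Enum
from functools import wraps


class Role(str, Enum):
    ADMIN = "admin"
    USER = "user"


# Read-only actions plus discovery scans: available to both roles.
USER_ACTIONS = frozenset({
    "view_dashboard", "view_assets", "run_asset_discovery", "view_compliance",
    "view_alerts", "view_dependencies", "view_audit_logs",
})

# Anything that writes settings or touches credentials: Admin only.
ADMIN_ONLY_ACTIONS = frozenset({
    "configure_alert_rules", "map_dependencies", "verify_dependencies",
    "run_rotation", "run_full_stack_rotation", "configure_sync",
    "manage_subscriptions", "manage_users", "configure_sso", "system_settings",
})

PERMISSIONS = {
    Role.ADMIN: USER_ACTIONS | ADMIN_ONLY_ACTIONS,
    Role.USER: USER_ACTIONS,
}


def is_allowed(role, action: str) -> bool:
    """Deny by default: an unknown role or an unlisted action is refused."""
    try:
        role = Role(role)
    except ValueError:
        return False
    return action in PERMISSIONS.get(role, frozenset())


class PermissionDenied(Exception):
    pass


def require(action: str):
    """Decorator for handlers; the caller's role arrives as the keyword `role`."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(*args, role, **kwargs):
            if not is_allowed(role, action):
                raise PermissionDenied(f"role {role!r} may not {action}")
            return fn(*args, role=role, **kwargs)
        return wrapper
    return decorator


@require("run_rotation")
def run_rotation(credential_id: str, *, role) -> str:
    # Stand-in for the real rotation; returns a label so callers can check it ran.
    return f"rotated:{credential_id}"
```

Because the check refuses anything not explicitly listed, adding a new credential-modifying feature without adding it to a role's set fails closed rather than open, and the `ADMIN_ONLY_ACTIONS` set doubles as a place to assert in tests that no write action ever leaks into the User role.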


Managing Users

Create User

  1. Go to Settings → Users
  2. Click Add User
  3. Enter:
     • Username: Unique identifier
     • Email: User's email address
     • Password: Initial password (must change on first login)
     • Role: Admin or User
  4. Click Create

Edit User

  1. Go to Settings → Users
  2. Click the edit icon on a user
  3. Modify:
     • Email address
     • Role
     • Account status (enabled/disabled)
  4. Click Save

Delete User

  1. Go to Settings → Users
  2. Click the delete icon on a user
  3. Confirm deletion

Warning

Deleting a user cannot be undone. Consider disabling the account instead.

Reset Password

  1. Go to Settings → Users
  2. Click on a user
  3. Click Reset Password
  4. Generate or enter new password
  5. Share with user securely

SSO User Provisioning

When SSO is configured, users can be auto-provisioned on first login.

Configure Auto-Provisioning

  1. Go to Settings → SSO Configuration
  2. Enable Auto-create users
  3. Set Default role for new SSO users
  4. Save

How It Works

  1. User clicks "Sign in with SSO"
  2. Authenticates with identity provider
  3. If user doesn't exist and auto-create is enabled:
     • New account created with SSO identity
     • Default role assigned
     • User logged in
  4. If user exists:
     • Existing account linked to SSO
     • User logged in

SSO-Only Mode

Disable local password authentication:

  1. Go to Settings → SSO Configuration
  2. Enable SSO-only mode
  3. Save

Warning

Keep at least one admin account with local auth until SSO is fully tested.
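To make the provisioning decisions above concrete, here is an added example (not CertifyClouds code) that models the "How It Works" flow and SSO-only mode over an in-memory user store. It assumes the identity provider's assertion has already been validated, that an existing account is matched to an SSO identity by e-mail address, that a linked account keeps its current role rather than receiving the default role, and that SSO-provisioned accounts have no local password; the class and field names are invented for the illustration.

```python
# Added example, not CertifyClouds code: SSO auto-provisioning, account linking
# and SSO-only mode over an in-memory store. Matching on e-mail, keeping the
# existing role on link, and all names here are assumptions for the illustration.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    username: str
    email: str
    role: str
    enabled: bool = True
    sso_subject: Optional[str] = None    # identity-provider subject once linked
    password_hash: Optional[str] = None  # None for SSO-provisioned accounts


@dataclass
class SsoConfig:
    auto_create: bool = False   # "Auto-create users"
    default_role: str = "user"  # "Default role" for new SSO users
    sso_only: bool = False      # "SSO-only mode"


class LoginRejected(Exception):
    pass


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)  # username -> User

    def sso_login(self, cfg: SsoConfig, subject: str, email: str) -> User:
        """Handle an identity-provider assertion that has already been verified."""
        # 1. Already linked: match on the stable IdP subject, not the mutable e-mail.
        for u in self.users.values():
            if u.sso_subject == subject:
                return self.finish(u)
        # 2. Existing, not-yet-linked account with this e-mail: link it, keep its role.
        for u in self.users.values():
            if u.sso_subject is None and u.email.lower() == email.lower():
                u.sso_subject = subject
                return self.finish(u)
        # 3. Unknown identity: provision only when the admin enabled auto-create.
        if not cfg.auto_create:
            raise LoginRejected("no account for this identity and auto-create is off")
        username = email.lower()
        if username in self.users:
            raise LoginRejected("username already taken by a differently linked account")
        new = User(username=username, email=email, role=cfg.default_role,
                   sso_subject=subject)
        self.users[username] = new
        return self.finish(new)

    def local_login(self, cfg: SsoConfig, username: str, password_ok: bool) -> User:
        """Local password path; refused outright once SSO-only mode is enabled."""
        if cfg.sso_only:
            raise LoginRejected("local password authentication is disabled (SSO-only)")
        u = self.users.get(username)
        if u is None or u.password_hash is None or not password_ok:
            raise LoginRejected("invalid credentials")
        return self.finish(u)

    @staticmethod
    def finish(u: User) -> User:
        """Disabled accounts never log in, whichever path they arrived by."""
        if not u.enabled:
            raise LoginRejected("account disabled")
        return u
```

Two points the flow depends on: a returning SSO user is recognised by the provider's subject identifier, so a later e-mail change at the identity provider does not create a duplicate account, and the disabled-account check sits at the end of both paths, so disabling an account in Settings → Users blocks SSO logins as well as local ones.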


Account Security

Password Requirements

Local accounts must meet a configurable complexity policy. Defaults and tuning options are documented in your customer deployment package; ask your administrator for the active policy.

Account Lockout

Accounts are temporarily locked after repeated failed login attempts. Threshold and lockout duration are configurable by your administrator (see your customer deployment package for tuning).
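The lockout behaviour described here, together with the manual unlock and the audit events listed under "Audit Trail" below, is shown in the following added example (not CertifyClouds code). The threshold and duration defaults, the event names and the class and field names are assumed values for the illustration; the clock is injectable so the expiry logic can be exercised without waiting.

```python
# Added example, not CertifyClouds code: temporary lockout after repeated failed
# logins, with configurable threshold/duration, admin unlock and audit events.
# Defaults, event names and field names are assumptions for the illustration.
import time
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class LockoutPolicy:
    threshold: int = 5          # consecutive failures before locking (assumed default)
    duration_s: int = 15 * 60   # how long the lock lasts, in seconds (assumed default)


@dataclass
class LockoutTracker:
    policy: LockoutPolicy
    clock: Callable[[], float] = time.time              # injectable for testing
    failures: dict = field(default_factory=dict)        # username -> consecutive failures
    locked_until: dict = field(default_factory=dict)    # username -> unix timestamp
    audit: list = field(default_factory=list)           # audit trail records

    def log(self, event: str, username: str, **detail) -> None:
        self.audit.append({"ts": self.clock(), "event": event, "user": username, **detail})

    def is_locked(self, username: str) -> bool:
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:           # lock expired: clear it and the counter
            del self.locked_until[username]
            self.failures.pop(username, None)
            return False
        return True

    def record_attempt(self, username: str, password_ok: bool) -> bool:
        """Returns True only when the login may proceed."""
        if self.is_locked(username):
            # Even a correct password is refused while the lock is active.
            self.log("login_failure", username, reason="locked")
            return False
        if password_ok:
            self.failures.pop(username, None)   # success resets the counter
            self.log("login_success", username)
            return True
        n = self.failures.get(username, 0) + 1
        self.failures[username] = n
        self.log("login_failure", username, reason="bad_password", count=n)
        if n >= self.policy.threshold:
            self.locked_until[username] = self.clock() + self.policy.duration_s
            self.log("account_locked", username, until=self.locked_until[username])
        return False

    def admin_unlock(self, username: str, admin: str) -> None:
        """The manual unlock from Settings → Users; recorded with the acting admin."""
        self.locked_until.pop(username, None)
        self.failures.pop(username, None)
        self.log("account_unlocked", username, by=admin)
```

Because the lock is keyed by username, a burst of failed attempts against a known account locks that account for everyone, including its legitimate owner; that is why the lock is temporary rather than permanent, why the admin unlock exists, and why the `account_locked` events are worth watching in the audit trail as a signal of guessing activity against specific accounts.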

Unlock Account

Admins can manually unlock accounts:

  1. Go to Settings → Users
  2. Find the locked user
  3. Click Unlock Account

Session Management

Maximum session duration and idle timeout are configurable by your administrator.


Audit Trail

All user-related actions are logged:

  • User created/modified/deleted
  • Login attempts (success/failure)
  • Password changes
  • Role changes
  • Account locks/unlocks

View these events in the Audit tab, or filter them by user.


Best Practices

Initial Setup

  1. Create individual accounts - Don't share admin credentials
  2. Use SSO - Integrate with corporate identity for better security
  3. Least privilege - Assign User role unless Admin is needed

Ongoing Management

  1. Regular reviews - Audit user list quarterly
  2. Disable inactive - Disable accounts for departed team members
  3. Monitor logins - Review audit logs for unusual activity

Security

  1. Enable MFA - Use SSO with MFA enforcement
  2. Strong passwords - Enforce complexity requirements
  3. Session limits - Configure appropriate timeouts

API Reference

User-management endpoints are part of the authenticated admin API. The full OpenAPI specification is available at /docs on your CertifyClouds deployment, and request/response schemas and example payloads are documented in your customer deployment package.