Adding User and Group Accounts and Assigning Roles

This topic explains how to add a user or group account and assign a role for access to either Commander (for administrative users) or the Service Portal (for end users). It also shows how to edit, disable and delete user accounts.

If you're using organizations, see Creating Organizations for Multi-Tenancy instead. Note that organizations are required for setting quotas.

Adding user or group accounts and assigning roles

Access through: Configuration menu > Identity and Access > Users tab

Available to: Commander Roles of Superuser and Enterprise Admin; Administrator Access Rights

You can add local users, and you can add users and groups from your directory service.

Commander integrates with both LDAP and Active Directory; see also Integrating Active Directory with Commander and Integrating LDAP with Commander.

Notes:

  • Only users with the Superuser role can add other users with the Superuser role.
  • If a single user account is set up for a user who is already part of a group account that has been added to Commander, then the role and permissions assigned to the single user account take precedence.
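The precedence note above matters during access reviews, because an individual account can silently override the role a user would otherwise inherit from a group account. The following Python sketch is an added example, not Commander code: the record layout, the sample accounts and the role name PortalRoleX are assumptions made up for illustration. The page doesn't say how a disabled individual account interacts with an enabled group account, so that case is only flagged for manual verification.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str               # local user name, or user/group name as user@domain
    role: str
    enabled: bool = True    # the "User Enabled" option
    is_group: bool = False

def review(accounts, memberships):
    """Map each user to the role source that applies and any review flags.

    memberships: user name -> set of directory group names (assumed to come
    from a directory query; Commander's own data format is not shown here).
    """
    users = {a.name: a for a in accounts if not a.is_group}
    groups = {a.name: a for a in accounts if a.is_group}
    findings = {}
    for user in sorted(set(users) | set(memberships)):
        via = sorted((g, groups[g].role) for g in memberships.get(user, ()) if g in groups)
        own = users.get(user)
        if own is None:
            if via:  # access comes only from group accounts
                findings[user] = {"source": "group", "roles": sorted({r for _, r in via}), "flags": []}
            continue
        flags = []
        differing = [g for g, r in via if r != own.role]
        if differing:  # individual account takes precedence over these groups
            flags.append("overrides group role of " + ", ".join(differing))
        if not own.enabled and via:
            flags.append("disabled individually but in group account(s); verify access")
        findings[user] = {"source": "individual", "roles": [own.role], "flags": flags}
    return findings

# Constructed sample data; "PortalRoleX" is a hypothetical Service Portal role name.
SAMPLE_ACCOUNTS = [
    Account("ops@example.com", "Enterprise Admin", is_group=True),
    Account("portal@example.com", "PortalRoleX", is_group=True),
    Account("alice@example.com", "Superuser"),
    Account("bob@example.com", "Enterprise Admin", enabled=False),
]
SAMPLE_MEMBERSHIPS = {
    "alice@example.com": {"ops@example.com", "portal@example.com"},
    "bob@example.com": {"ops@example.com"},
    "carol@example.com": {"portal@example.com"},
    "dave@example.com": {"unlisted@example.com"},
}
```

Calling review(SAMPLE_ACCOUNTS, SAMPLE_MEMBERSHIPS) reports alice as an individual Superuser overriding both group roles, bob as disabled but still a group member, and carol as group-only; dave is omitted because his only group has no account in the sample.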

To add a user or group account:

  1. On the Users page, click Add User.
  2. In the Add User dialog, complete the fields as required for a local user.

    Notes:

    • The user's email address is used to:
    • Passwords for local accounts are stored in Commander using 256-bit AES encryption.
  3. For a directory service user or group, in the User/Group Name field, enter a valid directory service user name in the format <username@domain> and click the ellipsis button.

    The user's information from the directory service is displayed. You can't change this information in Commander.

    The User Enabled option is selected by default. Clear this option only if you don't want this account enabled upon creation. In this case, the user won't be able to immediately log in to Commander or the Service Portal.

  4. From the Role menu, select a role for the account.
  5. If you select a Service Portal role, in the Organization menu that appears, choose Not a Member of an Organization.

    If you're using organizations, see Creating Organizations for Multi-Tenancy instead.

    Add User dialog

  6. By default, a key pair is required to open a secure SSH connection to Amazon EC2 Linux and Solaris instances. See Enabling Key Pair SSH Connections to Amazon EC2 VMs to learn how to set this up. To associate key pair credentials with this user account, do one of the following:
    • Choose existing key pair credentials from the Key Pair Credentials list.
    • Click Add Credentials to create new key pair credentials.
  7. Click Add.

    The new user account is added to the list and is displayed on the information pane.

What's next?

You can select the new user in the list and click Account Details to get a detailed view of membership and permissions. See Viewing User Account Details for more information.

If you're creating an administrative user, the next step is to assign access rights to allow the account to see and manage your virtual infrastructure. See Assigning Access Rights to Administrative Users.

Editing or disabling user accounts

Access through: Configuration menu > Identity and Access > Users tab

Available to: Commander Roles of Superuser and Enterprise Admin; Administrator Access Rights

You can change user account information and roles after the user accounts have been set up.

You can also enable or disable existing user accounts. You might want to disable a user if, for example, they are on temporary leave and don't require access. Only superusers can manage other superuser accounts.

Caution: Changing an account from a Commander role to a Service Portal role may result in the destruction of account-related data such as service requests, saved searches and scheduled tasks. A user can have both a Commander role and a Service Portal role. Therefore, we recommend that you add a Service Portal role to the user account, if possible, rather than replacing the role. To add a Service Portal role to an account that already has a Commander role, add the user to an organization.

To edit or disable a user or group account:

  1. On the Users page, if you need to narrow the user list, enter text in the Search field to retrieve accounts with user names or email addresses matching what you type.
  2. Select a user and click Edit User.
  3. In the Edit Account dialog, make the changes you require:
    • For a local user account, you can change all fields with the exception of Username.
    • For a directory service account, you can change the user role and the User Enabled field only. All other changes to a directory service user account must be performed on the relevant directory server.
    • For a directory service account, you can click Fetch Details to retrieve the latest account details from the directory service.

    If you're enabling or disabling a user account:

    • If User Enabled is checked, the user has access to Commander with all the privileges of the user role assigned to that user.
    • If User Enabled isn't checked, the user is registered in the system but doesn't have access to any functionality.
  4. Click Save.

Deleting user accounts

Access through: Configuration menu > Identity and Access > Users tab

Available to: Commander Roles of Superuser and Enterprise Admin; Administrator Access Rights

You can't delete the user account that you have logged in with. In addition, one local superuser account is always maintained in the system and can't be deleted.

  1. On the Users page, from the list of users, select the user that you want to delete.
  2. Click Delete User.
  3. In the Delete User dialog, you can do the following:
    • If the user account owns one or more services, select one of the options available:
      • Leave User as Owner: The user account is deleted from Commander but the user is still the owner of the services.
      • Remove User as Owner: The user account is deleted and the user is removed as an owner from all services.
      • Replace User with Other Owner: Enter the account of the specified owner. If the user being deleted was the primary owner, the new owner becomes the primary owner. If the user being deleted was the IT contact, the new owner becomes the IT contact.
    • If the user account isn't the owner of any services, confirm the deletion.
  4. Click Yes.