Adding User and Group Accounts and Assigning Roles

This topic explains how to add a user or group account and assign a role for either Commander (for administrative users) or the Service Portal (for end users). It also shows how to edit, disable, and delete user accounts.

If you're using organizations, see Creating Organizations instead. Note that organizations are required for setting quotas.

Adding user or group accounts and assigning roles

You can add local users as well as users and groups from your directory service.

Commander integrates with both LDAP and Active Directory; see also Integrating Active Directory with Commander and Integrating LDAP with Commander.

Notes:  

  • Only users with the Superuser role can add other users with the Superuser role.
  • If a single user account is set up for a user who is already part of a group account that has been added to Commander, then the role and permissions assigned to the single user account take precedence.

Access through:

Configuration > Identity and Access

Available to:

Commander Roles of Superuser and Enterprise Admin

Administrator Access Rights

To add a user or group account:

  1. Click the Users tab.
  2. Click Add User.
  3. In the Add User dialog, complete the fields as required for a local user.

    Notes:  

    • The user's email address is used to notify the user about policy actions and service requests.
    • Passwords for local accounts are stored in Commander using 256-bit AES encryption.
  4. For a directory service user or group, in the User/Group Name field, enter a valid directory service user name with the format <username@domain> and click ellipses.

    The user's information from the directory service is displayed. You can't change this information in Commander.

    Note: The User Enabled option is selected by default. Clear this option only if you don't want this account enabled upon creation. In this case, the user won't be able to immediately sign in to Commander or the Service Portal.

  5. From the Role menu, select a role for the account.
  6. If you select a Service Portal role, in the Organization menu that appears, choose Not a Member of an Organization.

    Note: For the majority of cases, it's recommended that you add users as members of organizations. For information on how to add a user as a member of an organization, see Creating Organizations.

  7. By default, a key pair is required to open a secure SSH connection to Amazon EC2 Linux and Solaris instances. See Enabling Key Pair SSH Connections to Amazon EC2 VMs to learn how to set this up. To associate key pair credentials with this user account, do one of the following:
    • Choose existing key pair credentials from the Key Pair Credentials list.
    • Click Add Credentials to create new key pair credentials.
  8. Click Add.

    The new user account is added to the list and is displayed on the information section.

    Note: You can select the new user in the list and click Account Details to get a detailed view of membership and permissions. See Viewing User Account Details for more information.

What's next?

If you're creating an administrative user, the next step is to assign access rights to allow the account to see and manage your virtual infrastructure. See Assigning Access Rights to Administrative Users.

Editing or disabling user accounts

You can change user account information and roles after the user accounts have been set up.

You can also enable or disable existing user accounts. You might want to disable a user if, for example, they are on temporary leave and don't require access. Only superusers can manage other superuser accounts.

Caution: Changing an account from a Commander role to a Service Portal role may result in the destruction of account-related data such as service requests, saved searches and scheduled tasks. A user can have both a Commander role and a Service Portal role. Therefore, we recommend that you add a Service Portal role to the user account, if possible, rather than replacing the role. To add a Service Portal role to an account that already has a Commander role, add the user to an organization.

Access through:

Configuration > Identity and Access

Available to:

Commander Roles of Superuser and Enterprise Admin

Administrator Access Rights

To edit or disable a user or group account:

  1. Click the Users tab.
  2. Optional: If you need to narrow the user list, enter text in the Search field to retrieve accounts with user names or email addresses matching what you type.
  3. Select a user and click Edit User.
  4. In the Edit Account dialog, make the changes you require:
    • For a local user account, you can change all fields with the exception of Username.
    • For a directory service account, you can change the user role and the User Enabled field only. All other changes to a directory service user account must be performed on the relevant directory server.
    • For a directory service account, you can click Fetch Details to retrieve the latest account details from the directory service.

    If you're enabling or disabling a user account:

    • If User Enabled is checked, the user has access to Commander with all the privileges of the user role assigned to that user.
    • If User Enabled isn't checked, the user is registered in the system but doesn't have access to any functionality.
  5. Click Save.

Deleting user accounts

You can delete user accounts that are no longer required.

If the deleted user account has ownership of one or more services, you can leave the user's ownership as-is, remove the user's ownership, or give the user's ownership to another user. When you give the user's ownership to another user, if the deleted user was the primary owner or the IT contact of a service, then the new owner becomes the primary owner or the IT contact.

Note: You can't delete the user account that you are currently signed in with. In addition, one local superuser account is always maintained in the system and can't be deleted.

Access through:

Configuration > Identity and Access

Available to:

Commander Roles of Superuser and Enterprise Admin

Administrator Access Rights

To delete a user account:

  1. Click the Users tab.
  2. Select the user that you want to delete.
  3. Click Delete User.
  4. In the Delete User dialog, do the following:
    1. If the user owns any services, select one of the following options:
      • Leave User as Owner: The user is deleted but still owns the services.
      • Remove User as Owner: The user is deleted and no longer owns the services.
      • Replace User with Other Owner: The user account is deleted and ownership of its services is assigned to another user that you specify.
    2. Click Yes.