ContextQMD
Back to Authentik

Manage users

website/docs/users-sources/user/user_basic_operations.md

latest12.4 KB
Original Source

The following topics are for the basic management of users: how to create, modify, delete or deactivate users, and using a recovery email.

Policies can be used to further manage how users are authenticated. For example, by default authentik does not require email addresses be unique, but you can use a policy to enforce unique email addresses.

Create a user

If you want to automate user creation, you can do that either by invitations, user_write stage, or using the API.

  1. In the Admin interface of your authentik instance, select Directory > Users in the left side menu.
  2. In the User folders area, select the folder where you want to create a user.
  3. Click Create (for a default user).
  4. Fill in the required fields:
  • Username: This value must be unique across your user folders.
  • Path: The path where the user will be created. It will be automatically populated with the folder you selected in the previous step.
  1. Fill the optional fields if needed:
  • Name: The display name of the user.
  • Email: The email address of the user. Email addresses are used in email stages and to receive notifications, if configured.
  • Is active: Define if the newly created user account is active. Selected by default.
  • Attributes: Custom attributes definition for the user, in YAML or JSON format. These attributes can be used to enforce additional prompts on authentication stages or define conditions to enforce specific policies if the current implementation does not fit your use case. The value is an empty dictionary by default.
  1. Click Create

You should see a confirmation pop-up on the top-right of the screen that the user has been created, and see the new user in the user list. You can directly click the username if you want to modify your user.

:::info To create a super-user, you need to add the user to a group that has super-user permissions. For more information, refer to Create a Group. :::

Advanced queries for users:ak-enterprise {#advanced-queries}

You can create advanced queries to locate specific users within the list shown under Directory > Users in the Admin interface. Use the auto-complete in the Search field or enter your own queries to return results with greater specificity.

  • Field: username, path, name, email, path, is_active, type, attributes

  • Operators: =, !=, ~, !~, startswith, not startswith, endswith, not endswith, in, not in

  • Values: True, False, None, and more

  • Example queries:

    • search user by status: is_active = False
    • search user by username: username = "bob"
    • search user by email address: email = "[email protected]"
    • search user by attribute: attribute.my_custom_attribute = "foo"

:::info

  1. To dismiss the drop-down menu option, click ESC.
  2. If the list of operators does not appear in a drop-down menu you will need to manually enter it. :::

View user details

In the Directory > Users menu of the Admin interface, you can browse all the users in your authentik instance.

To view details about a specific user:

  1. In the list of all users, click on the name of the user you want to check.

    This takes you to the Overview tab, with basic information about the user and quick access to perform basic actions on the user.

  2. To see further details, click any of the other tabs:

    • Session shows the active sessions established by the user. If there is any need, you can clean up the connected devices for a user by selecting the device(s) and then clicking Delete. This forces the user to authenticate again on the deleted devices.
    • Groups allows you to manage the group membership of the user. You can find more details on groups.
    • User events displays all the events generated by the user during a session, such as login, logout, application authorisation, password reset, user info update, etc.
    • Explicit consent lists all the permissions the user has given explicitly to an application. Entries will only appear if the user is validating an explicit consent flow in an OAuth2 provider. If you want to delete the explicit consent (because the application is requiring new permissions, or the user has explicitly asked to reset his consent on third-party apps), select the applications and click Delete. The user will be asked to again give explicit consent to share information with the application.
    • OAuth Refresh Tokens lists all the OAuth tokens currently distributed. You can remove the tokens by selecting the applications and then clicking Delete.
    • MFA Authenticators shows all the authenticators that the user has registered to their profile. You can remove the tokens if the user has lost their authenticator and wants to enroll a new one.

Modify a user

After the creation of the user, you can edit any parameter defined during the creation.

To modify a user object, go to Directory > Users, and click the edit icon beside the name. You can also go into user details, and click Edit.

Manage user permissions

You cannot directly grant a user any permissions. Instead, either assign the user to a role with the appropriate permissions, or add a user to a group that has the appropriate permissions (via the group's role/roles).

On the flipside, to grant permissions on a user object to a role, review "Manage permissions".

Add a user to a group

  1. To add a user to a group, navigate to Directory > Users to display all users.
  2. Click the name of the user to display the full user details page.
  3. Click the Groups tab, and then click either Add to existing group (or Add new group first).

Add a user to a role

  1. To add a user to a role, navigate to Directory > Users to display all users.
  2. Click the name of the user to display the full user details page.
  3. Click the Roles tab, and then click either Add to existing role (or Add new role first).

:::info Users also inherit roles from the groups they belong to. The Roles tab has two sub-tabs: Assigned Roles shows roles directly assigned to the user, while All Roles shows all roles including those inherited from groups. Inherited roles are marked with an "Inherited" label. :::

Bind a user to an application

These bindings control which users can access an application, and whether or not the application is visible in the user's My applications page. If no bindings for an application are defined, this means that all users and groups can access the application.

For instructions refer to Manage applications.

User credentials recovery

If a user has lost their credentials and needs to recover their account, there are two available options:

  1. Create a recovery link and send it to the user
  2. Have authentik send the user a recovery email

Both options require you to configure a recovery flow and set it as the Default recovery flow for the active brand.

Configure a recovery flow

To get started, you can import this example flow: Recovery with email verification flow

Then, set this as the default recovery flow for the active brand:

  1. In the Admin interface, navigate to System > Brands, and select the active brand.
  2. Under Default flows, set Recovery flow to the imported recovery flow: default-recovery-flow.
  3. Click Update.

Now that you've configured a recovery flow, you can select one of the following options:

:::info Email stage not required The example recovery flow includes an email stage. However, if you're manually sending the recovery link to the user, this email stage is not required and can be removed. :::

  1. In the Admin interface, navigate to Directory > Users to display all users.
  2. Click the name of the user to display the full User details page.
  3. To generate a recovery link, which you can then send to the user, click Create recovery link.

A pop-up will appear on your browser with the link for you to copy and to send to the user.

:::info Email stage required This option is only available if the default recovery flow has an Email Stage bound to it. The example recovery flow includes an email stage. :::

You can send a link with the URL for the user to reset their password via Email. This option will only work if you have configured email and set an email address for the user.

  1. In the Admin interface, navigate to Directory > Users to display all users.
  2. Click the name of the user to display the full User details page.
  3. To send the email to the user, click Email recovery link.

If the user does not receive the email, check if the mail server parameters are properly configured.

Reset the password for the user

As an Admin, you can simply reset the password for the user.

  1. In the Admin interface, navigate to Directory > Users to display all users.
  2. Either click the name of the user to display the full User details page, or click the chevron beside their name to expand the options.
  3. To reset the user's password, click Reset password, and then define the new value.

Deactivate or Delete user

To deactivate a user:

  1. Go into the user list or detail, and click Deactivate.
  2. Review the changes and click Update.

The active sessions are revoked and the authentication of the user blocked. You can reactivate the account by following the same procedure.

To delete a user:

:::caution This deletion is not reversible, so be sure you do not need to recover any identity data of the user. You may instead deactivate the account to preserve identity data. :::

  1. Go into the user list and select one (or multiple users) to delete and click Delete on the top-right of the page.
  2. Review the changes and click Delete.

The user list refreshes and no longer displays the removed users.

Impersonate a user

With authentik, an Admin can impersonate a user, meaning that the Admin temporarily assumes the identity of the user.

  1. In the Admin interface, navigate to Directory > Users to display all users.
  2. Click the name of the user to display the full User details page.
  3. On the Overview tab, beneath User Details, in the Actions area, click Impersonate.
  4. At the prompt, provide a reason why you are impersonating this user, and then click Impersonate.

:::info An Admin can globally enable or disable impersonation in the System Settings. By default, this option is set to true, meaning all users can be impersonated.

An Admin can also configure whether inputting a reason for impersonation is required in the System Settings. :::

Export users :ak-enterprise

You can export your authentik instance's user data to a CSV file. To generate a data export, follow these steps:

  1. Log in to authentik as an administrator and open the authentik Admin interface.
  2. Navigate to Directory > Users and click Export.
  3. Set a search query as well as the ordering for the data export.
  4. Click Export above the event list.
  5. Confirm the export parameters in the confirmation dialog.
  6. The export is processed in the background. When it's ready, you will receive a notification in the Admin interface's notification area.
  7. In the notification, click Download.

To review, download, or delete past data exports, navigate to Events > Data Exports in the Admin interface.