Users

Last modified on September 7, 2022

The Users page of the Admin UI is where you can view and manage all users in your organization. The users table lists at-a-glance information about each user, including name, type (user or service account), provisioning type (managed by an identity provider or strongDM), permission level, email address, and access type (role membership or temporary access).

User Types

There are two types of users in your strongDM organization: users and service accounts.

A user is an entity that represents any individual member of your organization who can log in to the strongDM GUI and CLI on their local machine or to the Admin UI. In the User Management area, each user may be added to one or more roles (up to a maximum of 20). The roles assigned to a user determine what resources the user can access.

A service account is a slightly different type of entity that allows for programmatic access to strongDM resources. See Service Accounts for more details.

How to invite a user

You can invite a user to join your strongDM organization. All you need to know is their name and email address.

  1. In the Admin UI, go to Access > Users.
  2. Click Add user.
    Add User Button
  3. Enter the email address, first name, and last name. To invite multiple users, click Add row.
    Provide information to invite users
  4. Click Send invitations.

The user(s) will receive an email with instructions on how to join strongDM.

How to add a service account

You can add service accounts to your organization with the Add service button. Unlike a user account, a service account requires only a display name—not a full name and email address.

User labels

All users and service accounts are shown on the Users page with either the user’s name and email address, or the service account’s display name. In addition, you may see a special indicator beside a user or service account’s name.

  • An eye icon indicates a high-traffic user whose queries are not visible in the Admin UI logs but are available via the command line.
  • The lock icon indicates that the user is locked out.
  • The Service Account label helps to distinguish a Service Account from a user account.

Managed users

If provisioning is configured for your organization, users are shown as managed by an identity provider, such as Azure AD or Okta, or by strongDM if they are not managed by an identity provider.

Remote Identities

Remote Identities allow users to authenticate to SSH or Kubernetes resources using the identity of the strongDM user connecting to it rather than our standard leased credential method. Each user is allowed to have one Remote Identity.

How to set Remote Identities

  1. Go to the Settings tab of the user or service account.
  2. In the Remote Identity field, enter any string that is not already in use. The Remote Identity is the name to be used to authenticate to SSH CA and Kubernetes resources that are configured to use Remote Identities. Each Remote Identity must be unique and the identity must already exist and be configured on the resource in order for a connection to be made.

Suspend a user

You can revoke a user’s access to infrastructure by suspending their account. In the Admin UI, there are two ways to suspend a user: use the quick Actions button on the Users page; or update the user’s settings.

Suspend from the Users page

  1. In the Admin UI, go to Access > Users.
  2. Locate the user you wish to suspend and click the Actions button beside their name. This button lets you take quick action on a user without having to go into the user’s details.
    Suspend User Button
  3. Select Suspend user.
    Suspend User
  4. Click Confirm suspension.
    Confirm Suspension Message

Suspend from the User’s Settings tab

  1. On the Users page, click the name of the user you wish to suspend.
    Example User to Suspend
  2. Go to the Settings tab and click Suspend user.
    User Settings
  3. Click Confirm suspension.
    Confirm Suspension Message

Permission Level

Permission level determines what administrative actions are available to the user for their organization in the Admin UI. The permission level dictates the user’s ability to add resources to the organization, edit those resources, or manage other users.

Permission level types

There are four permission levels:

  • Account Administrator: A user who has full administrative access to the entire organization. Only Account Administrators can create roles and grant access to datasources and servers.
  • Database Administrator: A user who can configure and manage resources (such as datasources, servers, clusters, clouds, and websites).
  • Team Lead: A user who can manage users within a particular role. This permission level is designed for managers who are in charge of a team but don’t necessarily control the infrastructure they use. Team Leads can invite new users exclusively to the role they manage, and those users will inherit the same access as the Team Lead.
  • User: The default for any person invited to the account. Users can query and access the datasources and servers to which they have been granted access.

On the Users page, in addition to the assigned Permission Level, users also may be shown with a (non-SSO) label. This label indicates that Single Sign-on (SSO) is configured for your organization, but the user was created with the Allow non-SSO users option selected, which permits the user to log in with a password.

How to assign permission level

There are several ways to assign permission level in the Admin UI:

  • Click the Actions button beside the user’s name and select Set permission level.
  • Click into the user’s name to view their details, and set the desired permission level on the Settings tab.
    Set Permission Level
  • Use bulk operations to set permission level for multiple users.

Roles

Roles determine what resources a user can access. On the Users page, the Roles column displays the name of any role(s) that have been assigned to the user. If no roles have been assigned to the user, the column shows no roles.

How to set roles

There are several ways to assign roles to users in the Admin UI:

  • Click the Actions button beside the user’s name, and select Set roles.
  • Click into the user’s name and set the desired role(s) on the Roles tab.
    User Details
  • Use bulk operations to set roles for multiple users.

Temporary Access

Temporary access allows users to gain access to certain resources for a limited amount of time. For example, if Bob needs 30 minutes of read-only access to the production Redis replica to diagnose a customer issue, Alice can grant temporary access to Bob, which closes any active connections automatically the moment the grant expires.

Temporary access grants occur at the user level rather than role level and are the only way to grant access directly to users.

How to grant temporary access

  • Click the Actions button beside the user’s name and select Grant temporary access.
  • Click into the user’s name and use the dialog on the Temporary Access tab to select which resources the user can access and when access expires.

About the Users Page

Actions

Clicking the Actions button for a user displays the actions you can take on the selected user, without having to go into the user’s details.

User Actions

With one click, you can select one of the following actions to take:

  • Edit details
  • Set roles
  • Remove from all roles
  • Grant temporary access
  • Set permission level
  • Send password reset email
  • Suspend user
  • Delete user

The Search field allows you to find users and service accounts in your organization according to name, email, role membership, permission level, status, provisioning type, and tags. You can either type into the Search field or use the Role and Permission Level filter drop-down menus to narrow your search. The table header displays the number of results returned by the active search and filter query.

You can enter any text or string into the Search field, such as name, email address, or parts of a name or email. The Admin UI checks against all first names, last names, and emails in your organization.

Enter any text into the Search field

User search filters

User filters display users according to their status (active or suspended), access (locked out or not), provisioning type (managed by strongDM or by an identity provider), or tag.

You can type or copy/paste the following filters into the Search field, with or without other text. Do not use quotes or tick marks.

| Filter | Description | Example search |
| --- | --- | --- |
| locked:false | Shows users who are not locked out | locked:false service finds all service accounts that are not locked out. |
| locked:true | Shows all locked out users | locked:true finds all locked out users. |
| managed:false | Shows users managed and provisioned by strongDM | managed:false finds all user accounts managed by strongDM instead of the configured IdP. |
| managed:true | Shows users managed and provisioned by a third-party identity provider (for example, Azure AD or Okta) | managed:true Okta finds all Okta-managed user accounts. |
| suspended:false | Shows all active users | suspended:false John finds all active users named John. |
| suspended:true | Shows all suspended users | suspended:true @strongdm finds all suspended users whose email address includes “@strongdm.” |
| tags:title=value | Shows users with the specified tag; supports wildcards (*) | tags:env=prod or tags:env=pr* finds all users with the env=prod tag. Tag values containing commas must be inside quotes (for example, tags:region="useast,uswest"). |

By default, the Users page filters out suspended users. The suspended:false filter is applied automatically when you visit the Users page.
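
The filter syntax in the table above, modelled over an in-memory user list such as an export used for an access review. This is an added example, not strongDM code: the record fields and sample users are constructed, and free text is matched only against first name, last name and email, as the Search field description states.

```python
import re
import shlex

# Constructed sample records; the field names are assumptions for this sketch.
USERS = [
    {"first": "John", "last": "Doe", "email": "john.doe@example.com",
     "locked": False, "managed": True, "suspended": False,
     "tags": {"env": "prod"}},
    {"first": "Jane", "last": "Roe", "email": "jane.roe@strongdm.example",
     "locked": True, "managed": False, "suspended": True,
     "tags": {"env": "preview"}},
    {"first": "Sam", "last": "Lee", "email": "sam.lee@example.com",
     "locked": False, "managed": False, "suspended": False,
     "tags": {"region": "useast,uswest"}},
]
BOOLEAN_FILTERS = ("locked", "managed", "suspended")

def parse_query(query):
    """Split a search string into boolean filters, tag filters and free text."""
    flags, tags, text = {}, [], []
    for token in shlex.split(query):  # keeps tags:region="a,b" as one token
        key, sep, value = token.partition(":")
        if sep and key in BOOLEAN_FILTERS and value in ("true", "false"):
            flags[key] = value == "true"
        elif sep and key == "tags" and "=" in value:
            title, pattern = value.split("=", 1)
            # Only * is a wildcard; every other character matches literally.
            regex = ".*".join(re.escape(part) for part in pattern.split("*"))
            tags.append((title, re.compile(regex)))
        else:
            text.append(token.lower())
    return flags, tags, text

def matches(user, flags, tags, text):
    """True when the user satisfies every filter and every free-text term."""
    if any(user[key] != wanted for key, wanted in flags.items()):
        return False
    for title, regex in tags:
        value = user["tags"].get(title)
        if value is None or not regex.fullmatch(value):
            return False
    haystack = " ".join((user["first"], user["last"], user["email"])).lower()
    return all(term in haystack for term in text)

def search(users, query):
    """Return the emails of users matching the query, in input order."""
    parsed = parse_query(query)
    return [u["email"] for u in users if matches(u, *parsed)]
```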

Default User Page Filter

Role, Permission level, and Managed by filters

Additionally, you may narrow the search results by selecting a filter from the Role, Permission Level and Managed by drop-down menus located to the right of the Search field.

Select Role to automatically populate filters based on role assignment.

Role Membership Filter

Select Permission level to automatically populate filters based on permission level.

Permission Level Filter

If provisioning is enabled for your organization, select Managed by to automatically populate filters based on provisioning type (managed by either strongDM or an identity provider).

Provisioning Filter

Save your favorite search and filter queries

The parameters of your search and filter queries are reflected in the page URL, allowing you to bookmark your favorite searches and filters in your web browser.

For example, when filtering users based on the Account Administrator permission level, the URL becomes https://app.strongdm.com/app/admin?permissionLevel=admin.

Note that when filtering users by role, the URL includes the role ID parameter, rather than the role name (for example, https://app.strongdm.com/app/admin?roleID=r-603258af61aab3c1).

Bulk operations on multiple users

Bulk operations allow you to conduct a single operation on multiple users at a time. Using the checkboxes, you can select up to 25 users. Then, using the dialog buttons, you have the option to set the users’ permission level, set the users’ role(s), or remove the users from all valid Roles. Once you do a bulk operation, the users remain selected and highlighted. You can click Deselect all to remove the selection.

Users Page Showing Two Selected Users

Set permission level for multiple users

To set the same permission level for multiple users, follow these steps:

  1. Select the checkbox beside each user’s name.
  2. Click the Set permission level button in the dialog.
  3. Select the permission level you want to set, and then click Confirm.
    Set permission level

Set Roles for multiple users

Some users may have no roles or need their roles changed. To set the same role for multiple users, follow these steps:

  1. Select the checkbox beside each user’s name.
  2. Click the Set Roles button in the dialog.
  3. Select the checkbox for each role you want to assign.
  4. Click Apply roles.
    Set Roles for Selected Users

Remove multiple users from all roles

You can remove users from valid roles by following these steps:

  1. Select the checkbox beside each user’s name.
  2. Click the Remove from all roles button in the dialog.
  3. Click Confirm remove.

Note that if provisioning is enabled for your organization, and users and roles are managed by an identity provider (IdP) like Okta or Azure AD, you cannot remove IdP-managed users from IdP-managed roles from within the Admin UI. In fact, the Admin UI does not even show IdP-managed roles because they are considered invalid.

Message Indicating Users Can't Be Removed from Roles

You will have to remove users from such roles from the IdP’s portal. You can, however, remove IdP-managed users from strongDM-managed roles.

Remove Users from All Roles

Switch to Dark mode

For a change of scenery, you can use the switch at the top of the page to toggle between Light mode and Dark mode.

Admin UI in Light Mode
Admin UI in Dark Mode