Add User and Group Accounts and Assigning Roles
This topic explains how to add a user or group account and assign a Commander role. It also shows how to edit, disable, and delete user accounts of both Admin Portal and Service Portal users.
For information on adding Service Portal users, see Create Organizations instead.
Add user or group accounts and assigning Commander roles
You can add local users as well as users and groups from your directory service.
Commander integrates with both LDAP and Active Directory; see also Integrate Active Directory with Commander and Integrate LDAP with Commander.
- Only users with the Superuser role can add other users with the Superuser role.
- If a single user account is set up for a user who is already part of a group account that has been added to Commander, then the role and permissions assigned to the single user account take precedence.
Access: | Configuration > Identity and Access |
Available to: | Commander Roles of Superuser and Enterprise Admin Administrator Access Rights |
- Click the Users tab.
- Click Add.
- In the Add User dialog, complete the fields as required for a local user.
- The user's email address is used to notify the user about policy actions and to notify the user about service requests.
- Passwords for local accounts are stored in Commander using 256 bit AES encryption.
- For a directory service user or group, in the User/Group Name field, enter a valid directory service user name with the format <username@domain> and click .
The user's information from the directory service is displayed. You cannot change this information in Commander.
The User Enabled option is selected by default. Clear this option only if you don not want this account enabled upon creation. In this case, the user won't be able to immediately sign in to Commander.
- Click Role, then select a role for the account.
- By default, a key pair is required to open a secure SSH connection to Amazon EC2 Linux and Solaris instances. See Enable Key Pair SSH Connections to Amazon EC2 VMs to learn how to set this up. To associate key pair credentials with this user account, do one of the following:
- Choose existing key pair credentials from the Key Pair Credentials list.
- Click Add Credentials to create new key pair credentials.
- Click Add.
The new user account is added to the list and is displayed on the information section.
You can select the new user in the list and click View Details to get a detailed view of membership and permissions. See View User Account Details for more information.
Edit or disable user accounts
You can change user account information and roles after the user accounts have been set up.
You can also enable or disable existing user accounts. You might want to disable a user if, for example, they are on temporary leave and don't require access. Only superusers can manage other superuser accounts.
Changing an account from a Commander role to a Service Portal role may result in the destruction of account-related data such as service requests, saved searches and scheduled tasks. A user can have both a Commander role and a Service Portal role. Therefore, we recommend that you add a Service Portal role to the user account, if possible, rather than replacing the role. To add a Service Portal role to an account that already has a Commander role, add the user to an organization.
Access: | Configuration > Identity and Access |
Available to: | Commander Roles of Superuser and Enterprise Admin Administrator Access Rights |
- Click the Users tab.
- Optional: If you need to narrow the user list, enter text in the Search field to retrieve accounts with user names or email addresses matching what you type.
- Select a user and click Edit User.
- In the Edit Account dialog, make the changes you require:
- For a local user account, you can change all fields with the exception of Username.
- For a directory service account, you can change the user role and the User Enabled field only. All other changes to a directory service user account must be performed on the relevant directory server.
- For a directory service account, you can click Fetch Details to retrieve the latest account details from the directory service.
If you're enabling or disabling a user account:
- If User Enabled is checked, the user has access to Commander with all the privileges of the user role assigned to that user.
- If User Enabled isn't checked, the user is registered in the system but doesn't have access to any functionality.
- Click Save.
Delete user accounts
You can delete user accounts that are no longer required.
If the deleted user account has ownership of one or more services, you can leave the user's ownership as-is, remove the user's ownership, or give the user's ownership to another user. When you give the user's ownership to another user, if the deleted user was the primary owner or the IT contact of a service, then the new owner becomes the primary owner or the IT contact.
You cannot delete the user account that you are currently signed in with. In addition, one local superuser account is always maintained in the system and can't be deleted.
Access: | Configuration > Identity and Access |
Available to: | Commander Roles of Superuser and Enterprise Admin Administrator Access Rights |
- Click the Users tab.
- Select the user that you want to delete.
- Click Delete User.
- In the Delete User dialog, do the following:
- If the user owns any services, select one of the following options:
- Leave User as Owner: The user is deleted but still owns the services.
- Remove User as Owner: The user is deleted and no longer owns the services.
- Replace User with Other Owner: The user account is deleted and ownership of its services is assigned to an other user that you specify.
- Click Yes.
- If the user owns any services, select one of the following options: