Manage local users and roles

Contributors netapp-mwallis netapp-dbagwell

You can add, remove, and edit users of your Astra Control Center installation. You can use either the Astra Control UI or the Astra Control API to manage users.

You can also use LDAP to perform authentication for selected users.

Use LDAP

LDAP is an industry standard protocol for accessing distributed directory information and a popular choice for enterprise authentication. You can connect Astra Control Center to an LDAP server to perform authentication for selected Astra Control users. At a high level, the configuration involves integrating Astra with LDAP and defining the Astra Control users and groups corresponding to the LDAP definitions. You can use the Astra Control API or web UI to configure LDAP authentication and LDAP users and groups.

Add users

Account Owners and Admins can add more users to the Astra Control Center installation.

Steps
  1. In the Manage Your Account navigation area, select Account.

  2. Select the Users tab.

  3. Select Add User.

  4. Enter the user’s name, email address, and a temporary password.

    The user will need to change the password upon first login.

  5. Select a user role with the appropriate system permissions.

    Each role provides the following permissions:

    • A Viewer can view resources.

    • A Member has Viewer role permissions and can manage apps and clusters, unmanage apps, and delete snapshots and backups.

    • An Admin has Member role permissions and can add and remove any other users except the Owner.

    • An Owner has Admin role permissions and can add and remove any user accounts.

  6. To add constraints to a user with a Member or Viewer role, enable the Restrict role to constraints check box.

    For more information on adding constraints, see Manage local users and roles.

  7. Select Add.

Manage passwords

You can manage passwords for user accounts in Astra Control Center.

Change your password

You can change the password of your user account at any time.

Steps
  1. Select the User icon at the top right of the screen.

  2. Select Profile.

  3. From the Options menu in the Actions column, select Change Password.

  4. Enter a password that conforms to the password requirements.

  5. Enter the password again to confirm.

  6. Select Change password.

Reset another user’s password

If your account has Admin or Owner role permissions, you can reset passwords for other user accounts as well as your own. When you reset a password, you assign a temporary password that the user will have to change upon logging in.

Steps
  1. In the Manage Your Account navigation area, select Account.

  2. Select the Actions drop-down list.

  3. Select Reset Password.

  4. Enter a temporary password that conforms to the password requirements.

  5. Enter the password again to confirm.

    Note: The next time the user logs in, the user will be prompted to change the password.

  6. Select Reset password.

Remove users

Users with the Owner or Admin role can remove other users from the account at any time.

Steps
  1. In the Manage Your Account navigation area, select Account.

  2. In the Users tab, select the check box in the row of each user that you want to remove.

  3. From the Options menu in the Actions column, select Remove user/s.

  4. When you’re prompted, confirm deletion by typing the word "remove" and then select Yes, Remove User.

Result

Astra Control Center removes the user from the account.

Manage roles

You can manage roles by adding namespace constraints and restricting user roles to those constraints. This enables you to control access to resources within your organization. You can use the Astra Control UI or the Astra Control API to manage roles.

Add a namespace constraint to a role

An Admin or Owner user can add namespace constraints to Member or Viewer roles.

Steps
  1. In the Manage Your Account navigation area, select Account.

  2. Select the Users tab.

  3. In the Actions column, select the menu button for a user with the Member or Viewer role.

  4. Select Edit role.

  5. Enable the Restrict role to constraints check box.

    The check box is only available for Member or Viewer roles. You can select a different role from the Role drop-down list.

  6. Select Add constraint.

    You can view the list of available constraints by namespace or by namespace label.

  7. In the Constraint type drop-down list, select either Kubernetes namespace or Kubernetes namespace label depending on how your namespaces are configured.

  8. Select one or more namespaces or labels from the list to compose a constraint that restricts roles to those namespaces.

  9. Select Confirm.

    The Edit role page displays the list of constraints you’ve chosen for this role.

  10. Select Confirm.

    On the Account page, you can view the constraints for any Member or Viewer role in the Role column.

Note: If you enable constraints for a role and select Confirm without adding any constraints, the role is considered to have full restrictions (the role is denied access to any resources that are assigned to namespaces).
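The role and constraint rules described on this page can be modeled as a small access check. This is an added example, not NetApp code or an Astra Control API object. `RoleBinding`, `can_access`, `can_remove_user`, `locked_out`, and the action names are hypothetical, and it assumes multiple constraints on a role are OR-ed together.

```python
from dataclasses import dataclass, field

ROLES = ["viewer", "member", "admin", "owner"]  # each role includes the previous one
# Hypothetical action names mapped to the lowest role that holds the permission.
MIN_ROLE = {"view": "viewer", "manage_app": "member", "delete_backup": "member"}

@dataclass
class RoleBinding:  # hypothetical model, not an Astra Control API object
    user: str
    role: str
    restricted: bool = False                      # "Restrict role to constraints"
    namespaces: set = field(default_factory=set)  # constraint type: namespace
    labels: set = field(default_factory=set)      # constraint type: namespace label

    def __post_init__(self):
        if self.role not in ROLES:
            raise ValueError(f"unknown role {self.role!r}")
        if self.restricted and self.role not in ("viewer", "member"):
            raise ValueError("constraints apply only to Member or Viewer roles")

def can_access(b, action, namespace, ns_labels=frozenset()):
    """Decide whether binding b may perform action on a resource in namespace."""
    if ROLES.index(b.role) < ROLES.index(MIN_ROLE[action]):
        return False
    if not b.restricted:
        return True
    # Assumption: constraints are OR-ed. With none defined, nothing matches,
    # so every namespaced resource is denied (the "full restrictions" case).
    return namespace in b.namespaces or bool(b.labels & set(ns_labels))

def can_remove_user(actor_role, target_role):
    """Owners remove anyone; Admins remove anyone except the Owner."""
    if actor_role == "owner":
        return True
    return actor_role == "admin" and target_role != "owner"

def locked_out(bindings):
    """Users whose role is restricted to an empty constraint list."""
    return [b.user for b in bindings
            if b.restricted and not (b.namespaces or b.labels)]

# Constructed sample bindings for illustration.
SAMPLE = [
    RoleBinding("ana", "viewer", True, namespaces={"dev"}),
    RoleBinding("ben", "member", True, labels={"team=payments"}),
    RoleBinding("cy", "member", True),  # constraints enabled, none added
]

if __name__ == "__main__":
    print("restricted with no constraints:", locked_out(SAMPLE))
```

Running `locked_out` over an export of your user list is a quick way to spot accounts that were restricted by mistake and can no longer reach any namespaced resource.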

Remove a namespace constraint from a role

An Admin or Owner user can remove a namespace constraint from a role.

Steps
  1. In the Manage Your Account navigation area, select Account.

  2. Select the Users tab.

  3. In the Actions column, select the menu button for a user with the Member or Viewer role that has active constraints.

  4. Select Edit role.

    The Edit role dialog displays the active constraints for the role.

  5. Select the X to the right of the constraint you need to remove.

  6. Select Confirm.
