Add BlueXP members and service accounts
Suggest changes
PDFs
BlueXP identity and access management (IAM) enables you to add members to your organization and assign them one or more roles across your resource hierarchy. A role contains a set of permissions that enables a member to perform specific actions at a specific level of the resource hierarchy. You can associate new user accounts and service accounts, manage member roles, and more.
|
Ensure two members have the Organization admin role to avoid losing access to your BlueXP organization. |
To manage users and their permissions, you must be assigned one of the following roles:
-
Organization admin
Users with this role can manage all members
-
Folder or project admin
Users with this role can manage members only of a designated folder or project
_Folder or project admin_ can view all members on the *Members* page but manage permissions only for folders and projects they have access to. link:reference-iam-predefined-roles.html[Learn more about the actions that a _Folder or project admin_ can complete].
Add members to your organization
You can add two types of members to your organization: a user account and a service account. A service account is used by applications to perform tasks via the BlueXP API without human intervention. A user account is typically used by a person to log in to BlueXP and manage resources.
Users must sign up for BlueXP before being added to an organization or assigned a role. However, you can create service accounts directly from BlueXP.
To manage users and their permissions, you must have the Organization admin role or the Folder or project admin role. Remember that users with the Folder or project admin role can only manage members for the folder or projects of which they have admin permissions.
-
Direct the user to visit NetApp BlueXP website to sign up.
Once users sign up, they complete the Sign up page, check their email, and log in. If BlueXP prompts users to create an organization, they close it and notify you of their account creation. You can then add the user to your existing BlueXP organization.
-
In the upper right of the BlueXP console, select
> Identity & Access Management. -
Select Members.
-
Select Add a member.
-
To add the member, complete the steps in the dialog box:
-
Entity Type: Keep User selected.
-
User's email: Enter the user's email address that is associated with the BlueXP login that they created.
-
Select an organization, folder, or project: Choose the level of your resource hierarchy that the member should have permissions for.
Note the following:
-
You can only select from the folders and projects for which you have admin permissions.
-
Selecting an organization or folder grants the member permissions to all its contents.
-
-
Select a category and then select a Role that provides the member with permissions for the resources that are associated with the organization, folder, or project that you selected.
-
If you selected a folder or project, you can choose from any role other than Organization admin.
-
-
Add role: If you want to provide access to additional folders or projects within your organization or grant the user further permissions in the selected area, select Add role, specify another folder or project or a different role category and then choose a role.
-
-
Select Add.
NetApp BlueXP sends the user an email with information on how to access BlueXP.
-
In the upper right of the BlueXP console, select
> Identity & Access Management. -
Select Members.
-
Select Add a member.
-
To add the member, complete the steps in the dialog box:
-
Entity Type: Select Service account.
-
Service account name: Enter a name for the service account.
-
Select an organization, folder, or project: Choose the level of your resource hierarchy that the member should have permissions for.
Note the following:
-
You can only select from the folders and projects for which you have admin permissions.
-
Selecting an organization or folder grants the member permissions to all its contents.
-
-
Select a category then select a Role that provides the member with permissions for the resources that are associated with the organization, folder, or project that you selected.
-
If you selected a folder or project, you can choose from any role other than Organization admin.
-
-
Add role: If you want to provide access to additional folders or projects within your organization or grant the user further permissions in the selected area, select Add role, specify another folder or project or a different role category and then choose a role.
-
-
Download or copy the client ID and client secret.
BlueXP displays the client secret only once. Copy or download it and store it securely.Note that you can recreate the client ID and client secret later on as needed.
-
Select Close.
View organization members
You can view a list of all members in your BlueXP organization. To understand which resources and permissions are available to a member, you can view the roles assigned to the member at different levels of your organization's resource hierarchy. Learn how to use roles to control access to BlueXP resources.
You can view both user accounts and service accounts from the Members page.
|
|
You can also view all of the members associated with a specific folder or project. Learn more. |
-
In the upper right of the BlueXP console, select
> Identity & Access Management. -
Select Members.
The Members table lists the members of your organization.
-
From the Members page, navigate to a member in the table, select
and then select View details.
Remove a member from your organization
You might need to remove a member from your organization—for example, if they leave your company.
Removing a member removes their permissions but keeps their BlueXP and NetApp Support Site accounts.
-
From the Members page, navigate to a member in the table, select
then select Delete user. -
Confirm that you want to remove the member from your organization.
Recreate the credentials for a service account
Create new credentials if lost or when updating security credentials becomes necessary.
When you recreate the credentials, you delete the existing credentials for the service account and create new ones. You cannot use the previous credentials.
-
In the upper right of the BlueXP console, select
> Identity & Access Management. -
Select Members.
-
In the Members table, navigate to a service account, select
and then select Recreate secrets. -
Select Recreate.
-
Download or copy the client ID and client secret.
BlueXP displays the client secret only once. Copy or download it and store it securely.
Manage a user's multi-factor authentication (MFA)
If a user has loses access to their MFA device, you can either remove or disable their MFA configuration.
If you remove their MFA configuration, the user needs to set up MFA again when they log in to BlueXP. If the user has only lost access to their MFA device temporarily, they can use the recovery code that they saved when they set up MFA to log in to BlueXP.
If they do not have their recovery code, temporarily disable MFA to allow login. When you disable MFA for a user, it is disabled for only eight hours and then re-enabled automatically. The user is allowed one login during that time without MFA. After the eight hours, the user must use MFA to log in to BlueXP.
|
|
You must have an email address in the same domain as the affected user to manage that user’s multi-factor authentication. |
-
In the upper right of the console, select
> Identity & Access Management. -
Select Members.
The members of your organization appear in the Members table.
-
From the Members page, navigate to a member in the table, select
and then select Manage multi-factor authentication. -
Choose whether to remove or to disable the user's MFA configuration.