Manage local users

You can create local users and assign them to local groups to determine which features these users can access. The Tenant Manager includes one predefined local user, named "root." Although you can add and remove local users, you can't remove the root user.

Note: If single sign-on (SSO) is enabled for your StorageGRID system, local users will not be able to sign in to the Tenant Manager or the Tenant Management API, although they can use client applications to access the tenant's resources, based on group permissions.

Before you begin

Create a local user

You can create a local user and assign them to one or more local groups to control their access permissions.

S3 users who don't belong to any groups don't have management permissions or S3 group policies applied to them. These users might have S3 bucket access granted through a bucket policy.

Swift users who don't belong to any groups don't have management permissions or Swift container access.

Access the Create user wizard

Steps
  1. Select ACCESS MANAGEMENT > Users.

    If your tenant account has the Use grid federation connection permission, a blue banner indicates that this is the tenant's source grid. Any local users you create on this grid will be cloned to the other grid in the connection.

    [Image: blue banner on the Users page indicating that this is the tenant's source grid]
  2. Select Create user.

Enter credentials

Steps
  1. For the Enter user credentials step, complete the following fields.

    | Field | Description |
    | --- | --- |
    | Full name | The full name for this user, for example, the first name and last name of a person or the name of an application. |
    | Username | The name this user will use to sign in. Usernames must be unique and can't be changed. Note: If your tenant account has the Use grid federation connection permission, a cloning error will occur if the same Username already exists for the tenant on the destination grid. |
    | Password and Confirm password | The password the user will initially use when signing in. |
    | Deny access | Select Yes to prevent this user from signing in to the tenant account, even though they might still belong to one or more groups. For example, select Yes to temporarily suspend a user's ability to sign in. |

  2. Select Continue.

Assign to groups

Steps
  1. Assign the user to one or more local groups to determine which tasks they can perform.

    Assigning a user to groups is optional. If you'd prefer, you can select users when you create or edit groups.

    Users who don't belong to any groups will have no management permissions. Permissions are cumulative. Users will have all permissions for all groups they belong to. See Tenant management permissions.

  2. Select Create user.

    If your tenant account has the Use grid federation connection permission and you are on the tenant's source grid, the new local user is cloned to the tenant's destination grid. Success appears as the Cloning status in the Overview section of the user's detail page.

  3. Select Finish to return to the Users page.

View or edit local user

Steps
  1. Select ACCESS MANAGEMENT > Users.

  2. Review the information provided on the Users page, which lists basic information for all local and federated users for this tenant account.

    If the tenant account has the Use grid federation connection permission and you are viewing the user on the tenant's source grid:

    • A banner message indicates that if you edit or remove a user, your changes will not be synced to the other grid.

    • As needed, a banner message indicates if users were not cloned to the tenant on the destination grid. You can retry a user clone that failed.

  3. If you want to change the user's full name:

    1. Select the checkbox for the user.

    2. Select Actions > Edit full name.

    3. Enter the new name.

    4. Select Save changes.

  4. If you want to view more details or make additional edits, do either of the following:

    • Select the username.

    • Select the checkbox for the user, and select Actions > View user details.

  5. Review the Overview section, which shows the following information for each user:

    • Full name

    • Username

    • User type

    • Denied access

    • Access mode

    • Group membership

    • Additional fields if the tenant account has the Use grid federation connection permission and you are viewing the user on the tenant's source grid:

      • Cloning status, either Success or Failure

      • A blue banner indicating that if you edit this user, your changes will not be synced to the other grid.

  6. Edit user settings as needed. See Create local user for details about what to enter.

    1. In the Overview section, change the full name by selecting the name or the edit icon.

      You can't change the username.

    2. On the Password tab, change the user's password, and select Save changes.

    3. On the Access tab, select No to allow the user to sign in or select Yes to prevent the user from signing in. Then, select Save changes.

    4. On the Access keys tab, select Create key and follow the instructions for creating another user's S3 access keys.

    5. On the Groups tab, select Edit groups to add the user to groups or remove the user from groups. Then, select Save changes.

  7. Confirm that you selected Save changes for each section you changed.

Duplicate local user

You can duplicate a local user to create a new user more quickly.

Note: If your tenant account has the Use grid federation connection permission and you duplicate a user from the tenant's source grid, the duplicated user will be cloned to the tenant's destination grid.

Steps
  1. Select ACCESS MANAGEMENT > Users.

  2. Select the checkbox for the user you want to duplicate.

  3. Select Actions > Duplicate user.

  4. See Create local user for details about what to enter.

  5. Select Create user.

Retry user clone

To retry a clone that failed:

  1. Select each user that indicates (Cloning failed) below the user name.

  2. Select Actions > Clone users.

  3. View the status of the clone operation from the details page of each user you're cloning.

For additional information, see Clone tenant groups and users.

Delete one or more local users

You can permanently delete one or more local users who no longer need to access the StorageGRID tenant account.

Note: If your tenant account has the Use grid federation connection permission and you delete a local user, StorageGRID will not delete the corresponding user on the other grid. If you need to keep this information in sync, you must delete the same user from both grids.

Note: You must use the federated identity source to delete federated users.

Steps
  1. Select ACCESS MANAGEMENT > Users.

  2. Select the checkbox for each user you want to delete.

  3. Select Actions > Delete user or Actions > Delete users.

    A confirmation dialog box appears.

  4. Select Delete user or Delete users.
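
Because edits and deletions of local users are not synced to the other grid, and clones can fail, the user lists on a tenant's source and destination grids can drift apart. The following added example (not NetApp code) compares two user lists and reports that drift; the record fields, the `grid_drift` function, and the sample users are constructed assumptions, not StorageGRID's API schema or export format.

```python
# Added example. Record fields and sample users are constructed for
# illustration; they are not StorageGRID's API schema or export format.

def u(username, full_name, deny_access, groups, user_type="Local"):
    return {"username": username, "full_name": full_name,
            "deny_access": deny_access, "groups": sorted(groups),
            "user_type": user_type}

SOURCE = [
    u("root", "Root", False, []),
    u("alice", "Alice Example", True, ["s3-admins"]),   # suspended here only
    u("carol", "Carol Example", False, ["readers"]),    # clone failed
    u("dave", "Dave Example", False, ["readers"], "Federated"),
]
DESTINATION = [
    u("root", "Root", False, []),
    u("alice", "Alice Example", False, ["s3-admins"]),
    u("bob", "Bob Example", False, ["s3-admins"]),      # deleted on source only
]

def local_by_name(users):
    """Index local users by username; federated users are managed in the identity source."""
    return {x["username"]: x for x in users if x["user_type"] == "Local"}

def grid_drift(source_users, destination_users):
    """Report local-user differences between the source and destination grids."""
    src, dst = local_by_name(source_users), local_by_name(destination_users)
    mismatches = [
        (name, field, src[name][field], dst[name][field])
        for name in sorted(src.keys() & dst.keys())
        for field in ("full_name", "deny_access", "groups")
        if src[name][field] != dst[name][field]
    ]
    left = sorted(dst.keys() - src.keys())
    return {
        "not_cloned": sorted(src.keys() - dst.keys()),        # retry the clone
        "left_on_destination": left,                          # delete there too
        "can_still_sign_in": [n for n in left if not dst[n]["deny_access"]],
        "setting_mismatch": mismatches,                       # edits not synced
    }

if __name__ == "__main__":
    for finding, items in grid_drift(SOURCE, DESTINATION).items():
        print(finding, items)
```

Users listed under `can_still_sign_in` were removed on the source grid but remain active on the destination grid, so they are the first entries to review.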