Platform Users

On This Page

Overview

All users can view information for their own user profile and edit relevant properties, such as the password, email address, or first and last names.

A security administrator (any user with the Security Admin management policy, including the predefined security_admin user) can manage platform users and user groups: create new local users and groups, edit them, import users and groups from a supported identity provider (IdP), manage SSO authentication, and delete local or imported users and groups.

Only a security administrator can view full user information for all users and edit the secure properties such as the username, management policies, or groups. Security administrators manage users in the Identity page of the dashboard, as illustrated in the following image:

Dashboard Identity Users tab

Note
For username restrictions, refer to the Software Specifications and Restrictions.

Every user and user group must be assigned one or more management policies that determine user permissions to access resources and perform different operations. For more information, see the Security documentation.

A user can optionally be a member of one or more user groups. When a user is a member of multiple groups, one of the groups is defined as the user's primary group. The predefined group all_users cannot be a primary group. Users who are members of a user group with the IT Admin management policy but are not assigned this policy directly cannot access the application-cluster status dashboard. Instead, assign the IT Admin or IT Admin Read Only management policy directly to any user who requires such access.

Logging in

To use the platform, you must be logged in as a user with relevant permissions.

You can log in to the system, and authenticate your identity, by one of:

  • Username and password
  • SSO: In the login dialog, click Login with SSO. You are redirected to the external IdP for login with credentials, and after authentication you are returned to the platform. If you do not have any permissions, your system administrator can assign you the relevant management policies.

Possible errors on SSO login:

  • Account Already Exists: Your Security Admin may have changed the provider, and a stale instance of your user record still exists. Contact your Security Admin to remove your user from Keycloak (only) and log in again.
  • 500 Internal server error: This occurs when the Oauth2 application refused to acknowledge your current cookie session. Try clearing your browser cookies (_oauth2_cookie) and try again.

Predefined Users

The platform has several predefined users. You cannot modify the policies and groups of predefined users from the UI.

All Tenants

The following users are predefined for the default tenant and for any new tenant that you create:

pipelines
The predefined pipelines user has the default Data management policy. It is used by the platform's pipelines service to access ML pipeline data. Editing this user's profile might cause the monitoring service to stop working.
monitoring
The predefined monitoring user has the default Data management policy. It is used by the platform's monitoring service to access performance logs. Editing this user's profile might cause the monitoring service to stop working.
tenancy_admin

The predefined tenancy-administrator user has the IT Admin and Tenant Admin management policies, which enable performing cluster administration, including shutting down the cluster, monitoring events and alerts, triggering log gathering, and managing tenants.

Note
You must change the default password after the first login.
Default-Tenant Only

The following users are predefined only for the default tenant:

security_admin

The predefined security-administrator user has the Security Admin management policy, which enables managing users and user groups, including creating and deleting users and user groups, integrating the platform with a supported IdP, and assigning management policies.

Note
You must change the default password after the first login.
sys

The predefined sys user — known as "the backup user" — has the Application Admin and Data management policies and is used for performing backups.

By default, the sys user is disabled, and has a random password (generated during tenant creation). To allow backups of the system:

  1. Allow data access permissions on the Iguazio system - Login to Iguazio UI with your admin user. - In the Identity tab, find the user and press it. - Activate it and set a password.
  2. Follow the backup documentation
Backup Notes
  • Data backups aren't activated automatically on all systems. Contact Iguazio's support team to check the backup status for your cluster.
  • To allow backups when using Data-Access Policy Rules, ensure that as part of these rules, preferably at the start, you also grant the "sys" backup user access to the data.

Predefined Group

The platform has one predefined group:

Using an External Identity Provider (IdP)

A user with a Security Admin management policy, such as the predefined security_admin user, can import users and user groups from an external identity provider (IdP) into the platform. When an IdP is configured, it is used to authenticate the identity of all of its imported users in the platform. The imported IdP users and groups co-exist in the platform with the locally defined users and groups.

Configure IdP from the IdP tab on the dashboard's Identity page. Start by selecting an IdP from the drop-down list next to the Remote host settings label. (In v3.6.1, only Microsoft Active Directory is supported.)

Dashboard IdP remote-host Active Directory selection

Note
When you complete the IdP configuration (as detailed in the following sections), remember to select Apply Changes to save your configuration.

Configuring the Remote IdP Host Settings

In the Remote host settings configuration section, enter the required information for working with your selected IdP — the username and password of an IdP user with the necessary permissions, the address of the remote IdP host, and the root IdP user directory.

Dashboard IdP Remote Host Settings

You can optionally use the Person filter and/or the Group filter field to add a Microsoft AD LDAP syntax filter for synchronizing only with specific users or user groups respectively from the external IdP.

Example of a person filter
(&(objectClass=person)(|(sAMAccountName=username1)(sAMAccountName=username2)))

Example of a group filter
(&(objectClass=group)(|(cn=GROUP1)(cn=GROUP2)))

You can add multiple group search criteria to either or both of the filters.

For full details on filter syntax, refer to LDAP Synatx Filters

Configuring IdP Synchronization

In the Sync mode configuration section, select the mode for synchronizing the imported IdP users in the platform with the IdP after the initial import. You can also optionally set an interval for performing periodic synchronizations in the Periodic sync section.

Dashboard IdP synchronization confifguration

You can select between two alternative modes of synchronization — Partial or Full:

Note
In either mode, the synchronization is always done in one direction: changes done in the IdP are applied locally in the platform, but the IdP is never modified to apply local platform changes.
Partial synchronization

Synchronize addition and removal of users in the IdP after the initial import, but do not synchronize field changes for previously imported users and user groups. During partial synchronization, the currently configured IdP default management policies are applied to all new imported users and user groups, but the management policies of local, previously imported, IdP users and groups remain unaffected. For example:

  • The following local changes to imported users or user groups in the platform are not overwritten during partial synchronization:
    • A user record field (such as an email address or job title) was added or removed, or a value of an existing field has changed. For example, you can disable an imported IdP user locally in the platform by changing the value of relevant user field without affecting the user's status in the external IdP.
    • A user was added to or removed from an imported user group.
    • A user's or user group's management policies were modified.
  • The following IdP changes since the previous synchronization are not applied locally in the platform during partial synchronization:
    • A user record field was added or removed, or the value of an existing field has changed.
    • A user was added to or removed from an existing group.
  • The following IdP changes since the previous synchronization are also applied locally in the platform during partial synchronization:
    • A new user or user group was added. (The newly imported IdP users and groups are assigned the default IdP management policies that are configured in the platform at the time of the synchronization.)
    • An existing user or user group was deleted or renamed.
Full synchronization

Synchronize all IdP user and user group additions, removals, and record updates by overwriting the current imported IdP user and user-group information with the updated IdP information.

Note

  • Empty IdP user groups are not imported to the platform. When users are added to a group, the group is imported as part of the next full or partial IdP synchronization and the related user information is updated accordingly.

  • As part of the full-sync import, the currently configured IdP default management policies are applied to all imported users and user groups.

Modifying the IdP configuration (including an initial configuration) triggers an automatic synchronization cycle. Periodic synchronizations are triggered according to the configured periodic-sync interval (if configured), and you can also always trigger a manual synchronization by selecting the Sync option in the IdP tab. All synchronizations are done according to the configured IdP synchronization mode. However, note that modifying the IdP's remote host address or root user directory essentially changes the configured IdP, and the sync will come from a different address or directory. Imported users/groups will most likely be removed (unless they are also in the new sync source).

Configuring Default Management Policies

In the Default management policies configuration section, select one or more management policies that will be applied to every imported IdP user and user group. For more information about management policies, see Management Policies.

Dashboard IdP default management polcies configuration
Note
You must select at least one default management policy. You can always change the management policies of an imported user or group after the import.

Deleting Users

Before deleting a platform user, check the need to reallocate their resources and responsibilities. If the user is the running user of managed application services (such as Spark or Trino), a service administrator should either delete these services or reassign them to a different running user.

Accessing projects and other files of absent users

You can always access the saved projects, files, etc. of users that have left your organization. A user with the Security Admin management policy can create a user with UID=1. UID=1 is like a root user that can read any files.

See Also