Access management
It’s a good idea to manage access to your Magnolia PaaS subscription. You an easily handle this using the Access option in your Cockpit. Here, you can create and manage users, and create user groups for your subscription as well as perform administrative operations like password resets.
To manage access for users, go to the Access section via the user icon in the top-right corner of your screen.

Add new user
You can add a new user to your Magnolia PaaS subscription directly from the Cockpit under the Access section.
-
Click the user icon in the top right corner.
-
Choose Access from the dropdown menu.
-
Go to the Users tab.
-
Click Add.
-
Give the user a First Name.
-
Give the user a Last Name.
-
Input the user email.
-
If desired, click Active to immediately activate the user upon creation.
-
Add the desired roles for the user.
Roles list
PaaS Client API:
-
user-api-write
-
user-api-read
-
log-api-read
-
report-api-read
-
notification-api-read
-
cluster-api-read
-
subscription-api-read
Realm Management:
-
realm-admin
-
manage-realm
-
view-realm
-
query-realms
-
impersonation
-
manage-authorization
-
manage-users
-
view-users
-
query-users
-
manage-clients
-
create-client
-
query-clients
-
view-clients
-
manage-identity-providers
-
view-identity-providers
-
query-groups
-
manage-events
-
view-events
-
view-authorization
Rancher:
-
rancher_readonly
-
rancher_admin
Mplatform Frontend:
-
cockpit-support
-
cockpit-business
-
cockpit-user-manager
-
cockpit-developer
-
cockpit-devops
-
cockpit_admin
-
-
Don’t forget to click Add.
-
Create user group
You can create a new user to your Magnolia PaaS subscription directly from the Cockpit under the Access section.
-
Click the user icon in the top right corner.
-
Choose Access from the dropdown menu.
-
Go to the Groups tab.
-
Click Add.
-
Give the group a meaningful name.
-
Add the desired roles to the group.
Roles list
PaaS Client API:
-
user-api-write
-
user-api-read
-
log-api-read
-
report-api-read
-
notification-api-read
-
cluster-api-read
-
subscription-api-read
Realm Management:
-
realm-admin
-
manage-realm
-
view-realm
-
query-realms
-
impersonation
-
manage-authorization
-
manage-users
-
view-users
-
query-users
-
manage-clients
-
create-client
-
query-clients
-
view-clients
-
manage-identity-providers
-
view-identity-providers
-
query-groups
-
manage-events
-
view-events
-
view-authorization
Rancher:
-
rancher_readonly
-
rancher_admin
Mplatform Frontend:
-
cockpit-support
-
cockpit-business
-
cockpit-user-manager
-
cockpit-developer
-
cockpit-devops
-
cockpit_admin
-
-
Click the users that you want to add to the group.
If you accidentally click the wrong user, you can click them again and they’ll return to the Available group. -
Don’t forget to click Add.
-
Manage users
You can manage existing users directly from the Cockpit under the Access section. This includes:
Viewing user roles
The user list allows you to quickly understand the type of user and whether the user is active.
-
Active Active users are represented by a green badge.
-
Inactive Active users are represented by a gold badge.
You can also see the type of user, or rather how the user was created:
-
idp
: created and managed via your Identity Provider -
cockpit
: created in the cockpit -
magnolian
: a Magnolia user; this is typically Magnolia support or someone in the Magnolia PaaS team.

Understanding user roles
To better understand the roles assigned to each user:
-
Click the user icon in the top right corner.
-
Choose Access from the dropdown menu.
-
Scroll to the desired user.
-
Click Show roles.
-
The dialog displays the roles assigned to the selected user.
-
Available: roles that are not selected and therefore not assigned to the selected user.
-
Selected: roles that are selected and therefore assigned to the selected user.
-
Effective: reflects all assigned roles that are selected and those inherited from a user group.
PaaS Client API:
-
user-api-write
-
user-api-read
-
log-api-read
-
report-api-read
-
notification-api-read
-
cluster-api-read
-
subscription-api-read
Realm Management:
-
realm-admin
-
manage-realm
-
view-realm
-
query-realms
-
impersonation
-
manage-authorization
-
manage-users
-
view-users
-
query-users
-
manage-clients
-
create-client
-
query-clients
-
view-clients
-
manage-identity-providers
-
view-identity-providers
-
query-groups
-
manage-events
-
view-events
-
view-authorization
Rancher:
-
rancher_readonly
-
rancher_admin
Mplatform Frontend:
-
cockpit-support
-
cockpit-business
-
cockpit-user-manager
-
cockpit-developer
-
cockpit-devops
-
cockpit_admin
-
Reset user passwords
You can reset a user’s password directly from the Cockpit under the Access section.
- For your information
-
If you’re using SSO for your Magnolia PaaS subscription, you are unable to reset the password of those users logging in via single sign-on, as the password is managed via the oidc provider.
-
Click the user icon in the top right corner.
-
Choose Access from the dropdown menu.
-
Scroll to the desired user.
-
Click Edit.
-
In the dialog window, click Reset password.
When successful, a Password reset email is sent to the user. There, they will follow instructions to create a new password.
Group access AdminCentral
If using the SSO module for authentication, you need to ensure the groups created in the Cockpit are granted access via the configuration in the SSO module.
-
Create a group in the Cockpit.
No special roles are needed for AdminCentral access. -
Assign users to the group. These are the users who you want to be able to access AdminCentral.
-
In the SSO module, ensure the group name created in the Cockpit is defined in the
config.yaml
file. See the SSO module configuration section for more details.path: /.magnolia/admincentral callbackUrl: http://localhost:8080/.auth postLogoutRedirectUri: http://localhost:8080/.magnolia/admincentral authorizationGenerators: - name: groupsAuthorization groups: targetProperty: groups mappings: - name: COCKPIT_GROUP (1) targetGroups: (2) - editors targetRoles: (3) - editor
1 Where COCKPIT_GROUP
is the name of the group you created in the Cockpit.2 Defines the target group for the mapped group. For more, see Default groups. 3 Defines any particular target roles for the group. For more, see Default roles.