Access management

It’s a good idea to manage access to your PaaS subscription. You an easily handle this using the Access option in your Cockpit. Here, you can create and manage users, and create user groups for your subscription as well as perform administrative operations like password resets.

To manage access for users, go to the Access section via the user icon in the top-right corner of your screen.

dropdown access

Manage users

You can manage existing users directly from the Cockpit under the Access section. This includes:

Adding a user

You can add a new user to your PaaS subscription directly from the Cockpit under the Access section.

  1. Click the user icon in the top right corner.

  2. Choose Access from the dropdown menu.

  3. Go to the Users tab.

  4. Click Add.

    1. Give the user a First Name.

    2. Give the user a Last Name.

    3. Input the user email.

    4. If desired, click Active to immediately activate the user upon creation.

    5. Add the desired roles for the user.

      Roles list

      Table 1. PaaS Client API v2
      Role Description

      user-api-read

      Read access to user management features such as users, groups, and logs.

      user-api-write

      Write access to user management features such as users, groups, and logs.

      This means you can have access to save and delete actions in the Cockpit.

      logs-read

      Read access to logs excluding audit logs.

      logs-api-audit-read

      Read access to audit logs.

      report-api-read

      Read access to reports.

      notification-api-read

      Read access to notifications.

      cluster-api-read

      Read access to Kubernetes configuration for your subscription cluster.

      subscription-api-read

      Read access to your high-level subscription data such as name and account information.

      Table 2. Rancher
      Role Description

      rancher_readonly

      Read only access to Rancher configuration.

      rancher_admin`

      Admin access to Rancher configuration.

      Table 3. PaaS Client API v1
      Role Description

      Cockpit-support

      Predefined set of roles associated with the support group.

      Cockpit-business

      Predefined set of roles associated with the business group.

      Cockpit-user-manager

      Predefined set of roles associated with the user management group.

      Cockpit-developer

      Predefined set of roles associated with the developer group.

      Cockpit-devops

      Predefined set of roles associated with the devops group.

      Cockpit_admin

      Predefined set of roles associated with the admin group.

    6. Don’t forget to click Add.

      create new user

User types and roles

The user list allows you to quickly understand the type of user and whether the user is active.

  • Active Active users are represented by a green badge.

  • Inactive Active users are represented by a gold badge.

  • Unverified Unverified users are represented by a red badge.

You can also see the type of user, or rather how the user was created:

  • idp: created and managed via your Identity Provider.

  • Cockpit: created in the Cockpit.

  • magnolian: a Magnolia user; this is typically Magnolia support or someone in the PaaS team.

user type and status

User roles

User roles define what users are allowed to do and what section of the Cockpit they can access.

  • Available: roles that are not selected and therefore not assigned to the selected user.

  • Selected: roles that are selected and therefore assigned to the selected user.

  • Effective: reflects all assigned roles that are selected and those inherited from a user group.

Roles list

Table 4. PaaS Client API v2
Role Description

user-api-read

Read access to user management features such as users, groups, and logs.

user-api-write

Write access to user management features such as users, groups, and logs.

This means you can have access to save and delete actions in the Cockpit.

logs-read

Read access to logs excluding audit logs.

logs-api-audit-read

Read access to audit logs.

report-api-read

Read access to reports.

notification-api-read

Read access to notifications.

cluster-api-read

Read access to Kubernetes configuration for your subscription cluster.

subscription-api-read

Read access to your high-level subscription data such as name and account information.

Table 5. Rancher
Role Description

rancher_readonly

Read only access to Rancher configuration.

rancher_admin`

Admin access to Rancher configuration.

Table 6. PaaS Client API v1
Role Description

Cockpit-support

Predefined set of roles associated with the support group.

Cockpit-business

Predefined set of roles associated with the business group.

Cockpit-user-manager

Predefined set of roles associated with the user management group.

Cockpit-developer

Predefined set of roles associated with the developer group.

Cockpit-devops

Predefined set of roles associated with the devops group.

Cockpit_admin

Predefined set of roles associated with the admin group.

To edit the roles assigned to each user:

  1. Click the user icon in the top right corner.

  2. Choose Access from the dropdown menu.

  3. Scroll to the desired user.

  4. Editing roles depends on the user type:

    • For IDP users

    • Cockpit created users

    1. Click Edit roles next to your desired user.

    2. Click the role(s) you want to assign to the user.

    3. Click Save.

    1. Click Edit next to your desired user.

    2. Scroll down to the Roles section.

    3. Click the role(s) you want to assign to the user.

    4. Click Save.

Editing a user

  1. Click the user icon in the top right corner.

  2. Choose Access from the dropdown menu.

  3. Scroll to the desired user.

  4. Click Edit.

  5. In the dialog window, edit the user as needed.

  6. Don’t forget to click Edit.

Deleting users

  1. Click the user icon in the top right corner.

  2. Choose Access from the dropdown menu.

  3. Scroll to the desired user.

  4. Click Delete.

  5. In the dialog window, click Delete to confirm that you definitely want to delete the user.

Reset user passwords

You can reset a user’s password directly from the Cockpit under the Access section.

For your information

If you’re using SSO for your PaaS subscription, you are unable to reset the password of those users logging in via single sign-on, as the password is managed via the oidc provider.

  1. Click the user icon in the top right corner.

  2. Choose Access from the dropdown menu.

  3. Scroll to the desired user.

  4. Click Edit.

  5. In the dialog window, click Reset password.

    When successful, a Password reset email is sent to the user. There, they will follow instructions to create a new password.

    reset password

Create user group

You can create a new user to your PaaS subscription directly from the Cockpit under the Access section.

  1. Click the user icon in the top right corner.

  2. Choose Access from the dropdown menu.

  3. Go to the Groups tab.

  4. Click Add.

    1. Give the group a meaningful name.

    2. Add the desired roles to the group.

      Roles list

      Table 7. PaaS Client API v2
      Role Description

      user-api-read

      Read access to user management features such as users, groups, and logs.

      user-api-write

      Write access to user management features such as users, groups, and logs.

      This means you can have access to save and delete actions in the Cockpit.

      logs-read

      Read access to logs excluding audit logs.

      logs-api-audit-read

      Read access to audit logs.

      report-api-read

      Read access to reports.

      notification-api-read

      Read access to notifications.

      cluster-api-read

      Read access to Kubernetes configuration for your subscription cluster.

      subscription-api-read

      Read access to your high-level subscription data such as name and account information.

      Table 8. Rancher
      Role Description

      rancher_readonly

      Read only access to Rancher configuration.

      rancher_admin`

      Admin access to Rancher configuration.

      Table 9. PaaS Client API v1
      Role Description

      Cockpit-support

      Predefined set of roles associated with the support group.

      Cockpit-business

      Predefined set of roles associated with the business group.

      Cockpit-user-manager

      Predefined set of roles associated with the user management group.

      Cockpit-developer

      Predefined set of roles associated with the developer group.

      Cockpit-devops

      Predefined set of roles associated with the devops group.

      Cockpit_admin

      Predefined set of roles associated with the admin group.

    3. Click the users that you want to add to the group.

      If you accidentally click the wrong user, you can click them again and they’ll return to the Available group.
    4. Don’t forget to click Add.

      create user group

Group access AdminCentral

If using the SSO module for authentication, you need to ensure the groups created in the Cockpit are granted access via the configuration in the SSO module.

  1. Create a group in the Cockpit.

    No special roles are needed for AdminCentral access.
  2. Assign users to the group. These are the users who you want to be able to access AdminCentral.

  3. In the SSO module, ensure the group name created in the Cockpit is defined in the config.yaml file. See the SSO module configuration section for more details.

    path: /.magnolia/admincentral
    callbackUrl: http://localhost:8080/.auth
    postLogoutRedirectUri: http://localhost:8080/.magnolia/admincentral
    authorizationGenerators:
      - name: groupsAuthorization
        groups:
          targetProperty: groups
          mappings:
            - name: /COCKPIT_GROUP (1)
              targetGroups: (2)
                - editors
              targetRoles: (3)
                - editor
    1 Where /COCKPIT_GROUP is the name of the group you created in the Cockpit. If using Keycloak, the leading / is mandatory.
    2 Defines the target group for the mapped group.
    3 Defines any particular target roles for the group.

Add Organisation

You can create an Organisation so that you can group access to certain parts of your PaaS project based on a business unit or organisation. You can define access to clusters, domains, and namespaces this way and explicitly choose the users that are part of the unit.

  1. Click the user icon in the top right corner.

  2. Choose Access from the dropdown menu.

  3. Go to the Organisations tab.

  4. Click Add.

    1. Give the organisation a meaningful name.

    2. Give the organisation a meaningful description.

    3. Choose the Cluster Ids for which you want to grant access.

    4. Choose the Domains for which you want to grant access.

    5. Choose the Namespaces for which you want to grant access.

    6. Click the users that you want to add to the organisation.

      If you accidentally click the wrong user, you can click them again and they’ll return to the Available group.
    7. Don’t forget to click Add.

      create business unit

Feedback

PaaS

×

Location

This widget lets you know where you are on the docs site.

You are currently perusing through the Magnolia PaaS docs.

Main doc sections

DX Core Headless PaaS Legacy Cloud Incubator modules