Managing Users & Permissions
Permission levels:
Penfield's role-based access control (RBAC) model authorizes users according to the role assigned to them; each role carries its own set of permissions.
| Role Name | Permissions |
|---|---|
| admin | Has full access to all views and can manage users, settings, and reporting. |
| analyst | Can view data limited to their own and their team's, but cannot modify configurations or settings. |
| automation engineer | Creates and manages automations and workflows, with limited access to views and settings. |
Access the admin backend (kratos-admin)
User signup and account recovery are disabled in the UI; both are performed only through the Kratos admin API, which runs inside the cluster and is not exposed outside it. The admin API has no authentication of its own, so access to it is controlled entirely by who can reach it. To reach it, port-forward the service from the Kubernetes cluster, and close the forward again as soon as you are done:

```bash
kubectl port-forward svc/kratos-admin -n kratos 4040:80
```

4040 is the local port and can be any free port you prefer; 80 is the service port being forwarded to and must not be changed.
Manage users
Create user
With the port-forward in place, create a user by POSTing to the /admin/identities endpoint. `schema_id` names the identity schema configured in Kratos for this deployment, and `traits` holds the attributes that schema defines (here the email address):
```bash
curl --request POST -sL --header "Content-Type: application/json" --data '{
  "schema_id": "admin",
  "traits": {
    "email": "user@example.com"
  }
}' http://localhost:4040/admin/identities
```
The response is the new identity as JSON. Note its `id`: that is the identity_id you will need to create the recovery link.
Create a recovery link to set up a password (create/reset password)
Given the user's id, the admin API creates a recovery link for that user. Replace identity_id in the request below with the id returned when the user was created:
```bash
curl --request POST -sL --header "Content-Type: application/json" --data '{
  "expires_in": "24h",
  "identity_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}' http://localhost:4040/admin/recovery/link
```
The response carries the link (`recovery_link`) and its expiry. Opening the link lets the holder set the identity's password with no further proof of who they are, so treat the link as a credential: send it only to the intended user, over a channel you trust, and choose a shorter `expires_in` than 24h when the user can act promptly.
Recovery links are single-use: once a link has been opened it is consumed and cannot be opened again, by that user or by anyone else.
List all users
A GET request on the same endpoint lists all identities; use it to look up the id (identity_id) of an existing user. The list is paginated, so on larger deployments walk through the pages rather than assuming one response holds every user.

```bash
curl http://localhost:4040/admin/identities
```
Remove user account
Given the user's id (identity_id), the API deletes the identity from the Kratos backend. This is irreversible and the API asks for no confirmation: the identity and its credentials are gone, and the only remedy is to create a new user. Check the id against the listing output before you send the request, then replace identity_id below with the id of the user to remove:

```bash
curl --request DELETE -sL --header "Content-Type: application/json" http://localhost:4040/admin/identities/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
```
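The whole procedure (create the identity, mint a short-lived recovery link, look an identity up by email, delete it behind a guard) as one script. This is an added example, not Penfield's own tooling and not part of Ory Kratos. It assumes the port-forward above is running so the admin API answers at http://localhost:4040, and uses only the endpoint paths and request bodies shown on this page; `FakeKratos`, the ids and tokens it hands out, and the `penfield.example` link host are constructed so the script can run offline.

```python
"""Onboard, look up and offboard Penfield users via the Kratos admin API.

Added example; not code from the Penfield docs or from Ory Kratos. Assumes
`kubectl port-forward svc/kratos-admin -n kratos 4040:80` is running, so the
admin API (which has no authentication of its own) answers on ADMIN_URL.
FakeKratos is a constructed in-memory stand-in for offline runs.
"""
import json
import urllib.error
import urllib.request

ADMIN_URL = "http://localhost:4040"  # local end of the port-forward (assumption)


def _http(method, url, body):
    """Send one JSON request; return (status, decoded body or None)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw, status = resp.read(), resp.status
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a JSON error body
        raw, status = err.read(), err.code
    return status, (json.loads(raw) if raw else None)


class KratosAdmin:
    def __init__(self, base_url=ADMIN_URL, transport=_http):
        self.base_url = base_url.rstrip("/")
        self._transport = transport  # swapped for FakeKratos in offline runs

    def _call(self, method, path, body=None):
        status, payload = self._transport(method, self.base_url + path, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}: {payload}")
        return payload

    def create_identity(self, email, schema_id="admin"):
        """POST /admin/identities; returns the new identity_id."""
        body = {"schema_id": schema_id, "traits": {"email": email}}
        return self._call("POST", "/admin/identities", body)["id"]

    def list_identities(self):
        """GET /admin/identities. Kratos paginates this list; only the first
        page is fetched here, which is enough for a small deployment."""
        return self._call("GET", "/admin/identities")

    def find_by_email(self, email):
        """Map an email to its identity_id, or None. Refuses ambiguous matches."""
        hits = [i["id"] for i in self.list_identities()
                if ((i.get("traits") or {}).get("email") or "").lower() == email.lower()]
        if len(hits) > 1:
            raise ValueError(f"{email} matches {len(hits)} identities: {hits}")
        return hits[0] if hits else None

    def create_recovery_link(self, identity_id, expires_in="1h"):
        """POST /admin/recovery/link; returns the single-use link. The link is a
        bearer credential for setting the password, so keep expires_in short."""
        body = {"expires_in": expires_in, "identity_id": identity_id}
        return self._call("POST", "/admin/recovery/link", body)["recovery_link"]

    def delete_identity(self, identity_id, expected_email):
        """DELETE /admin/identities/{id}. Irreversible, so proceed only when the
        id still resolves to the email the operator named (catches a pasted-wrong id)."""
        if self.find_by_email(expected_email) != identity_id:
            raise ValueError(f"{identity_id} is not the identity of {expected_email}; not deleting")
        self._call("DELETE", f"/admin/identities/{identity_id}")


def onboard(admin, email):
    """Create the identity and mint its password-setup link; returns (id, link)."""
    identity_id = admin.create_identity(email)
    return identity_id, admin.create_recovery_link(identity_id)


class FakeKratos:
    """Constructed stand-in for the four admin routes used above: in-memory
    store, constructed ids and tokens, no uniqueness checks. Offline use only."""
    def __init__(self):
        self.identities, self.links, self._n = {}, {}, 0

    def __call__(self, method, url, body):
        path = url.split("/admin", 1)[1]
        if method == "POST" and path == "/identities":
            self._n += 1
            ident = {"id": f"00000000-0000-4000-8000-{self._n:012d}",
                     "schema_id": body["schema_id"], "traits": body["traits"]}
            self.identities[ident["id"]] = ident
            return 201, ident
        if method == "GET" and path == "/identities":
            return 200, list(self.identities.values())
        if method == "POST" and path == "/recovery/link":
            if body["identity_id"] not in self.identities:
                return 404, {"error": {"message": "identity not found"}}
            token = f"tok{len(self.links) + 1}"
            self.links[token] = body["identity_id"]
            return 200, {"recovery_link": f"https://penfield.example/self-service/recovery?token={token}"}
        if method == "DELETE" and path.startswith("/identities/"):
            if self.identities.pop(path.rsplit("/", 1)[1], None) is None:
                return 404, {"error": {"message": "identity not found"}}
            return 204, None
        return 404, {"error": {"message": f"no route for {method} {path}"}}


if __name__ == "__main__":
    admin = KratosAdmin(transport=FakeKratos())  # drop transport= to use the port-forward
    new_id, link = onboard(admin, "analyst@example.com")
    print(new_id, link)
    admin.delete_identity(new_id, "analyst@example.com")
```

Run it as-is to exercise the workflow against the in-memory fake; construct `KratosAdmin()` without `transport=` to talk to the real port-forward. `delete_identity` takes the email as well as the id and re-resolves it from the listing first, so a mistyped or stale id produces a refusal rather than an irreversible deletion, and `create_recovery_link` defaults to a one-hour expiry rather than the page's 24h because the link is effectively a password.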