Skip to main content

Managing Users & Permissions

Permissions levels:

Penfield role-based access control (RBAC) model enables authorization of users based on roles with different sets of permissions.

Role NamePermissions
adminHas full access to all views and can manage users, settings, and reporting.
analystCan view data limited to their own and team but cannot modify configurations or settings.
automation engineerCreates and manages automation and workflows with limited access to views and settings.

Access the admin backend (kratos-admin)

User signup, and account recovery are disabled from the UI and can only be done from the admin endpoint which is hosted in the cluster but not exposed.

In order to access it, port-forward the service from the kubernetes cluster by:

kubectl port-forward svc/kratos-admin -n kratos 4040:80

Port 4040 (or any local port you prefer) can be used but the port 80 (port being forwarded to) can not be changed.

Manage users

Create user

After the port-forwarding, we can use the /identities endpoint to create users.

curl --request POST -sL --header "Content-Type: application/json" --request POST --data '{
"schema_id": "admin",
"traits": {
"email": ""
}' http://localhost:4040/identities

This POST will return a response with the new user’s id, and you will need it for creating the recovery link.

With user’s ID, admin API allows us to create a recovery link for the user. Change the identity_id in the below request to create a recovery link:

curl --request POST -sL --header "Content-Type: application/json" --request POST --data '{
"expires_in": "24h",
"identity_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}' http://localhost:4040/recovery/link

Use the recovery link to create credentials. You can send the recovery link directly to the users to generate credentials.


Recovery link are one time unique links, once you open it then it cannot be opened by any other user.

List all users

A get request allows us to see all the users and you can find the user’s id (identity_id) for existing users.

curl http://localhost:4040/identities

Remove user account

With user’s ID(identity_id), the API allows us to delete user from kratos admin backend. Be careful while deleting users this is not reversible action, Once user gets deleted it cannot be recovered, only new user can be created once deleted. Change the identity_id in the below request to remove valid user.

curl --request DELETE -sL --header "Content-Type: application/json" --request DELETE http://localhost:4040/identities/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx