Manage users
For each tenant and organizational unit, you can add users and manage their user roles.
Manage users in a tenant
A tenant is the highest unit in the tenancy structure of the Chef 360 Platform. Each tenant is logically separated from the others, and no data is shared between tenants. Each tenant can have one or more organizational units within it. All users are created and stored in a tenant.
Add a user to a tenant
To create a user and add them to a tenant, follow these steps:
1. Create a new user:

   chef-platform-auth-cli user-account identity create-identity --body '{ "kind": "local", "email": "<EMAIL_ADDRESS>", "password": "<PASSWORD>", "firstName": "<FIRST_NAME>", "lastName": "<LAST_NAME>" }' --profile "<PROFILE_NAME>"

   Replace:
   - <EMAIL_ADDRESS> with the new user’s email address.
   - <PASSWORD> with a password for the new user. If you don’t provide a password, an email is sent to the user asking them to create a password.
   - <FIRST_NAME> with the new user’s first name.
   - <LAST_NAME> with the new user’s last name.
   - <PROFILE_NAME> with your profile. Your profile must have the org-admin role to create new users.

   The response is similar to the following:

   {
     "item": {
       "email": "test@example.com",
       "firstName": "test",
       "id": "20f9246e-998f-488f-b03b-8bd808802921",
       "kind": [ "Local" ],
       "lastName": "doe",
       "userTypes": [ { "status": "enabled", "type": "local" } ]
     }
   }
By default, this new user isn’t part of any organization. To add the user to an organization and assign roles to them, see the user management documentation.
Manage users in an organization
Each user can log into the Chef 360 Platform and perform actions based on their user role and organization. A single user account can access different organizational units in the same tenant.
You must have a profile with the org-admin or tenant-admin role to add users and assign user roles.
List users in an organization
Get a list of users associated with an organization:
chef-platform-auth-cli user-account user list-users --profile <PROFILE_NAME>
Replace <PROFILE_NAME> with the profile associated with the organization that you are querying.
The response contains an array of users with their email address, first name, user ID, last name, and other information.
Add a user to an organization
You can add new users to an organization and assign them roles.
Follow these steps to add a user to an organization:
1. Add the user to the organizational unit:

   chef-platform-auth-cli user-account user add-user --body '{"email": "<EMAIL_ADDRESS>"}' --profile <PROFILE_NAME>

   Replace <EMAIL_ADDRESS> with the user’s email address and <PROFILE_NAME> with the profile associated with the organization.

   If the user already exists, they’re added to the organization. If the user doesn’t exist, the command creates the user, sends them an email asking them to set a password, and then adds them to the organization.

   The user is added to the organization associated with the specified profile and given the default role of viewer.
Assign roles to users
The Chef 360 Platform supports built-in system roles and user-defined custom roles. Built-in system roles are available in each tenant and apply to all organizational units within it. Advanced users can define custom roles that fit their business needs. No two roles within an organizational unit can have the same name. Each role comprises one or more policies, and each policy grants privileges to the users who hold a role containing that policy.
To assign a role to a user, you’ll need the user’s ID, the role name, and the role ID.
Follow these steps to assign a role to a user in an organization:
1. Get a list of system-defined and user-defined roles in the organization:

   chef-platform-auth-cli authz role find-role --definedBy system --profile <PROFILE_NAME>

   Replace <PROFILE_NAME> with your user profile that’s associated with the organization that you’re adding the user to.

   The response is similar to the following:

   {
     "items": [
       {
         "definedBy": "system",
         "description": "",
         "id": "5fcb0235-156-4ece-8857-404a5d39a290",
         "level": "org",
         "meantFor": "user",
         "name": "tenant-admin",
         "status": "enabled"
       },
       {
         "definedBy": "system",
         "description": "",
         "id": "e96523ea-5890-4489-9979-0C3ecaaf06",
         "level": "org",
         "meantFor": "user",
         "name": "tenant-viewer",
         "status": "enabled"
       },
       {
         "definedBy": "system",
         "description": "",
         "id": "ff808dde-da38-41d2-bd2c-3202fcbb9166",
         "level": "org",
         "meantFor": "user",
         "name": "org-admin",
         "status": "enabled"
       }
     ]
   }
2. Get the list of all users in the organization:

   chef-platform-auth-cli user-account user list-users --profile <PROFILE_NAME>

   Replace <PROFILE_NAME> with your user profile that’s associated with the organization that you’re adding the user to.

   The response is similar to the following:

   {
     "items": [
       {
         "email": "user-1@example.com",
         "firstName": "Test",
         "id": "37a06d11-983b-47b9-be6f-c033219082d4",
         "kind": [ "local" ],
         "lastName": "User-1",
         "userTypes": [ { "status": "enabled", "type": "local" } ]
       },
       {
         "email": "user-2@example.com",
         "firstName": "test",
         "id": "d2655d0-†Зе3-4c08-bef2-bf940d34ea3",
         "kind": [ "local" ],
         "lastName": "User-2",
         "userTypes": [ { "status": "enabled", "type": "local" } ]
       }
     ]
   }
3. Assign the role to the user using the role name, role ID, and user ID:

   chef-platform-auth-cli user-account user assign-role --body '{ "name": "<ROLE_NAME>", "roleId": "<ROLE_ID>" }' --userId "<USER_ID>" --profile <PROFILE_NAME>

   Replace:
   - <PROFILE_NAME> with your user profile that’s associated with the organization that you’re adding the user to.
   - <ROLE_NAME> with the name of the role to assign to the user.
   - <ROLE_ID> with the ID of the role to assign to the user.
   - <USER_ID> with the ID of the user.

   The response is similar to the following:

   { "code": 201, "message": "assign-role successful" }
After role assignment completes, the new user can log in and register their device.
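The three steps above can be chained so that an operator names the role and the user and never copies IDs by hand. The following script is an added example, not part of the Chef 360 documentation or CLI: it assumes chef-platform-auth-cli is on PATH, uses only the commands and response shapes shown on this page (find-role with --definedBy system, so only system roles are looked up), and refuses to proceed unless the role name and email each match exactly one record.

```python
import json
import subprocess

CLI = "chef-platform-auth-cli"  # assumed to be installed and on PATH


def run_cli(args):
    """Run one CLI command and parse the JSON it prints on stdout."""
    proc = subprocess.run([CLI, *args], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def role_id_by_name(find_role_response, role_name):
    """Pick the ID of the enabled role called role_name from a find-role response.
    Exactly one match is required: a typo or a duplicate name must fail loudly
    rather than silently granting a different (possibly broader) role."""
    ids = [r["id"] for r in find_role_response["items"]
           if r["name"] == role_name and r.get("status") == "enabled"]
    if len(ids) != 1:
        raise LookupError(f"expected one enabled role named {role_name!r}, found {len(ids)}")
    return ids[0]


def user_id_by_email(list_users_response, email):
    """Pick the ID of the user whose email matches (comparison is case-insensitive)."""
    ids = [u["id"] for u in list_users_response["items"]
           if u["email"].lower() == email.lower()]
    if len(ids) != 1:
        raise LookupError(f"expected one user with email {email!r}, found {len(ids)}")
    return ids[0]


def assign_role_argv(role_name, role_id, user_id, profile):
    """Build the assign-role command exactly as documented in step 3."""
    body = json.dumps({"name": role_name, "roleId": role_id})
    return [CLI, "user-account", "user", "assign-role",
            "--body", body, "--userId", user_id, "--profile", profile]


def assign_role(email, role_name, profile):
    """Resolve both IDs from live responses, then run the assignment. Returns the response."""
    roles = run_cli(["authz", "role", "find-role", "--definedBy", "system", "--profile", profile])
    users = run_cli(["user-account", "user", "list-users", "--profile", profile])
    argv = assign_role_argv(role_name, role_id_by_name(roles, role_name),
                            user_id_by_email(users, email), profile)
    return json.loads(subprocess.run(argv, check=True, capture_output=True, text=True).stdout)


if __name__ == "__main__":
    # Placeholder values; replace with a real user email, role name and profile name.
    print(assign_role("user-1@example.com", "org-admin", "<PROFILE_NAME>"))
```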
Get user roles
Each user can have multiple roles. Use the following procedure to get a user’s roles:
1. Run the list-users command to get the user ID for all the users:

   chef-platform-auth-cli user-account user list-users --profile <PROFILE_NAME>

   Replace <PROFILE_NAME> with the profile associated with the organization you are querying.

2. Get the roles assigned to the user using their user ID:

   chef-platform-auth-cli user-account user list-roles --userId "<USER_ID>" --profile <PROFILE_NAME>
   Replace:
   - <USER_ID> with the user’s ID. For example, 19069f49-1919-4a28-a145-36e24bfc6a3b.
   - <PROFILE_NAME> with the profile associated with the organization you are querying.

   The response is similar to the following:

   {
     "items": [
       {
         "definedBy": "system",
         "id": "8413fd6c-ed2a-42ba-8336-7217ac335825",
         "name": "org-viewer",
         "status": "enabled"
       },
       {
         "definedBy": "system",
         "id": "ff808dde-da38-41d2-bd2c-3202fcbb9166",
         "name": "org-admin",
         "status": "enabled"
       }
     ]
   }
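Because each user can hold several roles, the two commands above are also what you need to periodically check who holds the admin roles in an organization. The script below is an added example, not part of the Chef 360 documentation or CLI: it assumes chef-platform-auth-cli is on PATH, treats the org-admin and tenant-admin role names from this page as the privileged set, and reports any admin who is not on an approved list you maintain.

```python
import json
import subprocess

CLI = "chef-platform-auth-cli"  # assumed to be installed and on PATH
ADMIN_ROLES = frozenset({"org-admin", "tenant-admin"})  # built-in roles named on this page


def run_cli(args):
    """Run one CLI command and parse the JSON it prints on stdout."""
    proc = subprocess.run([CLI, *args], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def enabled_role_names(list_roles_response):
    """Names of the enabled roles in one list-roles response, sorted for stable output."""
    return sorted(r["name"] for r in list_roles_response["items"]
                  if r.get("status") == "enabled")


def admin_holders(list_users_response, roles_by_user_id):
    """Map each user's email to the admin roles they hold; users with none are omitted.
    roles_by_user_id maps a user ID to that user's list-roles response."""
    holders = {}
    for user in list_users_response["items"]:
        roles = roles_by_user_id.get(user["id"], {"items": []})
        admin = [n for n in enabled_role_names(roles) if n in ADMIN_ROLES]
        if admin:
            holders[user["email"]] = admin
    return holders


def unexpected_admins(holders, approved_emails):
    """Emails that hold an admin role but are not approved (case-insensitive match)."""
    approved = {e.lower() for e in approved_emails}
    return sorted(e for e in holders if e.lower() not in approved)


def audit(profile, approved_emails):
    """Fetch users and their roles for the organization behind profile, then report."""
    users = run_cli(["user-account", "user", "list-users", "--profile", profile])
    roles_by_user = {u["id"]: run_cli(["user-account", "user", "list-roles",
                                       "--userId", u["id"], "--profile", profile])
                     for u in users["items"]}
    holders = admin_holders(users, roles_by_user)
    return holders, unexpected_admins(holders, approved_emails)


if __name__ == "__main__":
    held, drift = audit("<PROFILE_NAME>", ["admin@example.com"])  # placeholder values
    print(json.dumps({"admins": held, "unexpected": drift}, indent=2))
```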