Managing Users

Creating Users in a UAA Instance

You can create users locally in UAA for authentication and assign them to the required groups from the UAA dashboard.

Before You Begin

  • Log in to Predix.io.

About This Task

When you create a UAA instance, an admin client is automatically created for you so that you can configure the instance. The admin client is assigned the required authorities and scopes by default.
Note: By default, the admin client is not assigned the authority to change user passwords. If you need to update or reset user passwords, add the uaa.admin authority to your admin client. You can use the UAA command-line interface (UAAC) to add the uaa.admin authority. For information on installing UAAC, see https://github.com/cloudfoundry/cf-uaac.

If you prefer to use UAAC to create users, see uaas-managing-users.html#task_j3f_mbl_rdb.

Use the following procedure to create users locally through the UAA dashboard.

Procedure

  1. In the Console view, select the Space where your services are located.
  2. In the Services Instances page, select the UAA instance that you need to configure.
  3. Select the Configure Service Instance option.
  4. In the UAA Dashboard login page, specify your admin client secret and click Login.
  5. In the UAA Dashboard, select the User Management tab.
    The User Management tab has two sections, Users and Groups. The Groups section displays the groups that you created in your UAA instance.
  6. Click on the Create User button to open the New User form.
  7. Specify the following values in the New User form:
    Regular User: Choose this option to set up a local user in your UAA. A Regular User is authenticated by UAA itself, not through an external Identity Provider (IdP).

    Shadow User: Choose this option to create a local user in UAA that corresponds to a user defined in your external IdP. Shadow users are useful if you want to allow only a subset of the users in your IdP to authenticate (an allow list). To create shadow users individually, ensure that the option to create shadow users automatically is not selected when you configure the IdP.

    User Name: Specify the user name. For a shadow user, this value must match the user name defined in your IdP.

    Email: Specify the email address. For a shadow user, this value must match the email address defined in your IdP.

    Password: Specify the password. An administrator can set password policies that define the permitted structure of passwords. For more information, see create-pswd-policies.html#task_gdk_f43_fx. A password is not required for a shadow user, because the external IdP authenticates that user.

    Given Name: Specify the first name of the user.

    Family Name: Specify the last name of the user.

    Origin: Specify the name of the IdP in which this user is defined. The Origin field is available only when you set up a Shadow User.

    Groups: Select the groups to associate the user with. For more information on groups, see uaas-managing-users.html#task_vgj_vcy_1x.

    Active: Select this option to allow the Regular or Shadow user to log in.

    Verified: Select this option to mark the Regular or Shadow user as verified. Verified users are users who have confirmed their account through the email invitation that UAA generates automatically when the account is created.

Using UAAC to Create Users in a UAA Instance

This optional procedure creates users in a UAA instance with UAAC instead of the UAA dashboard.

About This Task

For applications accessing your UAA instance, you can create additional clients and users with required scopes.

Note: By default, the admin client is not assigned the authority to change user passwords. If you need to update or reset user passwords, add the uaa.admin authority to your admin client. You can use UAAC to add the uaa.admin authority. For information on installing UAAC, see https://github.com/cloudfoundry/cf-uaac.

Procedure

  The following commands assume that UAAC is already targeting your UAA instance and holds a token for your admin client.

  1. Create a new user.
    uaac user add <my-user> --emails <my-user-email> --password <my-password>

  2. Create the groups in your UAA instance.

    For more information on available groups, see https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst#scopes-authorized-by-the-uaa.

    For example:

    uaac group add scim.read
    uaac group add scim.write
  3. Add the new user to the required groups. Grant only the groups the user actually needs: the scim.*, clients.* and zones.<my_uaa_instance>.admin groups in the example below are administrative and let the user manage other users and clients in the instance.

    For example:

    uaac member add zones.<my_uaa_instance>.admin <my-user>
    uaac member add scim.read <my-user>
    uaac member add scim.write <my-user>
    uaac member add clients.write <my-user>
    uaac member add clients.read <my-user>
    uaac member add clients.admin <my-user>
    uaac member add clients.secret <my-user>
  4. Verify that the user was created with the correct scopes. Obtain a token for the user with the password (resource owner) grant, then decode it and check the scope claim. UAAC prompts for the client secret and the user password.
    uaac token owner get <my-oauth-client> <my-user>
    uaac token decode

Creating Groups in a UAA Instance

If you design your application to authorize using specific scopes, you can create groups corresponding to those scopes in UAA and assign users to those groups. When a user logs in to your web application, the application redirects the user to UAA. If the user belongs to the group and the client your web application uses is authorized for that scope, UAA issues the web application a signed token that contains that scope. The application must verify the token's signature before trusting the scopes it carries.

About This Task

Predix platform services have scopes specific to each service. When you create users for these services, you can create groups corresponding to these scopes to provide permissions specific to a service. After creating groups, you can assign users to the required groups.

For example, if you use the Time Series service, you must create the timeseries.zones.<instance_id>.user and timeseries.zones.<instance_id>.ingest groups for users with data ingestion permission.

For a list of scopes for all platform services, see uaas-managing-clients.html#reference_ec1_t3d_bx.
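The check that step 4 of the UAAC procedure performs by hand (decode the token, read its scope claim) is the same check a web application makes before it honours a request. The following Python is an added example, not code from the Predix documentation or the UAA project: it verifies a JWT access token and reports which required scopes (such as the Time Series groups above) are missing. To run offline it builds a constructed token signed with HMAC-SHA256 under a stand-in key; Predix UAA issues RS256 tokens, so a real application must verify the signature with the public key from the instance's /token_key endpoint (for example with PyJWT) instead of the shared key used here. All names and the sample user and scopes are assumptions.

```python
"""Verify a UAA-style JWT access token and check its scope claim.

Added example. Uses HS256 with a constructed key so it runs offline;
Predix UAA signs with RS256, so verify real tokens with the public key
from /token_key instead of DEMO_SIGNING_KEY.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the UAA signing key; not a real secret.
DEMO_SIGNING_KEY = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(user: str, scopes: list, key: bytes = DEMO_SIGNING_KEY,
                    ttl: int = 3600) -> str:
    """Build an HS256 JWT whose claims mirror those UAA puts in an access token.

    Only for constructing sample input; a real token is issued by UAA.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {"user_name": user, "scope": scopes, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + \
        _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, key: bytes = DEMO_SIGNING_KEY, now: int = None) -> dict:
    """Check signature and expiry, then return the claims.

    Raises ValueError on any failure. The expected algorithm is pinned rather
    than read from the token, so an 'alg: none' or algorithm-swap token is
    rejected before its signature is considered.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + claims_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    current = now if now is not None else int(time.time())
    if current >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def token_is_valid(token: str, key: bytes = DEMO_SIGNING_KEY, now: int = None) -> bool:
    """Boolean wrapper around verify_token for callers that do not need the claims."""
    try:
        verify_token(token, key, now)
        return True
    except ValueError:
        return False


def missing_scopes(claims: dict, required: list) -> list:
    """Return the required scopes absent from the token's scope claim.

    An empty list means the token authorizes the request. Scope names are the
    UAA group names, e.g. timeseries.zones.<instance_id>.ingest.
    """
    granted = set(claims.get("scope", []))
    return [s for s in required if s not in granted]


if __name__ == "__main__":
    # Constructed sample: a user in the Time Series user and ingest groups.
    token = make_demo_token("alice", ["openid", "timeseries.zones.abc.user",
                                      "timeseries.zones.abc.ingest"])
    claims = verify_token(token)
    print("user:", claims["user_name"], "scopes:", claims["scope"])
    print("missing for ingest:", missing_scopes(claims, ["timeseries.zones.abc.ingest"]))
    print("missing for scim.write:", missing_scopes(claims, ["scim.write"]))
```

The scope check is deliberately separate from signature verification: an application that reads the scope claim without first verifying the token (as `uaac token decode` does, which is fine for a manual check) accepts any scopes a caller cares to write into an unsigned token.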

Use the following procedure to create groups in UAA:

Procedure

  1. In the Console view, select the Space where your services are located.
  2. In the Services Instances page, select the UAA instance that you need to configure.
  3. Select the Configure Service Instance option.
  4. In the UAA Dashboard login page, specify your admin client secret and click Login.
  5. In UAA Dashboard, select the User Management tab.
    The User Management tab has two sections, Users and Groups. The Groups section displays the groups that you have created in your UAA instance.
  6. Click on the Create Group option to open the New Group form.
  7. Specify the following values in the New Group form:
    Display Name: Specify the name of the group.
    Description: Specify the description of the group.