Managing users

In the GovCloud environment

Only single sign-on user accounts are allowed. Service accounts, such as deployer credentials, are to be generated only via the service account managed service to ensure that they are scoped to a particular space with limited access.

No local UAA accounts shall be created for user access.

Creating users

The preferred way to add new users is to invite them. If you need to create a user manually, follow the instructions for the provision-user-space CLI plugin.

Changing passwords

First ask the user to try resetting their own password.

If a user logs in using their agency’s account system, the only way to reset that password is for them to use their agency’s normal password reset process.

If they log in with a cloud.gov account that has its own password (including ORGNAME_deployer accounts), you can change their password for them, using:

uaac target uaa.cloud.gov

Additional access

Organizations and spaces

You can grant the user access to additional organizations and spaces by giving them additional roles. See the instructions for changing roles.

Managing Admins

Make sure you have a copy of the cg-scripts repository so you have access to several utility scripts.

Creating Admins

First, target and get a token for the main Cloud Foundry UAA, and make the user a Cloud Foundry admin using their GSA email address.

cd /path/to/cg-scripts
uaac target <CF_UAA_FQDN>
uaac token client get admin -s <CF_UAA_ADMINCLIENT_PASSPHRASE>
./make-cf-admin.sh <EMAIL_ADDRESS>

Second, target and get a token for the Ops UAA, and then make the user a Concourse admin using their GSA email address.

uaac target <OPS_UAA_FQDN>
uaac token client get admin -s <OPS_UAA_ADMINCLIENT_PASSPHRASE>
./make-ops-admin.sh <EMAIL_ADDRESS>

Removing Admins

First, target and get a token for the main Cloud Foundry UAA, and remove the user as a Cloud Foundry admin using their GSA email address.

cd /path/to/cg-scripts
uaac target <CF_UAA_FQDN>
uaac token client get admin -s <CF_UAA_ADMINCLIENT_PASSPHRASE>
./make-cf-admin.sh -r <EMAIL_ADDRESS>

Second, target and get a token for the Ops UAA, and then remove the user as a Concourse admin using their GSA email address.

cd /path/to/cg-scripts
uaac target <OPS_UAA_FQDN>
uaac token client get admin -s <OPS_UAA_ADMINCLIENT_PASSPHRASE>
./make-ops-admin.sh -r <EMAIL_ADDRESS>
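
A check to run after each removal step above, while still targeted at that UAA, to confirm the user no longer holds admin groups. This is an added example, not part of cg-scripts. The function names, the sample output and the default group list are assumptions; set ADMIN_GROUPS to the groups your copy of the scripts grants.

```shell
#!/bin/sh
# Added example: confirm an admin removal took effect by checking the
# user's remaining UAA groups. Run it once per UAA target (CF, then Ops).

# Assumption: these are the groups that confer admin rights. Replace them
# with the groups your copy of make-cf-admin.sh / make-ops-admin.sh grants.
ADMIN_GROUPS="${ADMIN_GROUPS:-cloud_controller.admin uaa.admin}"

# Read `uaac user get` output on stdin; print each admin group still held.
# Group names are taken from the "display: <name>" lines of that output.
leftover_admin_groups() {
  awk -v want="$ADMIN_GROUPS" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) admin[w[i]] = 1 }
    $1 == "display:" && ($2 in admin) { print $2 }
  ' | sort -u
}

# Return 0 if the user holds no admin group, 1 if any remain,
# 2 if the lookup itself failed (wrong target, expired token, no such user).
verify_admin_removed() {
  _email="$1"
  _out="$(uaac user get "$_email")" || {
    echo "ERROR: uaac user get failed for $_email" >&2
    return 2
  }
  _left="$(printf '%s\n' "$_out" | leftover_admin_groups | tr '\n' ' ')"
  if [ -n "$_left" ]; then
    echo "STILL ADMIN: $_email holds: $_left" >&2
    return 1
  fi
  echo "OK: $_email holds no admin groups on this UAA"
}

# Constructed sample modeled on `uaac user get` output (not real data).
SAMPLE_USER_GET='  id: 00000000-0000-0000-0000-000000000000
  username: jane.doe@example.gov
  groups:
    -
      value: 11111111-1111-1111-1111-111111111111
      display: cloud_controller.admin
      type: DIRECT
    -
      value: 22222222-2222-2222-2222-222222222222
      display: openid
      type: DIRECT'

# Demo on the sample: prints "cloud_controller.admin".
printf '%s\n' "$SAMPLE_USER_GET" | leftover_admin_groups
```

Call it as verify_admin_removed <EMAIL_ADDRESS>; a non-zero exit means the removal should be re-run or investigated before the offboarding is considered complete.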