eliott/authentik
1
0
Fork 0
mirror of https://github.com/goauthentik/authentik synced 2026-04-26 01:25:02 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
404570a4d2e535ef6391250c9d2d74fe513386db
authentik/website/docs/users-sources/user/user_basic_operations.md
Dominic R 404570a4d2 website/docs: Reorganize policy documentation (#21133) 
* Reorganize policy documentation

* website/docs: address policy docs review feedback

* post-rebase

* website/docs: Reorganize policy documentation -- Revisions (#21601)

* apply suggestions

---------

Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
2026-04-16 07:11:52 -04:00

222 lines
13 KiB
Markdown
Raw Blame History

---
title: Manage users
---
The following topics are for the basic management of users: how to create, modify, delete or deactivate users, and using a recovery email.
[Policies](../../customize/policies/index.md) can be used to further manage how users are authenticated. For example, by default authentik does not require email addresses be unique, but you can use a policy to [enforce unique email addresses](../../customize/policies/types/expression/unique_email.md).
## Create a user
> If you want to automate user creation, you can do that either by [invitations](./invitations.md), [`user_write` stage](../../add-secure-apps/flows-stages/stages/user_write.md), or [using the API](/api/reference/core-users-create).
1. In the Admin interface of your authentik instance, select **Directory** > **Users** in the left side menu.
2. In the **User folders** area, select the folder where you want to create a user.
3. Click **New User** (for a default user).
4. Fill in the required fields:
- **Username**: This value must be unique across your user folders.
- **Path**: The path where the user will be created. It will be automatically populated with the folder you selected in the previous step.
5. Fill the **_optional_** fields if needed:
- **Name**: The display name of the user.
- **Email**: The email address of the user. Email addresses are used in [email stages](../../add-secure-apps/flows-stages/stages/email/index.mdx) and to receive [notifications](../../sys-mgmt/events/notifications.md), if configured.
- **Is active**: Define if the newly created user account is active. Selected by default.
- **Attributes**: Custom attributes definition for the user, in YAML or JSON format. These attributes can be used to enforce additional prompts on authentication stages or define conditions to enforce specific policies if the current implementation does not fit your use case. The value is an empty dictionary by default.
6. Click **Create User**
You should see a confirmation pop-up on the top-right of the screen that the user has been created, and see the new user in the user list. You can directly click the username if you want to [modify your user](./user_basic_operations.md#modify-a-user).
:::info
To create a super-user, you need to add the user to a group that has super-user permissions. For more information, refer to [Create a Group](../groups/manage_groups.mdx#create-a-group).
:::
## Advanced queries for users {#advanced-queries}
You can create advanced queries to locate specific users within the list shown under **Directory** > **Users** in the Admin interface. Use the auto-complete in the **Search** field or enter your own queries to return results with greater specificity.
- **Field**: `username`, `path`, `name`, `email`, `path`, `is_active`, `type`, `attributes`
- **Operators**: `=`, `!=`, `~`, `!~`, `startswith`, `not startswith`, `endswith`, `not endswith`, `in`, `not in`
- **Values**: `True`, `False`, `None`, and more
- **Example queries**:
- search user by status: `is_active = False`
- search user by username: `username = "bob"`
- search user by email address: `email = "bob@authentik.company"`
- search user by attribute: `attribute.my_custom_attribute = "foo"`
:::info
1. To dismiss the drop-down menu option, click **ESC**.
2. If the list of operators does not appear in a drop-down menu you will need to manually enter it.
:::
## View user details
In the **Directory** > **Users** menu of the Admin interface, you can browse all the users in your authentik instance.
To view details about a specific user:
1. In the list of all users, click on the name of the user you want to check.
This takes you to the **Overview** tab, with basic information about the user and quick access to perform basic actions on the user.
2. To see further details, click any of the other tabs:
- **Session** shows the active sessions established by the user. If there is any need, you can clean up the connected devices for a user by selecting the device(s) and then clicking **Delete**. This forces the user to authenticate again on the deleted devices.
- **Groups** allows you to manage the group membership of the user. You can find more details on [groups](../groups/index.mdx).
- **User events** displays all the events generated by the user during a session, such as login, logout, application authorisation, password reset, user info update, etc.
- **Explicit consent** lists all the permissions the user has given explicitly to an application. Entries will only appear if the user is validating an [explicit consent flow in an OAuth2 provider](../../add-secure-apps/providers/oauth2/index.mdx). If you want to delete the explicit consent (because the application is requiring new permissions, or the user has explicitly asked to reset his consent on third-party apps), select the applications and click **Delete**. The user will be asked to again give explicit consent to share information with the application.
- **OAuth Refresh Tokens** lists all the OAuth tokens currently distributed. You can remove the tokens by selecting the applications and then clicking **Delete**.
- **MFA Authenticators** shows all the authenticators that the user has registered to their profile. You can remove the tokens if the user has lost their authenticator and wants to enroll a new one.
## Modify a user
After the creation of the user, you can edit any parameter defined during the creation.
To modify a user object, go to **Directory** > **Users**, and click the edit icon beside the name. You can also go into [user details](#view-user-details), and click **Edit**.
## Manage user permissions
You cannot directly grant a user any permissions. Instead, either assign the user to a role with the appropriate permissions, or add a user to a group that has the appropriate permissions (via the group's role/roles).
On the flipside, to grant permissions on a user object to a role, review ["Manage permissions"](../access-control/manage_permissions.md#assign-or-remove-permissions-for-a-specific-role).
## Add a user to a group
1. To add a user to a group, navigate to **Directory** > **Users** to display all users.
2. Click the name of the user to display the full user details page.
3. Click the **Groups** tab, and then click either **Add to existing group** (or **Add new group** first).
## Add a user to a role
1. To add a user to a role, navigate to **Directory > Users** to display all users.
2. Click the name of the user to display the full user details page.
3. Click the **Roles** tab, and then click either **Add to existing role** (or **Add new role** first).
:::info
Users also inherit roles from the groups they belong to. The **Roles** tab has two sub-tabs: **Assigned Roles** shows roles directly assigned to the user, while **All Roles** shows all roles including those inherited from groups. Inherited roles are marked with an "Inherited" label.
:::
## Bind a user to an application
These bindings control which users can access an application, and whether or not the application is visible in the user's **My applications** page. If no bindings for an application are defined, this means that all users and groups can access the application.
For instructions refer to [Manage applications](../../add-secure-apps/applications/manage_apps.mdx#bind-a-user-or-group-to-an-application).
## User credentials recovery
If a user has lost their credentials and needs to recover their account, there are two available options:
1. Create a recovery link and send it to the user
2. Have authentik send the user a recovery email
Both options require you to configure a recovery flow and set it as the **Default recovery flow** for the active brand.
If the user only needs their password reset, see these [instructions](#reset-a-password).
### Configure a recovery flow
To get started, you can [import](../../add-secure-apps/flows-stages/flow/index.md#import-or-export-a-flow) this example flow: [Recovery with email verification flow](../../add-secure-apps/flows-stages/flow/examples/flows.md#recovery-with-email-and-mfa-verification)
Then, set this as the default recovery flow for the active brand:
1. In the Admin interface, navigate to **System** > **Brands**, and select the active brand.
2. Under **Default flows**, set **Recovery flow** to the imported recovery flow: `default-recovery-flow`.
3. Click **Update**.
Now that you've configured a recovery flow, you can select one of the following options:
### 1. Create a recovery link
:::info Email stage not required
The example recovery flow includes an email stage. However, if you're manually sending the recovery link to the user, this email stage is not required and can be removed.
:::
1. In the Admin interface, navigate to **Directory** > **Users** to display all users.
2. Click the name of the user to display the full User details page.
3. To generate a recovery link, which you can then send to the user, click **Create recovery link**.
A pop-up will appear on your browser with the link for you to copy and to send to the user.
### 2. Email a recovery link
:::info Email stage required
This option is only available if the recovery flow has an [Email Stage](../../add-secure-apps/flows-stages/stages/email/index.mdx) bound to it. The example recovery flow includes an email stage.
:::
You can send a link with the URL for the user to reset their password via Email. This option will only work if you have [configured email](../../install-config/email.mdx) and set an email address for the user.
1. In the Admin interface, navigate to **Directory** > **Users** to display all users.
2. Click the name of the user to display the full User details page.
3. To send the email to the user, click **Email recovery link**.
If the user does not receive the email, check if the mail server parameters [are properly configured](../../troubleshooting/emails.md).
## Reset a password
### Admin resets a user's password
As an Admin, you can simply reset the password for the user.
1. In the Admin interface, navigate to **Directory** > **Users** to display all users.
2. Either click the name of the user to display the full User details page, or click the chevron beside their name to expand the options.
3. To reset the user's password, click **Reset password**, and then define the new value.
### User resets their password
If a [Recovery flow](#configure-a-recovery-flow) has been applied to the brand, users can reset their own passwords in the [User interface](../user/user-interface.mdx).
## Deactivate or Delete user
### To deactivate a user:
1. Go into the user list or detail, and click **Deactivate**.
2. Review the changes and click **Update**.
The active sessions are revoked and the authentication of the user blocked. You can reactivate the account by following the same procedure.
### To delete a user:
:::caution
This deletion is not reversible, so be sure you do not need to recover any identity data of the user.
You may instead deactivate the account to preserve identity data.
:::
1. Go into the user list and select one (or multiple users) to delete and click **Delete** on the top-right of the page.
2. Review the changes and click **Delete**.
The user list refreshes and no longer displays the removed users.
## Impersonate a user
With authentik, an Admin can impersonate a user, meaning that the Admin temporarily assumes the identity of the user.
1. In the Admin interface, navigate to **Directory** > **Users** to display all users.
2. Click the name of the user to display the full User details page.
3. On the Overview tab, beneath **User Details**, in the **Actions** area, click **Impersonate**.
4. At the prompt, provide a reason why you are impersonating this user, and then click **Impersonate**.
:::info
An Admin can globally enable or disable impersonation in the [System Settings](../../sys-mgmt/settings.md#impersonation). By default, this option is set to true, meaning all users can be impersonated.
An Admin can also configure whether inputting a reason for impersonation is required in the [System Settings](../../sys-mgmt/settings.md#require-reason-for-impersonation).
:::
## Export users :ak-enterprise
You can export your authentik instance's user data to a CSV file. To generate a data export, follow these steps:
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Directory** > **Users** and click **Export**.
3. Set a [search query](#advanced-queries) as well as the ordering for the data export.
4. Click **Export** above the event list.
5. Confirm the export parameters in the confirmation dialog.
6. The export is processed in the background. When it's ready, you will receive a notification in the Admin interface's notification area.
7. In the notification, click **Download**.
To review, download, or delete past data exports, navigate to **Events** > **Data Exports** in the Admin interface.
Reference in New Issue View Git Blame Copy Permalink