User management
Users can be added to a Conductor organization and given a set of roles that dictate the actions they can take, either across all clusters in the organization or on a specified set of one or more clusters. Only users with an admin role can add new users to an existing organization.
Adding additional users to an organization is only supported in Conductor Enterprise.
Invite new users
Console
- In the left sidebar of the Conductor console, navigate to the Users tab.
- In the upper-right corner of the page, click the + Add User button.
- Provide the name of the user to invite.
- Enter the email address where the user invite will be sent. This email cannot be edited after the user is created.
- Set role assignments for the user. See User roles for more details.
- In the lower-left corner, select Create to invite the user to the organization.
If you have created an SSO connection for your organization, you will still follow the above process to invite users to the organization.
CLI
diagrid product use conductor
# Example of inviting a new user with the admin role
diagrid user create --email user@gmail.com --name user --role cra.diagrid:admin
User roles
Roles in Conductor define the access level of the user within the organization. Roles can be applied at two levels: global or scoped. Global roles apply the role permissions to all clusters in an organization. Scoped roles limit the selected role permissions to one or more specific cluster resources.
Viewer
This role has read-only access to clusters, applications, notifications, and user settings. The user can drill down into cluster details, application details, alerts, and notifications, but cannot edit or change anything apart from their own user details.
Note: A scoped viewer role applies all of the following access in the same manner but is limited to a single cluster resource, including the cluster subresources.
A user with a Viewer role can access the following:
- Cluster details
- Application details
- Agent logs
- Advisor
- Alerts and notification channels
- Notifications
A user with a Viewer role cannot access the following:
- Agent manifest
- Organizational details
- User management
- API Keys
- Edit any resources other than personal details.
Editor
The editor role includes all the permissions of the viewer role, plus additional permissions that allow the manipulation of clusters and resource-related alerts.
Note: A scoped editor role applies all of the following access in the same manner but is limited to a single cluster resource and subresources.
In addition to the permissions of the viewer role, a user with an editor role can do the following:
- Create and update cluster connections
- Delete cluster connections
- Download Agent manifest
- Install and edit Dapr configurations
- Upgrade Dapr versions
- Roll out applications
- Create and delete API Keys
A user with an Editor role cannot access the following:
- Organizational details
- User management
Admin
The admin role includes all the permissions of the editor role, plus additional permissions that allow it to manage organizational settings and user accounts.
Note: There is no scoped admin role for a single resource because an admin user does not gain any additional permissions within a single cluster over the editor permissions.
In addition to the permissions of the editor role, a user with the admin role can do the following:
- View and change organization details
- Invite new users to the organization
- Update user roles
- Reset passwords
- Delete users
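The role matrix above can be modelled for periodic access reviews. The following is an added example, not Conductor's own code or API: the permission names, the `(role, scope)` structure, the `*` global marker and the `max_admins` policy limit are all assumptions made for illustration.

```python
# Added example: the role matrix from this page, modelled for access reviews.
# Permission names and the (role, scope) structure are assumptions, not Conductor's API.
VIEWER = {"view_cluster", "view_application", "view_agent_logs", "view_advisor",
          "view_alerts", "view_notifications"}
EDITOR = VIEWER | {"manage_cluster_connection", "download_agent_manifest",
                   "manage_dapr_config", "upgrade_dapr", "rollout_application",
                   "manage_api_keys"}
# Admin only adds organization-level actions, which is why it has no scoped form.
ORG_ONLY = {"manage_org_details", "invite_user", "update_user_roles",
            "reset_password", "delete_user"}
ROLES = {"viewer": VIEWER, "editor": EDITOR, "admin": EDITOR | ORG_ONLY}
RANK = {"viewer": 0, "editor": 1, "admin": 2}
GLOBAL = "*"  # hypothetical marker: role applies to every cluster in the organization


def allowed(assignments, action, cluster=None):
    """True if any (role, scope) assignment grants `action` on `cluster`."""
    for role, scope in assignments:
        if action not in ROLES[role]:
            continue
        # Organization-level actions are never granted by a scoped role.
        if scope == GLOBAL or (action not in ORG_ONLY and scope == cluster):
            return True
    return False


def review(users, max_admins=2):
    """Least-privilege findings for {email: [(role, scope), ...]}; max_admins is a local policy."""
    findings = []
    admins = sorted(u for u, a in users.items() if ("admin", GLOBAL) in a)
    if len(admins) > max_admins:
        findings.append(f"{len(admins)} admins exceed policy limit of {max_admins}")
    for user in sorted(users):
        best_global = max((RANK[r] for r, s in users[user] if s == GLOBAL), default=-1)
        for role, scope in users[user]:
            if scope == GLOBAL:
                continue
            if role == "admin":
                findings.append(f"{user}: admin cannot be scoped to {scope}")
            elif RANK[role] <= best_global:
                findings.append(f"{user}: scoped {role} on {scope} is redundant")
    return findings


# Constructed sample assignments, not real accounts or cluster names.
SAMPLE = {
    "alice@example.com": [("admin", GLOBAL)],
    "bob@example.com": [("editor", "prod-eu")],
    "carol@example.com": [("viewer", GLOBAL), ("viewer", "prod-eu")],
}
```

Calling `review(SAMPLE)` reports the redundant scoped viewer assignment, and `allowed()` shows that a scoped editor can act only on its own cluster and never on user management.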