Skip to main content

Manage users

Use these procedures to create, modify, deactivate, delete, and recover users.

Policies can be used to further manage how users are authenticated. For example, by default authentik does not require email addresses be unique, but you can use a policy to enforce unique email addresses.

Create a user

If you want to automate user creation, you can do that either by invitations, user_write stage, or using the API.

  1. In the Admin interface of your authentik instance, select Directory > Users in the left menu.

  2. In the User folders area, select the folder where you want to create a user.

  3. Click New User, and then select either Internal User or External User.

  4. Fill in the required fields:

    • Username: This value must be unique across all users.
    • Display Name (optional): The display name of the user.
    • Email (optional): The email address of the user. For more information, see the email documentation.
    • Active (optional): Whether the user account is active. Selected by default.
    • Path: The path where authentik creates the user. The field is populated with the folder selected in the previous step.
    • Attributes: Custom user attributes in YAML or JSON format. The default value is an empty dictionary.
  5. Click Create. A confirmation notification appears in the upper-right corner, and the new user appears in the user list. Click the username to modify the user.

info

To create a super-user, you need to add the user to a group that has super-user permissions. For more information, refer to Create a Group.

Advanced queries for users

You can use AKQL to filter the user list in Directory > Users. For the user fields, operators, examples, and keyboard shortcuts, see the AKQL reference.

View user details

In the Directory > Users menu of the Admin interface, you can browse all the users in your authentik instance.

To view details about a specific user:

  1. In the list of all users, click on the name of the user you want to check.

    This takes you to the Overview tab, with basic information about the user and quick access to perform basic actions on the user.

  2. To see further details, click any of the other tabs:

    • Session shows the active sessions established by the user. If there is any need, you can clean up the connected devices for a user by selecting the device(s) and then clicking Delete. This forces the user to authenticate again on the deleted devices.
    • Groups allows you to manage the group membership of the user. You can find more details on groups.
    • User events displays all the events generated by the user during a session, such as login, logout, application authorization, password reset, user info update, etc.
    • Explicit consent lists permissions that the user explicitly granted to an application. Entries appear only when the user validates an explicit consent flow in an OAuth2 provider. To reset consent because an application requires new permissions or the user requested a reset, select the applications and click Delete. The application prompts the user to grant consent again.
    • OAuth Refresh Tokens lists all the OAuth tokens currently distributed. You can remove the tokens by selecting the applications and then clicking Delete.
    • MFA Authenticators shows all the authenticators that the user has registered to their profile. You can remove the tokens if the user has lost their authenticator and wants to enroll a new one.

Modify a user

After the creation of the user, you can edit any parameter defined during the creation.

To modify a user object, go to Directory > Users, and click the edit icon beside the name. You can also go into user details, and click Edit.

Manage user permissions

You cannot directly grant a user any permissions. Instead, either assign the user to a role with the appropriate permissions, or add a user to a group that has the appropriate permissions (via the group's role/roles).

On the flipside, to grant permissions on a user object to a role, review "Manage permissions".

Add a user to a group

  1. To add a user to a group, navigate to Directory > Users to display all users.
  2. Click the name of the user to display the full user details page.
  3. Click the Groups tab, and then click either Add to existing group (or Add new group first).

Add a user to a role

  1. To add a user to a role, navigate to Directory > Users to display all users.
  2. Click the name of the user to display the full user details page.
  3. Click the Roles tab, and then click either Add to existing role (or Add new role first).
info

Users also inherit roles from the groups they belong to. The Roles tab has two sub-tabs: Assigned Roles shows roles directly assigned to the user, while All Roles shows all roles including those inherited from groups. Inherited roles are marked with an "Inherited" label.

Bind a user to an application

These bindings control which users can access an application, and whether or not the application is visible in the user's Application Dashboard page. If no bindings for an application are defined, this means that all users and groups can access the application.

For instructions refer to Manage applications.

User credentials recovery

If a user has lost their credentials and needs to recover their account, there are two available options:

  1. Create a recovery link and send it to the user
  2. Have authentik send the user a recovery email

Both options require you to configure a recovery flow and set it as the Default recovery flow for the active brand.

If the user only needs their password reset, see these instructions.

Configure a recovery flow

To get started, you can import this example flow: Recovery with email verification flow

Then, set this as the default recovery flow for the active brand:

  1. In the Admin interface, navigate to System > Brands, and select the active brand.
  2. Under Default flows, set Recovery flow to the imported recovery flow: default-recovery-flow.
  3. Click Update.

Now that you've configured a recovery flow, you can select one of the following options:

Email stage not required

The example recovery flow includes an email stage. However, if you're manually sending the recovery link to the user, this email stage is not required and can be removed.

  1. In the Admin interface, navigate to Directory > Users to display all users.
  2. Click the name of the user to display the full User details page.
  3. To generate a recovery link, which you can then send to the user, click Create recovery link.

A dialog displays the recovery link. Copy the link and send it to the user.

Email stage required

This option is only available if the recovery flow has an Email Stage bound to it. The example recovery flow includes an email stage.

You can email a password-reset link to the user. This option requires configured email and an email address on the user account.

  1. In the Admin interface, navigate to Directory > Users to display all users.
  2. Click the name of the user to display the full User details page.
  3. To send the email to the user, click Email recovery link.

If the user does not receive the email, check if the mail server parameters are properly configured.

Reset a password

Administrator resets a user's password

As an administrator, you can reset a user's password.

  1. In the Admin interface, navigate to Directory > Users to display all users.
  2. Either click the name of the user to display the full User details page, or click the chevron beside their name to expand the options.
  3. To reset the user's password, click Reset password, and then define the new value.

User resets their password

If a Recovery flow has been applied to the brand, users can reset their own passwords in the User interface.

Deactivate or delete a user

Deactivate a user

  1. Go into the user list or detail, and click Deactivate.
  2. Review the changes and click Update.

The active sessions are revoked and the authentication of the user blocked. You can reactivate the account by following the same procedure.

Delete a user

caution

This deletion is not reversible, so be sure you do not need to recover any identity data of the user. You may instead deactivate the account to preserve identity data.

  1. Go into the user list and select one (or multiple users) to delete and click Delete on the top-right of the page.
  2. Review the changes and click Delete.

The user list refreshes and no longer displays the removed users.

Impersonate a user

An administrator can impersonate a user, temporarily assuming that user's identity.

  1. In the Admin interface, navigate to Directory > Users to display all users.
  2. Click the name of the user to display the full User details page.
  3. On the Overview tab, beneath User Details, in the Actions area, click Impersonate.
  4. At the prompt, provide a reason why you are impersonating this user, and then click Impersonate.
info

An administrator can globally enable or disable impersonation in the system settings. By default, this option is enabled, meaning all users can be impersonated.

An administrator can also require a reason for impersonation in the system settings.

Export users Enterprise

You can export your authentik instance's user data to a CSV file. To generate a data export, follow these steps:

  1. Log in to authentik as an administrator and open the authentik Admin interface.
  2. Navigate to Directory > Users and click Export.
  3. Set a search query as well as the ordering for the data export.
  4. Click Export above the event list.
  5. Confirm the export parameters in the confirmation dialog.
  6. authentik processes the export in the background and sends a notification when it is ready.
  7. In the notification, click Download.

To review, download, or delete past data exports, navigate to Events > Data Exports in the Admin interface.