Users and Credentials
Everyware Cloud accounts contain users. Users have one identity and one or more credentials. Users can be assigned one or more roles and can be granted one or more permissions.
When logged into the Everyware Cloud Console, navigate to the Users section to review and manage all the users created under the account currently in scope.
Recommended Users for a New Account
Creating Users in a new Account
When logged in as an Everyware Cloud Administrator, create a new top-level account. Then switch the account in context to the newly created account and navigate to the Users section. From that section, you can create new users, set their credentials, and define their access control policy.
User Service Settings
Make sure to review and edit the settings of the User Service to enable the creation of users under the current account.
When creating a new account, it is recommended to create the following initial set of users. While more users can be added during the lifecycle of the account, the following is considered a good starting set.
For illustration purposes, the table below assumes "acme" as the account name. Replace "acme" with the name of the account just created.
User | Description | Credentials Type | Granted Role/Permissions |
---|---|---|---|
acme | Administrator for the Acme account. | PASSWORD | Role: admin |
acme_api | User for REST API connectivity | API_KEY | Permissions: broker:connect:ALL |
acme_broker | User for device connectivity | PASSWORD | Role: thing |
acme_vpn | User for VPN connectivity | PASSWORD | Permissions: vpn:connect:ALL |
Create a new User
Account administrators can create new users for the Everyware Cloud Console. To create a new user, click the New button in the Users section to open the New User dialog as shown in the following screen capture.

The following table defines the User Information for new users.
Parameter | Description |
---|---|
Username | Must be at least 3 characters and can contain alphanumeric characters combined with dash and/or underscore. |
Password | Must be at least 12 characters and contain at least one lower case letter, one upper case letter, one digit, and one special character. The password provided will be used to create the new user's credentials of PASSWORD type. |
Display Name | A “user-recognizable” name assigned to the user, for display purposes only |
Email | User’s email |
Phone Number | User’s phone number |
Enter the User Information and use the tooltips provided in the Console for assistance.
Two additional parameters control the status of the user, which can be enabled or disabled, and set an optional expiration date for the user.
When completed, click Submit to create the new user.
User Credentials
A user can have one or more credentials. Credentials can be of two types: password and API key.
Credentials Type | Credentials Description |
---|---|
PASSWORD | Password credentials can be used to authenticate to the Everyware Cloud platform through a username/password credentials pair. Such authentication mechanism can be used for the Everyware Cloud Console, and the messaging broker. When creating a new user, the password provided in the New User dialog is leveraged to create new Credentials of type PASSWORD. |
API_KEY | API Key credentials can be used to authenticate to the Everyware Cloud platform REST API. |
In the Users section, select a user and access the Credentials tab to review and manage the credentials associated with the user.

Click the Add button to add new credentials to the currently selected user. Select the Credentials type and use the two additional parameters to control the status of the credentials, which can be enabled or disabled, and to set an optional expiration date for the credentials.

When creating credentials of type PASSWORD, provide the password and confirm it.
When creating credentials of type API_KEY, provide the password and confirm it. After the API_KEY credentials are created, a confirmation dialog will show the resulting API Key. Write it down and keep it somewhere safe, since it will not be shown in clear text again.

To edit a user's credentials, select the credentials in the table and click Edit.
To delete a user's credentials, select the credentials in the table and click Delete.
Minimum Password Length
User passwords must, by default, be at least 12 characters long and contain at least one uppercase letter, one lowercase letter, one number and one symbol. The 12-character minimum can be increased at both the Account level and the System level.
To change the limit for a single account, go to the Account Settings and open the CredentialService configuration:

CredentialService configuration
Using the password.minLength configuration, a new minimum limit can be enforced when creating a new password; the allowed values are numbers between 12 and 255 (inclusive). If empty, the default system value will be used. Such default value can be specified at deploy time with the AUTH_PASSWORD_MIN_LENGTH variable. Again, allowed values are numbers between 12 and 255 (inclusive). If a value lower than 12 is used, 12 will be assumed; similarly, if a value higher than 255 is used, 255 will be assumed.
The minimum password length will only be enforced on new passwords; existing passwords will not be affected in any way after modifying the setting.
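The resolution rules above can be checked offline before submitting passwords to the Console. The following is an added example, not Everyware Cloud code: the function names are hypothetical, and it assumes that an unset deploy-time variable means 12, that an out-of-range account-level value is rejected rather than clamped, and that "symbol" means ASCII punctuation.

```python
import string

FLOOR, CEILING = 12, 255  # bounds stated on this page

def system_min_length(deploy_value):
    """Resolve AUTH_PASSWORD_MIN_LENGTH: out-of-range values are clamped."""
    if deploy_value is None or str(deploy_value).strip() == "":
        return FLOOR  # assumption: unset means the documented default of 12
    return max(FLOOR, min(CEILING, int(deploy_value)))

def effective_min_length(account_value, deploy_value=None):
    """Account-level password.minLength wins when set, else the system default."""
    if account_value is None or str(account_value).strip() == "":
        return system_min_length(deploy_value)
    value = int(account_value)
    if not FLOOR <= value <= CEILING:
        # assumption: an out-of-range account setting is rejected, not clamped
        raise ValueError(f"password.minLength must be {FLOOR}..{CEILING}")
    return value

def password_problems(password, min_length):
    """Return the list of policy rules a candidate password fails."""
    checks = [
        (len(password) >= min_length, f"shorter than {min_length} characters"),
        (any(c.islower() for c in password), "no lowercase letter"),
        (any(c.isupper() for c in password), "no uppercase letter"),
        (any(c.isdigit() for c in password), "no digit"),
        # assumption: "symbol" means ASCII punctuation
        (any(c in string.punctuation for c in password), "no symbol"),
    ]
    return [msg for ok, msg in checks if not ok]

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    limit = effective_min_length("", "8")  # deploy value 8 is clamped to 12
    for candidate in ("Sh0rt!", "alllowercaseletters", "C0rrect-Horse-9"):
        print(candidate, limit, password_problems(candidate, limit) or "ok")
```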
Multi Factor Authentication
Everyware Cloud provides a Multi Factor Authentication (MFA) feature, which allows a user to authenticate to the system only after presenting both the password and another valid factor. A user can enable MFA through the User menu in the Console. The user can also access the MFA configuration dialog through the upper right menu. Note that only the user themselves can enable MFA.

MFA tab in the Users section
MFA uses a secret to produce a one-time code to authenticate. The secret is displayed in the form of a QR code during MFA activation. This QR code can only be viewed once during MFA activation, and only by the user themselves. To collect the QR code, use an authenticator app (e.g. the Google Authenticator App) installed on a smartphone. This app will be used to produce one-time authentication codes.
Scratch codes are also produced, so that the user can pass multi factor authentication when the authenticator app is temporarily unavailable. Like the QR code, scratch codes can only be viewed once during MFA activation, and only by the user themselves. Users have a limited number of scratch codes (the maximum number of scratch codes can be set through a dedicated environment variable, see the Web Console container properties section for more information). Furthermore, each scratch code is invalidated after being used once.

QR code and scratch codes.
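How a shared secret yields a one-time code, and how single-use scratch codes act as a fallback, is sketched below as an added example that is not Everyware Cloud code. It assumes the RFC 6238 TOTP scheme (HMAC-SHA1, 30-second step, 6 digits) used by authenticator apps such as Google Authenticator, which this page does not confirm; the MfaVerifier class, its replay guard and the sample scratch code are hypothetical.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class MfaVerifier:
    """Hypothetical server-side check: TOTP first, then single-use scratch codes."""

    def __init__(self, secret: bytes, scratch_codes):
        self.secret = secret
        self.scratch = set(scratch_codes)
        self.last_step = -1  # added replay guard: each time step is accepted once

    def verify(self, code: str, now: int, window: int = 1):
        current = now // 30
        # Accept the current step plus/minus `window` steps for clock drift.
        for step in range(current - window, current + window + 1):
            expected = totp(self.secret, step * 30)
            if step > self.last_step and hmac.compare_digest(
                    expected.encode(), code.encode()):
                self.last_step = step
                return "totp"
        if code in self.scratch:
            self.scratch.remove(code)  # each scratch code works exactly once
            return "scratch"
        return None

if __name__ == "__main__":
    # Constructed values: the RFC 6238 test secret and a made-up scratch code.
    v = MfaVerifier(b"12345678901234567890", {"11112222"})
    print(v.verify("287082", 59), v.verify("287082", 59),
          v.verify("11112222", 59), v.verify("11112222", 59))
```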
The admin can see whether a user has MFA enabled. Moreover, although only the user is allowed to enable MFA, the admin is allowed to disable it for any user in the account.

User view, from an admin point of view, with "Disable MFA" button.
When MFA is enabled for a given user, that user has to type the one-time authentication code provided by the authenticator app as part of the login process to the Web Console.

MFA authentication code view during the login process.
A user with MFA enabled can also trust access to the Console from one or more devices. In this way, the MFA procedure is enforced only on untrusted devices. Note that the trust on a device expires after 30 days, and the admin is able to revoke the trusted device.

"Revoke trusted machine" button.
External Users
Everyware Cloud provides a Single Sign-On feature based on the OpenID Connect identity layer. A single OpenID Connect provider is configured per Everyware Cloud instance, so it is common to all the accounts in the instance. To enable this feature, an OpenID Connect provider is required (please refer to the Container Properties page for the configuration parameters required for Single Sign-On).
To enable a user to log in through an external Single Sign-On provider, the user must already exist on the chosen OpenID Connect provider. The user can then be added to Everyware Cloud. Such a user is called an "external user", and differs from a normal one in not having any credentials in Everyware Cloud (since the credentials are stored in the OpenID Connect provider). To create a new external user in Everyware Cloud, click the New button in the Users section to open the New User dialog as shown in the following screen capture and choose the "External user" type.

External user creation.
The following table defines the User Information for new external users.
Parameter | Description |
---|---|
Username | Must be at least 3 characters and can contain alphanumeric characters combined with dash and/or underscore. |
External Id | User Id on the OpenID Connect provider. It can be in the form of a UUID or a simple username, depending on the chosen provider. |
When the Single Sign-On feature is enabled, the login dialog also shows the "SSO Login" button, which allows the user to log in via the OpenID Connect provider.

"SSO Login" button on the login dialog.
User Roles and Permissions
A user can be assigned one or more roles and can be granted one or more permissions.
More information on managing roles and permissions is available in the Access Control section.
Edit a User
To make changes to an existing user, select the user from the Users section and then click Edit.
Delete a User
To delete an existing user, select the user from the Users section and then click Delete.