Users and Credentials

Everyware Cloud accounts contain users. Users have one identity and one or more credentials. Users can be assigned one or more roles and can be granted one or more permissions.

When logged into the Everyware Cloud Console, navigate to the Users section to review and manage all the users created under the account currently in scope.

Recommended Users for a New Account

Creating Users in a new Account

When logged in as an Everyware Cloud Administrator, create a new top level account. Then switch the account in context to the newly created account and navigate to the Users section. From that section, you can then create new Users, set their Credentials and grant their access control policy.

User Service Settings

Make sure to review and edit the settings of the User Service to enable the creation of users under the current account.

When creating a new account, it is recommended to create the following initial set of users. While more users can be added during the lifecycle of the account, the following is considered a good starting set.

For illustration purposes, the table below assumes "acme" as the account name. Replace "acme" with the name of the account just created.

| User | Description | Credentials Type | Granted Role/Permissions |
| --- | --- | --- | --- |
| acme | Administrator for the Acme account. | PASSWORD | Role: admin |
| acme_api | User for REST API connectivity | API_KEY | Permissions: broker:connect:ALL |
| acme_broker | User for device connectivity | PASSWORD | Role: thing |
| acme_vpn | User for VPN connectivity | PASSWORD | Permissions: vpn:connect:ALL |

Create a new User

Account administrators can create new users for the Everyware Cloud Console. To create a new user, click the New button in the Users section to open the New User dialog as shown in the following screen capture.

The following table defines the User Information for new users.

| Parameter | Description |
| --- | --- |
| Username | Must be at least 3 characters and can contain alphanumeric characters combined with dash and/or underscore. |
| Password | Must be at least 12 characters and contain at least one lower case letter, one upper case letter, one digit, and one special character. The password provided is used to create the new user's credentials of PASSWORD type. |
| Display Name | A "user-recognizable" name assigned to the user, for display purposes only. |
| Email | User's email address. |
| Phone Number | User's phone number. |

Enter the User Information and use the tooltips provided in the Console for assistance.
Two additional parameters control the status of the user, which can be enabled or disabled, and set an optional expiration date for the user.
When completed, click Submit to create the new user.

User Credentials

A user can have one or more credentials. Credentials can be of two types: password and API key.

| Credentials Type | Credentials Description |
| --- | --- |
| PASSWORD | Password credentials can be used to authenticate to the Everyware Cloud platform through a username/password credentials pair. This authentication mechanism can be used for the Everyware Cloud Console and the messaging broker. When creating a new user, the password provided in the New User dialog is used to create new credentials of type PASSWORD. |
| API_KEY | API Key credentials can be used to authenticate to the Everyware Cloud platform REST API. |

In the Users section, select a user and access the Credentials tab to review and manage the credentials associated with the user.

Click the Add button to add new credentials to the currently selected user. Select the credentials type and use the two additional parameters to control the status of the credentials, which can be enabled or disabled, and to set an optional expiration date for the credentials.

When creating credentials of type PASSWORD, provide the password and confirm it.

When creating credentials of type API_KEY, provide the password and confirm it. After the API_KEY credentials are created, a confirmation dialog shows the resulting API Key. Write it down and keep it somewhere safe, since it will not be shown in clear again.

To edit a user's credentials, select the credentials in the table and click Edit.
To delete a user's credentials, select the credentials in the table and click Delete.

Minimum Password Length

User passwords must, by default, be at least 12 characters long and contain at least one uppercase letter, one lowercase letter, one number and one symbol. The 12-character minimum can be increased both at Account level and at System level.

To change the limit for a single account, go to the Account Settings and open the CredentialService configuration:

(Screen capture: CredentialService configuration)

Using the password.minLength configuration, a new minimum limit can be enforced when creating a new password; the allowed values are numbers between 12 and 255 (inclusive). If empty, the default system value will be used. Such default value can be specified at deploy time with the AUTH_PASSWORD_MIN_LENGTH variable. Again, allowed values are numbers between 12 and 255 (inclusive). If a value lower than 12 is used, 12 will be assumed; similarly, if a value higher than 255 is used, 255 will be assumed.

The minimum password length will only be enforced on new passwords; existing passwords will not be affected in any way after modifying the setting.
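As an added example (not Everyware Cloud's own code), the following Python resolves the effective minimum length the way this section describes, with the account-level password.minLength winning over the deploy-time AUTH_PASSWORD_MIN_LENGTH and both clamped to 12..255, and checks a username and password against the rules stated on this page. Treating any non-alphanumeric character as the "special character" is an assumption.

```python
import re

# Bounds stated on the page for the configurable minimum password length.
MIN_LENGTH_FLOOR = 12
MIN_LENGTH_CEILING = 255

# Username rule from the New User dialog: 3+ alphanumeric, dash or underscore.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{3,}$")


def effective_min_length(account_setting, system_env):
    """Resolve the minimum password length: the account-level password.minLength
    value is used when set, otherwise the deploy-time AUTH_PASSWORD_MIN_LENGTH
    value; an empty value means the 12-character default, and out-of-range
    values are clamped to 12..255 as the page describes."""
    raw = account_setting if account_setting not in (None, "") else system_env
    if raw in (None, ""):
        return MIN_LENGTH_FLOOR
    return max(MIN_LENGTH_FLOOR, min(MIN_LENGTH_CEILING, int(raw)))


def valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def password_problems(password, min_length=MIN_LENGTH_FLOOR):
    """Return the policy rules the password fails (empty list = accepted)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    # Assumption: any character that is not a letter or digit counts as special.
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    return problems
```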

Multi Factor Authentication

Everyware Cloud provides a Multi Factor Authentication feature (a.k.a. MFA), which allows a user to authenticate to the system only after presenting the password and another valid factor. A user can enable MFA through the User menu in the Console, and can also reach the MFA configuration dialog through the upper right menu. Note that only the user itself can enable MFA.

(Screen capture: MFA tab in the Users section)

MFA uses a secret to produce a one-time code used to authenticate. The secret is displayed in the form of a QR code during MFA activation. This QR code can only be viewed once, during MFA activation, and only by the user itself. To collect the QR code, use an authenticator app (e.g. the Google Authenticator app) installed on a smartphone; this app will then produce the one-time authentication codes.

Scratch codes are also produced, in order to pass the multi factor authentication in case the authenticator app is temporarily unavailable. Like the QR code, scratch codes can only be viewed once, during MFA activation, and only by the user itself. Users have a limited number of scratch codes (the maximum number of scratch codes can be set through a dedicated environment variable; see the Web Console container properties section for more information). Furthermore, each scratch code is invalidated after being used once.

(Screen capture: QR code and scratch codes)

The admin is able to see whether a user has MFA enabled or not. Moreover, even though only the user is allowed to enable MFA, the admin is allowed to disable it for any user in the account.

(Screen capture: User view, from an admin point of view, with "Disable MFA" button)

When MFA is enabled for a given user, that user has to type the one-time authentication code provided by the authenticator app as part of the login process to the Web Console.

(Screen capture: MFA authentication code view during the login process)

A user with MFA enabled can also trust the access to the Console from one or more devices. In this way, the MFA procedure is enforced only on untrusted devices. Note that the trust on a device expires after 30 days, and the admin is able to revoke a trusted device.

(Screen capture: "Revoke trusted machine" button)
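The MFA rules described in this section, as an added example that is not Everyware Cloud's own code: a one-time code derived from the user's secret, scratch codes that are each invalidated after a single use, and device trust that lapses after 30 days. Using RFC 6238 TOTP for the code is an assumption (the page only says the authenticator app derives a code from the secret); the max_scratch_codes parameter stands in for the environment variable the page mentions without naming.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

TRUST_SECONDS = 30 * 24 * 3600  # the page states device trust expires after 30 days


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP over a base32 secret (assumed scheme, as used by Google Authenticator)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class MfaUser:
    """Per-user MFA state: shared secret, single-use scratch codes, trusted devices."""

    def __init__(self, max_scratch_codes=5):
        self.secret = base64.b32encode(secrets.token_bytes(20)).decode()
        # Constructed scratch codes; each one is invalidated after a single use.
        self.scratch_codes = {secrets.token_hex(4) for _ in range(max_scratch_codes)}
        self.trusted = {}  # device id -> unix time the trust was granted

    def verify(self, code, now=None):
        """Accept the current authenticator code or one unused scratch code."""
        if hmac.compare_digest(code, totp(self.secret, now)):
            return True
        if code in self.scratch_codes:
            self.scratch_codes.discard(code)  # consumed, so it cannot be replayed
            return True
        return False

    def trust_device(self, device_id, now):
        self.trusted[device_id] = now

    def needs_mfa(self, device_id, now):
        """MFA is skipped only while the device's trust is less than 30 days old."""
        granted = self.trusted.get(device_id)
        if granted is None or now - granted > TRUST_SECONDS:
            self.trusted.pop(device_id, None)  # expired trust is dropped, as if revoked
            return True
        return False
```

An admin's "Revoke trusted machine" action corresponds to removing the device from the trusted map ahead of the 30-day expiry.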

External Users

Everyware Cloud provides a Single Sign-On feature based on the OpenID Connect identity layer. The OpenID Connect provider is unique for the same Everyware Cloud instance, thus it is common to all the accounts in the instance. To enable this feature, an OpenID Connect provider is required (please refer to the Container Properties page in order to provide the required configuration parameters for the Single Sign On).

In order to enable a user to log in through an external Single Sign-On provider, the user must already exist on the chosen OpenID Connect provider. The user can then be added to Everyware Cloud. Such a user is called an "external user", and it differs from a normal one in not having any credentials (since its credentials are stored in the OpenID Connect provider). To create a new external user in Everyware Cloud, click the New button in the Users section to open the New User dialog as shown in the following screen capture and choose the "External user" type.

(Screen capture: External user creation)

The following table defines the User Information for new external users.

| Parameter | Description |
| --- | --- |
| Username | Must be at least 3 characters and can contain alphanumeric characters combined with dash and/or underscore. |
| External Id | User Id on the OpenID Connect provider; it can be in the form of a UUID or a simple username, depending on the chosen provider. |

When the Single Sign-On feature is enabled, the login dialog also shows the "SSO Login" button, which allows the user to log in via the OpenID Connect provider.

(Screen capture: "SSO Login" button on the login dialog)

User Roles and Permissions

A user can be assigned one or more roles and can be granted one or more permissions.
More information on managing roles and permissions is available in the Access Control section.

Edit a User

To make changes to an existing user, select the user in the Users section and then click Edit.

Delete a User

To delete an existing user, select the user in the Users section and then click Delete.