[{"data":1,"prerenderedAt":151},["ShallowReactive",2],{"guide:en:admin/granting-access":3},{"id":4,"title":5,"body":6,"description":143,"extension":144,"meta":145,"navigation":146,"path":147,"seo":148,"stem":149,"__hash__":150},"guide_en/en/user/admin/granting-access.md","Granting and Managing User Access",{"type":7,"value":8,"toc":136},"minimark",[9,14,18,33,36,41,49,65,93,97,108,111,115,118,129],[10,11,13],"h1",{"id":12},"access","Access",[15,16,17],"p",{},"Getting access to the application typically follows one of two flows:",[19,20,21,30],"ol",{},[22,23,24,25,29],"li",{},"Users request access to the application through the ",[26,27,28],"code",{},"sign up"," link (/auth/signup)",[22,31,32],{},"Users are invited to the application by an admin",[15,34,35],{},"Because there are two flows, a request can exist while an account already exists. This is harmless and is easily cleaned up by deleting the extra requests.",[37,38,40],"h2",{"id":39},"requesting-access","Requesting Access",[15,42,43,44],{},"When a user visits your app, they have the option to sign up through the login link. ",[45,46,48],"a",{"href":47},"./granting-access/sign-up.png","Sign up",[15,50,51,52,55,56,59,60,64],{},"Completing the short form creates the request, which can be acted upon by anyone with ",[26,53,54],{},"CreateUser"," or ",[26,57,58],{},"DeleteUser"," in the admin/access-requests. ",[45,61,63],{"href":62},"./granting-access/access-requests.png","Admin Access Requests"," There are a few aspects worth noting here:",[66,67,68,71,74,77,87,90],"ul",{},[22,69,70],{},"Only requests from valid domains are accepted (see Authentication, Allowed Domains); requests from outside the valid domains effectively fail silently, so the list of domains you allow is kept private.",[22,72,73],{},"Only one request can be made by each email address",[22,75,76],{},"The requestor's message is replaced upon resubmission",[22,78,79,80,83,84],{},"Declined requests are also deleted. 
The admin right to ",[26,81,82],{},"viewDeleted"," is needed to see deleted requests. Undeleting a request requires the admin right ",[26,85,86],{},"createAccessRequest",[22,88,89],{},"Approving a request creates an account, generates a secure random password, and sends the user an email to validate the request. Upon successful validation, the user will need to reset their password.",[22,91,92],{},"To allow SSO, a user must exist. SSO details are attached to the user's profile, but all details are hidden except for the validation that the user is able to use it. Once the user is logged in, they should be able to trigger the SSO flow, which associates to the account. Permissions are managed within the application rather than through third-party OAuth providers.",[37,94,96],{"id":95},"giving-access","Giving Access",[15,98,99,100,102,103,107],{},"Users with the ",[26,101,54],{}," admin right can create accounts directly through the ",[104,105,106],"strong",{},"Admin → Users"," menu. For bulk operations, a .csv template is available in the upper right of the Add User panel. Creating an account automatically sets a random secure password and sends a request to validate the account. Users will need to reset their password after the account is created.",[15,109,110],{},"While it is possible to create an account outside of the Allowed Domains, this does not allow password-setting, nor does it allow automatic validation of email addresses or phone numbers.",[37,112,114],{"id":113},"sso","SSO",[15,116,117],{},"Under the default settings, users will need to create an account. Upon navigating back to the login page, they'll see a message to Add SSO. (This option must be activated by the administrator first. See Authentication, Customizing Admin Settings.) 
Logging in a second time through SSO will automatically associate the SSO settings to the user's account.",[15,119,120,121,124,125,128],{},"Alternatively, if ",[26,122,123],{},"Allow Registration"," is active in the application settings, users can sign up with SSO directly. While this creates an account automatically it also creates a random secure password which can be reset and used provided the option to login through ",[26,126,127],{},"username/password"," is active.",[15,130,131,132,135],{},"SSO settings can be removed from a user's profile by any user with the ",[26,133,134],{},"UserUpdate"," admin right from the './admin/users' page.",{"title":137,"searchDepth":138,"depth":138,"links":139},"",2,[140,141,142],{"id":39,"depth":138,"text":40},{"id":95,"depth":138,"text":96},{"id":113,"depth":138,"text":114},"How users request access, how admins invite and approve users, and how SSO accounts are linked.","md",{},true,"/en/user/admin/granting-access",{"title":5,"description":143},"en/user/admin/granting-access","UvExGNXKViWSgQ0vjHNYKaEWZiHVgH6-npOshkZrYZs",1776295548981]