User management (SSO)

The User management (SSO Users) panel in CloudHub lets you control infrastructure access and define how team members connect to your environments in one place, with a single user for access to everything. You can create, update, and delete SSO users, and fine-tune each user's access per service directly through the portal.

For more information on what SSO is and what benefits it provides, see SSO Access.

Capabilities

  • Identity provisioning: Create SSO users for specific environments to ensure precise access control.
  • Secure connectivity: Enable or disable VPN access for individual users to secure communications with protected network resources. SSO users also offer a number of options for securing your access, from MFA to passwordless.
  • User lifecycle management: Modify existing user configurations or remove users when access is no longer required.

Available service permissions

Users can be assigned very granular permissions for every available application per environment. This means one SSO user can have admin permissions for RabbitMQ on a test environment and viewer permissions for RabbitMQ on a production environment.

Permissions by service:

RabbitMQ:

  • Admin — Full administrative access with the ability to create and remove queues
  • Developer — Can view queues, read and publish messages in the queues
  • Viewer — Read-only access to queues

Jenkins:

  • Admin — Full administrative access
  • Developer — Can build, view, and cancel jobs
  • Viewer — Read-only access to jobs and builds

AWS CLI:

  • BaseRole — Allows access to the specific environment in the AWS Dashboard and AWS CLI
  • Custom Role — Can be absent, or can be one or more roles composed specifically for the customer that include all permissions of the Base role and additional permissions like DB access

Requesting and renewing VPN for your SSO user

An SSO user needs VPN to access Jenkins and RabbitMQ. No VPN is required to access AWS Console.

To request the VPN for the specific environment, select the VPN option in the SSO user creation or edit form on CloudHub. Depending on whether SSO is enabled for Bastion (which handles VPN connections), you may need to use your SSO user credentials to also log in to the VPN when turning it on.

If your VPN configuration has expired, click the VPN Renew button next to your user to request a new VPN configuration.
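
An access review that applies the per-environment roles and the VPN rule described above, as an added example (not CloudHub or Spryker code). The inventory layout, the user names and the `production` environment name are assumptions, since this page does not describe an export format.

```python
# Added example: access review over a hand-kept inventory of SSO users.
# The record layout, user names and the "production" environment name are
# assumptions; this page does not describe a CloudHub export format.

ROLES = {  # role names per service, from the permissions list on this page
    "RabbitMQ": {"Admin", "Developer", "Viewer"},
    "Jenkins": {"Admin", "Developer", "Viewer"},
}
VPN_SERVICES = set(ROLES)  # Jenkins and RabbitMQ need VPN; AWS Console does not

INVENTORY = [  # constructed sample data: one record per user and environment
    {"user": "alice", "env": "test", "vpn": True,
     "perms": {"RabbitMQ": "Admin", "AWS CLI": "BaseRole"}},
    {"user": "alice", "env": "production", "vpn": True,
     "perms": {"RabbitMQ": "Viewer"}},
    {"user": "bob", "env": "production", "vpn": False,
     "perms": {"Jenkins": "Admin"}},
    {"user": "carol", "env": "production", "vpn": True,
     "perms": {"AWS CLI": "BaseRole"}},
    {"user": "dave", "env": "test", "vpn": True,
     "perms": {"Jenkins": "Devloper"}},
]


def review(inventory, prod_envs=("production",)):
    """Return (user, env, finding) tuples for entries that need a second look."""
    findings = []
    for rec in inventory:
        who = (rec["user"], rec["env"])
        behind_vpn = {s: r for s, r in rec["perms"].items() if s in VPN_SERVICES}
        for svc, role in behind_vpn.items():
            if role not in ROLES[svc]:
                findings.append((*who, f"unknown {svc} role {role!r}"))
            elif role == "Admin" and rec["env"] in prod_envs:
                findings.append((*who, f"{svc} Admin on a production environment"))
        if behind_vpn and not rec["vpn"]:
            findings.append((*who, "has VPN-only services but no VPN"))
        if rec["vpn"] and not behind_vpn:
            findings.append((*who, "VPN enabled but no service needs it"))
    return findings


if __name__ == "__main__":
    for user, env, finding in review(INVENTORY):
        print(f"{user:6} {env:11} {finding}")
```

Custom AWS roles are not validated here because their names are specific to each customer.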

Credential delivery for new users

When a new SSO user is created, credentials and access configuration are delivered securely across two separate emails:

  1. User update email: You will get an Action needed: Verify your Spryker SSO account updates email with the link for account update. Follow this link to set up the password for your new user.
  2. VPN configuration email: If you selected the VPN checkbox on user creation, or checked it during user edit, the VPN configuration file (OVPN profile) required to connect to the protected network is sent in a separate email.

Security note

Keep both emails secure. The link for account update expires in 3 hours. If you do not set up the user password within 3 hours, contact support.