User Management (Pro)

Since v0.25.0, the User Management feature is designed to streamline the administration of user roles, permissions, and access levels within a platform. This robust system allows super admins to create and manage user accounts with varying levels of access, ensuring that each user has the appropriate permissions to perform their tasks effectively. The feature supports multiple user types, including super admins, admins, service users, and platform users, each with distinct capabilities tailored to their roles within the organization.

At its core, the User Management feature enables the creation of user accounts through both invitation and direct addition methods. Super admins can assign Platform Access Levels (PAL) to users, determining their access to various functionalities across the platform. For instance, admins can manage user roles, invite new users, and oversee network configurations, while service users are limited to specific tasks without dashboard access, focusing instead on remote access via the RAC app. This hierarchical structure promotes security and efficiency, allowing organizations to maintain control over their user base while facilitating collaboration.

Additionally, the feature includes functionalities for managing network roles and groups, enhancing the granularity of access control. Admins can create network-specific roles and assign them to users, ensuring that they only have access to the resources necessary for their work. Groups can be formed to bundle roles, simplifying the management of permissions for multiple users at once. This flexibility is crucial for organizations with diverse teams and projects, as it allows for a tailored approach to user management that can adapt to changing needs and workflows.

Here is a breakdown of the different user types and their permissions (platform access levels):

  • Super Admin: Possesses complete control over the platform, including creating and managing all other user types and their permissions.

  • Admin: Has significant privileges to manage user accounts, assign roles, and oversee network configurations, but with limitations compared to the Super Admin (e.g., an Admin cannot create other admins).

  • Platform User: Has access to the dashboard and can interact with assigned resources based on granted permissions, suitable for team members needing specific functionalities.

  • Service User: Designed for operational tasks without dashboard access, with permissions adjustable by Super Admins or Admins. The classic use case for this user type is remote access via the Netmaker Desktop app.

Adding users

There are two ways to create a user:

  1. Basic Auth: Fill in the user’s details and click Create User.

  2. User Invite: Enter the email addresses of the users you want to invite. They will receive an email with a link to create their account. For Netmaker on-prem deployments, ensure that the SMTP client is configured to send emails.

Basic Authentication

This method is more suited for creating individual users directly. The admin just types a username and password for the user, then assigns them to a group.

Click on "Add a User", then choose "Create User".

User Invite

This method is more suited for inviting multiple users at once. The admin types in the email addresses of the users they want to invite, then assigns them to a group.

Users will receive an email with a link to create their account and will be assigned the groups set by the admin during the invite process. In the case of Netmaker on-prem deployments, ensure the SMTP client is properly configured to handle email delivery.

Please Note: For Netmaker on-prem deployments, additional server configurations are needed to enable email functionality. Refer to the Advanced Options guide for more details.

User Groups

User grouping in Netmaker Professional is a mechanism for organizing users based on shared attributes or roles. By placing users into groups, administrators can efficiently manage permissions and access controls.

In plain terms, a group can be viewed as a collection of network roles.

Here's how it works:

  1. Group Creation: Administrators define groups based on criteria such as department, role, or project.

  2. User Assignment: Users are added to relevant groups. A user can belong to multiple groups.

  3. Permission Management: Instead of assigning permissions to individual users, permissions are assigned to groups in the form of network roles. This simplifies the management process, as changes to permissions only need to be made at the group level.

  4. Inheritance: Users inherit permissions from the groups they belong to. If a user is part of multiple groups, the combined permissions from all groups apply.

In summary, a group’s permissions are determined by the different network roles that are assigned to that group. A user can be in multiple groups, and the inherited permissions are additive.
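The additive inheritance described above, as an added Go example that is not Netmaker's own code: a group maps to a set of network roles, a user's effective roles are the de-duplicated union over all of that user's groups, and a reverse lookup answers the access-review question "who can reach this network?". Type names, role names ("network-user", "network-admin") and the sample data are assumptions constructed for the illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Added illustration of the group model described above (not Netmaker's code): a
// group is a set of network roles and a user's inherited roles are additive.
type NetworkRole struct{ Network, Role string }
type Directory struct {
	GroupRoles  map[string][]NetworkRole // group -> network roles it grants
	Memberships map[string][]string      // user -> groups the user belongs to
}
// EffectiveRoles: de-duplicated union of roles from all the user's groups, per network.
func (d Directory) EffectiveRoles(user string) map[string][]string {
	seen := map[NetworkRole]bool{}
	out := map[string][]string{}
	for _, g := range d.Memberships[user] {
		for _, r := range d.GroupRoles[g] {
			if !seen[r] {
				seen[r] = true
				out[r.Network] = append(out[r.Network], r.Role)
			}
		}
	}
	return out
}
// UsersWithAccess: reverse lookup for an access review, every user reaching the network via any group.
func (d Directory) UsersWithAccess(network string) []string {
	var users []string
	for u := range d.Memberships {
		if _, ok := d.EffectiveRoles(u)[network]; ok {
			users = append(users, u)
		}
	}
	sort.Strings(users) // map iteration order is random; sort for stable output
	return users
}

func main() { // constructed sample: alice is in both groups, bob only in devs
	d := Directory{
		GroupRoles: map[string][]NetworkRole{
			"devs": {{"lab", "network-user"}, {"prod", "network-user"}},
			"ops":  {{"prod", "network-admin"}, {"prod", "network-user"}},
		},
		Memberships: map[string][]string{"alice": {"devs", "ops"}, "bob": {"devs"}},
	}
	fmt.Println(d.EffectiveRoles("alice"), d.UsersWithAccess("prod"))
}
```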

Refer to the "User Interface" reference section of the docs for a pictorial view of how to create and manage users, roles and groups.

Provision Users and Groups from Your Identity Provider

Managing secure private network access can become increasingly complex as organizations scale. Manually provisioning user accounts, maintaining group memberships, and revoking access for departing employees is time-consuming, error-prone, and risks lapses in security and compliance.

Netmaker’s Identity Provider (IdP) Integration solves this by automating user and group management through synchronization with your enterprise identity provider. By connecting Netmaker to your IdP, user and group data is seamlessly synchronized, ensuring that access permissions remain accurate and up-to-date across your private networks — with no manual effort required.

This integration simplifies onboarding and offboarding, reduces administrative overhead, improves compliance posture, and delivers a consistent login experience through Single Sign-On (SSO).

Note: IdP integration is currently available only for self-hosted Pro tenants. For managed tenant support, please contact us.

Supported Identity Providers

Netmaker currently supports native synchronization with the following identity providers for automatic provisioning of users and groups:

  • Microsoft Entra ID (Azure AD)

  • Google Workspace

Support for additional IdPs (e.g., Okta) is planned for future releases.

Features

Single Sign-On (SSO)

Users can log in to Netmaker via their IdP credentials. This replaces local Netmaker password management and provides a centralized login experience.

Automatic User and Group Sync

  • Users: Synchronized as service-users by default. These users do not have dashboard access unless promoted manually.

  • Groups: Group memberships are imported, allowing role-based or policy-based access control.

  • Prefix Filtering: Administrators can define prefixes to limit which users or groups are imported.

  • Sync Frequency: Default is every 24 hours. The interval can be adjusted via the IDP_SYNC_INTERVAL environment variable (30m, 1h, 6h, 12h, 24h, etc.).

Admins can also manually trigger synchronization via the Settings page.

Self-Onboarding via IdP Sign-In

If auto-sync is disabled or incomplete:

  • Users can sign in using their IdP credentials.

  • Only users from allowed email domains can attempt to sign in.

  • Upon first login, user accounts are created in a "pending approval" state and require admin approval before access is granted.

Automatic Suspension

If a user is suspended or disabled in the IdP, Netmaker will prevent their login attempts automatically. This ensures that offboarding actions in the IdP are enforced in Netmaker without additional manual steps.
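The sync rules above (IdP as source of truth, service-user default, prefix filtering, suspension enforced at login), as an added Go model that is not Netmaker's own code. It rebuilds the synced user set from an IdP snapshot, which is why a user deleted by hand reappears on the next run; the struct names, the "emp-"/"nm-" prefixes and the sample accounts are assumptions constructed for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Added model of the sync rules described above (not Netmaker's code): the IdP is the
// source of truth, imports default to service-user, and IdP-disabled users cannot log in.
type IdpUser struct {
	Email   string
	Groups  []string
	Enabled bool
}
type NetmakerUser struct {
	Email, Access string // Access starts as "service-user"; promotion is a manual step
	Groups        []string
	Suspended     bool
}
// Sync rebuilds the synced set from an IdP snapshot, so manual deletions are overwritten.
func Sync(idp []IdpUser, userPrefix, groupPrefix string) map[string]NetmakerUser {
	out := map[string]NetmakerUser{}
	for _, u := range idp {
		if !strings.HasPrefix(u.Email, userPrefix) {
			continue // outside the user prefix filter: not imported
		}
		nu := NetmakerUser{Email: u.Email, Access: "service-user", Suspended: !u.Enabled}
		for _, g := range u.Groups {
			if strings.HasPrefix(g, groupPrefix) { // only groups under the prefix are imported
				nu.Groups = append(nu.Groups, g)
			}
		}
		out[u.Email] = nu
	}
	return out
}
// CanLogin enforces the suspension rule: unknown or suspended users are refused.
func CanLogin(users map[string]NetmakerUser, email string) bool {
	u, ok := users[email]
	return ok && !u.Suspended
}
func main() { // constructed sample: carol is disabled in the IdP, dave is outside the "emp-" prefix
	users := Sync([]IdpUser{
		{"emp-alice@example.com", []string{"nm-devs", "hr"}, true},
		{"emp-bob@example.com", []string{"nm-ops"}, true},
		{"emp-carol@example.com", []string{"nm-devs"}, false},
		{"ext-dave@example.com", nil, true},
	}, "emp-", "nm-")
	fmt.Println(len(users), users["emp-alice@example.com"].Groups, CanLogin(users, "emp-carol@example.com"))
}
```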

Setup Guides

Notes and Limitations

  • Self-hosted Only: IdP integration is limited to self-hosted Pro tenants.

  • Super Admin Setup: By default, Super Admin accounts are not linked to IdP users.

    To assign Super Admin rights to an IdP-synced user, you can take advantage of the Transferring Super Admin Rights process below.

  • Source of Truth: Your IdP is the authoritative source. Manual changes in Netmaker (e.g., deleting users or groups) will be overwritten during the next sync.

  • IdP Removal Caution: Deleting an IdP integration will immediately remove all synced users and groups from Netmaker.

⚠️ Caution: Removing your IdP configuration cannot be undone without reconfiguration. Proceed carefully.

Transferring super admin rights

Super admin rights can be transferred only to another admin. To do this, go to the Super Admin's row on the users page and hover over the ellipsis. You will see an option to transfer admin rights. Clicking it opens a dialog box in which you can select the admin to transfer super admin rights to.


Controlling User Sessions

To enhance security and ensure optimal system performance, our platform provides robust tools to control user sessions. Admins can define time limits for user sessions, automatically enforcing session expiration after a set period. This feature helps ensure that sessions are not left open indefinitely, reducing the risk of unauthorized access.

Key Features:
  • Customizable Timeout: Admins can configure the timeout duration based on security needs, such as 2 hours, 5 hours, or longer.

  • Automatic Session Expiration: Sessions automatically expire after a predefined period of time.

  • Seamless User Experience: Once a session expires, users are automatically logged out and redirected to the login page to re-authenticate.

How It Works:
  1. Predefined Timeout Configuration: Admins set the session timeout under Settings → Security & Authentication by defining the JWT Validity Duration parameter (in minutes), which specifies the duration of the session. To also enforce session expiration in the Netmaker Desktop app, enable Auto Disable User Connection under Settings → System Configuration.

  2. Expiration Trigger: Once the timeout has elapsed, the system automatically logs out the user and terminates their session.

  3. Automatic Logout: After expiration, the user is logged out, and their session is securely cleared, ensuring that no idle sessions remain active.

Benefits:
  • Enhanced Security: Reduces the risk of unauthorized access from idle sessions.

  • Compliance: Meets internal and industry security policies requiring session timeouts.

  • Resource Efficiency: Frees up resources by automatically closing inactive sessions.