User Management (Pro)
Since v0.25.0, the User Management feature streamlines the administration of user roles, permissions, and access levels within a platform. It lets super admins create and manage user accounts with varying levels of access, so that each user holds the permissions needed to perform their tasks and no more. The feature supports multiple user types, including super admins, admins, service users, and platform users, each with distinct capabilities tailored to their role within the organization.
At its core, the User Management feature enables the creation of user accounts through both invitation and direct addition. Super admins assign Platform Access Levels (PAL) to users, determining their access to functionality across the platform. For instance, admins can manage user roles, invite new users, and oversee network configurations, while service users are limited to specific tasks without dashboard access, using the platform only for remote access via the Remote Access Client (RAC) app. This hierarchy lets organizations keep control over their user base while still facilitating collaboration.
Additionally, the feature includes functionalities for managing network roles and groups, enhancing the granularity of access control. Admins can create network-specific roles and assign them to users, ensuring that they only have access to the resources necessary for their work. Groups can be formed to bundle roles, simplifying the management of permissions for multiple users at once. This flexibility is crucial for organizations with diverse teams and projects, as it allows for a tailored approach to user management that can adapt to changing needs and workflows.
Here is a breakdown of the different user types and their permissions (platform access levels):
- Super Admin: Possesses complete control over the platform, including creating and managing all other user types and their permissions.
- Admin: Has significant privileges to manage user accounts, assign roles, and oversee network configurations, but with limitations compared to the Super Admin (e.g., cannot create other admins).
- Platform User: Has access to the dashboard and can interact with assigned resources based on granted permissions; suitable for team members who need specific functionality.
- Service User: Designed for operational tasks without dashboard access, with permissions adjustable by Super Admins or Admins. The classic use case for this user type is remote access via the Netmaker Desktop app.
Adding users
There are two ways to create a user:
- Basic Auth: Fill in the user's details and click Create User.
- User Invite: Enter the email addresses of the users you want to invite. They will receive an email with a link to create their account. For Netmaker on-prem deployments, ensure that the SMTP client is configured to send emails.
Basic Authentication
This method is more suited for creating individual users directly. The admin just types a username and password for the user, then assigns them to a group.
Click on "Create User"
User Invite
This method is more suited for inviting multiple users at once. The admin types in the email addresses of the users they want to invite, then assigns them to a group.
Users will receive an email with a link to create their account and will be assigned the groups set by the admin during the invite process. In the case of Netmaker on-prem deployments, ensure the SMTP client is properly configured to handle email delivery.
Note:
- Starting from Netmaker version 0.90.0, SMTP configuration is managed via the Settings → Email Configuration page.
- For versions 0.30.0 and below, SMTP must be configured manually via environment variables in the server configuration. Please refer to our official guide for setup instructions.
User Groups
User grouping in Netmaker Professional allows administrators to organize users based on shared attributes such as department, role, or project. This makes it easier to manage permissions and access controls across multiple users.
Think of a group as a collection of network roles.
How it works
- Group Creation – Administrators create groups based on organizational needs.
- User Assignment – Users are added to one or more groups.
- Permission Management – Permissions are assigned to groups through network roles, reducing the need to configure individual users.
- Inheritance – Users automatically inherit the combined permissions of all groups they belong to.
In short, a group’s permissions come from the network roles assigned to it. Users can be members of multiple groups, and their effective permissions are additive.
Associated Network Roles
The Associated Network Roles section defines access levels for each network:
- Admin – Full access, including managing devices and users.
- User – View-only access; can see resources but cannot make changes.
- n/a – No access to that network.
Assigning roles per network ensures fine-grained control over visibility and management rights.
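Because group membership is additive, a group can only ever grant access; putting a user into a "restrictive" group does not lower what another group already gives them. The following is an added example (not Netmaker's own code) that computes a user's effective per-network role from their group memberships using the three roles above, and audits for networks where inheritance grants more than the user was meant to hold. The group, user and network names are constructed for illustration.

```python
"""Effective per-network access from additive group membership.

Added example; not code from Netmaker. Group, user and network names below
are constructed sample data, not taken from any real deployment.
"""
from typing import Dict, Iterable, List, Tuple

# The three network roles from the Associated Network Roles section, ranked by privilege.
RANK = {"n/a": 0, "User": 1, "Admin": 2}


def effective_roles(member_of: Iterable[str],
                    groups: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Combine the network roles of every group the user belongs to.

    Membership is additive: for each network the most privileged role across
    the user's groups wins, so adding a user to a group can only grant access,
    never restrict it. Networks no group mentions are omitted (implicitly n/a).
    """
    result: Dict[str, str] = {}
    for group in member_of:
        for network, role in groups[group].items():
            if role not in RANK:
                raise ValueError(f"unknown network role {role!r} in group {group!r}")
            if RANK[role] > RANK[result.get(network, "n/a")]:
                result[network] = role
    return result


def over_privileged(effective: Dict[str, str],
                    expected: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Audit helper: (network, expected role, effective role) for every network
    where group inheritance grants more than the user is supposed to have."""
    findings = []
    for network, role in sorted(effective.items()):
        allowed = expected.get(network, "n/a")
        if RANK[role] > RANK[allowed]:
            findings.append((network, allowed, role))
    return findings


# Constructed sample groups: each maps network -> role, as set in the
# Associated Network Roles section of that group.
GROUPS = {
    "engineering": {"office": "User", "staging": "Admin"},
    "netops": {"office": "Admin", "prod": "Admin"},
    "contractors": {"office": "User"},  # intended as a low-privilege group
}


def demo() -> Dict[str, Dict[str, str]]:
    """Two users: alice in engineering + contractors, bob in contractors + netops."""
    return {
        "alice": effective_roles(["engineering", "contractors"], GROUPS),
        "bob": effective_roles(["contractors", "netops"], GROUPS),
    }


if __name__ == "__main__":
    users = demo()
    for name, roles in users.items():
        print(name, roles)
    # bob was meant to be a contractor with office User only; membership in
    # netops silently elevates him because roles are additive.
    print(over_privileged(users["bob"], {"office": "User"}))
```

The practical consequence: to reduce someone's access you remove them from a group (or lower that group's role), never add them to a narrower one. Running the audit helper against the expected role map for each user type is a cheap way to catch accidental elevation after group changes.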
For a visual guide on creating and managing users, roles, and groups, see the User Interface section of the docs.
Sync Users and Groups from Your IdP
Keeping your private networks secure can get complicated as your organization grows. Manually creating accounts, managing groups, and removing access for leaving employees is slow and error-prone.
Netmaker’s IdP Integration automates all of this by syncing users and groups from your enterprise identity provider. Access stays accurate and up-to-date, onboarding and offboarding are faster, and users enjoy a seamless login via Single Sign-On (SSO).
Note: IdP integration is available only on self-hosted Pro tenants. Contact us for details.
Supported Identity Providers
Netmaker supports automatic user and group provisioning through native integration with the following identity providers:
- Microsoft Entra ID (Azure AD)
- Google Workspace
- Okta Identity Cloud
Key Features
1. Single Sign-On (SSO)
Users can log in to Netmaker via their IdP credentials. This replaces local Netmaker password management and provides a centralized login experience.
2. Automatic User and Group Sync
- Users: Synchronized as service users by default. These users do not have dashboard access unless promoted manually.
- Groups: Group memberships are imported, allowing role-based or policy-based access control.
- Prefix Filtering: Administrators can define prefixes to limit which users or groups are imported.
- Sync Frequency: Default is every 24 hours. The interval can be adjusted via the IDP_SYNC_INTERVAL environment variable (30m, 1h, 6h, 12h, 24h, etc.).
Admins can also manually trigger synchronization via the Settings page.
3. Self-Onboarding via IdP Sign-In
If auto-sync is disabled or incomplete:
- Users can sign in using their IdP credentials.
- Only users from allowed email domains can attempt to sign in.
- Upon first login, user accounts are created in a "pending approval" state and require admin approval before access is granted.
4. Automatic Suspension
If a user is suspended or disabled in the IdP, Netmaker will prevent their login attempts automatically. This ensures that offboarding actions in the IdP are enforced in Netmaker without additional manual steps.
Setup Guides
Notes and Limitations
- Self-hosted Only: IdP integration is limited to self-hosted Pro tenants.
- Super Admin Setup: By default, Super Admin accounts are not linked to IdP users. To assign Super Admin rights to an IdP-synced user, use the Transferring Super Admin Rights process below.
- Source of Truth: Your IdP is the authoritative source. Manual changes in Netmaker (e.g., deleting users or groups) will be overwritten during the next sync.
- IdP Removal Caution: Deleting an IdP integration will immediately remove all synced users and groups from Netmaker.
Caution: Removing your IdP configuration cannot be undone without reconfiguration. Proceed carefully.
Transferring super admin rights
To transfer Super Admin rights, you must be logged in as the current Super Admin. Go to User Management, locate your Super Admin account, then open the three-dot action menu next to it and select Transfer Super Admin. Choose the user you want to transfer the role to and confirm the action. Super Admin rights can only be transferred to a user with Admin privileges. Once completed, the selected user becomes the new Super Admin, and your account is automatically downgraded to Admin.
Only one Super Admin can exist at a time, and the change takes effect immediately.
Controlling User Sessions
To enhance security and ensure optimal system performance, our platform provides tools to control user sessions. Admins can define time limits for user sessions, automatically enforcing session expiration after a set period. This ensures that sessions are not left open indefinitely, reducing the risk of unauthorized access.
Key Features:
- Customizable Timeout: Admins can configure the timeout duration based on security needs, such as 2 hours, 5 hours, or longer.
- Automatic Session Expiration: Sessions automatically expire after a predefined period of time.
- Seamless User Experience: Once a session expires, users are automatically logged out and redirected to the login page to re-authenticate.
How It Works:
- Predefined Timeout Configuration: Admins set the session timeout under Settings → Security & Authentication by defining the JWT Validity Duration parameter (in minutes), and enable Auto Disable User Connection under Settings → System Configuration so that session expiration is also enforced for the Netmaker Desktop app.
- Expiration Trigger: Once the timeout elapses, the system automatically logs out the user and terminates their session.
- Automatic Logout: After expiration, the user is logged out and their session is securely cleared, so no idle sessions remain active.
Benefits:
- Enhanced Security: Reduces the risk of unauthorized access from idle sessions.
- Compliance: Meets internal and industry security policies requiring session timeouts.
- Resource Efficiency: Frees up resources by automatically closing inactive sessions.
User Access Tokens
Overview
User Access Tokens are used to generate Bearer tokens that enable programmatic access to API resources on a Netmaker server. These tokens are designed to support non-interactive authentication workflows, particularly in environments that rely on automation and scripting.
Purpose and Use Cases
User Access Tokens are especially useful in scenarios involving:
- Automated scripts
- CI/CD pipelines
- Infrastructure management tools
- Programmatic integrations with the Netmaker API
By using access tokens, applications and scripts can authenticate securely without requiring interactive user login.
Token Generation
User Access Tokens can be generated under the following conditions:
- Tokens may be created for existing user accounts.
- Tokens may also be generated during account creation.
- Multiple tokens can be generated for a single account.
- Each token is issued with an explicit expiration date, after which it becomes invalid.
Permissions and Scope
- The access scope of a User Access Token is strictly limited to the role and type of account for which it was generated.
- Tokens do not grant privileges beyond those assigned to the associated user account.
Authorization to Generate Tokens
The ability to generate User Access Tokens is restricted as follows:
- Super Admins, Owners, and Admins are permitted to generate tokens.
- Admins are limited to one token per non-admin user; they cannot generate multiple tokens for the same non-admin account.
Token Lifecycle and Revocation
User Access Tokens are automatically invalidated under the following conditions:
- If a user account is disabled or deleted, all tokens associated with that account can no longer be used for access.
- If an admin account is deleted or demoted to a non-admin account, all tokens generated by that admin account are automatically deleted, regardless of which users they were issued for.
Security Considerations
- Tokens should be treated as sensitive credentials and stored securely, outside of source code and build logs.
- Expiration dates should be as short as the workflow allows, applying the principle of least privilege to token lifetime.
- Regular token rotation is recommended, especially for long-running automation workflows.
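The following is an added example (not Netmaker's own client code) of the non-interactive pattern these tokens exist for, and of how the lifecycle and security points above look in practice: the token is read from an environment variable rather than embedded in the script, sent as a Bearer header, never written to logs in full, and a 401/403 reply, which is what an expired, revoked or out-of-scope token produces, is raised as a distinct error so automation fails loudly instead of retrying. The endpoint path /api/networks, the response shape and the environment variable name are assumptions for illustration; FakeNetmaker is a constructed stand-in for the server so the example runs offline.

```python
"""Non-interactive Netmaker API call with a User Access Token.

Added example, not Netmaker's own client. The API path, JSON shape and
environment variable name are assumptions for illustration; check them
against the API reference of the server version you run. FakeNetmaker is a
constructed stand-in for a server, used only so this runs offline.
"""
import io
import json
import os
import urllib.error
import urllib.request

TOKEN_ENV = "NETMAKER_ACCESS_TOKEN"  # assumed name; any secret store works


class TokenRejected(Exception):
    """The server answered 401/403: the token is expired, revoked (for example
    its user was disabled, or the admin who issued it was demoted), or its
    account's role does not cover the requested resource."""


def load_token(env_var: str = TOKEN_ENV) -> str:
    """Read the token from the environment; never hard-code it in the script."""
    token = os.environ.get(env_var, "").strip()
    if not token:
        raise RuntimeError(f"{env_var} is not set; refusing to fall back to an interactive login")
    return token


def redact(token: str) -> str:
    """Keep only a short suffix so log lines identify the token without exposing it."""
    return "****" + token[-4:] if len(token) >= 12 else "****"


def auth_headers(token: str) -> dict:
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def api_get(base_url: str, path: str, token: str, opener=None):
    """GET base_url+path with Bearer auth and return the decoded JSON body."""
    opener = opener or urllib.request.build_opener()
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers=auth_headers(token), method="GET")
    try:
        with opener.open(req, timeout=15) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            # Do not retry: a rejected token will not start working again.
            raise TokenRejected(
                f"token {redact(token)} rejected with HTTP {err.code} on {path}") from err
        raise


class FakeNetmaker:
    """Constructed stand-in for urllib's opener so the example runs offline.
    It accepts exactly one token and returns a sample network list."""

    def __init__(self, valid_token: str):
        self.valid_token = valid_token
        self.last_auth_header = None

    def open(self, req, timeout=None):
        self.last_auth_header = req.get_header("Authorization")
        if self.last_auth_header == f"Bearer {self.valid_token}":
            body = json.dumps([{"netid": "office"}, {"netid": "staging"}]).encode()
            return io.BytesIO(body)  # BytesIO works as a context manager like a response
        raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)


def list_network_ids(base_url: str, token: str, opener=None) -> list:
    """Names of the networks the token's account can see."""
    return [n["netid"] for n in api_get(base_url, "/api/networks", token, opener)]


def demo() -> dict:
    """Run the happy path and the revoked-token path against the fake server."""
    server = FakeNetmaker(valid_token="nm-ExampleToken-0123456789")
    base = "https://netmaker.example.com"
    good = list_network_ids(base, "nm-ExampleToken-0123456789", server)
    sent = server.last_auth_header
    try:
        list_network_ids(base, "nm-RevokedToken-9876543210", server)
        rejected = False
    except TokenRejected:
        rejected = True
    return {"networks": good, "sent_header": sent, "revoked_token_rejected": rejected}


if __name__ == "__main__":
    # Real use: export NETMAKER_ACCESS_TOKEN=... and pass load_token() with no opener.
    print(demo())
```

Treating 401/403 as terminal rather than retryable matters in CI: a pipeline that retries a revoked token only delays the failure and fills the server's logs with rejected requests, while a pipeline that aborts immediately surfaces the offboarding or rotation event that caused it.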