User Management

Superadmin Signup

When you start Netmaker for the first time, you will be prompted to create a superadmin account from the UI like below

Input your username and a super memorable but strong password then click on the Sign up button. Once you’ve signed up, you can login to your Netmaker server with the account.

Another user type that exists in netmaker CE is “admin“. A user with admin role has equal capabilities as the superadmin, except the creation of other admins and transfering super-admin priviledges.

User Access Tokens

Overview

User Access Tokens are used to generate Bearer tokens that enable programmatic access to API resources on a Netmaker server. These tokens are designed to support non-interactive authentication workflows, particularly in environments that rely on automation and scripting.

Purpose and Use Cases

User Access Tokens are especially useful in scenarios involving:

Automated scripts
CI/CD pipelines
Infrastructure management tools
Programmatic integrations with the Netmaker API

By using access tokens, applications and scripts can authenticate securely without requiring interactive user login.

Token Generation

User Access Tokens can be generated under the following conditions:

Tokens may be created for existing user accounts.
Tokens may also be generated during account creation.
Multiple tokens can be generated for a single account.
Each token is issued with an explicit expiration date, after which it becomes invalid.

Permissions and Scope

The access scope of a User Access Token is strictly limited to the role and type of account for which it was generated.
Tokens do not grant privileges beyond those assigned to the associated user account.

Authorization to Generate Tokens

The ability to generate User Access Tokens is restricted as follows:

Super Admins, Owners, and Admins are permitted to generate tokens.
Admins are limited to generating one token per non-admin user.
Admins cannot generate multiple tokens for the same non-admin account.

Token Lifecycle and Revocation

If a user account is disabled or deleted, all tokens associated with that account can no longer be used for access.
If an admin account is deleted or demoted to a non-admin account, all tokens generated by that admin account are automatically deleted, regardless of which users they were issued for.

Security Considerations

Tokens should be treated as sensitive credentials and stored securely.
Expiration dates should be configured according to the principle of least privilege.
Regular token rotation is recommended, especially for long-running automation workflows.

Users in Netmaker Professional

Since v0.25.0, Netmaker Professional offers a more capable user management feature. Server administrators can create different kinds of users (admins, platform users and service users) and group them for easier management.

Check the “Users in Netmaker Professional“ section for more information

Using the Netmaker Desktop Application

Users are required to sign in using their assigned credentials. Alternatively, social login options are available.

After successful login you will be shown all the networks and gateways you have given access to, so now you will be able to connect/disconnect/refresh your connection to a gateway. Internet gateways are depicted with a globe icon. An internet gateway can be used to route all your traffic through the gateway, this is useful if you want to access the internet without exposing your public IP address. This behaves like a traditional VPN.

User Management in Netmaker Professional

The User Management features in Netmaker Professional are designed to streamline the administration of user roles, permissions, and access levels within a platform. This system allows super admins to create and manage user accounts with varying levels of access, ensuring appropriate permissions for tasks. Supported user types include super admins, admins, service users, and platform users, each with distinct capabilities.

User accounts can be created via invitation or direct addition. Super admins assign Platform Access Levels (PAL) to determine access across the platform. Admins can manage user roles, invite users, and oversee network configurations; service users are limited to specific tasks without dashboard access (commonly used for remote access via the Netmaker Desktop app).

The system also supports network roles and groups for more granular access control. Admins can create network-specific roles and assign them to users or groups to simplify permission management across teams and projects.

User types and platform access levels:

Super Admin: Full control over the platform, including creating and managing other user types and permissions.
Admin: High privileges to manage accounts, assign roles, and handle network configuration, but cannot create other admins.
Platform User: Dashboard access and ability to interact with assigned resources as permitted.
Service User: No dashboard access; permissions adjustable by Super Admins/Admins. Typical use: remote access via Netmaker Desktop app.

Adding users

There are two ways to create a user:

Basic Auth

This method is suited for creating individual users directly. The admin provides a username and password, assigns groups, then clicks Create User.

Click on "Add a User" then choose "Create User"

User Invite

This method is suited for inviting multiple users. The admin enters email addresses of users to invite and assigns them to a group.

Invited users receive an email with a link to create their account and are assigned the groups set by the admin during invite. For Netmaker on-prem deployments, ensure the SMTP client is configured to send emails.

Note:

Starting from Netmaker version 0.90.0, SMTP configuration is managed via Settings → Email Configuration.
For versions 0.30.0 and below, SMTP must be configured via environment variables in the server configuration. See the official guide: https://docs.netmaker.io/docs/server-installation/advanced-options

User Groups

User grouping in Netmaker Professional allows admins to organize users by department, role, project, or other attributes, simplifying permissions and access control.

Think of a group as a collection of network roles.

How it works:

Group Creation – Administrators create groups based on needs.
User Assignment – Users are added to one or more groups.
Permission Management – Permissions are assigned to groups via network roles, reducing per-user configuration.
Inheritance – Users inherit the combined permissions of all their groups.

A group's permissions come from the network roles assigned to it. Users can belong to multiple groups; their effective permissions are additive.

Associated Network Roles

The Associated Network Roles section defines per-network access levels:

Admin – Full access, including managing devices and users.
User – View-only access.
n/a – No access to that network.

Assigning roles per network enables fine-grained control over visibility and management rights.

For a visual guide on creating and managing users, roles, and groups, see the User Interface section of the docs: https://docs.netmaker.io/docs/references/user-interface#users__user-groups

Provision Users and Groups from Your Identity Provider

Managing private network access can become complex at scale. Manual provisioning and membership maintenance are time-consuming and error-prone.

Netmaker’s Identity Provider (IdP) Integration automates user and group management by synchronizing with your enterprise IdP. This ensures permissions remain accurate across private networks without manual effort. Benefits include simplified onboarding/offboarding, reduced administrative overhead, improved compliance, and Single Sign-On (SSO).

Note: IdP integration is available only for self-hosted Pro tenants. For managed tenant support, contact: https://www.netmaker.io/contact

Supported Identity Providers

Netmaker supports native synchronization with:

Microsoft Entra ID (Azure AD)
Google Workspace

Support for additional IdPs (e.g., Okta) is planned.

Features

Single Sign-On (SSO)

Users can log in via their IdP credentials, replacing local password management.

Automatic User and Group Sync

Users: Synchronized as service-users by default (no dashboard access unless promoted).
Groups: Memberships are imported.
Prefix Filtering: Admins can limit which users/groups are imported via prefixes.
Sync Frequency: Default every 24 hours; adjusted via IDP_SYNC_INTERVAL environment variable (e.g., 30m, 1h, 6h, 12h, 24h).

Admins can manually trigger sync via the Settings page.

If auto-sync is disabled or incomplete:

Users may sign in with IdP credentials.
Only users from allowed email domains may attempt sign-in.
On first login, accounts are created in a "pending approval" state and require admin approval.

Automatic Suspension

If a user is suspended or disabled in the IdP, Netmaker prevents their login attempts automatically.

Setup Guides

Integrating Google Workspace: https://docs.netmaker.io/docs/how-to-guides/identity-provider-integration-guide#integrating-google-workspace
Integrating Microsoft Entra ID (Azure AD): https://docs.netmaker.io/docs/how-to-guides/identity-provider-integration-guide#integrating-microsoft-entra-id-azure-ad
Integrating GitHub: https://docs.netmaker.io/docs/how-to-guides/identity-provider-integration-guide#integrating-github
Integrating Generic OpenID (OIDC) Provider: https://docs.netmaker.io/docs/how-to-guides/identity-provider-integration-guide#integrating-generic-openid-oidc-provider

Notes and Limitations

Self-hosted Only: IdP integration is limited to self-hosted Pro tenants.
Super Admin Setup: By default, Super Admin accounts are not linked to IdP users. To assign Super Admin rights to an IdP-synced user, use the Transferring Super Admin Rights process below.
Source of Truth: IdP is authoritative. Manual changes in Netmaker (e.g., deleting users/groups) will be overwritten on the next sync.
IdP Removal Caution: Deleting an IdP integration immediately removes all synced users and groups from Netmaker.

Caution: Removing your IdP configuration cannot be undone without reconfiguration. Proceed carefully.

Transferring super admin rights

Super admin rights can be transferred only to another admin. On the Users page, hover over the ellipsis on the superadmin row and select the option to transfer admin rights. A dialog opens allowing selection of an admin to receive super admin rights.

Controlling User Sessions

Admins can define session time limits to automatically enforce session expiration for security and performance.

Key features:

Customizable Timeout: Configure durations (e.g., 2 hours, 5 hours).
Automatic Session Expiration: Sessions expire after the set period.
Seamless User Experience: Expired sessions log users out and redirect to login.

How it works:

Configure Timeout

Set the session timeout under Settings → Security & Authentication by defining the JWT Validity Duration parameter (in minutes) to specify session length.

Auto Disable User Connection

Enable Auto Disable User Connection under Settings → System Configuration to enforce Netmaker Desktop app session expiration.

Expiration and Logout

When the timeout expires, the system logs out the user, terminates the session, and clears session state securely.

Benefits:

Enhanced Security: Reduces risk from idle sessions.
Compliance: Helps meet policies requiring session timeouts.
Resource Efficiency: Frees resources by closing inactive sessions.