How to Add Users
Purpose
Adding and Managing Users in the Netmaker Platform
Identity Provider (IDP) Integration
Integrating an external Identity Provider (IDP) is the most efficient method for managing access at scale within Netmaker. By synchronizing with a provider like Google Workspace, you automate user onboarding and group management, ensuring that users have appropriate access levels based on their organizational roles.
Configuring Google Workspace Synchronization
To begin the integration, navigate to the Settings gear icon in the bottom-left corner of the sidebar and select the Security & Authentication tab.
In the Identity Providers Integration section, locate the Google option. Netmaker offers two levels of integration: a basic Setup OAuth only option for external login and a full Integrate option for automated synchronization. To enable full synchronization, click the Integrate button.

A configuration wizard will guide you through the connection process. Review the Required Permissions listed in the modal and click Get Started. You will be prompted to follow on-screen instructions for the Google Cloud Console, including creating a project and configuring the OAuth consent screen. Once the Google Cloud project is ready, enter the OAuth client ID and OAuth client secret into the provided fields in Netmaker to finalize the connection.

Authentication Security Policies
Beyond IDP integration, you can manage global platform security via the Authentication Security panel. Here, you can toggle Basic Authentication to enable or disable manual credential-based logins. For organizations requiring high security, you can toggle the Enforce Multi-factor Authentication switch to require MFA for every user on the platform.

Additionally, you can manage the JWT Validity Duration, which determines how long a user session remains active before a re-authentication is required. The default is set to 720 minutes but can be adjusted to meet your organization's security posture.
Authentication Security Settings
Beyond external identity provider integration, Netmaker provides a dedicated panel for managing core security protocols, including manual login permissions and session persistence. These settings are critical for defining the baseline security posture of your network management platform.
Access and MFA Controls

Within the Authentication Security panel, administrators can govern how users access the platform. This includes a toggle for Basic Authentication, which allows or restricts the use of manual username and password credentials. For environments requiring higher security standards, you can toggle Enforce Multi-factor Authentication. When enabled, this requires all platform users to provide a second form of verification before they are granted access.

Session Management
Session persistence is managed via JSON Web Tokens (JWT). The JWT Validity Duration setting determines how long a user remains logged into the dashboard or application before their session expires and they are required to re-authenticate.

The default session length is set to 720 minutes (12 hours). To adjust this duration to better suit your organizational security policies, click the Edit button next to the value and enter the desired time in minutes. This ensures a balance between user convenience and the risk of unauthorized access via stale sessions.
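To illustrate how a validity duration bounds a JWT session, here is an added example (not Netmaker's code) of a server-side check that verifies a token and enforces both its expiry and a maximum lifetime equal to the 720-minute default. The HS256 algorithm, the `iat`/`exp` claims, the key and the helper names are assumptions; the page does not show Netmaker's actual token format.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 token to feed the checker (sample input only)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64url(_sign(f'{head}.{body}', key))}"

def check_session(token: str, key: bytes, now: int, policy_minutes: int = 720) -> str:
    """Classify a token: valid, malformed, bad-signature, expired, lifetime-exceeds-policy."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        head, claims = json.loads(_unb64url(head_b64)), json.loads(_unb64url(body_b64))
        sig = _unb64url(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad JSON
        return "malformed"
    if not isinstance(head, dict) or not isinstance(claims, dict):
        return "malformed"
    # Pin the algorithm and compare MACs in constant time before trusting any claim.
    if head.get("alg") != "HS256" or not hmac.compare_digest(sig, _sign(f"{head_b64}.{body_b64}", key)):
        return "bad-signature"
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return "malformed"
    if now >= exp:
        return "expired"
    # A signed token carries its own expiry, so also bound its total lifetime by policy.
    if exp - iat > policy_minutes * 60:
        return "lifetime-exceeds-policy"
    return "valid"

# Constructed sample data: demo key, fixed issue time, 720-minute token.
KEY = b"constructed-demo-key"
ISSUED = 1_700_000_000
TOKEN = issue({"sub": "alice", "iat": ISSUED, "exp": ISSUED + 720 * 60}, KEY)

if __name__ == "__main__":
    print(check_session(TOKEN, KEY, ISSUED + 60))
    print(check_session(TOKEN, KEY, ISSUED + 720 * 60))
    print(check_session(TOKEN, KEY, ISSUED + 60, policy_minutes=60))
```

The third call shows why the lifetime check matters in this sketch: a token minted under a 720-minute policy still carries its original `exp`, so a verifier that only compares `exp` to the clock would keep honouring it after the policy is tightened to 60 minutes.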
Reviewing Integration Status
Once your security settings are configured, you can verify your active integrations by returning to the Security & Authentication tab. This view allows you to see the details of configured providers, such as Google Workspace, including the Client ID and admin contact information, ensuring all security layers are correctly aligned.

Manual User Creation and Access Levels
While automated Identity Provider (IDP) synchronization is efficient for large organizations, Netmaker provides a robust manual user management system for creating local accounts and defining granular access controls.
Creating a New User
To manually add a user, navigate to the User Management page from the left-hand sidebar and click the + Create User button in the top-right corner. This opens a modal where you must define the user's primary credentials and permission scope.

Identify the User: Enter a unique identifier in the Username field and set a secure password.
Assign Access Level: Select the appropriate radio button to define the user's global platform permissions.
Finalize: Once details are entered and roles are assigned, click Create User. A confirmation toast will appear in the top-right corner.
Understanding Platform Access Levels
Netmaker utilizes three distinct access levels to ensure the principle of least privilege is maintained across the network infrastructure.

1. Admin
Admins hold full system-wide permissions. They can manage all users, add or remove devices, configure global settings, and oversee every network within the platform. This level is intended for primary infrastructure maintainers.

2. Platform User
Platform Users are granted dashboard access but are restricted to specific network administration duties. Their access is dictated by group membership. For example, assigning a Platform User to a 'cloud-overlay Admin Group' allows them to act as an administrator only for that specific network environment.

3. Service User
Service Users are restricted accounts designed for standard end-users who do not require dashboard access. These users cannot log into the web UI; instead, they use the Netmaker Desktop application to connect to their assigned networks. Access is managed by adding them to specific user groups, such as an 'Office User Group'.

4. Auditor
The Auditor role grants full read-only access to the platform on the specified networks.
Post-Creation Management
Once created, users appear in the User Management table. From here, you can monitor their Status (Enabled/Disabled) and Auth Type. If you need to manage network-specific roles more granularly, you can navigate to the Groups tab to create custom groups and assign roles like 'admin' or 'user' to specific networks.

Group and Role Management
Netmaker utilizes a group-based system to manage granular access permissions across various networks. This allows administrators to define whether a user acts as an administrator or a standard user for specific network segments, ensuring the principle of least privilege.

Configuring Default and Custom Groups
While the platform automatically generates default groups for basic administrative and user roles, you can create custom groups for more specific use cases. To create a new group, navigate to the Groups dashboard and click the + Create Group button. In the resulting modal, provide a unique Group Name and a description to identify the group's purpose.
The core of group management lies in the Associated Network Roles. Within this section, you can use a dropdown menu for each specific network to assign roles. Currently, these roles include:
Admin: Grants full management rights over the specific network.
User: Grants standard access to the network without administrative privileges.

User Onboarding via Invitations
Beyond manual user creation, Netmaker supports an invitation workflow that streamlines onboarding. By clicking the Invite User button from the main dashboard, you can enter multiple email addresses to invite users in bulk. This system requires a configured SMTP server to send automated email invites.

When sending invitations, you must define the Platform Access Level (Admin, Platform User, or Service User). This sets the global permission for the invited user before they are assigned to specific network groups. Once configured, clicking Create User Invite(s) initiates the delivery of the invitation tokens.
You can monitor the status of sent invitations and manage pending enrollment sign-ups by navigating to the Invites & Requests tab at the top of the interface.
Email Invites and Pending Requests
Netmaker provides streamlined methods for onboarding users through automated email invitations and a self-service sign-up queue. These features allow administrators to manage growth without manually creating every individual account.

Sending Email Invitations
To invite new members to the platform via email, navigate to the User Management section and select the + Invite User(s) button. This workflow leverages your configured SMTP server to send automated onboarding emails.

Recipient Entry: In the invitation modal, enter one or more email addresses. Multiple addresses should be separated by commas.
Set Access Level: Choose the initial Platform Access Level (Admin, Platform User, or Service User) that the invitees will receive upon joining.
Finalize: Click Create User Invite(s) to dispatch the emails.
Managing Pending Sign-Up Requests
Users who have initiated a sign-up through the Netmaker Web UI or the Netmaker Desktop application without an invitation will appear in the Requests section. This acts as an approval queue to ensure only authorized individuals gain access to the network.

To manage these users, navigate to the Invites & Requests tab and scroll to the Requests table at the bottom of the interface. Here, you can review the pending list and approve users individually. Once approved, you can assign them to specific network groups and define their platform permissions.
