+

Users

As an administrator of your root organization, you can enable, disable, or delete users.

By selecting the checkbox next to a user, additional options related to that user appear:

  • Enable: Enables the disabled users in the selected organization or business group.

  • Disable: Disables the users in the selected organization or business group. They are no longer able to log in.

  • Delete: When deleting from the root organization, all of the user’s permissions are removed, and the user becomes unattached. When deleting from a business group, all of the user’s permissions for only the selected business group are removed. The deleted user’s data resides in the organization for audit logging purposes.

Before You Begin

Before getting started, ensure that you have:

  • The Organization Administrator permission

  • The API Version Owner permission if you plan to manage user permissions for your API version

Inviting a User to Anypoint Platform

This feature is not available in Anypoint Platform Private Cloud Edition, Government Cloud or for organizations that use external identity providers for single sign-on (SSO). You must manage users, including invitations for new users, through your third-party IdP or LDAP.

As an organization administrator of a root organization, you can invite new users and manage existing users for your organization.

To invite new users to your organization:

  1. In the Access Management navigation menu, click Users.

  2. Click Invite user.

  3. Enter the email addresses of the users that you want to invite to your organization as a comma-separated list.

  4. Optionally, select a team or role (deprecated) to assign permissions to these users.

  5. Click Send Invitation.

The users you specify receive email invitations to join your organization. Invited users must use the link they receive in the invitation to join your organization. When they click the link, they are presented with a sign-up form that already has the Company field completed with the name of your organization.

Note that the email link expires in one week.

Invited users have access to the same set of resources as you (although they may have different permissions that can restrict what they can view or do).

Resending or Canceling a Sent Invitation

Click Pending Invites to view all invitations that have not yet been accepted. Select the ones you need to manage, and click Re-send Invite or Cancel Invite.

Grant Permissions to Users

Organization administrators manage user access using teams or roles (deprecated), or by granting permissions to users individually. Note that teams and roles functionality are mutually exclusive.

In the Users page, click a user name to access more information about that user, manage and view permissions, manage and view teams or roles, or reset their password.

By default, in every new organization and business group, you can assign the following:

  • Assign API permissions: Select the name of the API you want to give access to, then pick a version and permission.

  • Assign Runtime Manager permissions: Select the name of the Runtime Manager environment to give access to, then pick a permission.

  • Assign teams: Select the name of the team to give access to.

  • Assign roles (deprecated): Select the name of the role to grant. Check the roles section for a description of the default roles within an organization and business group.

In the legacy roles user interface, roles and permissions are grouped under organizations (and also, optionally, under business groups). This means that you can only assign roles and permissions that are related to resources that exist in the organization and/or business group that you are selecting.

If necessary, you can also remove user permissions, but note that if those permissions are granted through an assigned team or role, you can remove them only by using the teams or Roles functionality respectively. You cannot view or remove team-based or role-based permissions in the Users page.

Because the Roles feature is deprecated, it is best to opt in to the Teams feature to manage permissions in a hierarchy.

To grant permissions to an individual user:

  1. Log in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Users.

  4. In the Permissions section, click Add permissions.

  5. Next to each permission you want to grant the user, select the checkbox.

  6. Click Next.

  7. Select the business groups in which you want the selected permissions to apply.

  8. Click Next.

  9. Select the environments in which you want the selected permissions to apply.

  10. Review the permissions, business groups, and environments, and then click Add permissions.

The user now has the permissions you selected in the business groups and environments you specified.

Managing Deleted Users

When you delete a user from your root organization, the user is soft deleted. This user can no longer access the root organization or business groups but maintains an Anypoint Platform account and can later be associated with another organization. Anypoint Platform maintains a record of such users for the purposes of audit logs.

If an Anypoint Platform user that was removed from an organization tries to log in to their former organization, the login request fails, with a Your credentials are not valid error message.

An organization administrator can invite the user to join the same organization again, but the user must create a new username. If the user tries to log in with their old account, the sign up request fails, stating Cannot create user. User already exists.

If a deleted federated user tries to log in, the login request fails, with a This user is disabled error message, but the user still appears in the organization as a disabled account. An organization administrator can re-enable this user.

Managing External Users of Your Public APIs

When you make an API portal public, users from any other Anypoint Platform organization can register client applications to call your API. When these users log in to your public developer portal, they are considered external users because they are outside of your organization.

When a user logs into Anypoint Platform for the first time, they are automatically added to the External Users tab. From the External Users tab in Access management, you can view a list of all external users. You can also enable or disable each of these external users from this screen. When you disable an external user, they can no longer log in to your public portal.

You cannot search for external users in other parts of Anypoint Platform because these users do not belong to your organization and do not have additional permissions. To grant users permission to perform tasks like deploying an application, you must invite the user to join your organization.

Managing Sensitive Account Information

As an organization administrator, you can modify some sensitive user information. For enhanced security, Access Management might ask you to reauthenticate before you can modify an organization user’s email address. Connected apps and clients are exempt from reauthentication. If you have a script that makes an API call to change an organization user’s email addresses, it might need to accommodate reauthentication.

Access Management prompts you to reauthenticate under the following conditions:

  • If more than 30 minutes have elapsed since you entered your password, Access Management prompts you to reenter your password.

  • If you have multi-factor authentication (MFA) enabled and more than 8 hours have elapsed since you entered your password and used MFA, Access Management prompts you to reenter your password and confirm the login using MFA.

Each time you log in or reauthenticate, the timer resets. If less than 30 minutes have elapsed since you logged in, Access Management does not prompt for your password again.

Was this article helpful? Thanks for your feedback!
View on GitHub