Chapter 2. Managing user accounts using the IdM Web UI
Manage the complete user lifecycle in the Identity Management (IdM) Web UI. Create, activate, disable, enable, preserve, restore, and delete user accounts to handle employee onboarding, temporary leaves, and departures.
2.1. User life cycle
Identity Management (IdM) user accounts progress through three states: Stage, Active, and Preserved. Understanding this lifecycle helps you provision new accounts, manage departures, and restore users when needed.
- Stage users are not allowed to authenticate. This is an initial state. Some of the user account properties required for active users cannot be set, for example, group membership.
- Active users are allowed to authenticate. All required user account properties must be set in this state.
- Preserved users are former active users that are considered inactive and cannot authenticate to IdM. Preserved users retain most of the account properties they had as active users, but they are not part of any user groups.
You can delete user entries permanently from the IdM database.
Deleted user accounts cannot be restored. When you delete a user account, all the information associated with the account is permanently lost.
A new administrator can only be created by a user with administrator rights, such as the default admin user. If you accidentally delete all administrator accounts, the Directory Manager must create a new administrator manually in the Directory Server.
Do not delete the admin user. As admin is a pre-defined user required by IdM, this operation causes problems with certain commands. If you want to define and use an alternative admin user, disable the pre-defined admin user with ipa user-disable admin after you granted admin permissions to at least one different user.
Do not add local users to IdM. The Name Service Switch (NSS) always resolves IdM users and groups before resolving local users and groups. This means that, for example, IdM group membership does not work for local users.
2.2. Adding users in the Web UI
Create user accounts in the Identity Management (IdM) Web UI to provision access for new employees. You can create active users who can authenticate immediately or stage users who require activation before use.
Prerequisites
- Administrator privileges for managing IdM or User Administrator role.
Procedure
- Log in to the IdM Web UI. For details, see Accessing the IdM Web UI in a web browser.
- Go to the Users → Stage Users tab. Alternatively, you can add the user account in the Users → Active users tab; however, you cannot add user groups to the account.
- Click the + Add icon.
- Optional: In the User login field, add a login name. If you leave it empty, the IdM server creates the login name in the following pattern: the first letter of the first name followed by the surname. The whole login name can have up to 32 characters.
- Enter the First name and Last name of the new user.
- Optional: In the GID drop-down menu, select the groups in which the user should be included. Note that this option is only available in the Active Users dialog box.
- Optional: In the Password and Verify password fields, enter a password and confirm it, ensuring that both entries match.
- Click the Add button.
At this point, you can see the user account in the Stage Users or Active Users table. If you click the user name, you can edit advanced settings, such as adding a phone number, address, or occupation.
Warning: IdM automatically assigns a unique user ID (UID) to new user accounts. You can assign a UID manually, or even modify an existing UID. However, the server does not validate whether the new UID number is unique. Consequently, multiple user entries might have the same UID number assigned. A similar problem can occur with user private group IDs (GIDs) if you assign GIDs to user accounts manually. You can use the ipa user-find --uid=<uid> or ipa user-find --gidnumber=<gidnumber> commands on the IdM CLI to check whether you have multiple user entries with the same ID. You should not have multiple entries with the same UIDs or GIDs. If you have objects with duplicate IDs, security identifiers (SIDs) are not generated correctly. SIDs are crucial for trusts between IdM and Active Directory and for Kerberos authentication to work correctly.
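The ipa user-find lookups above check one ID value at a time. The following script is an added example, not part of the Red Hat documentation or of the ipa CLI itself: it reads the output of a single ipa user-find run (or any text in the same layout) and reports every UID or GID value that is shared by more than one user entry, together with the logins that carry it. The record layout it parses (indented "User login:", "UID:" and "GID:" lines) is assumed from the CLI's usual formatting and should be checked against your server's output; the embedded sample output is constructed for the demonstration and deliberately contains one duplicated UID.

```shell
#!/bin/sh
# Added example: find UID/GID values shared by more than one IdM user entry.
# Input layout ("  User login: ...", "  UID: ...", "  GID: ...") is assumed
# from ipa user-find's usual text output; verify it against your own server.

# Constructed sample output: jsmith and jdoe share UID 1358400005,
# all GIDs are unique.
SAMPLE_OUTPUT='--------------
3 users matched
--------------
  User login: admin
  Last name: Administrator
  UID: 1358400000
  GID: 1358400000
  Account disabled: False

  User login: jsmith
  First name: John
  Last name: Smith
  UID: 1358400005
  GID: 1358400005
  Account disabled: False

  User login: jdoe
  First name: Jane
  Last name: Doe
  UID: 1358400005
  GID: 1358400006
  Account disabled: False
----------------------------
Number of entries returned 3
----------------------------'

# Read ipa user-find output on stdin; print each value of the given
# attribute ("UID" or "GID") that occurs in more than one entry, sorted.
find_duplicate_ids() {
  attr="$1"
  awk -v attr="$attr" '
    BEGIN { key = attr ":" }          # e.g. "UID:"
    $1 == key { count[$2]++ }         # tally each ID value
    END { for (v in count) if (count[v] > 1) print v }
  ' | sort
}

# Read ipa user-find output on stdin; print the logins whose attribute
# ("UID" or "GID") equals the given value, sorted.
logins_with_id() {
  attr="$1"; value="$2"
  awk -v attr="$attr" -v value="$value" '
    BEGIN { key = attr ":" }
    $1 == "User" && $2 == "login:" { login = $3 }   # remember current entry
    $1 == key && $2 == value       { print login }  # entry carries the ID
  ' | sort
}

# Convenience wrapper: run the duplicate check on the constructed sample.
check_sample() {
  printf '%s\n' "$SAMPLE_OUTPUT" | find_duplicate_ids "$1"
}

# Demo on the sample. Against a live server you would run:
#   ipa user-find | find_duplicate_ids UID
for attr in UID GID; do
  dups=$(check_sample "$attr")
  if [ -n "$dups" ]; then
    for d in $dups; do
      echo "Duplicate $attr $d shared by:" \
        $(printf '%s\n' "$SAMPLE_OUTPUT" | logins_with_id "$attr" "$d")
    done
  else
    echo "No duplicate $attr values"
  fi
done
```

Run it as shown on a live server by piping ipa user-find output into find_duplicate_ids; any line it prints is an ID value that needs to be resolved before SIDs are generated for those entries.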
2.3. Activating stage users in the IdM Web UI
Activate a stage user account in the Identity Management (IdM) Web UI to enable the user to log in to IdM and be added to groups. This step is required before the user can authenticate.
Prerequisites
- Administrator privileges for managing the IdM Web UI or User Administrator role.
- At least one staged user account in IdM.
Procedure
- Log in to the IdM Web UI. For details, see Accessing the IdM Web UI in a web browser.
- Go to the Users → Stage users tab.
- Click the checkbox of the user account you want to activate.
- Click the Activate button.
- Click OK on the Confirmation dialog box.
If the activation is successful, the IdM Web UI displays a green confirmation that the user has been activated and the user account has been moved to Active users. The account is active and the user can authenticate to the IdM domain and IdM Web UI. The user is prompted to change their password on the first login.
Additionally, at this stage, you can add the active user account to user groups.
2.4. Disabling user accounts in the Web UI
Disable active user accounts temporarily to prevent authentication while preserving group memberships and account data. Disabled accounts remain in the active users list and can be re-enabled later.
Disabled user accounts still exist within Identity Management (IdM) and all of the associated information remains unchanged. Unlike preserved user accounts, disabled user accounts remain in the active state and can be a member of user groups.
After disabling a user account, any existing connections remain valid until the user’s Kerberos TGT and other tickets expire. After the ticket expires, the user will not be able to renew it.
Prerequisites
- Administrator privileges for managing the IdM Web UI or User Administrator role.
Procedure
- Log in to the IdM Web UI. For details, see Accessing the IdM Web UI in a web browser.
- Go to the Users → Active users tab.
- Click the checkbox of the user accounts you want to disable.
- Click the Disable button.
- Click the OK button on the Confirmation dialog box.
If the accounts are disabled successfully, you can verify this in the Status column in the Active users table.
2.5. Enabling user accounts in the Web UI
Re-enable a disabled user account in the Identity Management (IdM) Web UI to restore authentication capabilities.
Prerequisites
- Administrator privileges for managing the IdM Web UI or User Administrator role.
Procedure
- Log in to the IdM Web UI.
- Go to the Users → Active users tab.
- Click the checkbox of the user accounts you want to enable.
- Click the Enable button.
- Click the OK button on the Confirmation dialog box.
If the change is successful, you can verify this in the Status column in the Active Users table.
2.6. Preserving active users in the IdM Web UI
Preserve user accounts in the IdM Web UI to remove them from active use while retaining account data for potential restoration.
Preserve a user account if an employee leaves the company. If you only need to block an account for a couple of weeks or months (parental leave, for example), disable the account instead. For details, see Disabling user accounts in the Web UI. Preserved accounts are not active and users cannot use them to access your internal network; however, the account stays in the database with all of its data.
You can later move a preserved account back to the active state.
Prerequisites
- Administrator privileges for managing the IdM (Identity Management) Web UI or User Administrator role.
Procedure
- Log in to the IdM Web UI. For details, see Accessing the IdM Web UI in a web browser.
- Go to the Users → Active users tab.
- Click the checkbox of the user accounts you want to preserve.
- Click the Delete button.
- On the Remove users dialog box, click preserve.
- Click the Delete button.
The user account is moved to Preserved users.
Next steps
- If you need to restore preserved users, see Restoring users in the IdM Web UI.
2.7. Restoring users in the IdM Web UI
Restore preserved user accounts in the Identity Management (IdM) Web UI to, for example, re-enable access for returning employees. You can restore preserved users to active or stage status.
Prerequisites
- Administrator privileges for managing the IdM Web UI or User Administrator role.
Procedure
- Log in to the IdM Web UI. For details, see Accessing the IdM Web UI in a web browser.
- Go to the Users → Preserved users tab.
- Click the checkbox of the user accounts you want to restore.
- Click the Restore button.
- On the Confirmation dialog box, click the OK button.
The IdM Web UI displays a green confirmation and moves the user accounts to the Active users tab.
2.8. Deleting users in the IdM Web UI
Permanently delete user accounts from Identity Management (IdM) when the account data is no longer needed. This irreversible operation removes the account, group memberships, and passwords from the IdM database.
You can delete:
- Active users. The IdM Web UI offers you the following options:
  - Preserving users temporarily. For details, see Preserving active users in the IdM Web UI.
  - Deleting users permanently.
- Stage users. You can only delete stage users permanently.
- Preserved users. You can only delete preserved users permanently.
The following procedure describes deleting active users. Similarly, you can delete user accounts on:
- The Stage users tab
- The Preserved users tab
Prerequisites
- Administrator privileges for managing the IdM Web UI or User Administrator role.
Procedure
- Log in to the IdM Web UI. For details, see Accessing the IdM Web UI in a web browser.
- Go to the Users → Active users tab. Alternatively, you can delete the user account in the Users → Stage users or Users → Preserved users tab.
- Click the Delete icon.
- On the Remove users dialog box, click delete.
- Click the Delete button.
The user accounts are permanently deleted from IdM.