User Management in Altostrat SDX

Altostrat SDX manages access control through Users, Teams, and Roles. A user account represents an individual who can interact with the platform or receive notifications. Access to resources (like sites or billing information) is determined by a user’s membership in a Team and the Roles assigned to them within that team.

User Types: Portal vs. Notification-Only

Altostrat supports two primary user distinctions based on their ability to log in:

| Characteristic | Portal User (allow_login: true) | Notification-Only User (allow_login: false) |
| --- | --- | --- |
| Can Log In? | ✅ Yes | ❌ No |
| Receives Notifications? | ✅ Yes | ✅ Yes |
| Can Own Resources? | ✅ Yes (via Team Membership) | ❌ No |
| Requires Email Verification? | ✅ Yes (for login) | ❌ No |
| Typical Use Case | Admins, Operators, Team Members | Stakeholders, Alert Recipients |

Essentially, the ability to log in (allow_login flag) is the key differentiator. Notification-Only users are primarily recipients for alerts and reports without needing dashboard access.

Creating Users

Users can be added to Altostrat SDX in two main ways:

1. User Self-Registration

  • Individuals can sign up themselves via the Altostrat authentication portal (e.g., https://auth.altostrat.app).
  • They must verify their email address to activate their account.
  • Once registered, they can either create their own Organization and Team or accept an invitation to join an existing Team.
  • See User Registration for the user perspective.

2. Admin Creation (UI / API)

  • An administrator with the appropriate permissions (user:create scope) can create new users directly within a Team context.
  • Via UI: Typically done through the Settings → Users or Team Settings → Members section by clicking “Add User” or similar.
  • Via API: Use the POST /users endpoint.
  • Required Information: When creating via Admin/API, you’ll typically provide:
    • name: User’s full name.
    • email: User’s unique email address.
    • allow_login (Boolean): Set to true for a Portal User, false for a Notification-Only User.
    • timezone: User’s preferred timezone (defaults based on creator’s IP if not provided via API).
    • (Optional) mobile: Phone number details for SMS notifications.
    • (Optional) roles: An array of Role IDs to assign within the current team context.
  • Important: When you create a Portal User via API with allow_login: true and the user doesn’t use SSO, a temporary password is generated and returned in the API response. Communicate it to the user securely; the user should change it upon first login. Email verification is also required.
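The following is an added example, not Altostrat's own code: it builds the POST /users body from the fields listed above and separates the temporary password from the response before anything is logged. The function names, the sample response, and its key name are assumptions; the page does not name the field that carries the password.

```python
import re

# Added example: field names come from the list above; function names,
# sample values and the response shape are constructed for illustration.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def build_create_user_payload(name, email, allow_login, timezone, roles=()):
    """Validate and build the JSON body for POST /users."""
    if not name.strip():
        raise ValueError("name is required")
    if not EMAIL_RE.match(email):
        raise ValueError(f"invalid email: {email!r}")
    # Reject truthy strings such as "false": login access must be an explicit boolean.
    if not isinstance(allow_login, bool):
        raise TypeError("allow_login must be True or False")
    # Sent explicitly so a script host's IP does not decide the user's timezone.
    if not timezone:
        raise ValueError("timezone is required when creating users from scripts")
    payload = {"name": name.strip(), "email": email,
               "allow_login": allow_login, "timezone": timezone}
    if roles:
        payload["roles"] = sorted(set(roles))  # de-duplicated Role IDs
    return payload

def split_secrets(response):
    """Return (log_safe_copy, secrets) for a create-user response.

    Any string value under a key containing 'password' is treated as secret,
    because the real field name is not documented on this page.
    """
    secrets = {}

    def walk(node, path):
        if isinstance(node, dict):
            out = {}
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if "password" in key.lower() and isinstance(value, str):
                    secrets[here] = value
                    out[key] = "[REDACTED]"
                else:
                    out[key] = walk(value, here)
            return out
        if isinstance(node, list):
            return [walk(v, f"{path}[{i}]") for i, v in enumerate(node)]
        return node

    return walk(response, ""), secrets

# Constructed response; the key name is invented for the demonstration.
SAMPLE_RESPONSE = {"data": {"id": "u-1", "temporary_password": "constructed-not-real"}}
```

Log only the first return value of split_secrets; hand the second to whatever secure channel delivers the password to the user.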

Managing Team Membership & Roles (Granting Access)

Access to resources like sites, billing, or VPNs is controlled by Team membership and the Roles assigned within that team. To grant a user access:

  1. Navigate to Team Members: Go to Settings → Teams, select the relevant Team, and navigate to its Members list.

Selecting the target team from the main Teams list.

Viewing the members list within the selected team's settings.

  2. Add or Invite the User:
  • Add Existing User: If the user already has an Altostrat account, use the “Add Member” function (requires user:create or similar scope) and search for their email.
  • Invite New User: If the user doesn’t have an account or you want them to register first, use the “Invite” function (requires teams:invite-users scope). Enter their email address to send an invitation link. (API: POST /teams/{team}/invites).

Using the 'Add Member' or 'Invite' button within the team members section.

  3. Assign Roles: During the add/invite process (or by editing the member later), assign the appropriate Role(s). The selected roles determine the user’s permissions only within this specific team. Refer to Roles & Permissions for details on configuring roles and scopes.

If adding an existing user and they don’t appear in the search, ensure they have verified their email address after registration.

Managing User Profiles

Users can manage some of their own profile details. Administrators with user:update scope can modify details for other users within their teams.

  1. Locate the User: Find the user in Settings → Users or within a specific Team → Members list. Click on their name or an ‘Edit’ icon.

Navigating to the user list via Settings.

Selecting a user from the list to view/edit details.

  2. Edit Details: Modify fields such as:
  • Name
  • Email Address (requires re-verification)
  • Mobile Number (for SMS, requires re-verification)
  • Timezone, Locale, Date/Time Formats
  • allow_login status (to enable/disable portal access)
  • Assigned Roles (within the team context)

Editing various user profile fields, including role assignments.

  3. Save Changes: Confirm the updates. (API: PUT /users/{user}).

Disabling User Login

To prevent a Portal User from logging in while retaining their account for notifications or historical reference:

  1. Edit the user’s profile as described above.
  2. Set the allow_login toggle or checkbox to false (disabled).
  3. Save the changes. (API: PUT /users/{user})

The user will no longer be able to log in via password or SSO, but their team associations and notification settings remain.

Deleting / Removing Users

Removing a user has different implications:

  • Removing from a Team: This revokes the user’s access to that specific team’s resources and removes their role assignments for that team. They remain an Altostrat user and may belong to other teams.

    • UI: Go to Team Settings → Members, find the user, and select “Remove”.
    • API: DELETE /teams/{team}/members/{user} (Requires teams:remove-users scope).
    • Caution: You typically cannot remove the Team Owner.
  • Deleting User Account: This permanently removes the user from the Altostrat SDX system. This is generally less common than removing from a team unless the user should have no access at all.

    • UI: May be available under Settings → Users for users not associated with critical resources.
    • API: DELETE /users/{user} (Requires user:delete scope).
    • Caution: You cannot delete a user who is the sole owner of an Organization or Team that still has members or resources. Ownership must be transferred first.

Locating the user to disable or delete.

Using the 'Remove from Team' or 'Delete User' option.
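As an added example (not Altostrat's own code), the planner below turns the three options above (disabling login, removing from a team, deleting the account) into the API calls and scopes this page names, and withholds calls that the ownership cautions would block. The team records and their field names are constructed sample data, and a PUT body carrying only allow_login is an assumption.

```python
# Added example: endpoint paths and scope names are from this page; the
# input records ("owner", "members", "resources") are constructed.

def plan_offboarding(user_id, teams, mode):
    """Return (requests, blockers) for mode 'disable', 'remove' or 'delete'.

    requests: list of (method, path, body, required_scope) tuples.
    blockers: reasons a call was withheld and must be resolved first.
    """
    requests, blockers = [], []
    if mode == "disable":
        # Blocks password and SSO login; team links and notifications stay.
        # Assumption: PUT accepts a body with only the changed field.
        requests.append(("PUT", f"/users/{user_id}",
                         {"allow_login": False}, "user:update"))
        return requests, blockers
    if mode not in ("remove", "delete"):
        raise ValueError(f"unknown mode: {mode}")

    for team in teams:
        if user_id not in team["members"]:
            continue
        if team["owner"] == user_id:
            others = [m for m in team["members"] if m != user_id]
            if mode == "remove":
                blockers.append(f"{team['id']}: team owner cannot be removed")
            elif others or team["resources"]:
                blockers.append(f"{team['id']}: transfer ownership before deleting")
            continue
        if mode == "remove":
            requests.append(("DELETE", f"/teams/{team['id']}/members/{user_id}",
                             None, "teams:remove-users"))

    # Deletion is permanent, so it is planned only when nothing blocks it.
    if mode == "delete" and not blockers:
        requests.append(("DELETE", f"/users/{user_id}", None, "user:delete"))
    return requests, blockers

# Constructed sample data: u-alice owns one team and is a member of another.
TEAMS = [
    {"id": "team-noc", "owner": "u-alice",
     "members": ["u-alice", "u-bob"], "resources": 3},
    {"id": "team-billing", "owner": "u-carol",
     "members": ["u-carol", "u-alice"], "resources": 0},
]
```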

Verification Processes

Best Practices

  • Keep Team Memberships Accurate: Regularly review who belongs to each team to ensure correct resource access. Remove users who no longer need access to a specific team’s resources.
  • Use Roles Effectively: Assign roles based on job function, adhering to the principle of least privilege. Create custom roles for specific needs.
  • Audit Regularly: Periodically review all users in your organization, ensuring accounts are still needed and roles are appropriate. Disable or remove inactive/unnecessary accounts.
  • Prefer Disabling over Deleting: For users who leave temporarily or just need login access revoked, disabling (allow_login: false) is often preferable to deletion as it preserves history and notification settings.

By effectively managing users, teams, and roles, you maintain a secure and organized Altostrat SDX environment.