​

User Management in Altostrat SDX

​

User Types: Portal vs. Notification-Only

​

Creating Users

​

1. User Self-Registration

• Individuals can sign up themselves via the Altostrat authentication portal (e.g., https://auth.altostrat.app).
• They must verify their email address to activate their account.
• Once registered, they can either create their own Organization and Team or accept an invitation to join an existing Team.
• See User Registration for the user perspective.

​

2. Admin Creation (UI / API)

• An administrator with the appropriate permissions (user:create scope) can create new users directly within a Team context.
• Via UI: Typically done through the Settings -> Users or Team Settings -> Members section by clicking “Add User” or similar.
• Via API: Use the POST /users endpoint.
• Required Information: When creating via Admin/API, you’ll typically provide:
  • name: User’s full name.
  • email: User’s unique email address.
  • allow_login (Boolean): Set to true for a Portal User, false for a Notification-Only User.
  • timezone: User’s preferred timezone (defaults based on creator’s IP if not provided via API).
  • (Optional) mobile: Phone number details for SMS notifications.
  • (Optional) roles: An array of Role IDs to assign within the current team context.
• Important: When creating a Portal User via API with allow_login: true who doesn’t use SSO, a temporary password will be generated and returned in the API response. This should be securely communicated to the user, who should change it upon first login. Email verification will also be required.

​

Managing Team Membership & Roles (Granting Access)

1. Navigate to Team Members: Go to Settings → Teams, select the relevant Team, and navigate to its Members list.

Selecting the target team from the main Teams list.

Viewing the members list within the selected team's settings.

2. Add or Invite the User:

• Add Existing User: If the user already has an Altostrat account, use the “Add Member” function (requires user:create or similar scope) and search for their email.
• Invite New User: If the user doesn’t have an account or you want them to register first, use the “Invite” function (requires teams:invite-users scope). Enter their email address to send an invitation link. (API: POST /teams/{team}/invites).

Using the 'Add Member' or 'Invite' button within the team members section.

3. Assign Roles: During the add/invite process (or by editing the member later), assign the appropriate Role(s). The selected roles determine the user’s permissions only within this specific team. Refer to Roles & Permissions for details on configuring roles and scopes.

​

Managing User Profiles

1. Locate the User: Find the user in Settings → Users or within a specific Team → Members list. Click on their name or an ‘Edit’ icon.

Navigating to the user list via Settings.

Selecting a user from the list to view/edit details.

2. Edit Details: Modify fields such as:

• Name
• Email Address (requires re-verification)
• Mobile Number (for SMS, requires re-verification)
• Timezone, Locale, Date/Time Formats
• allow_login status (to enable/disable portal access)
• Assigned Roles (within the team context)

Editing various user profile fields, including role assignments.

3. Save Changes: Confirm the updates. (API: PUT /users/{user}).

​

Disabling User Login

1. Edit the user’s profile as described above.
2. Set the allow_login toggle or checkbox to false (disabled).
3. Save the changes. (API: PUT /users/{user})

​

Deleting / Removing Users

• Removing from a Team: This revokes the user’s access to that specific team’s resources and removes their role assignments for that team. They remain an Altostrat user and may belong to other teams.
  • UI: Go to Team Settings → Members, find the user, and select “Remove”.
  • API: DELETE /teams/{team}/members/{user} (Requires teams:remove-users scope).
  • Caution: You typically cannot remove the Team Owner.
• Deleting User Account: This permanently removes the user from the Altostrat SDX system. This is generally less common than removing from a team unless the user should have no access at all.
  • UI: May be available under Settings → Users for users not associated with critical resources.
  • API: DELETE /users/{user} (Requires user:delete scope).
  • Caution: You cannot delete a user who is the sole owner of an Organization or Team that still has members or resources. Ownership must be transferred first.

Locating the user to disable or delete.

Using the 'Remove from Team' or 'Delete User' option.

​

Verification Processes

• Email Verification: Essential for Portal Users to log in. An email with a verification link is sent upon registration or email address change. Admins can trigger a resend via UI or API (GET /users/{user}/verification-notification/email).
• Mobile Verification: Required if a mobile number is added and SMS notifications are desired. Ensures SMS delivery is possible. A verification link is sent via SMS upon adding/changing a number. Admins can trigger a resend via UI or API (GET /users/{user}/verification-notification/mobile). Check Supported SMS Regions.

​

Best Practices

• Keep Team Memberships Accurate: Regularly review who belongs to each team to ensure correct resource access. Remove users who no longer need access to a specific team’s resources.
• Use Roles Effectively: Assign roles based on job function, adhering to the principle of least privilege. Create custom roles for specific needs.
• Audit Regularly: Periodically review all users in your organization, ensuring accounts are still needed and roles are appropriate. Disable or remove inactive/unnecessary accounts.
• Prefer Disabling over Deleting: For users who leave temporarily or just need login access revoked, disabling (allow_login: false) is often preferable to deletion as it preserves history and notification settings.