Users
User management is a central component of OpenVLE.
Here you manage all people who have access to the system — both users with an OIDC / LDAP account and local accounts (e.g., external persons or test users).
Where can I find this section?
Via main menu: Access Control -> Users
Alternatively accessible via: links in Roles or Permissions
Features at a Glance
- View, create, edit, and delete user accounts
- Assign or remove roles
- Grant individual permissions at object or model level
- Lock and unlock user accounts
- View associated connections, VMs, and activities
- Track changes via changelogs
Key Fields at a Glance
| Field name | Description |
|---|---|
| Auth Backend | Authentication method of the user. Can be *internal* (locally managed) or *external* (via an external Identity Provider such as LDAP or OIDC). |
| Email | Primary email address of the user. Used for notifications, system emails, and password resets. |
| Language | Preferred system language of the user. Determines in which language notifications and interface texts are displayed. |
| Name | Full name of the user. Displayed in lists, detail views, and in communications (e.g., in emails). |
| Status | Current state of the user account. Possible values are *active*, *inactive*, *email pending*, or *banned*. |
| Username | Unique login name of the user. Used for authentication and cannot be changed after creation. |
Creating a User
- Open the Access Control -> Users section in the main menu.
- Click Add to create a new user account.
- Enter the desired data (Name, Username, Email, and Status).
If the user is an externally authenticated user (e.g., LDAP or OIDC), the Access option must be set to Yes.
If the user is a locally authenticated user, the Access option must be set to No.
Generally, this setting should be left at "Yes".
- Save the new user.
- Assign roles or individual permissions to the user.
Tip:
Most users are created automatically when they first sign in with their external account.
Externally authenticated users are identified by their username.
Therefore, make sure the username exactly matches the value in the external Identity Provider (IdP).
Fields such as Name and Email address are automatically updated with information from the external IdP when the user signs in.
Externally authenticated users cannot be edited after creation.
Only the Status (active/inactive) can be changed, and the user can be deleted.
The username cannot be changed after creation.
Activating or Deactivating a User
- Open the Access Control -> Users section in the main menu.
- Search for the desired user in the list and open their profile.
- In the user's action bar, you will see either a yellow "Ban" button (to lock) or a yellow "Unban" button (to unlock).
- Click the respective button to lock or unlock the user's access.
After locking, the user is immediately unable to perform any actions within OpenVLE, even if they are currently logged in and have an active session.
Access to Apache Guacamole is currently not automatically locked.
This functionality will be delivered in a future version.
Resetting a User's Password (Local Accounts Only)
- Open the Access Control -> Users section in the main menu.
- Search for the desired user in the list and open their profile.
- Click the yellow "Set Password" button in the action bar.
- Enter the new password twice.
- Save the changes.
Current sessions of the user remain unaffected — the user is not automatically logged out.
Resetting the password is only possible for locally authenticated users.
For external authentication methods (e.g., LDAP or SSO), the password cannot be changed.
Editing a User (Local Accounts Only)
- Open the Access Control -> Users section in the main menu.
- Search for the desired user in the list.
- Click Edit, or open the user's context menu and select Edit.
- The form displays all current user data.
- Adjust the desired fields — for example, Name or Email.
- Save the changes.
Only locally authenticated users can be edited.
For externally authenticated users (e.g., LDAP or SSO), only the Status can be changed, and the user can be deleted.
Deleting a User
- Open the Access Control -> Users section in the main menu.
- Search for the desired user in the list.
- Click Delete, or open the user's context menu and select Delete.
- An extended deletion dialog appears, showing all linked objects that will also be deleted (if applicable).
- Confirm the deletion in the displayed dialog.
- The user will then be permanently removed.
This action cannot be undone.
If the user should only temporarily lose access, it is recommended to lock the user instead of deleting them.
Example or Use Case
An administrator wants to create a temporary user for internal testing. They open the Users section, click Add, and create a local account. Afterward, they assign the Tester role to the user, which grants access to selected virtual machines.
Notes / Special Considerations
- Users with external accounts are automatically created upon their first login.
- Local users must be created manually.
- A user can have multiple roles — their permissions are combined.
- Individually assigned permissions supplement the rights from roles.
- Locked users remain visible in the system but can no longer log in.
Relationships to Other Objects
Many objects in OpenVLE are related to other elements within the system. The following overview shows which relationships exist and whether they trigger certain automations.
| Object | Description | Automatic behavior |
|---|---|---|
| Activities | A user can be assigned any number of activities. | No automations. |
| Changelogs | All changes to the object are automatically logged. | Automatic removal when the object is deleted. |
| Connections | A user can be assigned any number of connections. | No automations. |
| Emails | A user can be assigned any number of sent emails. | No automations. |
| Events | A user can be assigned to any number of events. | No automations. |
| Permissions | Object-specific permissions can be assigned directly to the object. | Automatic removal when the object is deleted. |
| Roles | A user can be assigned any number of roles. | No automations. |
| Tags | Objects can be tagged with any number of tags to categorize or filter them. | Automatic removal when the object is deleted. |
Required Permissions
The permissions required for actions can be assigned via roles or individually. If you lack certain rights, the corresponding functions in the user interface are hidden or disabled.
| Action | Required permission | Path | Additional information |
|---|---|---|---|
| View users | users_read | / or /<objectID> | |
| Create users | users_create | / | |
| Edit users | users_update | / or /<objectID> | |
| Delete users | users_delete | / or /<objectID> | |
| View roles | roles_read | / | |
| View permissions | permissions_read | / | |
| Assign permissions | objectpermissions_create | / | |
| Remove permissions | objectpermissions_delete | / | |
Example:
/4a3bc312-d1af-4b3f-b222-f5e9cecbf007 – This gives the user access to this single object only.
If the path / is used, the permission applies globally to all objects of this type.
For *_create permissions, only the global path / is allowed.
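The path rules above, together with the note that role permissions and individual permissions are combined, modelled in Python as an added example (not OpenVLE's own code). The class and function names, the UUID format of object IDs, the contents of the Tester role, and the denial of every non-active status are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Assumption: object IDs are UUIDs, as in the page's example path.
OBJECT_PATH = re.compile(r"/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")

@dataclass(frozen=True)
class Grant:
    permission: str  # e.g. "users_read"
    path: str        # "/" (global) or "/<objectID>"

@dataclass
class User:
    username: str
    status: str = "active"
    roles: dict = field(default_factory=dict)       # role name -> list of Grant
    individual: list = field(default_factory=list)  # directly assigned Grants

def validate_grant(grant):
    """Return None for a well-formed grant, otherwise the reason it is rejected."""
    if grant.path == "/":
        return None
    if not OBJECT_PATH.fullmatch(grant.path):
        return "path must be / or /<objectID>"
    if grant.permission.endswith("_create"):
        return "*_create permissions only allow the global path /"
    return None

def effective_grants(user):
    """Union of all role grants and individual grants, dropping malformed ones."""
    grants = set(user.individual)
    for role_grants in user.roles.values():
        grants.update(role_grants)
    return {g for g in grants if validate_grant(g) is None}

def is_allowed(user, permission, object_id=None):
    """Check one action; object_id=None means an action on the whole object type."""
    if user.status != "active":  # assumption: every non-active status is denied
        return False
    paths = {"/"} if object_id is None else {"/", "/" + object_id}
    return any(g.permission == permission and g.path in paths
               for g in effective_grants(user))

# Constructed sample data: a local test account; the role contents are made up.
OBJ = "4a3bc312-d1af-4b3f-b222-f5e9cecbf007"
tester = User("test01",
              roles={"Tester": [Grant("users_read", "/" + OBJ)]},
              individual=[Grant("roles_read", "/"), Grant("users_create", "/" + OBJ)])
```

With this data, `is_allowed(tester, "users_read", OBJ)` is true while the same check for any other object ID is false, and the object-scoped `users_create` grant is discarded as invalid.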