Overview

You can use the symflow CLI to manage your organization's Users, and their associations with various Services.

🚧
This is advanced
Sym has broad support for automation when managing user identity. The most common times you might find yourself managing identities manually via CLI are:

Using set-role to create or remove admins

Individual edge cases

If you need to delete/reset/overwrite an existing identity.

Each User is represented as:

A primary login email address for Sym
A Role (admin or null)
An Identity tuple of [service_type]:[external_id] for each configured Service

Users can be managed individually, or in bulk via a single file, which is accessible via the update command, described below.

📘
Don't forget the help command!
When in doubt, -h or --help will tell you everything you need to know.

Commands

Command	What it does	Example
`create`	Creates a single User record and starts a creation wizard for each selected Service.	`symflow users create [email protected]` (see below for Options)
`list`	Displays all current Sym Users.	`symflow users list`
`list-identities`	Displays all current Sym Users' Service Identities.	`symflow users list-identities`
`update`	Opens the Sym Users CSV in your system's default editor.	`symflow users update`
`update-identity`	Updates a single Sym User.	`symflow users update-identity [email protected]`
`delete`	Deletes a User record based on a single Service association.	`symflow users delete slack —user-id U123456`
`delete-identity`	Deletes a single Service Identity for a User without removing the full User record.	`symflow users delete-identity [email protected]` (see below for Options)
`set-role`	Sets the Role for a User.	`symflow users set-role [email protected] --role admin`

Usage details

`create`

The create command will create a User for the provided email address.

Option	What it does	Example value(s)
`-s`	Picks the Service Types for which the `symflow` CLI will launch a `user_id` configuration wizard.	`-s aws_sso` `-s slack`

Note: For each Service Type provided as an option, the symflow CLI will prompt for a user_id for each matching Service.

For example, if you have three Services with a Service Type of aws_sso, and you run the following command:

symflow users create [email protected] -i aws_sso

symflow CLI will prompt for user_ids for all three Service instances.

`list`

The list command will list all Users in your organization. This provides a quick overview of your organization and who the admins are. See this guide for more detailed information about Roles: User Rules.

$ symflow users list
Email           Role    Created At                      
----------      ------  ----------------------- 
[email protected]     admin   2020-10-12 14:21:12 EDT
[email protected]             2021-06-21 17:20:08 EDT
[email protected]  admin   2021-07-08 09:01:34 EDT

`list-identities`

When listing users, you will see one column per configured service_type, with a User's IDs populated only for the systems where they've been given access via the update command.

$ symflow users list-identities
User ID     sym:cloud       aws_iam:1234567890                  slack:T23456789       
----------  --------------  ----------------------------------  ---------------
abcd-1234   [email protected]    arn:aws:iam:[service_id]:user/beth  ABCDEFGH    
abcd-1234   [email protected]     arn:aws:iam:[service_id]:user/ari   ABCDEFGH     
abcd-1234   [email protected]                                       ABCDEFGH

`update`

The symflow users update command is your one-stop-shop for editing your User database, which will be launched as a CSV in your system's default editor of choice.

Order of rows does not matter -- for ease, new Users should be entered at the top of the file.

Note: when adding Users, simply leave a , in place of the User ID column, and Sym will provision a unique ID on the backend.

Options

Option	What it does	Example value(s)
`--input-file` `-i`	Writes the contents of a local file onto the Sym Users table. Note: this is a full replacement and will overwrite whatever is currently in your Users list (think PUT vs. PATCH).	`-i users.csv`

🚧
Measure twice, cut once.
We strongly recommend backing up your User list in a separate text file before making any substantial edits. While this method enables you to take bulk actions much faster than a UI, it also means that you need to be careful about things like ,s for empty columns.

`update-identity`

This command is useful for updating a single identity for a single User without operating on a CSV. In basic usage, the command takes a User's primary identity as an input, which triggers a wizard that will help you update a single identity. Alternatively, you can specify the use

Options

Option	What it does	Example value(s)
`--service-type`	Specifies the Service Type that will be used to match the User's Identity.	`aws_sso` `slack`
`--external-id`	Indicates the specific Service Identity that will be removed from the User's record (e.g. which Slack organization).	`T123456`
`--new-value`	The new value for the User Identity in the specified service.	`U123456`

`delete`

The most common way to delete whole Users is to use symflow users update, but sometimes you want to remove a single User without the overhead of editing your file.

In that case, you can use symflow users delete, and then add the service-type and user-id for that one User's presence in that Service, and we'll handle the rest under the hood.

If you don't provide the --force boolean flag, you will be prompted to re-confirm as this is a destructive action.

Options

Option	What it does	Example value(s)
`--output-file` `-o`	Writes the Users table to a local file.	`users.csv`
`--force`	Bypasses the y/n prompt and force deletes the user.

`delete-identity`

This command is the fastest way to remove a single Service Type for a User without destroying the full User record. If you don't provide the --service-type or --external-id flags, you will be prompted for one or both. If you don't provide the --force boolean flag, you will be prompted to re-confirm as this is a destructive action.

Options

Option	What it does	Example value(s)
`--service-type`	Specifies the Service Type that will be used to match the User's Identity.	`aws_sso` `slack`
`--external-id`	Indicates the specific Service Identity that will be removed from the User's record (e.g. which Slack organization).	`T123456`
`--force`	Bypasses the confirmation prompt and force deletes the identity.

`set-role`

Use this command to set a User's Role. The options are guest, member, and admin. For more information on each Role, see User Roles. The User's email must be specified, and the role provided as an option.

Note: only Users with a Role of admin can use this command.

Options

Option	What it does	Example value(s)
`--role`	Chooses the new `role` for the specified User.	`guest` `member` `admin`