Manage Users
Overview
You can use the symflow CLI to manage your organization's Users and their associations with various Services.
This is advanced
Sym has broad support for automation when managing user identity. The most common times you might find yourself managing identities manually via CLI are:
- Using set-role to create or remove admins
- Individual edge cases
- If you need to delete/reset/overwrite an existing identity.
Each User is represented as:
- A primary login email address for Sym
- A Role (admin or null)
- An Identity tuple of [service_type]:[external_id] for each configured Service
Users can be managed individually, or in bulk via a single file, which is accessible via the update command, described below.
Don't forget the help command!
When in doubt, -h or --help will tell you everything you need to know.
Commands
Command | What it does | Example |
---|---|---|
create | Creates a single User record and starts a creation wizard for each selected Service. | symflow users create [email protected] (see below for Options) |
list | Displays all current Sym Users. | symflow users list |
list-identities | Displays all current Sym Users' Service Identities. | symflow users list-identities |
update | Opens the Sym Users CSV in your system's default editor. | symflow users update |
update-identity | Updates a single Sym User. | symflow users update-identity [email protected] |
delete | Deletes a User record based on a single Service association. | symflow users delete slack --user-id U123456 |
delete-identity | Deletes a single Service Identity for a User without removing the full User record. | symflow users delete-identity [email protected] (see below for Options) |
set-role | Sets the Role for a User. | symflow users set-role [email protected] --role admin |
Usage details
create
The create command will create a User for the provided email address.
Option | What it does | Example value(s) |
---|---|---|
-s | Picks the Service Types for which the symflow CLI will launch a user_id configuration wizard. | -s aws_sso -s slack |
Note: For each Service Type provided as an option, the symflow CLI will prompt for a user_id for each matching Service.
For example, if you have three Services with a Service Type of aws_sso, and you run the following command:
symflow users create [email protected] -i aws_sso
the symflow CLI will prompt for user_ids for all three Service instances.
list
The list command will list all Users in your organization. This provides a quick overview of your organization and who the admins are. See this guide for more detailed information about Roles: User Roles.
$ symflow users list
Email Role Created At
---------- ------ -----------------------
[email protected] admin 2020-10-12 14:21:12 EDT
[email protected] 2021-06-21 17:20:08 EDT
[email protected] admin 2021-07-08 09:01:34 EDT
list-identities
When listing users, you will see one column per configured service_type, with a User's IDs populated only for the systems where they've been given access via the update command.
$ symflow users list-identities
User ID sym:cloud aws_iam:1234567890 slack:T23456789
---------- -------------- ---------------------------------- ---------------
abcd-1234 [email protected] arn:aws:iam:[service_id]:user/beth ABCDEFGH
abcd-1234 [email protected] arn:aws:iam:[service_id]:user/ari ABCDEFGH
abcd-1234 [email protected] ABCDEFGH
update
The symflow users update command is your one-stop shop for editing your User database, which will be launched as a CSV in your system's default editor of choice.
Order of rows does not matter; for ease, new Users should be entered at the top of the file.
Note: when adding Users, simply leave a , in place of the User ID column, and Sym will provision a unique ID on the backend.
Options
Option | What it does | Example value(s) |
---|---|---|
--input-file -i | Writes the contents of a local file onto the Sym Users table. Note: this is a full replacement and will overwrite whatever is currently in your Users list (think PUT vs. PATCH). | -i users.csv |
Measure twice, cut once.
We strongly recommend backing up your User list in a separate text file before making any substantial edits. While this method enables you to take bulk actions much faster than a UI, it also means that you need to be careful about things like the ,s for empty columns.
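A pre-flight check for the full-replacement behaviour described above, as an added example that is not part of the Sym documentation or the symflow CLI: it compares a backup of the Users CSV with an edited copy and reports rows with the wrong number of columns, Users that would be dropped, and identities that would change. The column layout, the sample values, and the names load_users and preflight are assumptions.

```python
import csv
import io

# Constructed sample data; column layout assumed from the list-identities output.
BACKUP = """\
User ID,sym:cloud,aws_iam:1234567890,slack:T23456789
u-0001,beth@example.com,arn:aws:iam::1234567890:user/beth,UAAAA0001
u-0002,ari@example.com,arn:aws:iam::1234567890:user/ari,UAAAA0002
"""
EDITED = """\
User ID,sym:cloud,aws_iam:1234567890,slack:T23456789
,dee@example.com,,UAAAA0004
,eli@example.com,UAAAA0005
u-0001,beth@example.com,arn:aws:iam::1234567890:user/beth,UBBBB9999
"""

def load_users(text):
    """Return (header, well-formed rows as dicts, line numbers of malformed rows)."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    rows, malformed = [], []
    for row in reader:
        if len(row) == len(header):
            rows.append(dict(zip(header, row)))
        elif row:  # blank lines are ignored; anything else has a column-count error
            malformed.append(reader.line_num)  # e.g. a missing "," for an empty column
    return header, rows, malformed

def preflight(backup_text, edited_text, id_col="User ID"):
    """Report what a full-replacement upload of edited_text would change."""
    b_header, b_rows, _ = load_users(backup_text)
    e_header, e_rows, malformed = load_users(edited_text)
    before = {r[id_col]: r for r in b_rows}
    after = {r[id_col]: r for r in e_rows if r.get(id_col)}
    changed = {}
    for uid in sorted(before.keys() & after.keys()):
        diff = {c: (before[uid][c], after[uid].get(c)) for c in b_header
                if before[uid][c] != after[uid].get(c)}
        if diff:
            changed[uid] = diff
    dropped = sorted(before.keys() - after.keys())  # absent rows are deleted on replace
    return {
        "header_changed": b_header != e_header,
        "malformed_lines": malformed,
        "new_users": sum(1 for r in e_rows if not r.get(id_col)),  # blank ID: Sym assigns one
        "dropped": dropped,
        "changed": changed,
        "safe": b_header == e_header and not malformed and not dropped,
    }
```

Review the "changed" and "new_users" entries by hand even when "safe" is true, since an intended edit and a mistaken one look the same to this check.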
update-identity
This command is useful for updating a single identity for a single User without operating on a CSV. In basic usage, the command takes a User's primary identity as an input, which triggers a wizard that will help you update a single identity. Alternatively, you can specify the use
Options
Option | What it does | Example value(s) |
---|---|---|
--service-type | Specifies the Service Type that will be used to match the User's Identity. | aws_sso slack |
--external-id | Indicates the specific Service Identity that will be removed from the User's record (e.g. which Slack organization). | T123456 |
--new-value | The new value for the User Identity in the specified service. | U123456 |
delete
The most common way to delete whole Users is to use symflow users update, but sometimes you want to remove a single User without the overhead of editing your file.
In that case, you can use symflow users delete, and then add the service-type and user-id for that one User's presence in that Service, and we'll handle the rest under the hood.
If you don't provide the --force boolean flag, you will be prompted to re-confirm as this is a destructive action.
Options
Option | What it does | Example value(s) |
---|---|---|
--output-file -o | Writes the Users table to a local file. | users.csv |
--force | Bypasses the y/n prompt and force deletes the user. |
delete-identity
This command is the fastest way to remove a single Service Type for a User without destroying the full User record. If you don't provide the --service-type or --external-id flags, you will be prompted for one or both. If you don't provide the --force boolean flag, you will be prompted to re-confirm as this is a destructive action.
Options
Option | What it does | Example value(s) |
---|---|---|
--service-type | Specifies the Service Type that will be used to match the User's Identity. | aws_sso slack |
--external-id | Indicates the specific Service Identity that will be removed from the User's record (e.g. which Slack organization). | T123456 |
--force | Bypasses the confirmation prompt and force deletes the identity. |
set-role
Use this command to set a User's Role. The options are guest, member, and admin. For more information on each Role, see User Roles. The User's email must be specified, and the role provided as an option.
Note: only Users with a Role of admin can use this command.
Options
Option | What it does | Example value(s) |
---|---|---|
--role | Chooses the new role for the specified User. | guest member admin |