7.7. Manage administrators for federated authentication

After you configure and test federated authentication, you must maintain the system as users and roles change. This section covers common operational tasks.

7.7.1. Add a new administrator

To grant administrative access to a new user, you don’t need to make any configuration changes in Nubus.

  1. Create the user account in your upstream IAM, not in Nubus.

  2. Assign the user to groups that correspond to guardian roles, or set the guardian roles in the user attribute that contains them.

  3. When the user signs in to the Management UI for the first time, Nubus creates a federated account object automatically. For more information about the data that Nubus creates for this object, see Data protection.

  4. Verify the user can access the expected management modules.

7.7.2. Update administrative roles

Note

You don’t need to make any configuration changes in Nubus.

To change which administrative tasks a user can perform:

  1. Update the user’s group memberships or role attributes in the upstream IAM.

  2. When the user signs in to the Management UI again, their permissions reflect the new roles.

To revoke administrative access for a user account:

  1. Remove the user from all administrative groups in the upstream IAM, or remove the guardian roles attribute from the user.

  2. When the user signs in to the Management UI again, the user no longer has administrative permissions.

Important

The user can still sign in, but has no administrative permissions.

7.7.3. Prepare emergency access

Federated authentication depends on the availability of your upstream IAM. If your upstream IAM becomes unavailable, you can’t create new administrator accounts in Nubus.

Prepare for upstream IAM outages before you enable federated authentication:

  1. Create a break-glass local administrator account in Nubus.

  2. Store the credentials securely in a password manager or vault.

  3. Keep this account active but don’t use it for normal administration.

  4. If your upstream IAM becomes unavailable, sign in with this break-glass account to restore access.

  5. Rotate the credentials of this account after you restore upstream IAM access.

Warning

A break-glass account is essential for disaster recovery. Without it, you have no access if the upstream IAM is unavailable.