Manage Orchestrator Users

Orchestrator > Orchestrator Server > Users & Authentication > User Management

Use the User Management dialog box to manage who has Read-Write or Read-Only access to Orchestrator.

Add a User

Users can have either Read-Write or Read-Only privileges. These provide prescribed access to Orchestrator menus.

To further limit the what users can see, you can assign them to customized menu groups in Orchestrator > User Menu Access.
Multi-Factor Authentication (MFA) is a recommended option for each Orchestrator user.
A username cannot be more than 512 characters long.

NOTE: You cannot modify a Username. You must delete it and create a new user.

Multi-Factor Authentication

Orchestrators support Multi-Factor Authentication (MFA). This is available on all platforms of the Orchestrator, including on-premise and cloud versions.

The first step in authentication is always username/password. For added security, users can choose between application- or email-based authentication, as described below.

NOTE: Only users whose role is assigned Read-Write privilege for User Management can enable or disable MFA for any user.

Configuring Multi-Factor Authentication Through an Application

Orchestrator supports applications that provide time-based keys for two-factor authentication and are compliant with RFC 4226 / RFC 6238. Google Authenticator is one such app. The example below uses Google Authenticator on a mobile phone. You can also use a desktop version.

To enable MFA through an application:

Navigate to Orchestrator > Orchestrator Server > Users & Authentication > User Management, and then click your username.
In the Two Factor field, select Application. Orchestrator generates a time-limited QR code.
In the Google Authenticator app, use the Scan barcode function to read the QR code. You will be prompted to enter your Orchestrator username and password.

Here you can see Google Authenticator with the new account added for the Orchestrator.

Configuring Multi-Factor Authentication Through Email

To enable MFA through email:

Navigate to Orchestrator > Orchestrator Server > Users & Authentication > User Management, and then click your username.
In the Two Factor field, select Email, and then enter your email address.

If an invalid email address is entered, the account could be locked out and would require password reset procedures.
Click Add. Orchestrator sends a time-limited authentication code to your email address. To verify your email address, click that link.

Orchestrator then opens a browser window telling you that your email address has been verified.

Using Multi-Factor Authentication

After MFA is configured, every login requires two steps: entering the username/password and entering the current token.

Based on the authentication method you choose, do one of the following:

Use the current token from the Google Authenticator (or other) app.
Use the code you receive in email.

In both cases, the codes have a specific expiration time.

Modify User

Orchestrator > Orchestrator Server > Users & Authentication > User Management > Edit > Modify User

You can modify the following user fields:

User Name is the identifier the user uses to log in, and it cannot be more than 512 characters long.
First Name, Last Name, and Phone Number are optional information.
Email is required if two-factor authentication is enabled.
Two-factor Authentication is a second step in the login process that requires an authentication code. The code can be obtained in two ways:
- Using an authentication application that generates time-based authentication codes. If this is activated, Orchestrator generates a barcode that can be scanned to set up an authentication app like Google Authenticator for your mobile device.
- Using your email to receive authentication codes every time you log in. This requires access to your email every time you log in.
Password is used at login.
Status determines whether the user can log in.
Role determines the user’s permissions.