Manage Users and Groups
The Directory is the heart of your identity ecosystem. It allows you to organize your workforce into logical units, manage individual access lifecycles, and ensure that every user has the exact level of access they need to be productive.
Global Directory Access
While the Directory provides a unified view of your organization, access to these settings is a high-level privilege.
To protect organizational data and maintain a secure "Source of Truth," the Directory section is accessible only to Global Administrators. Standard users are restricted from viewing the directory to ensure privacy and cross-tenant security.
Create and organize Groups
In the GlobalAI ecosystem, Groups are the primary mechanism for access control. When setting up the platform, your first task is to define these groups; users must then be associated with them to receive permissions within the workspace.
Create the Group container
- Navigate to Directory > Groups.
- Select New Group.
- Name: Enter a unique identifier (for example, DevOps_Admins).
- Confirm the group creation.
Superuser privileges: Toggle this to Yes only if the group needs full administrative access to manage the Identity system itself.
Associate Users to the Group
Once the group exists, you can add members to activate their platform access:
- In the Groups list, click on the Name of the group (for example, authentik Admins).
- Select the Users tab from the top horizontal menu.
- Click the Add existing user button.
- Search for the identities you wish to include and confirm the association.
We only use Groups. While you may see a "Roles" tab within a User's profile in this interface, it does not reflect platform access and should be ignored. All functional permissions and access levels within the GlobalAI platform are derived solely from a user's Group memberships.
User account management
As a Global Admin, you can select any user from Directory > Users to access their Overview tab and perform critical administrative tasks.
Direct Actions
The Actions panel provides immediate control over the user's status:
- Edit: Update user details such as name, email, or profile attributes.
- Deactivate: Temporarily prevent a user from logging in. Their data and group memberships remain intact, but they can't access any platform flows.
- Impersonate: View the platform exactly as this user does to troubleshoot permission or dashboard issues.
You must provide a Reason for the session, which is permanently recorded in the Audit Logs for compliance.
Recovery measures
If a user is locked out or has forgotten their credentials, use the Recovery panel:
- Set password: Manually overwrite the user's password.
- Create Recovery Link: Generate a one-time link to send to the user manually.
- Email recovery link: Trigger a system-generated secure reset link to the user's registered email.
Generate API tokens and app passwords
For programmatic access or service accounts, you can generate static credentials.
- Navigate to Directory > Tokens and App passwords.
- Select Create.
- In the Create Token window, configure the following:
  - Identifier: A unique name for the token.
  - User: Select the account the token belongs to.
  - Intent: Choose between an API Token for programmatic use or an App password for flow executors.
  - Expiring: Toggle to set a lifetime or leave unchecked for a permanent token.
- Select Create.
- Secure the Token: Copy the token immediately. For security, it will never be displayed again.
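A review check to run over the resulting token inventory, as an added example that is not part of the platform or its documentation: it flags permanent or long-lived tokens, tokens whose owner is deactivated or unknown, and tokens owned by members of a Superuser group. The record layout, user and token names, and the 90-day threshold are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory. The record layout is an assumption modeled on
# the Create Token form and the Group/User settings, not a platform export.
GROUPS = {
    "DevOps_Admins": {"superuser": True, "members": {"alice", "svc-deploy"}},
    "Analysts": {"superuser": False, "members": {"bob", "carol", "svc-report"}},
}
# user name -> active flag (False = deactivated, memberships left intact)
USERS = {"alice": True, "bob": False, "carol": True,
         "svc-deploy": True, "svc-report": True}
TOKENS = [
    {"identifier": "ci-deploy", "user": "svc-deploy", "intent": "api",
     "expiring": False, "expires": None},
    {"identifier": "bob-cli", "user": "bob", "intent": "api",
     "expiring": True, "expires": "2025-02-01T00:00:00+00:00"},
    {"identifier": "report-job", "user": "svc-report", "intent": "app_password",
     "expiring": True, "expires": "2027-01-01T00:00:00+00:00"},
    {"identifier": "carol-cli", "user": "carol", "intent": "api",
     "expiring": True, "expires": "2025-01-15T00:00:00+00:00"},
]


def audit_tokens(tokens, users, groups, now, max_lifetime=timedelta(days=90)):
    """Return {token identifier: [findings]} for tokens that need review."""
    # Everyone who inherits full administrative access through a group.
    superusers = set()
    for group in groups.values():
        if group["superuser"]:
            superusers |= group["members"]
    report = {}
    for tok in tokens:
        findings = []
        if not tok["expiring"]:
            findings.append("permanent")
        elif datetime.fromisoformat(tok["expires"]) - now > max_lifetime:
            findings.append("long-lived")
        if not users.get(tok["user"], False):
            findings.append("owner-inactive-or-unknown")
        if tok["user"] in superusers:
            findings.append("superuser-owner")
        if findings:
            report[tok["identifier"]] = findings
    return report


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed for a repeatable run
    for ident, findings in audit_tokens(TOKENS, USERS, GROUPS, now).items():
        print(f"{ident}: {', '.join(findings)}")
```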
Related articles
With your groups defined and users associated, you can now move forward with connecting your external systems and securing your deployment.
Manage External Providers
Connect your Group-based permissions to enterprise SSO systems like Okta, Entra ID, or Active Directory.
Customize Auth Flows
Define the sequence of stages, such as MFA or CAPTCHA, that users must complete to log in.
Secure the Platform
Configure global reputation policies and event retention to protect your organization from brute-force attacks.