Authentication & User Management
This page covers who can sign in to the Tenant Plane (TP), how they sign in, and how admins manage users — invites, deactivation, and first-user setup.
For the full path from marketing signup → provisioned tenant → first login → onboarding wizard, see Subscribe & get access.
Where authentication applies
- Tenant Plane (TP): Where operators and engineers work (incidents, runbooks, dashboards, etc.). This page is about TP authentication and user management.
- Control Plane (CP): Used for tenant provisioning, subscriptions, and org-level admin. CP has its own login (e.g. portal or SSO); see your deployment docs for CP URLs.
Sign-in methods
Users can sign in to the Tenant Plane in these ways:
Email and password
- First user: If no users exist, the first account is usually created via a registration or set password flow (e.g. from an invite link or welcome email). That user typically has admin rights.
- Invited users: An admin invites by email; the user receives a link to set password and then signs in with email + password.
- Forgot password: On the login page, use Forgot password. The user enters their email; they receive a reset link. They set a new password on the reset password page, then sign in with email + password.
SSO (SAML or OIDC)
- If your organization configures SAML or OIDC (e.g. Okta, Azure AD, Google Workspace), users can choose Sign in with SSO on the TP login page.
- They are redirected to the IdP to authenticate; after success, they are redirected back to the Tenant Plane and signed in.
- SSO is configured at the tenant or deployment level (e.g. by an admin in Settings or via control plane). End users only need to click “Sign in with SSO.”
First user and tenant admin
- For a new tenant, the first user is often created when the tenant is provisioned (e.g. via signup or control plane). That user may be prompted to set a password or complete profile.
- The first user is usually treated as the tenant admin: they can manage users, roles, and settings. Subsequent users are typically added via invite or (if SSO is on) by logging in with SSO when their identity is already known to the IdP.
Managing users (admin)
Admins manage users from Settings → Users & access (or equivalent in your deployment).
Invite users
- Open Settings → Users & access (or Users).
- Click Invite user.
- Enter email and optionally name and role.
- Send the invite. The user receives an email with a link to set their password (or to sign in with SSO if enabled).
- After they complete the flow, they appear in the user list and can sign in.
Deactivate users
- To remove access without deleting history, deactivate the user (e.g. toggle Active off or use the Deactivate action).
- Deactivated users cannot sign in; their past actions (e.g. incident assignments, audit logs) remain associated with their account.
- Reactivation is possible if your deployment supports it (e.g. toggle Active back on).
User list
- The user list shows active (and optionally inactive) users, email, name, role, and last login.
- Use it to see who has access and to invite or deactivate users.
Forgot password and reset password
User flow
- On the login page, click Forgot password.
- Enter the email address associated with the account.
- Submit. If the email exists, the user receives a password reset email (rate-limited to avoid abuse).
- They open the link in the email and are taken to the reset password page.
- They enter and confirm a new password and submit.
- They can then sign in with email and the new password.
Security notes
- Reset links are time-limited and single-use. After a successful reset, the link cannot be used again.
- If the email is not in the system, the UI typically does not reveal that (to avoid email enumeration).
Rate limiting
- Login and password reset (and similar sensitive flows) are rate-limited. After too many attempts in a short time, further attempts are temporarily blocked with a clear message.
- Why: Protects your account and the platform from brute-force and abuse.
- If you’re rate-limited: Wait a few minutes and try again. Use Forgot password instead of repeated login attempts if you’ve forgotten your password. See What’s new — rate limiting for more context.
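The reset-link and rate-limiting properties described in the two sections above, as an added Python example (not the product's own code). The `ResetService` class, the 15-minute lifetime, the 3-per-10-minutes limit and the reply strings are assumptions chosen for illustration. The point to notice is that the limiter counts requests for unknown addresses too, so the "too many attempts" message cannot be used to tell which emails exist.

```python
import hashlib
import secrets
import time

RESET_TTL = 15 * 60                 # assumed link lifetime, in seconds
MAX_REQUESTS, WINDOW = 3, 10 * 60   # assumed limit: 3 requests per 10 minutes
GENERIC_REPLY = "If that address has an account, a reset link has been sent."
RATE_LIMITED = "Too many attempts. Wait a few minutes and try again."


class ResetService:
    """Hypothetical in-memory model of the forgot/reset password flow."""

    def __init__(self, known_emails, clock=time.time):
        self.users = set(known_emails)
        self.tokens = {}     # sha256(token) -> (email, expires_at)
        self.requests = {}   # email -> timestamps of recent requests
        self.outbox = []     # (email, token) pairs standing in for sent mail
        self.clock = clock

    def request_reset(self, email):
        now = self.clock()
        recent = [t for t in self.requests.get(email, []) if now - t < WINDOW]
        # Counted per submitted address whether or not it exists, so the
        # rate-limit message does not become an enumeration oracle.
        if len(recent) >= MAX_REQUESTS:
            return RATE_LIMITED
        self.requests[email] = recent + [now]
        if email in self.users:
            token = secrets.token_urlsafe(32)
            # Only the hash is stored; a leaked table yields no usable links.
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[digest] = (email, now + RESET_TTL)
            self.outbox.append((email, token))
        return GENERIC_REPLY   # same text for known and unknown addresses

    def redeem(self, token):
        """Return the account email if the link is valid, else None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self.tokens.pop(digest, None)   # pop makes the link single-use
        if record is None:
            return None
        email, expires_at = record
        return email if self.clock() <= expires_at else None
```
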
Roles and permissions
- Roles (e.g. admin, operator, fulfiller, requester) define what a user can do (modules, portal shortcuts, APIs).
- Invite creates an account via signup link; for least privilege at scale, use SSO group → role mapping or SCIM — see the step-by-step Users, roles & access (the Settings UI today focuses on invite/deactivate; bulk role changes are IdP-driven).
- Portal-only users use /portal as requesters; see Self-service portal.
- Settings overview: Settings, users & RBAC.
Summary
| Topic | Where / How |
|---|---|
| Sign in | TP login page — email/password or SSO |
| First user | Set password or register; becomes tenant admin |
| Invite users | Settings → Users & access → Invite user |
| Deactivate users | Settings → Users & access → user → Deactivate |
| Forgot password | Login page → Forgot password → email link → reset page |
| SSO | Configure at tenant/deployment; users choose “Sign in with SSO” |
See also
- Users, roles & access — Step-by-step: invite, SSO, SCIM, roles
- Self-service portal — Requester catalog and requests
- Workflows (ITSM vs automation) — Separate from user RBAC
- First login to first value — What to do after first sign-in
- Settings, users & RBAC — Settings map; approval gates vs ITSM workflows
- What’s new — Rate limiting, password reset, and other recent enhancements
- Shared SaaS and On-prem — Deployment-specific auth details