* draft rbac docs * tweaks * add a permissions topic * tweaks * more changes * draft permissions topic * more content on roles * links * typo * more conceptual info * Optimised images with calibre/image-actions * more content on roles * add more x-ref links * fix links * more content * links * typos * polishing * Update website/docs/user-group-role/access-control/permissions.md Co-authored-by: Jens L. <jens@goauthentik.io> Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com> * separwate conceptual vs procedural in permissions * finished groups procedurals * new page * added link * Update website/docs/user-group-role/access-control/permissions.md Co-authored-by: Jens L. <jens@goauthentik.io> Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com> * polish * edits from PR review * restructured view section to remove repetition * rest of edits from PR review * polished flows and stages * polish * typo --------- Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com> Co-authored-by: Tana Berry <tana@goauthentik.io> Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com> Co-authored-by: Jens L. <jens@goauthentik.io>
3.2 KiB
title |
---|
User properties and attributes |
Object properties
The User object has the following properties:
-
username
: User's username. -
email
User's email. -
uid
User's unique ID -
name
User's display name. -
is_staff
Boolean field if user is staff. -
is_active
Boolean field if user is active. -
date_joined
Date user joined/was created. -
password_change_date
Date password was last changed. -
path
User's path, see Path -
attributes
Dynamic attributes, see Attributes -
group_attributes()
Merged attributes of all groups the user is member of and the user's own attributes. -
ak_groups
This is a queryset of all the user's groups.You can do additional filtering like:
user.ak_groups.filter(name__startswith='test')
For Django field lookups, see here.
To get the name of all groups, you can use this command:
[group.name for group in user.ak_groups.all()]
Examples
List all the User's group names:
for group in user.ak_groups.all():
yield group.name
Path
:::info Requires authentik 2022.7 :::
Paths can be used to organize users into folders depending on which source created them or organizational structure. Paths may not start or end with a slash, but they can contain any other character as path segments. The paths are currently purely used for organization, it does not affect their permissions, group memberships, or anything else.
Attributes
goauthentik.io/user/can-change-username
Optional flag, when set to false prevents the user from changing their own username.
goauthentik.io/user/can-change-name
Optional flag, when set to false prevents the user from changing their own name.
goauthentik.io/user/can-change-email
Optional flag, when set to false prevents the user from changing their own email address.
goauthentik.io/user/token-expires
:
Optional flag, when set to false, Tokens created by the user will not expire.
Only applies when the token creation is triggered by the user with this attribute set. Additionally, the flag does not apply to superusers.
goauthentik.io/user/debug
:
See Troubleshooting access problems, when set, the user gets a more detailed explanation of access decisions.
additionalHeaders
:
:::info This field is only used by the Proxy Provider. :::
Some applications can be configured to create new users using header information forwarded from authentik. You can forward additional header information by adding each header
underneath additionalHeaders
:
Example:
additionalHeaders:
REMOTE-USER: joe.smith
REMOTE-EMAIL: joe@jsmith.com
REMOTE-NAME: Joseph
These headers will now be passed to the application when the user logs in. Most applications will need to be configured to accept these headers. Some examples of applications that can accept additional headers from an authentik Proxy Provider are Grafana and Tandoor Recipes.