Creating and Managing Users¶
Overview¶
User accounts in the Zaita platform are created by a Super Administrator through an invitation or directly via the web portal. Once a user account exists, users can authenticate either with email and password, or through your organisation's identity provider if Single Sign-On (SSO) is configured.
All new users are assigned the User role by default.
Users Authenticating via SSO¶
When SSO is configured, users authenticate through your organisation's identity provider rather than managing separate Zaita credentials. However, an account must already exist in the platform before SSO authentication will succeed: SSO authenticates users, it does not create them. Accounts are still provisioned through the invitation workflow described below.
SSO configuration is managed under Admin → Settings → SSO. For full configuration details, see Single Sign-On.
Users authenticating via SSO:
- Must have an existing Zaita account with a matching email address before their first SSO login.
- Are subject to the MFA and access policies enforced by your identity provider.
- Can have their role and domain assignments configured by a Super Administrator at any time.
- Can be granted a per-user SSO bypass to allow password login if required — see Per-User SSO Bypass.
Inviting Users Manually¶
For organisations that do not use SSO, users are added to the platform through an email invitation workflow.
Sending an Invitation¶
- Navigate to Admin → Users in the web portal.
- Select Invite User.
- Enter the user's email address.
- Send the invitation.
The invited user will receive an email with a link to set up and configure their account.
Account Setup¶
When the invited user follows the link in their invitation email, they will be prompted to:
- Set a password for their account.
- Register an authenticator app for multi-factor authentication (if MFA is enabled for your organisation — see MFA settings below).
- Complete their profile and sign in.
Once the user has accepted the invitation and completed account setup, they are assigned the User role by default. A Super Administrator can then update their role and configure their domain assignments as required.
Invitation Status¶
Pending invitations can be viewed and managed under Admin → Users. Administrators can:
- Resend an invitation if the original email was not received.
- Revoke a pending invitation to prevent account creation.
Invitations that are not accepted within the expiry period will need to be resent.
Multi-Factor Authentication¶
MFA is an organisational setting, not a per-user setting. When enabled, all users who authenticate directly with the platform (i.e. not through SSO) must register an authenticator app, either during account setup or, for existing accounts, at their next sign-in.
To configure MFA:
- Navigate to Admin → Settings.
- Locate the Multi-Factor Authentication setting.
- Enable or disable MFA for the organisation.
When MFA is enabled:
- New users will be prompted to register an authenticator during account setup.
- Existing users who have not yet registered an authenticator will be prompted to do so on their next sign-in.
- Users who authenticate through SSO are not affected — MFA for SSO users is managed by your identity provider.
Managing Existing Users¶
Viewing and Editing Users¶
To view or edit a user's account:
- Navigate to Admin → Users.
- Click the eye icon next to the user you want to view or edit.
- The user details page displays their name, email, current role, and domain assignments.
Updating Roles¶
User roles can be updated by a Super Administrator:
- Navigate to Admin → Users.
- Click the eye icon to view the user account.
- Select the new role from the Assigned Role dropdown.
- Click Update Role to save.
Role changes take effect immediately. See Roles and Permissions for a full description of each role.
Note: Each user can have only one role assigned. The available roles are:
| Role | Description |
|---|---|
| User | Default role — can request certificates for assigned domains |
| Super Administrator | Full platform access including user management |
| PKI Administrator | Manages Local PKI, integrations, and domains |
| Deployment Administrator | Manages target systems, Bridges, and Couriers |
| Policy Administrator | Manages certificate policies |
| Report Operator | Can run reports and view dashboard |
Managing Domain Assignments¶
Domain assignments control which domains a user can request certificates for. This is separate from roles and allows fine-grained control over certificate issuance.
To manage a user's domain assignments:
- Navigate to Admin → Users.
- Click the eye icon to view the user account.
- In the Allowed Certificate Domains section:
  - Enter a domain pattern (e.g., example.com or *.example.com) and click Add Domain.
  - To remove a domain, click the delete icon next to the domain pattern.
Domain Pattern Examples:
| Pattern | What it allows |
|---|---|
| www.example.com | Certificates for exactly www.example.com |
| *.example.com | Certificates for any subdomain of example.com |
| *.dev.internal.com | Certificates for any subdomain of dev.internal.com |
Note: Super Administrators can request certificates for any domain regardless of their domain assignments.
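The following is an added illustration, not Zaita's own code, of the authorization check the domain patterns above imply: every name in a certificate request must be covered by one of the requesting user's assigned patterns, with the Super Administrator exemption from the note. The page only says that an exact pattern matches exactly and that `*.example.com` matches "any subdomain"; the finer points below are assumptions (matching is case-insensitive and ignores a trailing dot, a wildcard pattern covers nested names such as a.b.example.com but never the bare apex or look-alikes such as evilexample.com, and a `*` is only valid as a leading label). The platform's real matching rules may differ, so check them against your own request history before relying on any of this.

```python
"""
Added example (not Zaita's own code): decides whether each name in a
certificate request is covered by a user's Allowed Certificate Domains,
using the pattern semantics from the table above.

Assumptions the page does not state (the platform's rules may differ):
  - matching is case-insensitive and ignores a trailing dot;
  - '*.example.com' covers nested names such as a.b.example.com, but never
    the bare apex example.com and never look-alikes such as evilexample.com;
  - a Super Administrator skips the domain-assignment check, as the note
    above says, but every requested name must still be syntactically valid.
"""
import re
from dataclasses import dataclass, field

SUPER_ADMIN = "Super Administrator"

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name: str) -> str:
    """Fold case and drop surrounding whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


def is_valid_name(name: str) -> bool:
    """Accept 'host.example.com' or a single leading wildcard '*.example.com'.
    A '*' anywhere else (e.g. 'a*.example.com') is rejected."""
    labels = normalize(name).split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def pattern_matches(pattern: str, hostname: str) -> bool:
    """True if an assigned pattern covers the requested hostname."""
    pattern, hostname = normalize(pattern), normalize(hostname)
    if not pattern.startswith("*."):
        return pattern == hostname            # exact pattern, exact match
    suffix = pattern[1:]                      # '*.example.com' -> '.example.com'
    # Require the dot-separated suffix AND at least one label in front of it,
    # so 'example.com' and 'evilexample.com' are both rejected.
    return hostname.endswith(suffix) and len(hostname) > len(suffix)


@dataclass
class User:
    email: str
    role: str = "User"                        # the platform's default role
    allowed_domains: list = field(default_factory=list)


def may_request(user: User, requested_names: list) -> tuple:
    """Return (allowed, denied_names). The request is allowed only if every
    requested name is valid and covered by at least one assigned pattern
    (or the user is a Super Administrator)."""
    denied = []
    for name in requested_names:
        if not is_valid_name(name):
            denied.append(name)
        elif user.role != SUPER_ADMIN and not any(
            pattern_matches(p, name) for p in user.allowed_domains
        ):
            denied.append(name)
    return not denied, denied


if __name__ == "__main__":
    # Constructed sample user mirroring the patterns in the table above.
    alice = User("alice@example.com",
                 allowed_domains=["www.example.com", "*.dev.internal.com"])
    print(may_request(alice, ["www.example.com", "api.dev.internal.com"]))
    print(may_request(alice, ["example.com", "notdev.internal.com"]))
```

The check is deliberately all-or-nothing: a request containing one name outside the user's patterns is refused rather than partially issued, which is the behaviour you want when a single certificate can carry several SANs. If your deployment expects `*.example.com` to cover only one label, change `pattern_matches` to split the remainder before the suffix and require exactly one label.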
Managing Group Membership¶
Users can be added to or removed from groups to control notification and alerting. Group membership is managed through Admin → Groups or from the individual user's account page.
Deactivating Users¶
To deactivate a user account:
- Navigate to Admin → Users.
- Click the eye icon to view the user account.
- Select Deactivate.
Deactivated users cannot sign in to the platform. Their historical activity — including audit logs and certificate request history — is retained. Deactivated accounts can be reactivated by a Super Administrator if required.
Best Practices¶
- Use SSO where possible — SSO centralises authentication, reduces credential sprawl, and lets you enforce your organisation's existing MFA and access policies. See Single Sign-On for configuration details.
- Pre-create accounts before enabling SSO — user accounts must exist in the platform before SSO authentication will succeed. Invite or add users first, then enable SSO.
- Enable MFA for non-SSO organisations — if SSO is not in use, enable MFA under Admin → Settings to add a second layer of authentication for all users.
- Configure domain assignments promptly — new users cannot request certificates until their domain assignments are configured.
- Apply the principle of least privilege — assign the minimum role necessary and use domain assignments to scope certificate access rather than elevating roles.
- Assign roles after onboarding — invite users first and update their roles once they have accepted the invitation and their responsibilities are confirmed.
- Deactivate accounts promptly — deactivate accounts for users who have left the organisation or no longer require access.
- Use groups for notifications — add users to appropriate groups during onboarding to ensure they receive relevant alerts from day one.