
Users

Overview

A user in JustIAM can be a human account (local or federated) or a service account (API-only, no interactive login).


User fields

Field                   Description
email                   Primary identifier; must be unique.
username                Short name derived from the email local-part (e.g. alice from alice@corp.com). Used as preferred_username in OIDC tokens. Read-only.
first_name / last_name  Display name.
is_active               Inactive users cannot log in or use tokens.
is_admin                Full administrative access; bypasses all permission checks.
is_service_account      Cannot log in interactively; authenticates with Personal Access Tokens only.
auth_source             "internal" for local accounts; the provider name for federated accounts.

Creating a user

UI: Administration → Users → + Create User

Required field: email. For a local account, also set a password. For a service account, leave the password blank and enable Service Account.

API:

POST /api/v1/users
Authorization: Bearer <token>
Content-Type: application/json

{
  "email": "alice@example.com",
  "first_name": "Alice",
  "last_name": "Smith",
  "password": "SecurePass123!",
  "is_admin": false,
  "is_service_account": false
}

Updating a user

UI: Users → click on a user → Edit

Updatable fields: email, first_name, last_name, is_active, is_admin.

If any User Attributes are defined and you have the user_attributes.manage permission, an Attributes section appears at the bottom of the edit panel. All attributes are editable by admins regardless of the user_editable flag (which only restricts end-users in their own profile).

API:

PUT /api/v1/users/{id}

Deactivating / deleting

  • Deactivate (is_active = false) — preserves history and disables all logins and tokens.
  • Delete (DELETE /api/v1/users/{id}) — permanently removes the user and all associated data (group memberships, tokens, MFA credentials).

Protected users

Certain users cannot be deleted under specific conditions. Attempting to do so returns 409 Conflict with an explanatory message.

Built-in service accounts — blocked while the feature they serve is active:

Service account                  UUID                                   Blocked when
proxy-provider@service.internal  00000000-0000-0000-0000-000000000004   proxy_mode is shared or dedicated
cp-service@idp.local             (dynamic, created on bootstrap)        Always. This is the controlplane service account; its token cannot be deleted or viewed via the admin UI. Rotate it from the controlplane instead.

Last super-admin guard — the final active super-admin (is_admin = true, is_active = true) cannot be deleted. Promote another user to super-admin first.
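
The two guard rules above, modelled as an added example (this is not JustIAM's own code). It reproduces the documented reasons a DELETE on a user is answered with 409 Conflict: the built-in service accounts and the last active super-admin. The `User` dataclass, the `Conflict` exception, the `deletion_conflict`/`delete_user` helpers and the proxy_mode value "disabled" are assumptions made for the illustration; cp-service is matched on its email because its UUID is only assigned at bootstrap.

```python
"""Protected-user deletion guard, modelled on the documented 409 rules.

Added example, not JustIAM code. User, Conflict, deletion_conflict,
delete_user and the proxy_mode value "disabled" are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Identifiers taken from the documentation.
PROXY_PROVIDER_EMAIL = "proxy-provider@service.internal"
PROXY_PROVIDER_UUID = "00000000-0000-0000-0000-000000000004"
CP_SERVICE_EMAIL = "cp-service@idp.local"  # UUID assigned at bootstrap, so match on email


@dataclass
class User:
    id: str
    email: str
    is_active: bool = True
    is_admin: bool = False
    is_service_account: bool = False


class Conflict(Exception):
    """Raised where the API would answer 409 Conflict."""
    status = 409


def deletion_conflict(target: User, users: List[User], proxy_mode: str) -> Optional[str]:
    """Return the 409 message deleting `target` would produce, or None if allowed."""
    # Built-in service accounts: blocked while the feature they serve is active.
    if target.email == CP_SERVICE_EMAIL:
        return ("cp-service is the controlplane service account and cannot be deleted; "
                "rotate its token from the controlplane instead")
    if target.id == PROXY_PROVIDER_UUID and proxy_mode in ("shared", "dedicated"):
        return f"proxy-provider is in use while proxy_mode is {proxy_mode!r}"

    # Last super-admin guard: only *active* admins count, so a deactivated
    # admin does not keep the instance administrable.
    if target.is_admin and target.is_active:
        remaining = [u for u in users
                     if u.id != target.id and u.is_admin and u.is_active]
        if not remaining:
            return "cannot delete the last active super-admin; promote another user first"
    return None


def delete_user(users: List[User], target_id: str, proxy_mode: str) -> List[User]:
    """Apply the guard and return the user list without `target_id`, or raise Conflict."""
    by_id = {u.id: u for u in users}
    if target_id not in by_id:
        raise KeyError(target_id)
    msg = deletion_conflict(by_id[target_id], users, proxy_mode)
    if msg is not None:
        raise Conflict(msg)
    return [u for u in users if u.id != target_id]


if __name__ == "__main__":
    # Constructed sample directory: one active admin, one deactivated admin.
    directory = [
        User("u1", "alice@corp.com", is_admin=True),
        User("u2", "bob@corp.com", is_admin=True, is_active=False),
        User(PROXY_PROVIDER_UUID, PROXY_PROVIDER_EMAIL, is_service_account=True),
        User("u9", CP_SERVICE_EMAIL, is_service_account=True),
    ]
    for uid in ("u1", PROXY_PROVIDER_UUID, "u9"):
        try:
            delete_user(directory, uid, proxy_mode="shared")
            print(uid, "deleted")
        except Conflict as exc:
            print(uid, "-> 409:", exc)
```

Note that the guard only covers deletion, as the page describes; it says nothing about deactivating the last super-admin, so this model does not block that either.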


Group membership

Users can belong to multiple groups. Assign membership via:

  • Users page → user → Groups tab
  • Groups page → group → Members tab
  • API: POST /api/v1/users/{id}/groups or POST /api/v1/groups/{id}/members


Revoking sessions and tokens

From the Users page you can:

  • Revoke all IDP sessions — invalidates all active idp_sid SSO cookies for the user
  • Revoke all JWT tokens — records a revocation timestamp for the user via DELETE /api/v1/users/{id}/jwt-revocations; every existing JWT issued before that moment is rejected, while tokens issued afterwards remain valid
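
How a revocation timestamp is enforced at verification time, as an added example (not JustIAM's implementation). It mints HS256 JWTs with the standard library, keeps a per-user revocation cutoff, and rejects any token whose iat claim is earlier than the cutoff. The signing key, the in-memory `revoked_before` store and the function names are assumptions made here; the claim names (sub, iat, exp) are the standard ones.

```python
"""JWT verification with a per-user revocation timestamp.

Added example, not JustIAM code. SECRET, revoked_before, mint, revoke_all_jwts
and verify are assumptions; the page only documents the rule they implement.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

SECRET = b"example-signing-key-not-for-production"  # constructed for the example


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(sub: str, iat: int, ttl: int = 3600) -> str:
    """Issue an HS256 JWT for `sub` with the given issued-at time."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": sub, "iat": iat, "exp": iat + ttl},
                                 separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


# Per-user revocation moment, as pushed by the "Revoke all JWT tokens" action.
revoked_before: Dict[str, int] = {}


def revoke_all_jwts(sub: str, now: int) -> None:
    """Record the revocation moment; never move an existing cutoff backwards."""
    revoked_before[sub] = max(now, revoked_before.get(sub, 0))


def verify(token: str, now: int) -> Optional[dict]:
    """Return the claims if the token is valid at `now`, else None."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        # Constant-time compare; a wrong-length (e.g. empty) signature also fails.
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    if header.get("alg") != "HS256":  # refuse alg confusion, including "none"
        return None
    if not isinstance(claims.get("iat"), int) or claims.get("exp", 0) <= now:
        return None
    # Revocation rule from the docs: tokens issued before the cutoff are rejected.
    # With second-granularity iat, a token minted in the same second as the
    # revocation is still accepted; reject iat <= cutoff if that matters to you.
    cutoff = revoked_before.get(claims.get("sub"))
    if cutoff is not None and claims["iat"] < cutoff:
        return None
    return claims


if __name__ == "__main__":
    t0 = 1_700_000_000
    old = mint("alice", t0)
    revoke_all_jwts("alice", t0 + 60)
    print("old token after revocation:", verify(old, t0 + 70))       # None
    print("new token after revocation:", verify(mint("alice", t0 + 60), t0 + 70))
```

The check is per user: revoking alice's tokens leaves bob's untouched, and a token for alice minted at or after the cutoff verifies normally.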

Password reset

Users with a configured email address can request a password reset from the login page. Admins can trigger a reset link through the API.


Service accounts

Service accounts are regular users with is_service_account = true. They:

  • Cannot log in through the UI or through OIDC/SAML flows
  • Authenticate exclusively with Personal Access Tokens (PATs)
  • Can be assigned to groups and IDP roles like regular users
  • Have their PATs managed under Users → (service account) → Tokens

See Personal Access Tokens for details.