You manage access to Adobe Commerce on cloud infrastructure projects and environments by adding users and assigning roles.
Project-level access provides role-based access to a specific project. Environment-level access provides role-based access to environment types within the project. Adobe Commerce on cloud infrastructure consists of three environment types: Production, Staging, and Integration. The following table lists the roles:
Role | Scope | Access | SSH |
---|---|---|---|
Project owner | Project | Perform any administrator task in any project or environment, including deletion (supersedes the Super User role). This role might not be assigned to the License Owner associated with the email address, name, and information of the person who registered the account. Submit an Adobe Commerce Support ticket to modify settings or change the Project owner. | — |
Super User | Project | Access all project settings and environments. Super users can change settings and perform administrator tasks on any environment, including creating and restoring snapshots and managing users. | — |
Project viewer | Project | View-only access to all project environments. Users with this role cannot perform tasks on any environment. Can be granted write access to a specific environment type. | — |
Admin | Environment | Perform administrator tasks, such as change settings, push code, perform tasks and branch management, including merging with the parent environment | Yes |
Contributor | Environment | Push code and branch the environment; cannot change settings or execute actions | Yes |
Viewer | Environment | View-only access to an environment | No |
None | Environment | No access to an environment | No |
For added security, Adobe provides project-level multi-factor authentication (MFA) enforcement to require two-factor authentication (TFA) for SSH access to Adobe Commerce on cloud infrastructure project source code and environments. See Enable MFA for SSH.
When MFA enforcement is enabled on an Adobe Commerce on cloud infrastructure project, all users with SSH access to an environment in that project must enable TFA on their Adobe Commerce on cloud infrastructure account. For automated processes, users must create an API token that machine users can use to authenticate from the command line. See Enable user accounts for TFA and SSH access.
Add users and assign roles using the magento-cloud CLI or the Project Web Interface.
Prerequisites:
A registered user with an Adobe ID. A user must register for an Adobe account and then initialize their Cloud account before you can add them to a Cloud project.
A user assigned the Admin role cannot manage users with the magento-cloud CLI. Only users that are granted the Super User or Account Owner role can manage users.
Use the magento-cloud CLI to manage users and integrate with automated systems:
magento-cloud user:add – add a user to the project
magento-cloud user:delete – delete a user
magento-cloud user:list [users] – list project users
magento-cloud user:role – view or change the user role
magento-cloud user:update – update user role on a project
The following examples use the magento-cloud CLI to add a user, configure roles, modify project assignments, and assign user roles.
Use the magento-cloud CLI to add the user.
magento-cloud user:add
The user must have an Adobe ID; see the prerequisites.
Follow the prompts: specify the user email address, set the project and environment-type roles, and add the user.
Sample prompts
Enter the user's email address: alice@example.com
Email address: alice@example.com
The user's project role can be admin (a) or viewer (v).
Project role (default: viewer) [a/v]: viewer
The user's environment type role(s) can be admin (a), viewer (v), contributor (c) or none (n).
Role on type development (default: none) [a/v/c/n]: none
Role on type production (default: none) [a/v/c/n]: admin
Role on type staging (default: none) [a/v/c/n]: admin
Adding the user alice@example.com to (project_id):
Project role: viewer
Role on type production: admin
Role on type staging: admin
Are you sure you want to add this user? [Y/n] y
Adding the user to the project
After you add the user, Adobe sends an email to the specified address with instructions for accessing the Adobe Commerce on cloud infrastructure project.
magento-cloud user:get alice@example.com
Sample response:
Current role(s) of User (alice@example.com) on Production (project_id):
Project role: admin
To add a user as a viewer on a Production environment, and as a contributor on an Integration environment:
magento-cloud user:add alice@example.com -r production:v -r integration:c
To update user environment permissions to admin on the Production environment:
magento-cloud user:update alice@example.com -r production:a
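When user provisioning is driven by an automated system, validating the request before it reaches the CLI keeps role grants predictable. The following is an added example, not Adobe's code: the hypothetical function `build_user_add_cmd` checks the email and each `type:role` pair against the values shown on this page and prints the resulting `magento-cloud user:add` command instead of running it. The `ALLOW_PROD_ADMIN` gate is an assumed local policy, and `staging` is assumed to be accepted by `-r` in the same way as `production` and `integration`.

```shell
#!/bin/sh
# Added example: validate a role request, then print (not run) the
# magento-cloud user:add command built from it.

# build_user_add_cmd EMAIL TYPE:ROLE [TYPE:ROLE ...]
# Prints the command on stdout; returns 1 with a reason on stderr if rejected.
build_user_add_cmd() {
    email=$1
    shift
    case $email in
        # Reject shell metacharacters and a leading dash (option injection).
        *[!A-Za-z0-9@._+-]*|-*) echo "rejected: unsafe email '$email'" >&2; return 1 ;;
        ?*@?*.?*) ;;
        *) echo "rejected: malformed email '$email'" >&2; return 1 ;;
    esac
    [ "$#" -gt 0 ] || { echo "rejected: no environment role given" >&2; return 1; }

    cmd="magento-cloud user:add $email"
    seen=" "
    for spec in "$@"; do
        env_type=${spec%%:*}
        role=${spec#*:}
        case $env_type in
            # Environment types named on this page; adjust to your project.
            production|staging|integration) ;;
            *) echo "rejected: unknown environment type '$env_type'" >&2; return 1 ;;
        esac
        case $role in
            a|v|c|n) ;;   # admin, viewer, contributor, none
            *) echo "rejected: unknown role '$role'" >&2; return 1 ;;
        esac
        case $seen in
            *" $env_type "*) echo "rejected: duplicate type '$env_type'" >&2; return 1 ;;
        esac
        seen="$seen$env_type "
        # Local policy (assumption): Production admin needs explicit sign-off.
        if [ "$env_type:$role" = "production:a" ] && [ "${ALLOW_PROD_ADMIN:-0}" != 1 ]; then
            echo "rejected: production:a requires ALLOW_PROD_ADMIN=1" >&2
            return 1
        fi
        cmd="$cmd -r $env_type:$role"
    done
    printf '%s\n' "$cmd"
}

# Constructed sample request, matching the page's own example.
build_user_add_cmd alice@example.com production:v integration:c
```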
You can use the Project Web Interface to add permissions and use the Edit feature to modify permissions for an existing user.
The user must have an Adobe ID; see the prerequisites.
Log in to your account.
On the My Account page, click the Magento tab to see the projects in your account.
Click the Projects tab.
Click a project.
Click Infrastructure access, and then click Project Access (Web UI).
In the Project Access (Web UI), add users as needed.
In the Project Web Interface, click the settings icon in the top navigation bar.
In the Users tab, click Add User.
Complete the Add User form:
Enter the user e-mail address.
Select Super User to create a project administrator account. This role provides Admin rights to all settings and environments. Other users only have access to view options for all project environments.
Select Environment permissions: No access, Admin (change settings, execute action, merge code), Contributor (push code), or Viewer (view only). When you add active environments, you can modify permissions per user.
Only Super Users can manage users in any environment. To grant a user access to the Users tab when configuring the environment, another Super User or the Account Owner must assign that user the Super User role.
Click Add User.
After adding project-level users, redeploy all environments to apply the changes. Adding a project-level user does not trigger a deployment automatically. Redeployment is an important step to ensure that the user can access an environment using SSH.
After you add the user, Adobe sends an email to the specified address with instructions for accessing the Adobe Commerce on cloud infrastructure project.
After you add a user to a Cloud project, ask the user to review their account security settings and add the following security configuration as needed:
Enable TFA—Adobe recommends adding TFA to all accounts to meet security and compliance standards. Projects configured with MFA enforcement require TFA on accounts that use SSH to access the projects.
Enable SSH keys—Users that require access to Adobe Commerce on cloud infrastructure source code repositories must enable SSH keys on their account. See Secure connections.
Create an API token—Users must generate an API token that is used for SSH access to an environment. You need the token to enable authentication workflows for automated processes.
On projects with MFA enforcement enabled, you must use the API token to authenticate SSH access requests from automated accounts. The token allows automated processes to bypass authentication workflows that require TFA.
Adobe Commerce on cloud infrastructure supports TFA using any of the following applications:
Instructions for installing the authenticator application and enabling TFA are available on the Account settings page in the Project Web Interface.
To enable TFA on your user account:
Log in to your account.
Click the Account settings tab.
Click Security. In the TFA application settings, click Set up application.
If you do not have an approved authenticator application on your mobile device, use the linked instructions to install one.
Add your Adobe Commerce on cloud infrastructure account to the authenticator application.
On your mobile device, open the authenticator application. Then, add the setup code to the application.
On the TFA set up - Application page, type the TFA code from your mobile device in the Application verification code field.
Click Verify and save.
If the code is valid, Adobe sends a notification to the account email address confirming that the account now has TFA.
Optional. Enable Trusted browser settings to cache the authentication code in the browser for 30 days.
This configuration reduces the number of authentication challenges during project login.
Click Save or Skip.
Save the recovery codes.
Copy the recovery codes to another location or write them down in case you lose access to your device or authentication application.
Click Save to save the codes to your account so you can view and manage them from your account security settings.
If you lose access to an account with TFA and have no recovery codes, you must contact your project administrator or submit an Adobe Commerce Support ticket to reset the TFA application.
After completing the TFA setup, click Save to update your account.
Authenticate your current session with TFA.
Log out of your account.
Log in with your username and password.
When prompted, enter the TFA code for the accounts.magento.cloud entry from the authenticator application on your mobile device.
You manage the TFA configuration for an Adobe Commerce on cloud infrastructure account from the Security section on the Account settings page.
Log in to your account.
Click the Account Settings tab.
Click Security and view the TFA configuration options.
Use the available links to update the TFA settings for your Adobe Commerce on cloud infrastructure account:
An API token can be exchanged for an OAuth 2 access token, which can then be used to authenticate requests.
On projects that have MFA enforcement enabled, you must have an API token to enable SSH access for machine users and automated processes.
Protect API token values for your account. Do not expose the value in code samples, screen captures, or insecure client-server communications. Also, do not expose the value in source code stored in public repositories.
To create an API token:
Log in to your account.
On the Cloud projects page, click the Account settings tab.
On the Account settings tab, expand the API Tokens section. Then, click Create an API token.
Specify an Application name for the token. For example, use a name that matches the machine user or automated process that uses the API token.
Click Create API token.