Manage user access

You manage access to Adobe Commerce on cloud infrastructure projects and environments by adding users and assigning roles.

Project-level access provides role-based access to a specific project. Environment-level access provides role-based access to environment types within the project. Adobe Commerce on cloud infrastructure consists of three environments types: Production, Staging, and Integration. The following table lists the roles

Role Scope Access SSH
Account owner Project Perform any task in any project or environment, including deleting it.
Adobe assigns this role to the License Owner associated with the email address, name, and information of the person who registered the account. Submit an Adobe Commerce Support ticket to modify settings or change the Account owner.
Super User Project Access all project settings and environments. Super users can change settings and perform administrator tasks on any environment, including creating and restoring snapshots and managing users.
Project viewer Project View-only access to all project environments. Users with this role cannot perform tasks on any environment. Can be granted write access to a specific environment type.
Admin Environment Change settings, push code, perform tasks and branch management, including merging with the parent environment Yes
Contributor Environment Push code and branch the environment; cannot change settings or execute actions Yes
Viewer Environment View-only access to an environment No
None Environment No access to an environment No

Add user authentication requirements

For added security, Adobe provides project-level multi-factor authentication (MFA) enforcement to require two-factor authentication (TFA) for SSH access to Adobe Commerce on cloud infrastructure project source code and environments. See Enable MFA for SSH.

When MFA enforcement is enabled on an Adobe Commerce on cloud infrastructure project, all users with SSH access to an environment in that project must enable TFA on their Adobe Commerce on cloud infrastructure account. For automated processes, users must create an API token that machine users can use to authenticate from the command line. See Enable user accounts for TFA and SSH access.

Add users and manage access

Add users and assign roles using the magento-cloud CLI or the Project Web Interface.

Prerequisites:

  • Gather the email address associated with an existing Adobe Commerce on cloud infrastructure account. New users can register for an account. and provide the associated email address after completing account validation.

  • Users assigned the Admin role cannot manage users using the magento-cloud CLI. Only users that are granted the Super User or Account Owner role can manage users.

Manage users with the CLI

Use the magento-cloud CLI to manage users and integrate with automated systems:

  • magento-cloud user:add–add a user to the project
  • magento-cloud user:delete–delete a user
  • magento-cloud user:list [users]–list project users
  • magento-cloud user:role–view or change the user role
  • magento-cloud user:update–update user role on a project

The following examples use the magento-cloud CLI to add a user, configure roles, modify project assignments, and assign user roles.

Add a user and assign roles

  1. Use the magento-cloud CLI to add the user.

    magento-cloud user:add
    
  2. Follow the prompts to specify the user email address, set the project and environment-type roles, and add the user.

    Sample prompts

    Enter the user's email address: alice@example.com
    
    Email address: alice@example.com
    
    The user's project role can be admin (a) or viewer (v).
    
    Project role (default: viewer) [a/v]: viewer
    
    The user's environment type role(s) can be admin (a), viewer (v), contributor (c) or none (n).
    
    Role on type development (default: none) [a/v/c/n]: none
    Role on type production (default: none) [a/v/c/n]: admin
    Role on type staging (default: none) [a/v/c/n]: admin
    
    Adding the user alice@example.com to (project_id):
    Project role: viewer
      Role on type production: admin
      Role on type staging: admin
    
    Adding users can result in additional charges.
    
    Are you sure you want to add this user? [Y/n] y
    Adding the user to the project
    

    After you add the user, Adobe sends an email to the specified address with instructions for accessing the Adobe Commerce on cloud infrastructure project.

View a user’s project role

magento-cloud user:get alice@example.com

Sample response:

Current role(s) of User (alice@example.com) on Production (project_id):
  Project role: admin

Add a user to multiple environments

To add a user as a viewer on a Production environment, and as a contributor on an Integration environment:

magento-cloud user:add alice@example.com -r production:v -r integration:c

Update user environment permissions

To update user environment permissions to admin on the Production environment:

magento-cloud user:update alice@example.com -r production:a

Manage users from the Project Web Interface

You can use the Project Web Interface to add permissions and use the Edit feature to modify permissions for an existing user.

Add users from the Project Web Interface

  1. Log in to your account.

  2. On the My Account page, click the Magento tab to see the projects in your account.

  3. Click the Projects tab.

  4. Click your project name to open the Cloud project portal (Onboarding UI).

  5. Click Infrastructure access, and then click Project Access (Web UI).

    Cloud project portal

  6. In the Project Access (Web UI), add users as needed.

Add a project-level user

  1. In the Project Web Interface, click the settings icon in the top navigation bar.

  2. In the Users tab, click Add User.

  3. Complete the Add User form:

    • Enter the user e-mail address.

    • Select the access for the account:

      For a project administrator account, select Super User. This role provides Admin rights to all settings and environments. If not selected, the account has only view options for all project environments.

    • Select permissions per specific environment (or branch) in the Integration environment: No access, Admin (change settings, execute action, merge code), Contributor (push code), or Viewer (view only). When you add active environments, you can modify permissions per user.

    TIP

    Only Super Users can manage users in any environment. To grant a user access to the Users tab when configuring the environment, another Super User or the Account Owner must assign that user the Super User role.

  4. Click Add User.

  5. After adding project-level users, you must redeploy all environments to apply the changes. Adding a project-level user does not trigger a deployment automatically.

After you add the user, Adobe sends an email to the specified address with instructions for accessing the Adobe Commerce on cloud infrastructure project.

Update account security settings

After you add a user to a Cloud project, ask the user to review their account security settings and add the following security configuration as needed:

  • Enable TFA—Adobe recommends adding TFA to all accounts to meet security and compliance standards. Projects configured with MFA enforcement require TFA on accounts that use SSH to access the projects.

  • Enable SSH keys—Users that require access to Adobe Commerce on cloud infrastructure source code repositories must enable SSH keys on their account. See Secure connections.

  • Create an API token—Users must generate an API token that is used for SSH access to an environment. You need the token to enable authentication workflows for automated processes.

    On projects with MFA enforcement enabled, you must use the API token to authenticate SSH access requests from automated accounts. The token allows automated processes to bypass authentication workflows which require TFA.

Enable TFA for Cloud accounts

Adobe Commerce on cloud infrastructure supports TFA using any of the following applications:

Instructions for installing the authenticator application and enabling TFA are available on the Account settings page in the Project Web Interface.

To enable TFA on your user account:

  1. Log in to your account.

  2. Click the Account settings tab.

  3. Click Security to access the TFA configuration settings. Then, click Set up application.

    Cloud Security settings

  4. If you do not have an approved authenticator application on your mobile device, use the linked instructions to install one.

  5. Add your Adobe Commerce on cloud infrastructure account to the authenticator application.

    • On your mobile device, open the authenticator application. Then, add the setup code to the application.

    • On the TFA set up - Application page, type the TFA code from your mobile device in the Application verification code field.

    • Click Verify and save.

      If the code is valid, Adobe sends a notification to the account email address confirming that the account now has TFA.

  6. Optional. Enable Trusted browser settings to cache the authentication code in the browser for 30 days.

    This configuration reduces the number of authentication challenges during project login.

  7. Click Save or Skip.

  8. Save the recovery codes.

    • On the TFA setup - Recovery codes page, copy and save the recovery codes so that you can log into your Adobe Commerce on cloud infrastructure project when you cannot access your mobile device or authentication application.

    Cloud TFA recovery codes

    • Copy the recovery codes to another location or write them down in case you lose access to your device or authentication application.

    • Click Save to save the codes to your account so you can view and manage them from your account security settings.

      WARNING

      If you lose access to an account with TFA and have no recovery codes, you must contact your project administrator, or Submit an Adobe Commerce Support ticket to reset the TFA application.

  9. After completing the TFA setup, click Save to update your account.

  10. Authenticate your current session with TFA.

    • Log out of your account.

    • Log in with your username and password.

    • When prompted, enter the TFA code for the accounts.magento.cloud entry from the authenticator application on your mobile device.

Manage TFA configuration and recovery codes

You manage the TFA configuration for an Adobe Commerce on cloud infrastructure account from the Security section on the Account settings page.

  1. Log in to your account.

  2. Click the Account Settings tab.

  3. Click Security to view the TFA configuration options.

    Cloud manage TFA config

  4. Use the available links to update the TFA settings for your Adobe Commerce on cloud infrastructure account:

    • Disable TFA
    • Reset the authenticator application
    • Add or remove trusted browsers
    • View or refresh TFA recovery codes on account

Create an API token

An API token can be exchanged for an OAuth 2 access token, which can then be used to authenticate requests.

On projects that have MFA enforcement enabled, you must have an API token to enable SSH access for machine users and automated processes.

IMPORTANT

Protect API token values for your account. Do not expose the value in code samples, screen captures, or insecure client-server communications. Also, do not expose the value in source code stored in public repositories.

To create an API token:

  1. Log in to your account.

  2. On the Cloud projects page, click the Account settings tab.

  3. On the Account settings tab, expand the API Tokens section. Then, click Create an API token.

    API tokens

  4. Specify an Application name for the token, for example, specify a name that matches the machine user or automated process that uses the API token.

    Create API token

  5. Click Create API token to generate the token.

    Generate API token

On this page