You are browsing documentation for an older version. See the latest documentation here.
Invite an Admin
An Admin is any user in Kong Manager. They may access Kong entities within their assigned Workspaces based on the Permissions of their Roles.
This guide describes how to invite an Admin in Kong
Manager. As an alternative, if a Super Admin wants to
invite an Admin with the Admin API, it is possible to
do so using
/admins
.
Invite an Admin
-
Navigate to the Teams page in Kong Manager
-
From the Admins tab select Invite Admin
-
Fill out the username and email address. When a new Admin receives an invitation, they will only be able to log in with that email address. Assign the appropriate Role and click Invite User to send the invitation.
Super Admins can invite users to multiple Workspaces, and assign them any Role available within Workspaces, including Roles that exist by default (e.g.
super-admin
,read-only
) and Roles with customized permissions.The Super Admin can see all available roles across Workspaces on the Roles tab of the Organization page.
-
On the Teams page, the new invitee will appear on the Admins list with the under Invited. Once they accept the invitation, the user will be listed in the main Admins list.
By default, the registration link will expire after 259,200 seconds (3 days). This time frame can be configured with the
kong.conf
file inadmin_invitation_expiry
.If an email fails to send, either due to an incorrect email address or an external error, it will be possible to resend an invitation.
If SMTP is not enabled or the invitation email fails to send, it is possible for the Super Admin to copy and provide a registration link directly.
-
The newly invited Admin will have the ability to set a password. If the Admin ever forgets the password, it is possible for them to reset it through a recovery email.
Copy and Send a Registration Link
If a mail server is not yet set up, it is still possible to invite Admins to register and log in.
-
Invite an Admin as described in the section above.
-
If the “View” link is clicked next to the invited Admin’s name, a
register_url
is displayed on the invitee’s details page. -
Copy and directly send this link to the invited Admin so that they may set up their credentials and log in.
If admin_gui_auth
is ldap-auth-advanced
, credentials are not stored in Kong, and the Admin will be directed to log in.
How to Grant an Admin Access with LDAP
-
Pick a user in the LDAP Directory that will be the Super Admin.
-
Change the Super Admin’s username in Kong by making a
PATCH
request toadmins/kong_admin
and setting the value ofusername
to the corresponding LDAPattribute
.
For example, if the LDAP user’s attribute is einstein
,
the PATCH
to /admins/kong_admin
should have a username
set to einstein
.
-
Log in to Kong Manager using the LDAP credentials associated with the Super Admin.
-
Invite Admins from the “Admins” page in Kong Manager, ensuring that the
username
of each Admin is mapped to theattribute
value set in the LDAP directory.To enable the Admins to log in, it is still necessary to assign a Role to them.
-
Once an Admin has logged in successfully and accesses the Admin API using their LDAP credentials, they will be marked as “approved” on the “Admins” list in Kong Manager
The new Admins will still receive an email, but all credentials will be handled through the LDAP server, not Kong Manager or the Admin API.