Skip to content
Kong Summit 2022: Where API Innovation Runs Wild  —Learn More →
Kong Logo | Kong Docs Logo
search
  • We're Hiring!
  • Docs
    • Kong Gateway
    • Konnect Cloud
    • Kong Mesh
    • Plugin Hub
    • decK
    • Kubernetes Ingress Controller
    • Insomnia
    • Kuma

    • Kong Konnect Platform

    • Docs contribution guidelines
  • Plugin Hub
  • Support
  • Community
  • Kong Academy
Request Demo
  • Kong Gateway
  • Konnect Cloud
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kubernetes Ingress Controller
  • Insomnia
  • Kuma

  • Kong Konnect Platform

  • Docs contribution guidelines
  • 2.8.x (latest)
  • 2.7.x
  • 2.6.x
  • Older Enterprise versions (0.31-2.5)
  • Older OSS versions (0.13-2.5)
  • Archive (pre-0.13)
    • Overview of Kong Gateway
    • Version Support Policy
    • Changelog
    • Overview
    • Kubernetes
    • Helm
    • OpenShift with Helm
    • Docker
    • Amazon Linux
    • CentOS
    • macOS
    • Debian
    • RHEL
    • Ubuntu
    • Migrating from OSS to EE
    • Upgrade Kong Gateway
    • Upgrade Kong Gateway OSS
      • Configuring a Service
      • Configuring a gRPC Service
      • Enabling Plugins
      • Adding Consumers
      • Prepare to Administer
      • Expose your Services
      • Protect your Services
      • Improve Performance
      • Secure Services
      • Set Up Intelligent Load Balancing
      • Manage Administrative Teams
      • Publish, Locate, and Consume Services
    • Running Kong as a Non-Root User
    • Resource Sizing Guidelines
      • Deploy Kong Gateway in Hybrid Mode
    • Kubernetes Deployment Options
    • Control Kong Gateway through systemd
    • Performance Testing Framework
    • DNS Considerations
    • Default Ports
      • Access Your License
      • Deploy Your License
      • Monitor License Usage
      • Start Kong Gateway Securely
      • Keyring and Data Encryption
      • Kong Security Update Process
        • Getting Started
        • Advanced Usage
          • Environment Variables
          • AWS Secrets Manager
          • Hashicorp Vault
        • Reference Format
      • Authentication Reference
        • OpenID Connect with Curity
        • OpenID Connect with Azure AD
        • OpenID Connect with Google
        • OpenID Connect with Okta
        • OpenID Connect with Auth0
        • OpenID Connect with Cognito
        • OpenID Connect Plugin Reference
      • Allowing Multiple Authentication Methods
        • Create a Super Admin
        • Configure Networking
        • Configure Kong Manager to Send Email
        • Reset Passwords and RBAC Tokens
        • Configure Workspaces
        • Basic Auth
        • LDAP
        • OIDC
        • Sessions
        • Add a Role
        • Add a User
        • Add an Admin
      • Mapping LDAP Service Directory Groups to Kong Roles
    • Configure gRPC Plugins
    • GraphQL Quickstart
    • Logging Reference
    • Network and Firewall
    • Overview
    • Enable the Dev Portal
    • Structure and File Types
    • Portal API
    • Working with Templates
    • Using the Editor
        • Basic Auth
        • Key Auth
        • OIDC
        • Sessions
        • Adding Custom Registration Fields
      • SMTP
      • Workspaces
      • Manage Developers
      • Developer Roles and Content Permissions
        • Authorization Provider Strategy
        • Enable Application Registration
        • Enable Key Authentication for Application Registration
        • External OAuth2 Support
        • Set up Okta and Kong for external OAuth
        • Set Up Azure AD and Kong for External Authentication
        • Manage Applications
      • Easy Theme Editing
      • Migrating Templates Between Workspaces
      • Markdown Rendering Module
      • Customizing Portal Emails
      • Adding and Using JavaScript Assets
      • Single Page App in Dev Portal
      • Alternate OpenAPI Renderer
    • Helpers CLI
      • Metrics
      • Reports
      • Vitals with InfluxDB
      • Vitals with Prometheus
      • Estimate Vitals Storage in PostgreSQL
    • Prometheus plugin
    • Zipkin plugin
      • DB-less Mode
      • Declarative Configuration
      • Supported Content Types
      • Information Routes
      • Health Routes
      • Tags
      • Service Object
      • Route Object
      • Consumer Object
      • Plugin Object
      • Certificate Object
      • CA Certificate Object
      • SNI Object
      • Upstream Object
      • Target Object
      • Vaults Beta
        • Licenses Reference
        • Licenses Examples
        • Workspaces Reference
        • Workspace Examples
        • RBAC Reference
        • RBAC Examples
        • API Reference
        • Examples
      • Developers
        • API Reference
        • Examples
        • Event Hooks Reference
        • Examples
      • Audit Logging
      • Keyring and Data Encryption
      • Securing the Admin API
    • DB-less and Declarative Configuration
    • Configuration Reference
    • CLI Reference
    • Load Balancing Reference
    • Proxy Reference
    • Rate Limiting Library
    • Health Checks and Circuit Breakers Reference
    • Clustering Reference
      • kong.client
      • kong.client.tls
      • kong.cluster
      • kong.ctx
      • kong.ip
      • kong.log
      • kong.nginx
      • kong.node
      • kong.request
      • kong.response
      • kong.router
      • kong.service
      • kong.service.request
      • kong.service.response
      • kong.table
      • kong.vault
      • Introduction
      • File structure
      • Implementing custom logic
      • Plugin configuration
      • Accessing the datastore
      • Storing custom entities
      • Caching custom entities
      • Extending the Admin API
      • Writing tests
      • (un)Installing your plugin
    • Plugins in Other Languages

github-edit-pageEdit this page

report-issueReport an issue

enterprise-switcher-iconSwitch to OSS

On this page
  • Invite an Admin
  • Copy and Send a Registration Link
  • How to Grant an Admin Access with LDAP
Kong Gateway
2.8.x (latest)
  • Home
  • Kong Gateway
  • Configure
  • Auth
  • Rbac

Invite an Admin

An Admin is any user in Kong Manager. They may access Kong entities within their assigned Workspaces based on the Permissions of their Roles.

This guide describes how to invite an Admin in Kong Manager. As an alternative, if a Super Admin wants to invite an Admin with the Admin API, it is possible to do so using /admins.

Invite an Admin

  1. Navigate to the Teams page in Kong Manager

  2. From the Admins tab select Invite Admin

  3. Fill out the username and email address. When a new Admin receives an invitation, they will only be able to log in with that email address. Assign the appropriate Role and click Invite User to send the invitation.

    Super Admins can invite users to multiple Workspaces, and assign them any Role available within Workspaces, including Roles that exist by default (e.g. super-admin, read-only) and Roles with customized permissions.

    The Super Admin can see all available roles across Workspaces on the Roles tab of the Organization page.

  4. On the Teams page, the new invitee will appear on the Admins list with the under Invited. Once they accept the invitation, the user will be listed in the main Admins list.

    By default, the registration link will expire after 259,200 seconds (3 days). This time frame can be configured with the kong.conf file in admin_invitation_expiry.

    If an email fails to send, either due to an incorrect email address or an external error, it will be possible to resend an invitation.

    If SMTP is not enabled or the invitation email fails to send, it is possible for the Super Admin to copy and provide a registration link directly.

  5. The newly invited Admin will have the ability to set a password. If the Admin ever forgets the password, it is possible for them to reset it through a recovery email.

Copy and Send a Registration Link

If a mail server is not yet set up, it is still possible to invite Admins to register and log in.

  1. Invite an Admin as described in the section above.

  2. If the “View” link is clicked next to the invited Admin’s name, a register_url is displayed on the invitee’s details page.

    Registration URL

  3. Copy and directly send this link to the invited Admin so that they may set up their credentials and log in.

If admin_gui_auth is ldap-auth-advanced, credentials are not stored in Kong, and the Admin will be directed to log in.

How to Grant an Admin Access with LDAP

  1. Pick a user in the LDAP Directory that will be the Super Admin.

  2. Change the Super Admin’s username in Kong by making a PATCH request to admins/kong_admin and setting the value of username to the corresponding LDAP attribute.

For example, if the LDAP user’s attribute is einstein, the PATCH to /admins/kong_admin should have a username set to einstein.

  1. Log in to Kong Manager using the LDAP credentials associated with the Super Admin.

  2. Invite Admins from the “Admins” page in Kong Manager, ensuring that the username of each Admin is mapped to the attribute value set in the LDAP directory.

    To enable the Admins to log in, it is still necessary to assign a Role to them.

  3. Once an Admin has logged in successfully and accesses the Admin API using their LDAP credentials, they will be marked as “approved” on the “Admins” list in Kong Manager

    The new Admins will still receive an email, but all credentials will be handled through the LDAP server, not Kong Manager or the Admin API.

Thank you for your feedback.
Was this page useful?
  • Kong
    THE CLOUD CONNECTIVITY COMPANY

    Kong powers reliable digital connections across APIs, hybrid and multi-cloud environments.

    • Company
    • Customers
    • Events
    • Investors
    • Careers Hiring!
    • Partners
    • Press
    • Contact
  • Products
    • Kong Konnect
    • Kong Gateway
    • Kong Mesh
    • Get Started
    • Pricing
  • Resources
    • eBooks
    • Webinars
    • Briefs
    • Blog
    • API Gateway
    • Microservices
  • Open Source
    • Install Kong Gateway
    • Kong Community
    • Kubernetes Ingress
    • Kuma
    • Insomnia
  • Solutions
    • Decentralize
    • Secure & Govern
    • Create a Dev Platform
    • API Gateway
    • Kubernetes
    • Service Mesh
Star
  • Terms•Privacy
© Kong Inc. 2022