---
title: Manage user accounts
description: How to create LDAP or local authentication user accounts, set permissions, and manage membership of groups and organizations.

---

# Manage user accounts {: #manage-user-accounts }

The DataRobot deployment provides support for local authentication users. These are user accounts you create manually (through **APP ADMIN > Manage Users**). DataRobot provides restrictions for login and password settings. The login credentials for these locally authenticated users are stored as fully qualified domain names.

=== "SaaS"

	!!! info "Availability information"
     	**Required permission:** Org Admin

=== "Self-Managed: LDAP"

	!!! info "Availability information"
     	**Required permission:** Can manage users

	The DataRobot deployment provides support for three types of user accounts:

	|  User Account Type | Description |
	|--------------------|--------------------------|
	| Internal | This is the default DataRobot administrator account, which authenticates using admin@datarobot.com. This account has full administrator access to the deployed cluster. You cannot revoke administrator privileges; the only change you can make to this account is password updates. |
	| Local authentication | These are user accounts you create manually (through **APP ADMIN > Manage Users**). DataRobot provides restrictions for login and password settings. The login credentials for these locally authenticated users are stored as fully qualified domain names. |
	| LDAP authentication configuration | These user accounts are created through an authentication integration with a defined LDAP directory service; you do not use the DataRobot UI to create these user accounts. |


	**LDAP accounts**

	When LDAP users sign into DataRobot for the first time, their user profiles are created and saved in DataRobot but their passwords are not. Usernames for these LDAP-authenticated users are simple usernames and not fully qualified domain names. Passwords cannot be changed. Not that if a user is removed from the LDAP Directory server or group, they are not able to access DataRobot. The user account, however, remains intact.

	!!! note
    	[Local authentication](#create-user-accounts) is not supported when LDAP is enabled (i.e., no "mixed mode").

	See the instructions below for creating local authentication accounts.

## Create user accounts {: #create-user-accounts }

As an administrator, you create and add new users to your DataRobot installation. The first user account you should create is one for yourself, so that you can access DataRobot as a user in addition to using the default administrator account. Use the following steps to create your own user account, and then repeat them for each additional user.

=== "SaaS"

	1. Expand the profile icon located in the upper right and click **APP ADMIN > Users** from the dropdown menu.

    	![](images/admin-create-user-2.png)

	2. Click **Create a user** at the top of the displayed page.

	  	![](images/admin-add-new-user.png)

	3. In the displayed dialog, enter the username (i.e., email address), first name, and password for the new user (other account settings are optional at this point).

    	![](images/admin-create-user-3.png)

	4. Click **Create user**. If successful, you see the message "Account created successfully" and the username for the new account.

	5. Click **View user profile** to view and configure user settings for this user, or click **Close**.

=== "Self-Managed"

	1. Expand the profile icon located in the upper right and click **APP ADMIN > Users** from the dropdown menu.

    	![](images/admin-create-user-2.png)

	2. Click **Create a user** at the top of the displayed page.

	  	![](images/admin-add-new-user.png)

	3. In the displayed dialog, enter the username (i.e., email address), first name, and password for the new user (other account settings are optional at this point). If shown, selecting [Require Clickthrough Agreement](manage-access#create-a-user-agreement) may be necessary for your cluster deployment.

	4. Click **Create user**. If successful, you see the message "Account created successfully" and the username for the new account.

	5. Click **View user profile** to view and configure user settings for this user, or click **Close**.

The new user will now be listed in the Users table. You can open the User Profile to see some important information including the user's application-assigned ID.

## Set admin permissions for users {: #set-admin-permissions-for-users }

=== "SaaS"

	As an admin, you can set organization admin permissions for other DataRobot users within the application, including your personal user account. These permissions allow the recipient to enable or disable features per user, as needed. Visit the **Settings** page to see a list of available features; hover over a feature name for a brief description.

	Below are the steps to enable administrator access for any user. This user will have administrator access to all DataRobot functionality configured for the application.

	!!! note
    	Consider and control how you provide admin settings to non-administrator users. One way to do this is to add settings only on an as-needed basis and then remove those settings when related tasks are completed.

	1. From the **Users** page, locate the user and select to open the user's profile page.

	2. Click **Membership** to display the organization and groups that the user is a member of.

	3. Under the **Organization** header, check the box in the **Org Admin** column to enable organization admin permissions for the user.

	![](images/org-admin-2.png)

	This user can now modify settings for other users. At any point, if you want to disable these permissions for the user, uncheck the box; the user will no longer have administrator capabilities.

=== "Self-Managed"

	As an admin, you can set admin permissions for other DataRobot users within the application, including your personal user account. These permissions allow the recipient to enable or disable features per user, as needed. Visit the **Settings** page to see a list of available features; hover over a feature name for a brief description.

	Below are the steps to enable administrator access for any user. This user will have administrator access to all DataRobot functionality configured for the application.

	!!! note
    	Consider and control how you provide admin settings to non-administrator users. One way to do this is to add settings only on an as-needed basis and then remove those settings when related tasks are completed.

	1. From the **Users** page, locate the user and select to open the user's profile page.

	2. On **User Profile**, click **Change Permissions** to display the **User Permissions > Manage Settings** page for the user

		![](images/user-profile-admin-guide.png)

	3. Select the Admin setting “Can manage users” and click **Save**.

	This user now can modify settings for other users. At any point, if you want to disable the “Can manage users” setting for this user, uncheck the box and click **Save**; the user will no longer have administrator capabilities.

## Self-Managed AI Platform admins {: #self-managed-ai-platform-admins }

The following is available only on the Self-Managed AI Platform.

### Additional permissions options {: #additional-permissions-options }

To set permissions and supported features for users, repeat the previous process selecting the desired permissions from those listed in the user's **User Permissions > Manage Settings** page. See the settings and features description for information on the available admin settings and optional features.

For each user you can also:

* Set their maximum [personal worker allocation](admin-overview#define-workers).
* Set their RAM usage limit.
* Set their file upload size limit.
* Set the rate at which the [Deployment page](deploy-inventory#inventory-update) refreshes (three second minimum).
* Assign them to an organization (you must create the organization first).

![](images/admin-additional-settings.png)

##  RBAC for users {: #rbac-for-users }

Role-based access (RBAC) controls access to the DataRobot application by assigning users roles with designated privileges. The assigned role controls both what the user sees when using the application and which objects they have access to. RBAC is additive, so a user's permissions will be the sum of all permissions set at the user and group level.

To assign a user role:

1. From the **Users** page, locate and select the user to open their profile page.

    ![](images/admin-create-user-2.png)

2. Click the **Permissions** tab to view a list of settings and permissions.

    ![](images/admin-personal-worker-1.png)

3. Open the **User roles** dropdown menu and select the appropriate role(s) for the user.

    ![](images/rbac-1.png)

4. When you're done, click **Save changes**.

Review the [role and access definitions](rbac-ref) to understand the permissions enabled for each role.

!!! tip
    Avoid granting access to specific features by assigning roles at the user-level because this makes managing permissions more difficult&mdash;causing you to have to modify several users, rather than a few groups, as well as increasing the possibility of having users with non-standardized levels of access. Make sure access to features required to complete work are defined at the group- or org-level, and that the user is a member.

!!! note
    Note that RBAC overrides [sharing-based role permissions](roles-permissions). For example, consider a user is assigned the Viewer role via RBAC, which only has <em>Read</em> access to objects. If this user has a project shared with them that grants Owner permissions (which offers <em>Read and Write</em> access), the Viewer role takes priority and denies the user <em>Write</em> access.

## Manage execution environment limits {: #manage-execution-environment-limits }

{% include 'includes/ex-env-limits.md' %}

1. Click your profile avatar (or the default avatar ![](images/icon-gen-settings.png)) in the upper-right corner of DataRobot, and then, under **APP ADMIN**, click **Users**.

    ![](images/admin-create-user-2.png)

2. From the **Users** page, locate and select the user to open their profile page.

3. Click the **Permissions** tab to view a list of settings and permissions.

    ![](images/admin-personal-worker-1.png)

4. On the **Permissions** tab, click **Platform**, and then click **Admin Controls**.

    ![](images/platform-admin-controls.png)

5. Under **Admin Controls**, set either or both of the following settings:

    * **Execution Environments limit**: The maximum number of custom model execution environments a user can add. This limit setting can't exceed 999.

    * **Execution Environments versions limit**: The maximum number of versions a user can add to each custom model execution environment. This limit setting can't exceed 999.

        ![](images/execution-env-controls.png)

6. Click **Save changes**.

## Change passwords {: #change-passwords }

You can change passwords for internal and local authentication user accounts. If your cluster uses LDAP authentication, you cannot change the password for any of the user types (individual users or the `admin@datarobot.com` account). If you need help generating a new password for the default administrator, contact Customer Support.

### Change your own password {: #change-your-own-password }

To change your own password:

1. Expand the profile icon located in the upper right and click **Settings**.

2. In the displayed page, enter your current password and then the new password twice (to create and confirm). Click **Change Password**.

DataRobot enforces the following password policy:

- Only printable ASCII characters
- Minimum one capital letter
- Minimum one number
- Minimum 8 characters
- Maximum 512 characters
- Username and password cannot be the same

### Change a user's password {: #change-a-users-password }

1. From the **APP ADMIN > Manage Users** page, locate the user and click to open their profile.

2. Click **Change Password**.

	![](images/admin-change-users-password.png)

4. In the displayed page, enter and confirm the new password.

5. When finished, click **Change Password**.

## Manage groups and organization membership {: #manage-groups-and-organization-membership }

SaaS admins can manage groups; Self-Managed admins can manage groups and organizations.

!!! note
    Users can have membership in up to 50 groups.

=== "Saas"

	Configuring groups helps you to manage users across the DataRobot platform. For more information, see:

	* [Group overview](admin-overview#what-are-groups)
	* [Creating groups](manage-groups#create-a-group)

	Once created, you can add one or more users as members from the group creation page. To add users individually, follow the steps below.

	!!! note
    	Note that *users* can see which groups they belong to from the **Membership** page, but they do not have permissions to make changes to those memberships.

	Browse to the **Users** page, select the user, and in **User Profile** click **Membership**. The **User Membership** page shows the currently configured groups for this user.

	![](images/org-admin-1.png)

	Work with the page as follows:

	|            | Field | Description |
	| ---------- | ----- | ----------- |
	| ![](images/icon-1.png) | **Add User to Groups** (1) | Opens a dialog where you can enter the name(s) of groups to add the user to. Note that if a group is assigned to an organization, you can only add members from that organization.
	| ![](images/icon-2.png) | *&lt;Group_name&gt;* | Opens the group configuration to allow editing of the name and description.|

=== "Self-Managed"

	Configuring groups and organizations helps you to manage users and resources across the DataRobot platform. For more information, see:

	* [Group overview](admin-overview#what-are-groups)
	* [Creating groups](manage-groups#create-a-group)
	* [Organization overview](admin-overview#what-are-organizations)
	* [Creating organizations](manage-orgs#creating-organizations)

	Once created, you can add one or more users as members from the group and organization creation pages. To add users individually, follow the steps below.

	!!! note
    	Note that *users* can see which organization and groups they belong to from the **Membership** page, but they do not have permissions to make changes to those memberships.

	Browse to the Users page, select the user, and in **User Profile** click **Membership**. The **User Membership** page shows the currently configured organization and any groups for this user.

	![](images/admin-usermembership-unconfigured.png)

	Work with the page as follows:

	|            | Field | Description |
	| ---------- | ----- | ----------- |
	| ![](images/icon-1.png) | Organization | Enter the name for the organization. Each user can be a member of only one organization.  |
	| ![](images/icon-2.png) | Go to org profile  | Displays information about that organization. If you do not see the organization you want, you must first create it.  |
	| ![](images/icon-3.png) | Add user to groups | Opens a dialog where you can enter the name(s) of groups to add the user to. If the user is a member of an organization, only groups also part of the same organization, or part of no organization, are available for selection. Users can have membership in up to 50 groups. |
	| ![](images/icon-4.png) | *&lt;Group_name&gt;* | Opens the group configuration to allow editing of the name and description. |

	When you next look at this user's profile, you see the organization for the user.

	![](images/admin-org-orgprofile.png)


## Deactivate user accounts {: #deactivate-user-accounts }

You cannot delete a user account from DataRobot&mdash;this ensures that your company's data is not lost, regardless of employee movement. However, the admin can block a user's access to DataRobot while ensuring the data and projects they worked on remain intact.

From **APP ADMIN > Manage Users**, locate the user:

* To deactivate, click the padlock icon next to their name, changing it to locked ![](images/icon-lock.png).
* To restore access, click the padlock icon to open ![](images/icon-unlock.png).

You can also change user account access from **Users > User Profile** by clicking **Enable User** or **Disable User**.

![](images/enable-disable-user-profile.png)

## View latest user activity {: #view-latest-user-activity }

From the **User Profile**, you can quickly access the most recent app usage activities for the user.

* Click **Recent activity** (near the bottom of the page) to see the last five app activities recorded for this user. Clicking the refresh link updates the list of activities:

	![](images/useractivity-userprofile-recentactivity.png)

* Click **View Activity** to see the [user activity monitor](main-uam-overview#view-activity-and-events) showing all app activities recorded for this user.
	![](images/admin-view-users-activity.png)
