User Management
The User Management screen in D.Hub allows you to view registered users, create new local users, and synchronize users from an external IdP (Identity Provider). User deletion and deactivation features are also available on this screen.
Only users with admin privileges can access this page. Regular users accessing the /settings/users path will see an insufficient permissions notice.
How to Access
Click the Settings menu at the bottom of the sidebar, then navigate to the User Management tab. This screen is mapped to the /settings/users path and is protected by AdminRoute, so only users with the admin role can access it.
User List
Upon entering the User Management screen, the full list of registered users is displayed in a table view.
Table Columns
| Column | Description |
|---|---|
| Username | Unique identifier used for login |
| User email address | |
| Role | admin or user |
| Auth Method | local (local account) or oidc (SSO account) |
| Status | Active or Inactive |
| Created Date | Date the account was registered |
Search and Filtering
Use the search bar at the top of the list to quickly search by username or email. You can also combine the following filters to narrow down users:
- Status filter: Distinguish between active / inactive users
- Role filter: Distinguish between admin / regular user
- Auth method filter: Distinguish between local account / OIDC account
Creating Local Users
Click the + Add User button on the user list screen to open the local user creation dialog.
Creation Fields
| Field | Required | Description |
|---|---|---|
| Username | ✅ | Unique identifier for login. Lowercase letters, numbers, and hyphens are allowed. |
| ✅ | User's email address. Duplicate registration is not allowed. | |
| Password | ✅ | Password with a minimum of 8 characters. Stored hashed using the Argon2 algorithm. |
| Role | ✅ | Choose between admin or user. |
After filling in all fields, click the Create button to create the user.
Local users log in directly with their username and password. Even in environments where OIDC SSO is configured, you can create separate local accounts for emergency access.
OIDC Users
In environments where OIDC SSO is configured, users are automatically registered in D.Hub when they first log in through an external IdP (Keycloak, Azure AD, Zitadel, etc.). These registered users are shown with the oidc auth method.
Characteristics of OIDC users:
- Passwords are not stored in D.Hub; authentication is handled by the external IdP
- User profiles (email, name, etc.) are automatically fetched from the IdP's token claims
- Admins can separately assign roles within D.Hub
User Sync
Users registered in an external IdP can be bulk-synchronized to D.Hub. This is useful for pre-configuring access control, as admins can obtain the user list in advance without users having to log in first.
Sync Procedure
- Click the Sync Users button on the user list screen
- The user list is fetched from the connected IdP (Keycloak, Azure AD, Zitadel)
- Users not yet registered in D.Hub are automatically added
- Profile information (email, name) of already registered users is updated with IdP data
Supported IdPs
| IdP | Sync Method | Notes |
|---|---|---|
| Keycloak | Admin REST API | Retrieves all users within the realm |
| Azure AD | Microsoft Graph API | Retrieves users within the tenant |
| Zitadel | Management API | Retrieves users within the organization |
Sync is a one-way operation from IdP → D.Hub. Local users created in D.Hub are not synced back to the IdP.
User Deletion and Deactivation
User Deactivation
Instead of immediately deleting a user, you can deactivate them to block login. Deactivated users remain in the list and can be reactivated later.
User Deletion
Select the user to delete from the user list and click the Delete button. Deleted users cannot be recovered.
- Ownership of resources (Collections, Datasets, Pipelines, etc.) owned by the user is not transferred. It is recommended to transfer resource ownership to another user before deletion.
- Deleting an OIDC user from D.Hub does not delete them from the IdP. If the user logs in again via SSO, they may be automatically re-registered.
Next Steps
| Document | Description |
|---|---|
| Group Management | Create user groups and manage members |
| Authentication & Access Control | Local auth, OIDC SSO, ReBAC-based access control |