User Management
Basic user management operations in FerrisKey.
FerrisKey provides essential user management capabilities within each Realm. This guide covers the basic operations for managing users in your application.
Overview
User management in FerrisKey is Realm-scoped, meaning users are isolated within their respective Realms. Each Realm maintains its own user base with independent profiles and credentials.
All user management operations are performed within the context of a specific Realm, ensuring complete tenant isolation.
User Operations
User Registration
Users can be created through:
- Self-registration - Users sign up directly through your application
- Admin creation - Administrators create users manually
- API provisioning - Programmatic user creation via API
User Authentication
FerrisKey supports multiple authentication methods:
- Username/password - Traditional credential-based login
- Email/password - Email as the primary identifier
- Multi-factor authentication - TOTP-based second factor
Profile Management
Basic user profile information includes:
- Username - Unique identifier within the Realm
- Email address - Contact and recovery information
- Display name - User's preferred display name
- Account status - Active, inactive, or locked states
User Attributes
Standard Attributes
FerrisKey manages essential user attributes:
- username - Unique username within the Realm
- email - User's email address
- firstName - User's first name
- lastName - User's last name
- enabled - Account active status
Account Status
Users can have different account states:
| Status | Description |
|---|---|
| Active | User can authenticate and access applications |
| Inactive | User account is disabled, authentication blocked |
| Locked | Account temporarily locked due to security policies |
Security Features
Password Policies
Configure password requirements per Realm:
- Minimum length - Enforce password complexity
- Character requirements - Uppercase, lowercase, numbers, symbols
- Password history - Prevent password reuse
Account Protection
Built-in security measures:
- Account lockout - Automatic lockout after failed attempts
- Password expiration - Force password changes periodically
- Audit logging - Track user authentication events
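The status table above and the account-lockout measure, as an added Rust example that is not FerrisKey's own code: an account's effective status is derived from the `enabled` attribute and a lock timestamp, and the lock is applied after a streak of failed credential checks. The threshold (5) and lock duration (15 minutes) are assumed values.

```rust
// Added example, not FerrisKey's own code; threshold and lock duration are assumed.
use std::time::{Duration, Instant};
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AccountStatus {
    Active,   // may authenticate
    Inactive, // disabled by an admin; only an admin re-enables it
    Locked,   // temporary lock imposed by the lockout policy
}

pub const MAX_FAILED_ATTEMPTS: u32 = 5;
pub const LOCK_DURATION: Duration = Duration::from_secs(15 * 60);

#[derive(Default)]
pub struct Account {
    pub enabled: bool, // the `enabled` attribute listed above
    failed_attempts: u32,
    locked_until: Option<Instant>,
}

impl Account {
    pub fn new() -> Self {
        Account { enabled: true, ..Default::default() }
    }

    /// Effective status at `now`: a temporary lock expires on its own,
    /// an admin-disabled account never does.
    pub fn status(&self, now: Instant) -> AccountStatus {
        match self.locked_until {
            _ if !self.enabled => AccountStatus::Inactive,
            Some(until) if now < until => AccountStatus::Locked,
            _ => AccountStatus::Active,
        }
    }

    /// Record the outcome of a credential check and return the resulting status.
    /// A success resets the counter, so only a streak of failures locks. Callers
    /// check `status` first: Locked/Inactive attempts never reach the credential store.
    pub fn record_attempt(&mut self, success: bool, now: Instant) -> AccountStatus {
        if success {
            self.failed_attempts = 0;
        } else {
            self.failed_attempts += 1;
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS {
                self.failed_attempts = 0; // fresh streak once the lock expires
                self.locked_until = Some(now + LOCK_DURATION);
            }
        }
        self.status(now)
    }
}
```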
MFA Management
TOTP Setup
Users can enable Time-based One-Time Passwords:
- QR Code generation - Users scan QR code with authenticator app
- Secret sharing - Manual entry for compatible apps
- Verification - Confirm setup with test code
- Backup codes - Recovery options for lost devices
MFA Status
Track MFA enrollment per user:
- Not configured - User hasn't set up MFA
- Configured - TOTP is active and required
- Disabled - MFA temporarily disabled by admin
Best Practices
User Lifecycle
- Onboarding - Clear registration and setup process
- Active management - Regular review of user accounts
- Offboarding - Proper account deactivation when users leave
Security Guidelines
- Strong passwords - Enforce robust password policies
- MFA adoption - Encourage or require multi-factor authentication
- Regular audits - Monitor user access patterns and permissions
- Prompt deactivation - Quickly disable accounts when needed
User management forms the foundation of your application's security. Start with basic operations and gradually implement more sophisticated policies as your requirements evolve.