User Management

Note

Fugue allows you to invite other parties in your organization to access and collaborate on the same Fugue environments. Invited users have the ability to view, add, edit, and remove selected environments, as well as invite and remove other users, depending on the role-based access control policy they are assigned. Additionally, privileged users can see who else has been invited and whether they have activated their account.

_images/rbac-user-list.png

When you invite a user to Fugue, you assign that user to an RBAC group. The user receives an email invitation to create a new Fugue user account. Once they create a user account, they can view and/or manage the environments associated with their RBAC group. This can include establishing a baseline, enabling drift detection, and enabling baseline enforcement in an environment, if they are part of the Admin group.

The first user to register an organization account is the account owner. Invited users have the same permissions as the account owner, except the account owner cannot be deleted. To make a different user the account owner, contact support@fugue.co. Additionally, logged-in users cannot remove their own account.

Before you can set up multiple users, you’ll need to sign up with Fugue and set up an environment for your organization if you haven’t done so already. (See Setup - AWS & AWS GovCloud and Setup - Azure.)

Note

The organization name is the name entered during signup, and it cannot currently be changed.

User Setup

The Users Page

You can access the Users page by selecting the Organizations link in the top right corner of the UI, then selecting Users.

On the Users page, you can see a list of users in your organization along with their RBAC groups and statuses. You can also invite new users through the Invite New Users button.

_images/rbac-user-list-annotated.png

Status:

Active: Account has been activated.

Invite Pending: Invite has been sent, but the account has not yet been activated.

Invite Expired: Invite was sent, but the account was not activated in time or someone manually expired the invite. Invites expire after one week.

To Invite Another User

To invite a new user, select the Invite New Users button and enter the email address of the user you want to invite.

Press Tab to add additional email addresses if needed and press Delete to delete an address.

Next, select the RBAC group the user should belong to.

Then, select Send Invitation Email.

_images/RiskManager_InviteNewUsers.png

Note

If you invite new users to your organization’s Fugue account and assign them to the Admin group, you are granting the users access to create, view, edit, and delete any environments in your account. You also grant them permission to establish a baseline, which facilitates drift detection and automatic enforcement.

To Re-send or Cancel an Invite

To resend or cancel an invite for a user with the status Invite Pending, select the ellipsis icon ... and choose Resend Invitation or Cancel Invitation.

Invites remain valid for one week. Resending an invite restarts the one-week period.

_images/RiskManager_InvitePendingActions.png

To Remove a User

To remove a user with the status Active, select the ellipsis icon ... and choose Remove User. You’ll be prompted to confirm removal. Note that you cannot delete the account owner or your own account.

_images/RiskManager_RemoveUserAction.png

Note

By removing a user from your organization’s Fugue account, you are revoking their access to sign in, create, view, and edit any environments in your account.

To Create a User Profile

When a user invites you to their organization, you receive the following email:

Hello, You’ve been invited to the {organization name} organization’s Fugue account by {name}. Please create a new user profile in order to begin. We’re excited for you to get started. Should you have any questions or need assistance, please feel free to contact us at support@fugue.co.

Follow the Create User Profile button in the email to create your user account. You’ll see the following form:

_images/RiskManager_CreateUserProfile.png

Enter your first name and last name and create a password. The password must be at least 8 characters. Organization and email address are automatically filled in and cannot be changed.

After you select the Create Account button, you’ll see a message asking you to confirm your email address:

An email has been sent to {email}. Please check your inbox and follow the provided instructions to activate your {organization name} Fugue account.

You also have the option of re-sending the email if you did not receive it. The email says the following:

Hello, Welcome to the {organization name} community! Please activate your account. We’re excited for you to get started. Should you have any questions or need assistance, please feel free to contact us at support@fugue.co.

After you select the Activate Account button, you’ll see the login page for Fugue with a message saying “Your account has been activated. Please log in.”

_images/RiskManager_ActivatedUser.png

Once you log in, you’ll have access to all your group’s environments and permissions.

Migrating to a Different Organization

If Alice invites Bob to Acme Organization and then Bob independently signs up for BizCorp Organization, Bob’s email is associated with BizCorp Organization. In order to migrate his user account to Acme Organization, Bob needs to contact support@fugue.co.

Handling Duplicate Invites

A user account may only be associated with one organization account. If Alice signs up for Acme Organization, she cannot use the same email address to also sign up for BizCorp Organization. If Bob sends Alice an invite to BizCorp Organization, and Alice’s email address is already registered with Acme Organization, Alice will receive the following email:

Hello, You’ve been invited to the {organization name} organization’s Fugue account by {user name}. Unfortunately, it appears that your email address is already linked to an existing organization account. If you wish to migrate your user profile to the {organization name} organization’s account, please contact Fugue support. If you don’t wish to migrate your user profile to the {organization name} organization’s account, you may safely ignore this email.

Single Sign-on (SSO)

Note

Single sign-on (SSO) for Fugue is in beta. To enable SSO for your organization, reach out to support@fugue.co.

Fugue supports single sign-on (SSO), which allows organizations to manage users through an identity provider (IdP) such as Okta or G Suite. Users can then log into Fugue using existing credentials through their IdP, rather than needing to remember another username and password.

SSO: Logging In

When a non-SSO user accesses the login page, they see the following form:

_images/blank-login.png

The user enters their username and password to log in.

However, when a user in an SSO-enabled organization enters their email address on Fugue’s login page, the form displays “Single Sign-on Enabled” and the password field disappears:

_images/sso-enabled-login.png

After selecting “Log In,” the user is directed to their organization’s IdP authentication flow. For example, if the organization uses Okta, the user will be directed to Okta’s login page.

If the user is already signed into their IdP, they will bypass the IdP login page and be immediately directed to the Fugue UI.

Note

Once SSO is enabled for an organization, users must log in through SSO. They will be unable to log in using a Fugue username and password, unless they are the organization account owner.

In an SSO-enabled organization, the account owner has the option to log in via SSO or via Fugue username and password.

SSO: Inviting Users

Inviter Workflow

For the user who is sending the invitation, the process for inviting a user to an SSO-enabled organization is the same as inviting a user to a non-SSO-enabled organization.

Invitee Workflow

Users must be invited to Fugue and complete the normal registration workflow before they can use Fugue, even if their organization has enabled SSO.

If an SSO-enabled user has not signed up for Fugue and tries to log in using SSO, the login form displays “Single Sign-on Enabled” and the user is directed to their IdP authentication flow. However, after logging into the IdP, the user is shown an error message:

Unauthorized

You are not authorized to access Fugue within your organization. Please contact your organization’s administrator for assistance.

Please reach out to support@fugue.co if you have any additional questions.

_images/sso-not-fugue-user.png

To proceed, an organization admin must invite the user to Fugue. The user can then register and sign into Fugue using SSO.
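The invitation lifecycle and the SSO login rules described on this page, modelled as an added Python example (not Fugue's code or API). The class `Org`, its method names, the return strings and the owner's group are hypothetical, and treating a pending or expired invitee as unauthorized at login is this model's reading of "complete the normal registration workflow".

```python
from datetime import datetime, timedelta

INVITE_TTL = timedelta(weeks=1)  # "Invites expire after one week"


class Org:
    """Toy model of one organization (hypothetical names, not Fugue's API)."""

    def __init__(self, owner, sso_enabled=False):
        self.owner = owner
        self.sso_enabled = sso_enabled
        self.active = {owner: "Admin"}  # email -> RBAC group (owner's group is assumed)
        self.invites = {}               # email -> (RBAC group, time last sent)

    def invite(self, email, group, now):
        # Sending again models "Resend Invitation": the one-week period restarts.
        self.invites[email] = (group, now)

    def status(self, email, now):
        if email in self.active:
            return "Active"
        if email in self.invites:
            sent = self.invites[email][1]
            return "Invite Pending" if now - sent < INVITE_TTL else "Invite Expired"
        return None  # never invited

    def activate(self, email, now):
        # Registration only succeeds against an invite that is still pending.
        if self.status(email, now) != "Invite Pending":
            raise PermissionError("no valid invite for " + email)
        self.active[email] = self.invites.pop(email)[0]

    def remove(self, actor, email):
        # Documented guards: the owner cannot be deleted, nor can your own account.
        if email == self.owner or email == actor:
            raise PermissionError("cannot remove the owner or your own account")
        del self.active[email]

    def login(self, email, method, now):
        """method: 'password', or 'sso' once the IdP has authenticated the user."""
        if self.status(email, now) != "Active":
            return "Unauthorized"  # a valid IdP session alone grants nothing
        if method == "password" and self.sso_enabled and email != self.owner:
            return "SSO required"  # only the owner keeps a password path
        if method == "sso" and not self.sso_enabled:
            return "SSO not enabled"
        return "OK"
```

In this model the owner's password is the only credential an SSO-enabled organization accepts without going through the IdP, which makes that account the one to track separately in access reviews.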