User Management

Note

Fugue allows you to invite other parties in your organization to access and collaborate on the same Fugue environments. Invited users have the ability to view, add, edit, and remove selected environments, as well as invite and remove other users, depending on the role-based access control policy they are assigned. Additionally, privileged users can see who else has been invited and whether they have activated their account.

_images/rbac-user-list.png

When you invite a user to Fugue, you assign that user to an RBAC group. The user receives an email invitation to create a new Fugue user account. Once they create a user account, they can view and/or manage the environments associated with their RBAC group. This can include establishing a baseline, enabling drift detection, and enabling baseline enforcement in an environment, if they are part of the Admin group.

The first user to register an organization account is the account owner. Invited users have the same permissions as the account owner, except the account owner cannot be deleted. To make a different user the account owner, contact support@fugue.co. Additionally, logged-in users cannot remove their own account.

Before you can set up multiple users, you’ll need to sign up with Fugue and set up an environment for your organization if you haven’t done so already. (See Setup - AWS & AWS GovCloud and Setup - Azure.)

Note

The organization name is the name entered during signup, and it currently cannot be changed.

User Setup

The Users Page

You can access the Users page by selecting the Organizations link in the top right corner of the UI, then selecting Users.

On the Users page, you can see a list of users in your organization along with their RBAC groups and statuses. You can also invite new users through the Invite New Users button.

_images/rbac-user-list-annotated.png

Status:

Active: Account has been activated.

Invite Pending: Invite has been sent, but the account has not yet been activated.

Invite Expired: Invite was sent, but the account was not activated in time or someone manually expired the invite. Invites expire after one week.

To Invite Another User

To invite a new user, select the Invite New Users button and enter the email address of the user you want to invite.

Press Tab to add additional email addresses if needed and press Delete to delete an address.

Next, select the RBAC group the user should belong to.

Then, select Send Invitation Email.

_images/RiskManager_InviteNewUsers.png

Note

If you invite new users to your organization’s Fugue account and assign them to the Admin group, you are granting the users access to create, view, edit, and delete any environments in your account. You also grant them permission to establish a baseline, which facilitates drift detection and automatic enforcement.

To Resend or Cancel an Invite

To resend or cancel an invite for a user with the status Invite Pending, select the ellipsis icon ... and choose Resend Invitation or Cancel Invitation.

Invites remain valid for one week. Resending an invite restarts the one-week period.

_images/RiskManager_InvitePendingActions.png
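An access-review pass over the statuses, the Admin group note, and the one-week invite window described above, as an added example that is not part of the Fugue documentation or product. The record fields (`activated`, `manually_expired`, `last_sent`), the `ReadOnly` group name, and the sample users are constructed assumptions, and the code calls no Fugue API.

```python
from datetime import datetime, timedelta, timezone

INVITE_TTL = timedelta(weeks=1)  # page: invites expire after one week

def invite_status(user, now):
    """Return the Users-page status implied by one (hypothetical) record."""
    if user["activated"]:
        return "Active"
    if user["manually_expired"]:
        return "Invite Expired"
    # Resending restarts the one-week period, so only the latest send counts.
    # Treating exactly one week as expired is an assumption.
    age = now - user["last_sent"]
    return "Invite Expired" if age >= INVITE_TTL else "Invite Pending"

def review(users, now):
    """List (email, finding) pairs worth a look in an access review."""
    findings = []
    for u in users:
        status = invite_status(u, now)
        if status == "Invite Pending" and u["group"] == "Admin":
            # An unclaimed invite to the Admin group is outstanding privileged access.
            left = INVITE_TTL - (now - u["last_sent"])
            findings.append((u["email"], f"unclaimed Admin invite, {left.days}d left"))
        elif status == "Invite Expired":
            findings.append((u["email"], "invite expired, resend only if still needed"))
    return findings

# Constructed sample data; field names and the ReadOnly group are assumptions.
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)
USERS = [
    {"email": "alice@example.com", "group": "Admin", "activated": True,
     "manually_expired": False, "last_sent": NOW - timedelta(days=30)},
    {"email": "bob@example.com", "group": "Admin", "activated": False,
     "manually_expired": False, "last_sent": NOW - timedelta(days=2)},
    {"email": "carol@example.com", "group": "ReadOnly", "activated": False,
     "manually_expired": False, "last_sent": NOW - timedelta(days=9)},
    {"email": "dave@example.com", "group": "ReadOnly", "activated": False,
     "manually_expired": True, "last_sent": NOW - timedelta(days=1)},
]

if __name__ == "__main__":
    for email, finding in review(USERS, NOW):
        print(email, "-", finding)
```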

To Remove a User

To remove a user with the status Active, select the ellipsis icon ... and choose Remove User. You’ll be prompted to confirm removal. Note that you cannot delete the account owner or your own account.

_images/RiskManager_RemoveUserAction.png

Note

By removing a user from your organization’s Fugue account, you are revoking their access to sign in, create, view, and edit any environments in your account.

To Create a User Profile

When a user invites you to their organization, you receive the following email:

Hello, You’ve been invited to the {organization name} organization’s Fugue account by {name}. Please create a new user profile in order to begin. We’re excited for you to get started. Should you have any questions or need assistance, please feel free to contact us at support@fugue.co.

Follow the Create User Profile button in the email to create your user account. You’ll see the following form:

_images/RiskManager_CreateUserProfile.png

Enter your first name and last name and create a password. The password must be at least 8 characters. Organization and email address are automatically filled in and cannot be changed.

After you select the Create Account button, you’ll see a message asking you to confirm your email address:

An email has been sent to {email}. Please check your inbox and follow the provided instructions to activate your {organization name} Fugue account.

You also have the option of resending the email if you did not receive it. The email says the following:

Hello, Welcome to the {organization name} community! Please activate your account. We’re excited for you to get started. Should you have any questions or need assistance, please feel free to contact us at support@fugue.co.

After you select the Activate Account button, you’ll see the login page for Fugue with a message saying “Your account has been activated. Please log in.”

_images/RiskManager_ActivatedUser.png

Once you log in, you’ll have access to all your group’s environments and permissions.

Migrating to a Different Organization

If Alice invites Bob to Acme Organization and then Bob independently signs up for BizCorp Organization, Bob’s email is associated with BizCorp Organization. In order to migrate his user account to Acme Organization, Bob needs to contact support@fugue.co.

Handling Duplicate Invites

A user account may only be associated with one organization account. If Alice signs up for Acme Organization, she cannot use the same email address to also sign up for BizCorp Organization. If Bob sends Alice an invite to BizCorp Organization, and Alice’s email address is already registered with Acme Organization, Alice will receive the following email:

Hello, You’ve been invited to the {organization name} organization’s Fugue account by {user name}. Unfortunately, it appears that your email address is already linked to an existing organization account. If you wish to migrate your user profile to the {organization name} organization’s account, please contact Fugue support. If you don’t wish to migrate your user profile to the {organization name} organization’s account, you may safely ignore this email.

Single Sign-on (SSO)

Note

To enable SSO for your organization, reach out to support@fugue.co. SSO is an Enterprise feature.

Fugue supports single sign-on (SSO), which allows organizations to manage users through an identity provider (IdP) such as Okta or G Suite. Users can then log into Fugue using existing credentials through their IdP, rather than needing to remember another username and password.

SSO: Logging In

When a non-SSO user accesses the login page, they see the following form:

_images/blank-login.png

The user enters their username and password to log in.

However, when a user in an SSO-enabled organization enters their email address on Fugue’s login page, the form displays “Single Sign-on Enabled” and the password field disappears:

_images/sso-enabled-login.png

After selecting “Log In,” the user is directed to their organization’s IdP authentication flow. For example, if the organization uses Okta, the user will be directed to Okta’s login page.

If the user is already signed into their IdP, they will bypass the IdP login page and be immediately directed to the Fugue UI.

Note

Once SSO is enabled for an organization, users must log in through SSO. They will be unable to log in using a Fugue username and password, unless they are the organization account owner.

In an SSO-enabled organization, the account owner has the option to log in via SSO or via Fugue username and password.

SSO: Inviting Users

Inviter Workflow

For the user who is sending the invitation, the process for inviting a user to an SSO-enabled organization is the same as inviting a user to a non-SSO-enabled organization.

Invitee Workflow

Users must be invited to Fugue and complete the normal registration workflow before they can use Fugue, even if their organization has enabled SSO.

If an SSO-enabled user has not signed up for Fugue and tries to log in using SSO, the login form displays “Single Sign-on Enabled” and the user is directed to their IdP authentication flow. However, after logging into the IdP, the user is shown an error message:

Unauthorized

You are not authorized to access Fugue within your organization. Please contact your organization’s administrator for assistance.

Please reach out to support@fugue.co if you have any additional questions.

_images/sso-not-fugue-user.png

To proceed, an organization admin must invite the user to Fugue. The user can then register and sign into Fugue using SSO.

Multi-Factor Authentication (MFA)

Note

To enable MFA for your organization, reach out to support@fugue.co.

Fugue allows organizations to enable multi-factor authentication (MFA), which requires users to enter a one-time password (OTP) after authenticating with their username and password at login.

Initial Login

When you log in for the first time after MFA is enabled, you’re prompted to scan a QR code using an authenticator app of your choice such as Authy, Google Authenticator, Auth0 Guardian, or Microsoft Authenticator:

_images/mfa-qr-code.png

Enter the 6-digit code provided by the authenticator. Next, Fugue generates a recovery code. (Make sure to save the code somewhere safe!) This code enables you to log in if you don’t have access to the authenticator app or device:

_images/mfa-backup-code.png

Fugue asks you to confirm that you saved the code before proceeding to log you in. You’ll see a message that Fugue has verified your identity:

_images/mfa-confirmation.png

You’re then redirected to the Fugue UI.

Subsequent Logins

Next time you log in, you’ll be asked to enter a new 6-digit code from your authenticator app:

_images/mfa-next-login.png

You can select “Remember this browser” in order to skip this step in future logins. Organizations may optionally require users to enter an OTP on every login, in which case the checkbox does not appear.

Entering a Recovery Code

If you lose access to your authenticator app or device, you can enter the recovery code Fugue gave you when you set up MFA. Select “Use your recovery code”:

_images/mfa-use-backup-code.png

Enter your recovery code on the next screen:

_images/mfa-enter-backup-code.png

Fugue generates a new recovery code for you after your code is accepted.