# User management ## User types and roles Access to the WEKA system is managed through user accounts, each uniquely identified by a username and authenticated using a password. The system supports up to 1,152 local users. User permissions and access levels are determined by predefined roles. ### Role descriptions
RolePurposeKey permissionsRestrictions
Cluster AdminAdvanced administrative tasks for managing the cluster.Full access to system configuration, user management, and performance tuning.Cannot delete their own account or change their role to a regular user role.
CSIInterfacing with the WEKA cluster through the weka-csi-plugin for Kubernetes.
  • Provisioning, mounting, and unmounting file systems.
  • Storage management tasks through CLI and API.
  • Limited to storage management.
  • No access to broader administrative functions.
Organization AdminAdministrative tasks within a single organization.Privileges limited to managing the assigned organization.Cannot perform cluster-wide administrative tasks.
For details, see #organization-admin-role-privileges
Read-onlyViewing system configurations and data without making changes.
  • View system settings and data through GUI, CLI, and API.
  • Authenticate and write data to mounted locations (exception for authenticated mounts).
Cannot modify system settings or create file systems, protocols, or user accounts.
RegularBasic role for mounting filesystems.
  • Sign in to obtain an access token.
  • Change own password.
  • No GUI access.
  • No CLI or API commands beyond mounting tasks.
S3Running S3 commands and APIs.
  • Perform S3 operations within the limits of the assigned IAM policy.
  • Create S3 service accounts with specific policies.
Limited to actions allowed by the attached S3 IAM policy.
### **Special case: Cluster Admin (first user)** When a WEKA cluster is created, a default **Cluster Admin** user (`admin`) is generated with a default password. This user must change their password on the first login. The first user has full administrative privileges across the cluster.\ Key responsibilities and restrictions include: * **Responsibilities**: Managing cluster-wide operations, global configurations, hardware, and resources. * **Restrictions**: Cannot delete their account or downgrade their role. Cluster Admin accounts must adhere to a strict password policy: * Minimum of 8 characters. * At least one uppercase letter, one lowercase letter, and one number or special character. You can create additional Cluster Admin accounts with unique usernames. You can rename or delete the default `admin` user if at least one other Cluster Admin account exists. To ensure system continuity, maintain at least one internal Cluster Admin account for support purposes. {% hint style="info" %} When multiple organizations exist, Organization Admins manage specific organizations, while Cluster Admins handle cluster-wide and infrastructure-level tasks. {% endhint %} ## Authentication and login process The WEKA user login process involves authenticating users and managing access. The following steps outline the key components: * **Local user login**: The system first searches for the user among local accounts created using the GUI or the `weka user add` command. * **LDAP or AD integration**: If the user is not found locally but exists in an integrated LDAP or AD directory, the system verifies their credentials using LDAP. Integration must be configured beforehand. * **Login events**: * **Successful login**: Triggers a `UserLoggedIn` event, logging the username, role, and user type (local or LDAP). * **Failed login**: Prompts an "Invalid username or password" message and triggers a `UserLoginFailed` event with details of the failure. * **GUI login**: Users log in by entering their username and password in the GUI. The `WEKA_USERNAME` and `WEKA_PASSWORD` environment variables can pass this information to the CLI. * **CLI login**: Users authenticate through the CLI using the `weka user login ` command. This generates an authentication token file, defaulting to `~/.weka/auth-token.json`. * Use `weka user whoami` to verify the currently logged-in CLI user. * Adjust the token file path with the `--path` option or the `WEKA_TOKEN` environment variable. * **Persistence and defaults**: * The `weka user login` command's persistence is server-specific. * If `WEKA_USERNAME` and `WEKA_PASSWORD` are not set, the CLI uses the token file. * If no CLI user is logged in and no token file exists, the CLI defaults to `admin/admin` credentials. * **Custom token path**: Use the `WEKA_TOKEN` environment variable to specify a custom path for the authentication token file. **Related topics** [user-management](https://docs.weka.io/operation-guide/user-management/user-management "mention") [user-management-1](https://docs.weka.io/operation-guide/user-management/user-management-1 "mention") --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.weka.io/operation-guide/user-management.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.