Represents a human user. Virtual machines and other automated systems and processes are better represented by Host instead.
Each User has a login, api_key, and optional password:
- login the user's unique login name. It may be a simple name like bob, or a qualified name like
- api_key a randomly generated secret assigned by Conjur.
- password a strong password chosen by the user.
The password can be exchanged for the API key. The API key is cached on the local machine and used to authenticate API and CLI commands.
For more information about login, see the Login Reference.
To authenticate, a user provides both of the following:
For more information about authentication, see the Authentication Reference.
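The login and authentication exchange described above, written as request builders for the Conjur 4.x HTTP API (an added example, not code from the Conjur documentation). The appliance URL, sample logins and secrets are constructed placeholders, and the `/authn/users/login` and `/authn/users/{login}/authenticate` routes are assumed from the Conjur 4 API rather than taken from this page.

```python
import base64
import urllib.parse
import urllib.request

# Assumed appliance base URL (constructed placeholder, not from the page).
APPLIANCE = "https://conjur.example.com/api"


def login_request(login, password):
    """Step 1: exchange login + password for the API key via HTTP Basic auth.

    The password is only needed here; later calls use the API key.
    """
    cred = base64.b64encode(f"{login}:{password}".encode()).decode()
    return urllib.request.Request(
        f"{APPLIANCE}/authn/users/login",
        headers={"Authorization": f"Basic {cred}"},
        method="GET",
    )


def authenticate_request(login, api_key):
    """Step 2: exchange login + API key for a short-lived access token.

    The login is a URL path segment, so a qualified login containing
    characters such as '@' or '/' must be percent-encoded with no
    characters left "safe"; otherwise the route is parsed incorrectly.
    """
    quoted = urllib.parse.quote(login, safe="")
    return urllib.request.Request(
        f"{APPLIANCE}/authn/users/{quoted}/authenticate",
        data=api_key.encode(),            # request body is the raw API key
        headers={"Content-Type": "text/plain"},
        method="POST",
    )


def token_header(token_json):
    """Step 3: wrap the JSON token returned by step 2 for later API calls."""
    b64 = base64.b64encode(token_json.encode()).decode()
    return {"Authorization": f'Token token="{b64}"'}
```

Each builder returns an unsent request, so the headers and URL can be inspected before passing it to `urllib.request.urlopen` over a verified TLS connection.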
A User is a role. As such, it can have privileges such as the ability to fetch a secret.
For more information about privileges, see the Role section of this Reference.
The id of a User cannot contain special characters such as :/. It may contain the
The username of a User is the
- CLI version 4.13.1 or higher
- Conjur appliance version 4.3 or higher
In order to support User integration between Conjur and external directories (e.g. ActiveDirectory / LDAP), Conjur supports a uidnumber attribute on user records.
User records are searchable by uidnumber via the uidsearch method. Only records visible to the current role are included in the search results.
uidnumber is exposed to systems with Conjur-controlled SSH access via the Conjur LDAPS interface.
uidnumber is unique. When somebody tries to create or update a user record with a uidnumber that already exists, the attempt fails with a "409 Conflict" error. An additional error message provides more detail about the conflict, such as the login of the user who is already holding the