Creating Users and Assigning Roles
This guide covers how to create users and assign roles to them in OSMO using the osmo user CLI. These operations require the osmo-admin role.
Note
If you use an identity provider (IdP), users can also be created automatically when they first log in (just-in-time provisioning). In that case, you may only need the CLI to manage roles for existing users. See IdP Role Mapping and Sync Modes for how IdP group claims map to OSMO roles.
Prerequisites
OSMO CLI installed and logged in
Admin privileges (osmo-admin role)
Creating a user
Create a new user with osmo user create. Optionally assign initial roles at creation time with --roles.
# Create a user with no initial roles
$ osmo user create alice@example.com
# Create a user with initial roles
$ osmo user create bob@example.com --roles osmo-user osmo-ml-team
Example output:
User created: bob@example.com
Roles assigned: osmo-user, osmo-ml-team
See Preconfigured Roles (Default) for a description of each built-in role, or Custom Roles and Policies (Advanced) if you need to create custom roles.
Viewing user details
Retrieve a user’s information and current role assignments:
$ osmo user get alice@example.com
Example output:
User ID: alice@example.com
Created At: 2026-02-20
Created By: admin
Roles:
- osmo-user (assigned by admin on 2026-02-20)
Listing users
List all users, or filter by ID prefix or role:
# List all users
$ osmo user list
# Filter by ID prefix
$ osmo user list --id-prefix alice
# Filter by role
$ osmo user list --roles osmo-admin
Assigning and removing roles
Use osmo user update to add or remove roles from an existing user.
Adding roles
$ osmo user update alice@example.com --add-roles osmo-admin
Removing roles
$ osmo user update alice@example.com --remove-roles osmo-ml-team
You can combine both in a single command:
$ osmo user update alice@example.com --add-roles osmo-admin --remove-roles osmo-user
Note
When a role is removed from a user, it is automatically removed from all of that user’s access tokens.
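A least-privilege review built on the commands above, as an added example that is not part of the OSMO documentation: it reads osmo user get output and prints one osmo user update --remove-roles command for every role that is not on an approved list. It assumes the real output matches the example output shown on this page; the function names, the approved list and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: reconcile a user's roles against an approved list.
# Assumption: `osmo user get` prints roles as "- <role> (assigned by ...)"
# lines under a "Roles:" header, as in the example output on this page.

# Print the role names found in `osmo user get` output read from stdin.
parse_roles() {
    awk '
        /^Roles:/ { in_roles = 1; next }
        in_roles && /^[ \t]*- / { print $2 }
    '
}

# Usage: plan_revocations USER "approved roles" < osmo-user-get-output
# Prints one `osmo user update --remove-roles` command per unapproved role.
# Nothing is executed; the output is a plan for an admin to review.
plan_revocations() {
    user=$1
    approved=" $2 "
    parse_roles | while read -r role; do
        case "$approved" in
            *" $role "*) ;;   # role is approved: keep it
            *) printf 'osmo user update %s --remove-roles %s\n' "$user" "$role" ;;
        esac
    done
}

# Constructed sample in the format of the example output above.
SAMPLE='User ID: alice@example.com
Created At: 2026-02-20
Created By: admin
Roles:
- osmo-user (assigned by admin on 2026-02-20)
- osmo-admin (assigned by admin on 2026-02-21)
- osmo-ml-team (assigned by admin on 2026-02-21)'

# Dry run against the sample: only osmo-admin is outside the approved list.
printf '%s\n' "$SAMPLE" | plan_revocations alice@example.com "osmo-user osmo-ml-team"
```

Against a live deployment, pipe osmo user get for the user into plan_revocations instead of the sample text.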
Deleting a user
Delete a user and all associated data (tokens, roles, profile):
$ osmo user delete alice@example.com
Use --force to skip the confirmation prompt:
$ osmo user delete alice@example.com --force
Creating access tokens
After creating a user and assigning roles, you can create access tokens for programmatic access. Tokens inherit the user’s roles (or a subset specified with --roles).
# Create a token for yourself
$ osmo token set my-token --expires-at 2027-01-01
# Admin: create a token for another user with specific roles
$ osmo token set service-token \
    --user alice@example.com \
    --expires-at 2027-01-01 \
    --roles osmo-user
Important
Save the token securely – it is only displayed once at creation time.
See Service Accounts for detailed guidance on service account patterns and token management.
See also
Preconfigured Roles (Default) for built-in role descriptions
IdP Role Mapping and Sync Modes for IdP role mapping and sync modes
Service Accounts for service account and token management patterns
User CLI for full osmo user and osmo token CLI reference