# User Management ### 👥 **Who It Applies To** | Role | Capabilities | | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | | **Admins** | Admins have full control of all users in your organization. They can sync and edit records, manage roles, on/offboard users and oversee app access. | | **Manager** | They can manage and edit the records of their own reports but cannot make organization-wide changes to users. | *** ### 📖 Key Concepts * **User Overview**: Central place to view and manage all users in Cakewalk. * **Sources**: Users can come from HRIS, IdP, integrations or manual invites. * **Roles**: Define what permissions a user has within Cakewalk (User, Admin, General Manager). * **Statuses**: Define whether a user is governed, visible, and able to act (Discovered, Active, Ignored, Offboarding, Deactivated). See the [User Data Model](/concepts/data-models/user-data-model.md) for details. * **NHI visibility**: Non-human identities (NHIs) are shown in a separate read-only NHI table under Users. They are not stored in the User model. * **Joiner–Mover–Leaver (JML)**: Automates lifecycle changes incl. onboarding, role/team/department moves and offboarding. * **Merging**: Combines duplicate records (e.g., one discovered via login, one synced from HRIS) into a single identity. * **App Access**: Shows all apps a user has access to and allows granting/removing access directly. :bulb:*Why this matters*: User Management ensures your directory reflects reality. No duplicates, no stale accounts and accurate lifecycle governance. *** ### :tools: User Management **Workflows** #### Import & Sync Users * **Navigation**: *Settings* → *Data sources*. * **Actions**: * Connect HRIS or IdP to import users (supports 100+ systems). * Automatically syncs user details including **Manager**. * Users sync automatically every 2 hours to trigger JML updates. * Option to invite users not part of connected systems. * **Who can do this**: * **Admins** can connect systems and import/sync all users. * **Managers** can only invite their own reports. *** #### View & Edit User Details * **Navigation**: *User overview* → contextual menu → *Edit user*. * **Actions**: Edit Name, Manager, Team, Category, Email, Aliases. * **Who can do this**: * **Admins** for all users. * **Managers** for their own reports. *** #### Manage User Roles * **Navigation**: *User overview* → contextual menu → *Edit user*. * **Actions**: Change a user’s designated role. * **Reference**: Read more about roles & permissions [here](/concepts/cakewalk-roles-and-permissions.md). * **Who can do this**: Only **Admins**. *** #### Manage User Status * **Definition**: Status controls whether a user is governed, visible, and able to act. See the [User Data Model](/concepts/data-models/user-data-model.md) for details. * **Navigation**: *User overview* → contextual menu. * **Actions**: Transition users between statuses (e.g., Discovered, Active, Ignored, Offboarding, Deactivated). * **Who can do this**: * **Admins** can set or transition any status. * **Managers** can only trigger onboarding/offboarding for their reports. *** #### Joiner–Mover–Leaver (JML) * **Navigation**: *User overview*. * **Actions**: * **Joiner**: Onboard automatically via HRIS/IdP or directly via *New user*. * **Mover**: Update access automatically when role/team/department changes. * **Leaver**: Trigger offboarding workflows and revoke access. * **Reference**: Read more about JML [here](/how-to-guides/users-and-groups/joiner-mover-leaver-jml.md). * **Who can do this**: * **Admins** for the entire org. * **Managers** only for their reports. *** #### Merging Users * **Navigation**: *User overview* → contextual menu → *Merge user*. * **Actions**: Merge duplicate records so data, aliases, and access history are combined into one primary identity. * **Outcome**: Retains one primary user; other emails become aliases. * **Benefit**: Prevents duplicate tasks, misrouted requests, incomplete reviews. * **Who can do this**: Only **Admins**. *** #### Manage App Access * **Navigation**: * To **assign**: *User overview* → contextual menu → *Assign app(s)*. * To **remove**: *User overview* → select user → *Access* table → remove app directly. * **Actions**: Grant or remove app access for users. * **Visibility**: View all assigned apps in the *User overview*. * **Auditing**: All changes logged for compliance. * **Who can do this**: * **Admins** for all users. * **Managers** only for their reports. *** #### View Non-Human Identities (NHI Table) * **Navigation**: *Users* → *NHI*. * **What you see**: Read-only table with **Name**, **App**, **Discovery Source**, and **Discovered On**. * **Table behavior**: * Search, filter, and sort supported. * No row click-through. * **Visibility rules**: * Access to the NHI table depends on workspace feature-flag and permissions. * The table can be visible even when there are currently no NHIs (empty state). * NHIs discovered through access sync are removed when that access sync is removed. * **Scope constraints**: * No request, policy, or provisioning actions for NHIs. * NHI records are separate from Users and do not affect user lifecycle workflows. *** ### 📋 User Management Actions at a Glance | Action | Who performs it | What happens | Why it matters | | ----------------------------- | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- | | **Import & Sync Users** | Admins, Managers | Admins connect HRIS/IdP to import and sync users every 2 hours. Managers can invite their own reports. | Keeps directory up to date and triggers JML events promptly. | | **View & Edit User Details** | Admins, Managers | Edit name, manager, team, email, aliases. Admins for all users; Managers for their reports only. | Ensures user data stays accurate and organizational context is reflected. | | **Manage User Roles** | Admins only | Change a user’s designated role. | Controls permissions framework consistently across Cakewalk. | | **Manage User Status** | Admins, Managers | Transition between statuses (Discovered, Active, Ignored, Offboarding, Deactivated). Managers can only trigger onboarding/offboarding for reports. | Defines whether a user is governed, visible, and able to act. | | **Joiner–Mover–Leaver (JML)** | Admins, Managers | Automates onboarding, role/team/department changes, and offboarding. Managers can only apply to their reports. | Ensures lifecycle changes are reflected consistently and least privilege is enforced. | | **Merge Users** | Admins only | Merge duplicate user records into a single identity with aliases. | Prevents duplicate tasks, misrouted requests and incomplete reviews. | | **Manage App Access** | Admins, Managers | Assign or remove apps per user. Admins for all users; Managers for their reports. | Centralizes app access, supports audits, and enforces governance policies. | --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.getcakewalk.io/how-to-guides/users-and-groups/user-management.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.