Manage Users
Demonstrate the ability to manage users: Add SSH keys, add users to projects, manage roles (Admin, Contributor, Reader), and configure permissions.
Cloud User Management
User Management Overview
Managing users in Commerce Cloud involves adding SSH keys, creating user accounts, and assigning appropriate roles and permissions.
Add SSH Key
Via Web UI
Navigate to: Account settings → Account Settings → SSH Keys
- Click on your user icon (top-right)
- Select "Account settings"
- Go to "SSH Keys" section
- Click "Add public key"
- Paste your SSH public key
- Give it a descriptive name
- Save
Via CLI
You can also add SSH keys using the magento-cloud CLI:
magento-cloud ssh-key:add
This command will prompt you to select or specify your SSH key file.
ssh <environment-id>@ssh.<region>.magento.cloud
Generating SSH Keys
If you don't have an SSH key yet, generate one:
# Generate new SSH key
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
# View your public key
cat ~/.ssh/id_rsa.pub
Add Users to a Project
Via Web UI
- Click the gear icon next to your project
- Select Users
- Click Add User
- Enter user's email address
- Select role and permissions
- Save
The user will receive a welcome email from Magento with instructions on how to get started.
Via CLI
You can also use the magento-cloud CLI to add users:
magento-cloud user:add
User Access Levels
You can allow users access at two levels:
- Project Level: Access to the overall project
- Environment Level: Access to specific environments within the project
Super User / Admin
Each user can be designated as a "Super User/Admin":
- Allows them to do anything in any environment
- Overrides environment-specific restrictions
- Full project access without limitations
If Super User is NOT enabled:
- You can designate access per environment
- User only has access to specified environments
- More granular control over permissions
User Roles
1. Admin
- Can do just about anything
- Only role that can access SSH by default
- Full environment control
- Can manage settings, deploy, merge, branch
- Can add/remove users
2. Contributor
- Can merge code to an environment
- Can branch from an environment
- Can push code and trigger deployments
- Cannot SSH by default
Enable SSH for Contributors
You can allow contributors to SSH into an environment by adding this to .magento.app.yaml:
access:
    ssh: contributor
3. Reader
- View-only access
- Can view environments and logs
- Cannot make changes
- Cannot push code, merge, or branch
- Cannot SSH
"Like reading books from the library but more boring (as Magento Cloud is not a historical novel)."
Permission Changes and Redeployment
When you change user permissions, you must redeploy the environment for changes to take effect.
Trigger Redeployment
If no code changes are needed, use an empty commit:
git commit --allow-empty -m "Redeploy for permission changes"
git push
Support Ticket Access
Providing access to support tickets is a completely different mechanism than providing access to configure environments.
Where to Manage Support Access
Support ticket access is managed on the magento.com portal, not in the Cloud Admin UI.
Default Permissions
- By default, only the account owner can create support tickets
- Account owner is shown in: Top ribbon → Settings gear icon → Users → Account owner
Share Support Access
The account owner can share "Submit a Ticket" access via their Magento portal:
- Log into magento.com
- Go to account/support settings
- Add users who should be able to submit tickets
- Specify permission level
- Cloud Admin UI: Manage environment access and permissions
- Magento.com Portal: Manage support ticket access
User Management Best Practices
Security Best Practices
- Least Privilege: Grant only necessary permissions
- Reader Role: Use for auditors, stakeholders, or anyone who only needs to view
- Contributor Role: For developers who push code but don't need SSH
- Admin Role: Only for senior developers or DevOps who need full control
- SSH Keys: Regularly audit and remove unused keys
Environment-Specific Access
- Restrict production access to essential personnel only
- Allow broader access to integration/development environments
- Use Super User designation sparingly
Onboarding Workflow
- Add user to project with appropriate role
- User receives welcome email with instructions
- User adds SSH key to their account
- Configure environment-specific permissions if needed
- Redeploy environments after permission changes
- Test access and SSH connectivity
CLI Commands Reference
SSH Key Management
# Add SSH key
magento-cloud ssh-key:add
# List SSH keys
magento-cloud ssh-key:list
# Delete SSH key
magento-cloud ssh-key:delete <id>
User Management
# Add user to project
magento-cloud user:add
# List users
magento-cloud user:list
# Update user role
magento-cloud user:update
# Delete user
magento-cloud user:delete <email>
Role Permission Matrix
| Action | Admin | Contributor | Reader |
|---|---|---|---|
| View environments | ✓ | ✓ | ✓ |
| View logs | ✓ | ✓ | ✓ |
| Push code | ✓ | ✓ | ✗ |
| Merge branches | ✓ | ✓ | ✗ |
| Create branches | ✓ | ✓ | ✗ |
| SSH access (default) | ✓ | ✗ | ✗ |
| SSH (with yaml config) | ✓ | ✓ | ✗ |
| Manage users | ✓ | ✗ | ✗ |
| Change settings | ✓ | ✗ | ✗ |
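The two SSH rows of the matrix above can be checked mechanically. The following shell functions are an added example, not code from the original page or from Magento: they read the `access` block of a `.magento.app.yaml` file and list which users end up with SSH. The function names and the "email role" inventory format are assumptions made for illustration, and only the `admin` and `contributor` values described on this page are recognised.

```shell
#!/bin/sh
# Added example: report who can SSH, from .magento.app.yaml plus a role list.

# Print the access.ssh value, or "admin" when unset (the page's stated default).
ssh_access_level() {
    awk '
        /^[^ \t#]/ { in_access = ($0 ~ /^access:[ \t]*(#.*)?$/); next }
        in_access && /^[ \t]+ssh:/ {
            sub(/^[ \t]+ssh:[ \t]*/, ""); sub(/[ \t]*(#.*)?$/, "")
            print; found = 1; exit
        }
        END { if (!found) print "admin" }
    ' "$1" | tr -d "\"'"
}

# Return 0 if SSH stays Admin-only, 1 if widened to Contributors,
# 2 for a value this check does not recognise (needs manual review).
check_ssh_policy() {
    level=$(ssh_access_level "$1")
    case "$level" in
        admin)       echo "OK: SSH limited to Admin"; return 0 ;;
        contributor) echo "REVIEW: Contributors can SSH"; return 1 ;;
        *)           echo "UNKNOWN: access.ssh=$level"; return 2 ;;
    esac
}

# Read "email role" lines on stdin (constructed format, not CLI output)
# and print the users who can SSH under the file's access setting.
users_with_ssh() {
    level=$(ssh_access_level "$1")
    awk -v level="$level" '
        $2 == "admin"                                 { print $1; next }
        $2 == "contributor" && level == "contributor" { print $1 }
    '
}

# Demo on constructed sample data.
demo_dir=$(mktemp -d)
printf 'name: mymagento\naccess:\n    ssh: contributor\n' > "$demo_dir/.magento.app.yaml"
printf '%s\n' 'lead@example.com admin' 'dev@example.com contributor' \
    'audit@example.com reader' > "$demo_dir/roles.txt"
check_ssh_policy "$demo_dir/.magento.app.yaml" || true
users_with_ssh "$demo_dir/.magento.app.yaml" < "$demo_dir/roles.txt"
rm -rf "$demo_dir"
```

Running `check_ssh_policy` against a branch's `.magento.app.yaml` before merging means a change that widens SSH access gets reviewed before it deploys.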
Exam Tips
- SSH Keys: Account settings → SSH Keys; or magento-cloud ssh-key:add
- Add Users: Gear icon → Users → Add User; or magento-cloud user:add
- Admin: Only role with SSH access by default; can do anything
- Contributor: Can merge and branch; SSH via ssh: contributor in .magento.app.yaml
- Reader: View-only access; cannot make changes
- Super User: Access to all environments; overrides restrictions
- Permission Changes: Must redeploy with git commit --allow-empty
- Support Tickets: Managed on magento.com portal, NOT in Cloud Admin UI
- Account Owner: Only one who can create support tickets by default