You can create Redis Enterprise Software (RS) users and assign them to roles with permissions for:

  • Cluster management - The areas of the cluster web UI and API that a user can access and edit.
  • Database connections - Commands and keys that an authenticated user can use in database connections.

You can manage users and roles in access control or with the REST API.

Adding a user

To add a user to the cluster:

  1. Go to: access control

  2. Click Add.

  3. Enter the name, email and password of the new user and select the role to assign to the user.

  4. Select the type of user:

    • internal - Authenticates with RS
    • external - Authenticates with an external LDAP server
  5. For the email alerts, click Edit and select the alerts that the user receives. You can select:

    • Receive alerts for databases - The alerts that are enabled for the selected databases are sent to the user. You can either select all databases, or you can select Customize and select the individual databases to send alerts for. All databases include existing and future databases.
    • Receive cluster alerts - The alerts that are enabled for the cluster in settings > alerts are sent to the user.

    Then, click Save.

  6. Click Save.

To edit the name, password, role or email alerts of a user, hover over the user and click Edit. To change a user from internal to external, you must delete the user and re-add it.

User account security

To make sure your user accounts are secured and not misused, RS supports enforcement of:

  • Password complexity
  • Password expiration
  • Account lock on failed attempts
  • Account inactivity timeout

To enforce a more advanced password policy that meets your contractual and compliance requirements and your organizational policies, we recommend that you use LDAP integration with an external identity provider, such as Active Directory.

Resetting user passwords

To reset a user password from the CLI, run:

rladmin cluster reset_password <username>

You are asked to enter and confirm the new password.

Setting up local password complexity

RS lets you enforce a password complexity profile that meets most organizational needs. The password complexity profile is defined by:

  • At least 8 characters
  • At least one uppercase character
  • At least one lowercase character
  • At least one number (not first or last character)
  • At least one special character (not first or last character)
  • Does not contain the User ID or reverse of the User ID
  • No more than 3 repeating characters
Note - The password complexity profile applies when a new user is added or an existing user changes their password.

To enforce the password complexity profile, run:

curl -k -X PUT -v -H "cache-control: no-cache" -H "content-type: application/json" -u "<administrator-user-email>:<password>" -d '{"password_complexity":true}' https://<RS_server_address>:9443/v1/cluster
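To pre-check a candidate password against the profile listed above before submitting it, the rules can be expressed as a small validator. This is an added example, not RS code: the function name `check_password`, the treatment of any non-alphanumeric character as "special", the case-insensitive User ID match, and reading "no more than 3 repeating characters" as "no run of 4 or more identical consecutive characters" are all assumptions.

```python
import re

# Constructed sample inputs (password, user ID); not real credentials.
SAMPLES = [
    ("Ab3$efgh", "alice"),    # compliant
    ("1Abcdefg$", "bob"),     # digit and special only at first/last position
    ("Xx9#ecila!", "alice"),  # contains the reversed User ID
    ("Aa1!aaaab", "carol"),   # run of four identical characters
]


def check_password(password, user_id):
    """Return the profile rules the password violates (empty list = compliant)."""
    failures = []
    inner = password[1:-1]  # characters that are neither first nor last

    if len(password) < 8:
        failures.append("length")
    if not any(c.isupper() for c in password):
        failures.append("uppercase")
    if not any(c.islower() for c in password):
        failures.append("lowercase")
    # The number and the special character must appear away from both ends.
    if not any(c.isdigit() for c in inner):
        failures.append("number")
    if not any(not c.isalnum() for c in inner):  # assumption: special = non-alphanumeric
        failures.append("special")

    # Assumption: the User ID comparison ignores case.
    uid = user_id.lower()
    lowered = password.lower()
    if uid and (uid in lowered or uid[::-1] in lowered):
        failures.append("user_id")

    # Assumption: "repeating" means identical consecutive characters; 4+ fails.
    if re.search(r"(.)\1{3}", password, flags=re.S):
        failures.append("repeat")
    return failures


if __name__ == "__main__":
    for pw, uid in SAMPLES:
        print(f"{pw!r} for user {uid!r}: {check_password(pw, uid) or 'compliant'}")
```
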

Setting local user password expiration

RS lets you enforce password expiration to meet your compliance and contractual requirements. To enforce an expiration of a local user password after a specified number of days, run:

curl -k -X PUT -v -H "cache-control: no-cache" -H "content-type: application/json" -u "<administrator_user>:<password>" -d '{"password_expiration_duration":<number_of_days>}' https://<RS_server_address>:9443/v1/cluster

To disable password expiration, set the number of days to 0.

Account lock on failed attempts

To prevent unauthorized access to RS, you can enforce account lockout after a specified number of failed login attempts.

Session timeout

When you log in to the Web UI, your account is automatically logged out after 15 minutes of inactivity.

To change the duration of inactivity that triggers the timeout:

  • From rladmin, run: rladmin cluster config cm_session_timeout_minutes <minutes>

  • From the REST API, run:

curl --request PUT \
  --url https://localhost:9443/v1/cluster \
  --user "<administrator_user>:<password>" \
  --header 'content-type: application/json' \
  --data '{
  "cm_session_timeout_minutes": <minutes>
}'