Version: current [26.x]

Manage Users

Manage user access to your Dremio environment through internal authentication or external identity providers. This page covers user types, account management, and administrative tasks.

User Types

Dremio supports several user types with different authentication and management workflows:

| Feature | Local Users | LDAP/AD Users | SSO Users | Service Users |
|---|---|---|---|---|
| Purpose | Human access | Human access | Human access | Programmatic/API access |
| Authentication | Password in Dremio | LDAP/AD directory | IdP (SAML/OIDC) | OAuth secret or external JWT |
| Credential Management | Within Dremio | LDAP/AD admin | Through your IdP | Dremio and optionally external IdP |
| Provisioning | Manual creation | LDAP sync | Manual creation or SCIM | Manual creation |
| Password Reset | Self-service or admin | Through LDAP/AD | Through IdP | N/A |

Local Users

Local users authenticate with passwords managed directly in Dremio. These users must be invited manually. Use local users when you need standalone accounts for contractors, external partners, or testing and development environments.

LDAP/AD Users

LDAP/AD users authenticate against your organization's directory server. User accounts are synchronized from your LDAP or Active Directory. Use LDAP/AD authentication when you have existing directory infrastructure for centralized user management.

SSO Users

SSO users authenticate through your organization's enterprise OIDC provider, such as Microsoft Entra ID or Okta. These users can be created manually or provisioned automatically via System for Cross-domain Identity Management (SCIM).

What is SCIM?

SCIM is an open standard protocol that automates user provisioning between your identity provider and Dremio. Instead of manually creating and managing users in multiple systems, SCIM keeps everything synchronized automatically. When you add, update, or remove a user in your IdP, those changes propagate to Dremio without manual intervention.

SCIM Provisioning Benefits

When SCIM is configured, Dremio stays synchronized with your IdP. Deleting a user in your IdP is automatically reflected in Dremio. Additional benefits of SCIM integration include:

  • Automatic user creation and deactivation
  • Synchronized user attributes
  • Centralized access management

Using SCIM

Dremio supports the following SCIM functionality:

  • Nested Roles (Groups) - Group memberships from your identity provider automatically translate to corresponding roles in Dremio.

  • User Lifecycle Management - Your identity provider can automatically activate, deactivate, create, and delete user accounts in Dremio.

    Tip: You cannot reset or change an external user's password from Dremio, as this is governed by your organization's identity manager. If you delete an external user from Dremio, your OIDC provider will re-add their account the next time that user attempts to log in. To properly revoke access to Dremio, you must delete the user in your OIDC provider.

  • Password Synchronization - When external authentication is not configured, user passwords sync directly from your identity provider.

The following SCIM features are not currently supported:

  • Advanced Search Filters - Dremio only supports exact username matching.
  • Entity Tags (ETags) - SCIM responses do not include ETags.

Service Users

Service users are non-human accounts for programmatic API access. They authenticate using either OAuth client secrets generated in Dremio or external JWT tokens from your identity provider. Use service users for applications, scripts, and automated workflows that need to interact with Dremio APIs.

Administrative Tasks

The following tasks require administrator privileges or the CREATE USER privilege.

View All Users

  1. Click Settings on the left navigation bar and choose User Management.
  2. Select the Users tab.

The table displays all local and SSO users with access to your Dremio cluster.

Add a User

  1. Click Settings on the left navigation bar and choose User Management.
  2. Select the Users tab.
  3. Click Add User.
  4. Provide a Username, which will be used when logging into Dremio. The username cannot be changed after completing the initial configuration.
  5. Select the User Type as Local or External.
  6. For local users, provide:
    • First Name - The first name of the user.
    • Last Name - The last name of the user.
    • Email - The email address of the user.
    • Password - Local user passwords can contain special characters in any position except the first. A password that begins with a special character will fail.
    For external users, provide:
    • First Name - The first name of the user.
    • Last Name - The last name of the user.
    • Email - The email address of the user.
  7. Click Save.

Edit a User

You can modify a user's name and role assignments.

  1. Click Settings on the left navigation bar and choose User Management.
  2. Select the Users tab.
  3. Click the desired user and modify any mutable user information.
  4. Click Granted Roles.
  5. To grant additional roles, click Grant Roles. Revoke existing roles by clicking Revoke next to the role.

Add a Service User

  1. Click Settings on the left navigation bar and choose User Management.
  2. Select the Service users tab.
  3. Click Add Service User.
  4. From the New Service User configuration page, provide a Username and description for the service user. The username cannot be changed after completing the initial configuration.

Edit a Service User

By editing a service user, you can grant roles and credentials.

  1. Click Settings on the left navigation bar and choose User Management.
  2. Select the Service users tab.
  3. Click the desired service user. The description can be modified.
  4. Select Granted Roles to add the service user to system or custom roles.

Generate an OAuth Client Secret

To authenticate a service user for API access, generate an OAuth client secret that applications will use to obtain access tokens from Dremio.

  1. Click Settings on the left navigation bar and choose User Management.
  2. Select the Service users tab.
  3. Click the desired service user.
  4. Select Credentials and click Add to select Generate OAuth Secret.
  5. Provide a Label for the secret and a Lifetime between 90 and 180 days, then select Configure.
  6. Copy the OAuth Client Secret and store it in a secure location. It will not be available again.

Configure an External Credential

External credentials allow service users to authenticate using JWT tokens issued by your organization's identity provider.

  1. Click Settings on the left navigation bar and choose User Management.
  2. Select the Service users tab.
  3. Click the desired service user.
  4. Select Credentials and click Add to select Configure an External Credential.
  5. Provide a Label for the credential.
  6. Provide the target Audience, which identifies the intended recipient for a JWT from the identity provider. See Audience for details.
  7. Complete the User Claim to identify the claim mapping in the external JWT for the service principal in the identity provider. The sub and oid claims typically provide the service principal's unique identifier. See User Claim Mapping for details.
  8. Provide the External ID. For Microsoft Entra ID service principals, this should be the service principal's Object ID.
  9. Provide the Issuer URL, which identifies the OAuth provider that issues JWT tokens for the associated service account. This value is contained in the external JWT's iss claim. See Issuer URL for details.
  10. Record the JWKS URL (optional). If not provided, Dremio retrieves the JWKS URL from {issuer_URL}/.well-known/openid-configuration. See JWKS URL for details.
  11. Click Configure to create the external credential.
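
Added example (not part of the Dremio documentation or Dremio's own code): a pre-flight check that decodes a sample JWT from your identity provider and lists where its iss, aud, exp and user claim disagree with the values entered in the steps above. The credential values, the tokens and the exact-equality comparison rules are constructed assumptions, and the script inspects claims only; it does not verify the signature.

```python
import base64
import json
import time

def segment(seg):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def discovery_url(issuer_url):
    """Metadata URL consulted for the JWKS when the JWKS URL field is empty.
    Trimming a trailing slash is an assumption made here to avoid '//'."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"

def preflight(token, cred, now=None):
    """List mismatches between a JWT's claims and the external credential fields."""
    header_seg, payload_seg, _signature = token.split(".")
    header, claims = segment(header_seg), segment(payload_seg)
    now = time.time() if now is None else now
    problems = []
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("alg: token is unsigned")
    if claims.get("iss") != cred["issuer_url"]:
        problems.append("iss: does not equal Issuer URL")
    aud = claims.get("aud")  # aud may be a single string or a list of strings
    if cred["audience"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud: Audience not listed")
    if str(claims.get(cred["user_claim"])) != cred["external_id"]:
        problems.append(cred["user_claim"] + ": does not equal External ID")
    if claims.get("exp", 0) <= now:
        problems.append("exp: token expired")
    return problems

def make_token(claims, alg="RS256"):
    """Build a constructed sample token; the signature segment is a dummy."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"alg": alg, "typ": "JWT"}) + "." + enc(claims) + ".c2lnbmF0dXJl"

# Constructed values standing in for the Audience, User Claim, External ID and Issuer URL fields.
CRED = {"issuer_url": "https://idp.example.com/tenant-a/v2.0",
        "audience": "api://dremio-example", "user_claim": "oid",
        "external_id": "00000000-0000-0000-0000-0000000000aa"}
NOW = 1_700_000_000
GOOD = make_token({"iss": CRED["issuer_url"], "aud": CRED["audience"],
                   "oid": CRED["external_id"], "exp": NOW + 3600})
BAD = make_token({"iss": CRED["issuer_url"] + "/", "aud": ["api://other"],
                  "oid": "00000000-0000-0000-0000-0000000000bb", "exp": NOW - 60})

if __name__ == "__main__":
    print(discovery_url(CRED["issuer_url"]))
    for name, tok in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, preflight(tok, CRED, NOW) or "matches")
```

The BAD token differs from the Issuer URL only by a trailing slash, which this exact-match check reports as an iss mismatch.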

Remove a User

  1. Click Settings on the left navigation bar and choose User Management.
  2. Select the Users or Service users tab.
  3. Click the user's name.
  4. Click the Remove icon.
  5. Confirm the deletion.