Skip to main content

Manage Users

Manage user access to your Dremio organization through internal authentication or external identity providers. This page covers user types, account management, and administrative tasks.

All users in Dremio are identified by their email address, which serves as their username. Invitations are sent to users' email addresses to set up their accounts.

User Types

Dremio supports two user types with different authentication and management workflows:

Local UsersSSO UsersService Users
PurposeHuman accessHuman accessService or application access
AuthenticationPassword set in DremioIdentity provider (IdP) credentialsOAuth secret or external JWT
Credential ManagementWithin DremioThrough your IdPDremio or external IdP
ProvisioningManual invitationManual invitation or SCIM automatedManual creation
Password ResetSelf-service or admin-initiatedThrough IdP onlyN/A

Local Users

Local users authenticate with passwords managed directly in Dremio. These users must be invited manually. Use local users when you need standalone accounts for contractors, external partners, or testing and development environments.

SSO Users

SSO users authenticate through your organization's identity provider (IdP) like Microsoft Entra ID or Okta, or through social identity providers like Google or GitHub. These users can be invited manually or provisioned automatically via System for Cross-domain Identity Management (SCIM).

What is SCIM?

SCIM is an open standard protocol that automates user provisioning between your identity provider and Dremio. Instead of manually creating and managing users in multiple systems, SCIM keeps everything synchronized automatically. When you add, update, or remove a user in your IdP, those changes propagate to Dremio without manual intervention.

SCIM Provisioning Benefits

When SCIM is configured, Dremio stays synchronized with your IdP. Deleting a user in your IdP automatically reflects in Dremio. Additional benefits of SCIM integration include:

  • Automatic user creation and deactivation
  • Synchronized user attributes
  • Centralized access management

To learn more:

Service Users

Service users are non-human accounts for programmatic API access. They authenticate using either OAuth client secrets generated in Dremio or external JWT tokens from your identity provider. They cannot log in to the Dremio console. Use service users for applications, scripts, and automated workflows that need to interact with Dremio APIs.

A service user’s username follows this format:

{name}@{organization-id}.dremiosu.app

For example: [email protected]

You choose the {name} portion when creating the service user. Dremio automatically appends the domain suffix using your organization ID.

Manage Your Account

Update Your Password

Local users can reset passwords using either method:

If locked out:

  1. On the login screen, enter your email.
  2. Click Forgot Password?.
  3. Check your email for the reset link.

If logged in:

  1. Hover over the user icon at the bottom of the navigation sidebar.
  2. Select Account Settings.
  3. Click Reset Password.
  4. Check your email for the reset link.

Changing your password ends all existing Dremio web sessions.

SSO users must reset passwords through their organization's identity provider. Contact your authentication administrator for assistance.

Update Your Name

You can change your display name at any time:

  1. Click the user icon on the side navigation bar.
  2. Select Account Settings.
  3. On the General Information page, edit First Name and Last Name.
  4. Click Save.

Administrative Tasks

The following tasks require administrator privileges or the CREATE USER privilege.

View All Users

  1. Click Admin icon in the side navigation bar and select Organization.
  2. Select User management from the organization settings sidebar.

The table displays all local and SSO users with access to your Dremio instance.

Add a User

SSO users are added automatically when you configure SCIM provisioning.

To add a local user:

  1. Click Admin icon in the side navigation bar and select Organization.
  2. Select User management.
  3. Click Add Users.
  4. In the Email address(es) field, enter one or more email addresses separated by commas, spaces, or line breaks.
  5. For Dremio Role, select the roles where the user will be a member. All users are members of the PUBLIC role by default.
  6. Click Add.

Each user receives an invitation email to set up their account. You can configure additional roles after users accept their invitations.

A user's email address serves as their unique identifier and cannot be changed after account creation. If a user's email changes, you must create a new account with the new email address.

If invited users don't receive the email, check spam folders and verify the email addresses are correct.

Edit a User

You can modify a user's name and role assignments. Email addresses cannot be edited—if a user's email changes, you must create a new account.

  1. Click Admin in the side navigation bar and select Organization.
  2. Select User management.
  3. Hover over the user's row and click Edit icon to edit the user.
  4. Details tab: Edit First Name and Last Name, then click Save.
  5. Roles tab: Manage role assignments:
    • Add roles: Search for and select roles, then click Add Roles.
    • Remove roles: Hover over a role and click Remove.
  6. Click Save.

Reset a User's Password

This option is only available for local users. SSO users must reset passwords through their identity provider. To send a password reset email to a local user:

  1. Click Admin icon in the side navigation bar and select Organization.
  2. Select User management.
  3. Click the user's name.
  4. Click Send Password Reset.

The user receives an immediate email with reset instructions.

View All Service Users

  1. Click Admin icon in the side navigation bar and select Organization.
  2. Select User management from the organization settings sidebar.
  3. Click the Service users tab.

The table displays all service users in your Dremio organization.

Add a Service User

  1. Click Admin icon in the side navigation bar and select Organization.
  2. Select User management.
  3. Click the Service users tab.
  4. Click Add service user.
  5. In the New service user dialog, provide a name and description for the service user.
    • Dremio will add a domain suffix @{organization id}.dremiosu.app to the service username to create the username with the domain.
    • The username cannot be changed after completing the initial configuration.

Edit a Service User

You can update a service user's description and manage role assignments.

  1. Click Admin icon in the side navigation bar and select Organization.
  2. Select User management.
  3. Click the Service users tab.
  4. Click the desired service user. You can edit the Description field directly.
  5. Select Granted roles to manage role assignments.
    • Grant roles: Click Grant role and select roles, then click Grant.
    • Revoke roles: Hover over the role and click to the right. Then click Revoke.

Generate an OAuth Client Secret

To authenticate a service user for API access, generate an OAuth client secret that applications will use to obtain access tokens from Dremio.

  1. Click Admin icon in the side navigation bar and select Organization.
  2. Select User management.
  3. Click the Service users tab.
  4. Click the desired service user.
  5. Select Credentials and click Add and select Generate OAuth Secret.
  6. Provide a Label for the secret and a Lifetime between 90 and 180 days, then select Generate.
  7. Important: Copy the OAuth Client Secret and store it in a secure location. It will not be available again.

Configure an External Credential

External credentials allow service users to authenticate using JWT tokens issued by your organization's identity provider.

  1. Click Admin icon in the side navigation bar and select Organization.
  2. Select User management.
  3. Click the Service users tab.
  4. Click the desired service user.
  5. Select Credentials and click Add and select Configure an External Credential.
  6. Provide a Label for the credential.
  7. Provide the target Audience, which identifies the intended recipient for a JWT from the identity provider. See Audience for details.
  8. Complete the User Claim to identify the claim mapping in the external JWT for the service principal in the identity provider. The sub and oid claims typically provide the service principal's unique identifier. See User Claim Mapping for details.
  9. Provide the External ID. For Microsoft Entra ID service principals, this should be the service principal's Object ID.
  10. Provide the Issuer URL, which is the OAuth provider that issues JWT tokens for the associated service account. This is contained in the external JWT's iss claim and identifies the identity provider. See Issuer URL for details.
  11. Record the JWKS URL (optional). If not provided, Dremio retrieves the JWKS URL from {issuer_URL}/.well-known/openid-configuration. See JWKS URL for details.
  12. Click Configure to create the external credential.

Remove a User

To remove an SSO user:

  1. First, remove the user from your external identity provider.
  2. Then follow the steps below to remove them from Dremio.

To remove a local user:

  1. Click Admin icon in the side navigation bar and select Organization.
  2. Select User management.
  3. Click the user's name.
  4. Click Remove icon to remove.
  5. Confirm the deletion.