# Manage users

{% hint style="info" %}
Coherent's recommendation is to integrate Keycloak, our Identity and Access Management (IAM), with your Identity Provider (IdP). This provides the best security for user accounts. See [Identity and Access Management](/identity-and-access-management/recommendations.md) and [Benefits of IdP versus local accounts](/identity-and-access-management/benefits-of-idp-versus-local-accounts.md).

This functionality may be disabled if [Single Sign-On](/identity-and-access-management/single-sign-on.md) is enabled.
{% endhint %}

## User groups

Tenant administrators (`tenant-admin`s) can create user groups, which act like teams where different users are grouped together if they perform similar actions. For example, the Product team can be a part of the same user group, responsible for adding and updating the Excel files on Spark. User groups can control access to Folders, if part of a [Private tenant](/tenant-administration/private-tenant.md).

* In a *Shared tenant*, where every user has access to all folders and services within a tenant, the relevant user groups are `tenant-admin` and `user:pf`.
* In a [Private tenant](/tenant-administration/private-tenant.md) where users have restricted access to folders and services:
  * The relevant user groups also include `supervisor:pf` and any other user groups the administrators may want to create, such as regional or functional teams.
  * User groups can also define permissions for [Authorization - API keys](/spark-apis/authorization-api-keys.md).

### Default user groups

| User group                               | Description                                                                                                                                                                                                                                                                                                                                                                                              |
| ---------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `supervisor:epos`                        | This is only used by Coherent Flow tenants.                                                                                                                                                                                                                                                                                                                                                              |
| :police\_officer: `supervisor:pf`        | This user group by default has access to all Folders and Services.                                                                                                                                                                                                                                                                                                                                       |
| :star2: `tenant-admin`                   | <p>Realm administrator that can manage Users, Groups, Clients, Roles and Realm/Tenant.<br>In a <a data-mention href="/pages/xnvs0k85jDD6K3EkGvfi">/pages/xnvs0k85jDD6K3EkGvfi</a>, <code>tenant-admin</code>s cannot see all Folders and Services unless they are added to the <code>supervisor:pf</code> group.<br><br><code>tenant-admin</code>s can also use APIs to access all objects within Spark. </p> |
| <p><code>tenant-moderator</code><br></p> | <p>Realm Moderator that can manage only User and Groups.<br>This group can remain unused.</p>                                                                                                                                                                                                                                                                                                            |
| `tenant-viewer`                          | <p>Realm Viewer it can only view Users and Groups.<br>This group can remain unused.</p>                                                                                                                                                                                                                                                                                                                  |
| `user:anonymous`                         | This is only used by Coherent Flow tenants.                                                                                                                                                                                                                                                                                                                                                              |
| `user:coherent.forms`                    | This is only used by Coherent Flow tenants.                                                                                                                                                                                                                                                                                                                                                              |
| `user:epos`                              | This is only used by Coherent Flow tenants.                                                                                                                                                                                                                                                                                                                                                              |
| :star: `user:pf`                         | Access to this user group is mandatory for a user to login to Spark.                                                                                                                                                                                                                                                                                                                                     |

### View user groups

1. Log in using `tenant-admin` credentials.
2. Choose **Options** from the [Navigation menu](/navigation/navigation-menu.md#user-menu).
3. In the left-hand navigation that appears, select **User groups**.
4. Click **View users** to see all the users who are members of each user group.

### Add user groups

{% hint style="warning" %}
Newly created user group names should begin with the prefix `user:` or `supervisor:`, for example `user:NewUserGroup`.
{% endhint %}

{% hint style="info" %}
`supervisor` users are able to manage the users for folders they have access to. When a folder is created, `supervisor` user groups are also assigned access by default.
{% endhint %}

1. Follow [#view-user-groups](#view-user-groups "mention") to arrive at the *User groups* screen.
2. Click on **Add user group**.
3. Enter the required information.
4. Existing [#users](#users "mention") on Spark can be added to the user group.
5. Click **Submit** to finish adding the user group.

### Edit user groups

1. Follow [#view-user-groups](#view-user-groups "mention") to arrive at the *User groups* screen.
2. Click on the "three-dot menu" and select **Edit user group**.
3. A similar screen to [#view-user-groups](#view-user-groups "mention") appears.
4. Click **Submit** to finish making changes.

### Delete user groups

* Follow [#view-user-groups](#view-user-groups "mention") to arrive at the *User groups* screen.
* Click on the "three-dot menu" and select **Delete user group**.
* Any permissions related to the deleted user group will no longer apply.

## Users

`tenant-admin`s also have the ability to add users to their Spark environment. Users can be managed from the *Users* page inside Spark. Individual users added to Spark will then have the ability to log in and start creating APIs.

### View users

1. Log in using `tenant-admin` credentials.
2. Choose **Options** from the [Navigation menu](/navigation/navigation-menu.md#user-menu).
3. In the left-hand navigation that appears, select **Users**.
4. In the three-dot menu for each user, click **View users** to see all the users who are members of each user group.

### Add users

{% hint style="warning" %}
`user:pf` is a mandatory user group for users to log in to Spark!
{% endhint %}

1. Follow [#view-users](#view-users "mention") to arrive at the *Users* screen.
2. Click on **Add user**.
3. Enter the required information.
4. Users can be added to the relevant user groups. `user:pf` is required to access Spark!
5. Alternatively, user permissions can be copied from an existing user.
6. Users can also be set up to use Multi-Factor Authentication to log in. See [Multi-Factor Authentication (MFA)](/identity-and-access-management/multi-factor-authentication-mfa.md) for more information.
7. There is an option to choose between sending the user an invitation link or generating a password.
8. Click **Submit** to finish adding the user.

### Edit users

1. Follow [#view-users](#view-users "mention") to arrive at the *Users* screen.
2. Click on the "three-dot menu" and select **Edit user**.
3. A similar screen to [#add-users](#add-users "mention") appears.
4. Click **Submit** to finish making changes.

### Deactivate users

{% hint style="info" %}
Users cannot be deleted from Spark in order to support internal audit and tracking of events in Spark.
{% endhint %}

1. Follow [#view-users](#view-users "mention") to arrive at the *Users* screen.
2. Click on the "three-dot menu" and select **Deactivate user**.
3. The user account will be deactivated and no longer able to access Spark.


