LGTM Enterprise 1.22.2

Managing users

You can see details of all currently registered users on the Users administration page. There are two types of account:

  • Externally managed account—users log in to LGTM with a name and OAuth token provided by an external system that's integrated with LGTM.
  • LGTM-managed account—users log in with a name and password that were specified in LGTM.

You can configure LGTM to allow access using one or both methods, according to your requirements.

Externally managed accounts

Unless LGTM is configured to analyze code stored only in Subversion or Git repositories hosted by your company, users will be able to log in to LGTM using an externally managed account. The first step in integrating a repository hosting system, such as GitHub Enterprise or Bitbucket Server, with LGTM is to create an authentication provider. This provider allows users to log in to LGTM using their authentication details for those systems.

Relying on externally managed accounts minimizes the amount of work needed to manage users in LGTM. If those externally managed accounts are configured with two-factor authentication, this configuration also provides more secure access to LGTM.

Optionally, when you add a repository provider you can also use information from the repository host to control access to data for projects. For more information about authorization, see Adding authorization providers.

Users logging in using externally managed accounts

When a user first accesses LGTM, they're prompted to log in using one of the external systems you've integrated with LGTM. If they're not already logged into this third-party system, they're prompted to log in to it. Then they're prompted to authorize Semmle to use those account details for LGTM. When a user authorizes access, LGTM adds an LGTM account with the user name and the OAuth access token provided by the external system to the Users administration page.

LGTM-managed accounts

By default, LGTM-managed accounts can only be created by LGTM administrators. If you want to enable self-registration, see Enabling self-registration.

Adding user accounts

You can add LGTM-managed accounts using the Add new user button displayed at the top of the Users page.

To add a new user:

  1. On the Users administration page, click Add new user.
  2. Define the user's email address.
  3. Define the required password in the Password and Password (confirm) fields.
  4. Define a display name.
  5. Click Add to create the new user.

The new user is created immediately and the Users page is redisplayed.

If you have configured your repository provider(s) to use an external authorization provider, the new user will not be able to see any data until you override their default authorization level.

Deleting accounts

You can delete any user account from LGTM. The impact of deleting an account depends on the type of account and on the configuration of LGTM.

If you delete an account with administration access, first verify that at least one other account with administration access is available. For an example, see Replacing the "setup" administration account with an externally managed account below.

To delete an account:

  1. On the Users administration page, enter the user's email address in the search box and press Return.
  2. When the user is listed, click the red Delete icon associated with their account.
  3. A Confirm action page is displayed:
    • To delete this user, click Yes.
    • To cancel the action and redisplay the administration page, click No.
  4. If you confirm the deletion, the user is deleted.

When you delete an account, that user is immediately logged out of LGTM. All data for that user is also deleted. This invalidates any personal access tokens that they have created to use with the API or an LGTM plugin.

LGTM-managed accounts

If you delete an LGTM-managed account, no one can log in to LGTM using the credentials for that account. If you have chosen to enable self-registration, the user will be able to create a new account and log in to LGTM using the new account details. The option for standard users to register themselves as an LGTM user is disabled by default. For details, see Enabling self-registration.

Externally managed accounts

If you delete an externally managed account from LGTM, this will log the user out of LGTM and delete all data associated with that account. This is useful if a laptop is lost and you want to quickly stop anyone using the compromised personal access tokens to access LGTM data. Note that the genuine user can re-authenticate with LGTM using their third-party credentials, and create a new LGTM account linked to the externally managed account.

If you want to remove all access to LGTM from a user with an externally managed account, delete their account in the third-party system before you delete their account in LGTM. They then won't be able to create a new LGTM account using the third-party credentials.

Alternatively, if you want to stop a user who has access to the external system from viewing data in LGTM, you can override their LGTM authorization and set it to none globally.

Accessing the administration options

The administration pages are visible only to users who have been granted admin rights. Every user shown on the Users administration pages has either a Grant admin or Revoke admin button associated with their account:

  • To give a user account administration rights, click Grant admin, then click Yes to confirm the change.
  • To remove administration rights from an account, click Revoke admin, then click Yes to confirm the change.

The change takes effect immediately. Users with administration rights can see an extra Admin option in the menu bar of the main LGTM interface.

Replacing the initial administration account with an externally managed account

When you install LGTM you need to create an LGTM account with administration access. You use this account to set up the basic application configuration. If you want to limit access to externally managed accounts only, you can create a new administration account and then delete this initial administration account.

To replace the administration account created during installation:

  1. Identify an externally managed account to use for LGTM administration.
  2. In a browser tab, log in to LGTM and configure an authentication provider to integrate with the external system that contains this alternative administration account.
  3. Open a new browser tab in incognito or private mode:
    1. Access your instance of LGTM.
    2. When you're prompted to log in, click Log in with <external-system> and log in using the alternative administration account.
  4. In your original browser tab:
    1. Display the Users administration page and locate the alternative administration account.
    2. Click the Grant admin button associated with the alternative administration account, and click Yes to confirm the change.
  5. In the incognito or private tab:
    1. Refresh the LGTM page to show an Admin link in the top menu.
    2. Click Admin to display the administration pages.
    3. When you've confirmed that the alternative administration account has the required administration access, you're ready to delete the initial administration account, created during the installation process. For details, see Deleting accounts above.
