User Accounts
TODO
The Users, Groups and Permissions screens are undergoing significant change in Stroom v7.6, so this section will be updated with more detail in v7.6.
Note
If Stroom is configured to use an external Identity Provider (IDP), a system or service that authenticates a user and asserts their identity (e.g. Azure Active Directory or AWS Cognito), then all user accounts are managed within that IDP and the Manage Accounts screen in Stroom will not be available. For more details about external Identity Providers, see Open ID Connect.
Accounts vs Stroom Users
See Accounts vs Users for details on the difference between a Stroom User Account and a Stroom User.
Creating User Accounts
User accounts can only be created by a user that holds the Manage Users or Administrator application permission (a permission that is not specific to a single document: it applies to all documents or is not related to documents at all).
Create a new user account by selecting from the main menu.
As a minimum, a user account must have a unique identifier that will be used to identify the user in Stroom.
If the user's email address is added then Stroom will be able to email the user to reset their password.
This functionality is configured using the properties whose names start with the prefix stroom.security.identity.email. (the trailing dot is part of the prefix).
Account Flags
User accounts have a number of flags that can be set by an administrator or automatically by Stroom.
- Enabled - Enables/disables the account. A disabled account cannot log in. Useful for disabling a user that is temporarily on leave.
- Locked - Set when a user has too many failed login attempts (controlled by the property stroom.security.identity.failedLoginLockThreshold). Can be un-set by a user with the Manage Users application permission. A locked account cannot log in.
- Inactive - Set automatically in one of these cases:
  - A brand new account has not been used for a duration greater than stroom.security.identity.passwordPolicy.neverUsedAccountDeactivationThreshold.
  - An account has not been used for a duration greater than stroom.security.identity.passwordPolicy.unusedAccountDeactivationThreshold.
  An inactive account cannot log in.
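The interaction between the three flags is easiest to see in code. The following Python model is an added illustration written for this page, not Stroom's own implementation: it applies the rules described above (lock after the failed-login threshold, Inactive set from creation time for never-used accounts and from last login for used accounts, login refused while any flag blocks it, and unlock restricted to a holder of Manage Users). The numeric thresholds are constructed placeholders standing in for the named Stroom properties; a real deployment sets its own values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed placeholder values standing in for the Stroom properties named on
# this page. They are not defaults taken from Stroom.
FAILED_LOGIN_LOCK_THRESHOLD = 3                 # stroom.security.identity.failedLoginLockThreshold
NEVER_USED_DEACTIVATION = timedelta(days=30)    # ...passwordPolicy.neverUsedAccountDeactivationThreshold
UNUSED_DEACTIVATION = timedelta(days=90)        # ...passwordPolicy.unusedAccountDeactivationThreshold


@dataclass
class Account:
    user_id: str
    created: datetime
    enabled: bool = True          # set by an administrator
    locked: bool = False          # set automatically on too many failures
    inactive: bool = False        # set automatically after a period of non-use
    failed_logins: int = 0
    last_login: Optional[datetime] = None


def refresh_inactive_flag(acct: Account, now: datetime) -> bool:
    """Apply the two deactivation thresholds.

    A never-used account is measured from its creation time against the
    shorter 'never used' threshold; an account that has logged in at least
    once is measured from its last login against the 'unused' threshold.
    """
    if acct.last_login is None:
        idle, threshold = now - acct.created, NEVER_USED_DEACTIVATION
    else:
        idle, threshold = now - acct.last_login, UNUSED_DEACTIVATION
    if idle > threshold:
        acct.inactive = True
    return acct.inactive


def can_login(acct: Account, now: datetime) -> bool:
    """A disabled, locked or inactive account cannot log in."""
    refresh_inactive_flag(acct, now)
    return acct.enabled and not acct.locked and not acct.inactive


def record_login_attempt(acct: Account, success: bool, now: datetime) -> bool:
    """Process one login attempt; return True if the login is accepted."""
    if not can_login(acct, now):
        return False
    if success:
        acct.failed_logins = 0
        acct.last_login = now
        return True
    acct.failed_logins += 1
    if acct.failed_logins >= FAILED_LOGIN_LOCK_THRESHOLD:
        acct.locked = True   # automatic lock at the threshold
    return False


def unlock(acct: Account, actor_has_manage_users: bool) -> None:
    """Only a user holding the Manage Users application permission may unlock."""
    if not actor_has_manage_users:
        raise PermissionError("Manage Users application permission required")
    acct.locked = False
    acct.failed_logins = 0


def demo() -> dict:
    """Walk through each flag with constructed accounts and timestamps."""
    t0 = datetime(2024, 1, 1)
    results = {}

    # Locked: three failures lock the account; Manage Users can clear it.
    a = Account("alice", created=t0)
    for _ in range(FAILED_LOGIN_LOCK_THRESHOLD):
        record_login_attempt(a, False, t0 + timedelta(minutes=1))
    results["locked_after_failures"] = a.locked
    results["login_while_locked"] = record_login_attempt(a, True, t0 + timedelta(minutes=2))
    unlock(a, actor_has_manage_users=True)
    results["login_after_unlock"] = record_login_attempt(a, True, t0 + timedelta(minutes=3))

    # Inactive (never used): deactivated once the shorter threshold passes.
    b = Account("bob", created=t0)
    results["new_account_inactive_at_31d"] = refresh_inactive_flag(b, t0 + timedelta(days=31))

    # Inactive (used): only the longer threshold applies after a login.
    c = Account("carol", created=t0)
    record_login_attempt(c, True, t0 + timedelta(days=1))
    results["used_account_inactive_at_31d"] = refresh_inactive_flag(c, t0 + timedelta(days=31))
    results["used_account_inactive_at_92d"] = refresh_inactive_flag(c, t0 + timedelta(days=92))

    # Enabled: a disabled account is refused even with correct credentials.
    d = Account("dave", created=t0, enabled=False)
    results["disabled_login"] = record_login_attempt(d, True, t0)

    # Unlock without Manage Users is refused.
    e = Account("erin", created=t0, locked=True)
    try:
        unlock(e, actor_has_manage_users=False)
        results["unlock_without_permission_denied"] = False
    except PermissionError:
        results["unlock_without_permission_denied"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point worth noticing is the Inactive rule: an account that has never logged in is judged against the shorter threshold from its creation date, so a freshly provisioned account that nobody picks up is deactivated well before an established but idle account would be.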