`just user-*` + per-service recipes

Cross-service user adds via `just user-add-all`, or per-service `<svc>-create-user` / `<svc>-list-users` / `<svc>-delete-user`. Authentik holds identity; downstream services inherit the user.
When SSO is wired (default), creating a user in Authentik is enough — every service learns about them at first login. The recipes here are for explicit bootstrapping (create in Authentik AND pre-provision in services that need it).
| Recipe | What it does |
|---|---|
| `just user-add-all USERNAME EMAIL` | Create user in Authentik + all SSO-enabled services. Idempotent. |
| `just users-list-all` | List users across every service (deduplicated by email) |
| `just user-info EMAIL` | Show one user's status across every service |

| Recipe | What it does |
|---|---|
| `just authentik-users` | List all Authentik users |
| `just authentik-user-create USERNAME EMAIL [NAME]` | Create user |
| `just authentik-user-delete USERNAME` | Delete user |
| `just authentik-user-password USERNAME` | Reset password (prompts for new one) |
| `just authentik-groups` | List groups |
| `just authentik-group-create NAME [--admin]` | Create group |
| `just authentik-group-add GROUP USERNAME` | Add user to group |
| `just authentik-group-remove GROUP USERNAME` | Remove user from group |
| `just authentik-group-members GROUP` | List group members |
| `just authentik-access` | Show user-application access matrix |
| `just authentik-apps` | List configured applications |

For every service declaring `framework.user_management.enabled: true` in its manifest:

| Pattern | Example | What it does |
|---|---|---|
| `<svc>-create-user ARGS` | `redmine-create-user EMAIL` | Pre-provision a user (most services only need email; some need extra args) |
| `<svc>-list-users` | `mattermost-list-users` | List users in the service |
| `<svc>-delete-user EMAIL` | `erpnext-delete-user user@example.com` | Delete a user |
| `<svc>-list-roles` | `erpnext-list-roles` | List available roles |
| `<svc>-add-role ROLE USER` | `erpnext-add-role "System Manager" user@example.com` | Assign a role |

The exact arg signature varies per service (Redmine needs email + login; ERPNext needs email + firstname + lastname; Mattermost needs email + username). Check `just --list | grep <svc>-create-user` for the specific signature.
```bash
# 1. Create them in Authentik (the identity source)
just authentik-user-create alice alice@example.com "Alice Smith"
just authentik-user-password alice
# (prompts for password; share via secure channel)

# 2. Add to relevant Authentik groups
just authentik-group-add admins alice   # if they should be admin everywhere
# OR for granular:
just authentik-group-add dev alice
just authentik-group-add ticketing alice

# 3. (Optional) Pre-provision in services that need it
just user-add-all alice alice@example.com
# This creates them in Redmine, Mattermost, ERPNext, etc. so they
# don't have to wait for first-login provisioning.
```
```bash
# Authentik first — this revokes all access immediately
just authentik-user-delete alice

# Optional: clean up service-specific records
just redmine-delete-user alice@example.com
just mattermost-delete-user alice@example.com
just erpnext-delete-user alice@example.com
# (services that keep historical data — like ERPNext — may
# require a "deactivate" instead of "delete" to preserve history)
```
For >5 users, scripting `user-add-all` is easier than typing:

```bash
# users.csv: one username,email,name row per line
while IFS=, read -r username email name; do
  just user-add-all "$username" "$email"
done < users.csv
```

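
A validating variant of the bulk loop above, added here as an example and not part of the project's recipes: it rejects rows whose username or email could be parsed as an option or contain unexpected characters before they reach `just user-add-all`. The names `JUST`, `valid_row` and `bulk_add` and the validation rules are assumptions made for this example.

```bash
# Added example: validate users.csv rows, then call `just user-add-all`.
# JUST, valid_row and bulk_add are hypothetical names, not project recipes.
JUST="${JUST:-just}"          # set JUST=echo for a dry run

# valid_row USERNAME EMAIL: succeed only if both are safe to pass as arguments.
valid_row() {
  case "$1" in
    # empty, leading non-alphanumeric (e.g. "-" parsed as an option), or odd chars
    ''|[!A-Za-z0-9]*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  case "$2" in
    -*|*[!A-Za-z0-9._%+@-]*|*@*@*) return 1 ;;   # option-like, odd chars, two "@"
    ?*@?*.?*) return 0 ;;                        # local@domain.tld shape
    *) return 1 ;;
  esac
}

# bulk_add FILE: provision every valid row; exit status = rows that failed (max 255).
bulk_add() {
  failed=0 lineno=0 cr=$(printf '\r')
  # The `|| [ -n "$username" ]` clause keeps a final line with no trailing newline.
  while IFS=, read -r username email name || [ -n "$username" ]; do
    lineno=$((lineno + 1))
    email=${email%"$cr"}                         # tolerate CRLF spreadsheet exports
    [ -z "$username$email" ] && continue         # skip blank lines
    if ! valid_row "$username" "$email"; then
      echo "users.csv line $lineno: rejected, not provisioned" >&2
      failed=$((failed + 1))
      continue
    fi
    # </dev/null stops the recipe from reading the rest of the CSV from stdin.
    "$JUST" user-add-all "$username" "$email" </dev/null || failed=$((failed + 1))
  done < "$1"
  [ "$failed" -gt 255 ] && failed=255
  return "$failed"
}
```

Run `JUST=echo` followed by `bulk_add users.csv` first to see which commands would be issued, then repeat without the override.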
| Scenario | Approach |
|---|---|
| User is in Authentik; service has SSO | First login auto-provisions in the service. No pre-create needed. |
| User is in Authentik; service has SSO but you want them in a role immediately | Create in Authentik + add to a group → service grants the role at first login. |
| User is in Authentik; service does NOT support SSO | Create in Authentik for org tracking + pre-provision in service (separate password). |
| Service needs the user to exist BEFORE first login (rare) | `<svc>-create-user` followed by Authentik create. |

Most services auto-provision on first SSO login — the explicit recipes are for the cases where you want the user in the service's DB before they log in (sending them a "your account is ready" link).

- /pma/learn/04-sso-everywhere — how SSO turns "Authentik user" into "service user".
- /pma/cookbook/integrate-existing-authentik — using an external Authentik.
- /pma/reference/cli/sso — SSO config recipes.