# User management
## Provisioning users
In Server Pro, we only support using a **single** method of authentication at any one time. Once SSO has been enabled, users/administrators won't be able to log in using an Overleaf password, and you won't be able to create new users from the **https\://{your-instance-url}/admin/user** URL.
### Internal accounts
Once you are logged in as an administrator, you can visit /admin/register on your Overleaf instance and create new users. If you have an [email backend configured](/on-premises/configuration/overleaf-toolkit/email-delivery.md) in your settings file, new users will be sent an email with a URL to set their password. If not, you will have to distribute the password reset URLs manually. These are shown when you create a user.
{% hint style="info" %}
You can create multiple accounts at the same time by providing a comma separated list of email addresses.
{% endhint %}
### SSO accounts
When using SAML 2.0 or LDAP authentication, user accounts are automatically provisioned through Just-in-Time (JIT) account creation. This means that the first time a user logs in with their external identity provider credentials, their account is dynamically created within the system. No manual account setup is required beforehand; the user's account infomration is populated using the information provided by the SAML 2.0 or LDAP identity source.
{% hint style="danger" %}
When SSO is enabled, all local account passwords will no longer work (setting/resetting passwords in Server Pro is disabled), meaning that all users (regular users and administrators) **must** be able to authenticate using SSO.
{% endhint %}
For more information, see our configuration guides for [SAML 2.0](/on-premises/configuration/overleaf-toolkit/server-pro-only-configuration/saml-2.0.md) and [LDAP](/on-premises/configuration/overleaf-toolkit/server-pro-only-configuration/ldap.md).
### Administrators
{% hint style="success" %}
From Server Pro Server Pro 5.2.1, the admin role can be granted/revoked via the SSO login process. For me information see our configuration guides for [SAML 2.0](/on-premises/configuration/overleaf-toolkit/server-pro-only-configuration/saml-2.0.md) and [LDAP](/on-premises/configuration/overleaf-toolkit/server-pro-only-configuration/ldap.md).
{% endhint %}
If you're creating your first administrator account we recommend visiting the **https\://{your-instance-url}/launchpad** URL and setting up your account from there.
Alternatively, you can run the following command against you the `sharelatex` Docker container:
# Overleaf Toolkit deployments:
$ bin/docker-compose exec sharelatex /bin/bash -ce "cd /overleaf/services/web && node modules/server-ce-scripts/scripts/create-user --admin --email=joe@example.com"
# Legacy docker-compose.yml deployments:
$ docker exec sharelatex /bin/bash -ce "cd /overleaf/services/web && node modules/server-ce-scripts/scripts/create-user --admin --email=joe@example.com"
The above command will create a user with the provided email address if they don't already exist, and make them an administrator. In the command output, you will be given a URL to visit where you can set the password for this user and log in for the first time.
{% hint style="info" %}
For a more programatic approach, you can use the above script for creating regular users as well as administrators. For regular users you'll need to **omit** the `--admin`flag.
{% endhint %}
If you're using internal accounts for authentication and need to elevate an existing user to an instance admin or revoke existing permissions, you can do this by following these steps:
* Log in as an **existing** administrator
* Click **Admin** -> **Manage** **Users**
* Search for the user and click on their email address
* Scroll down to the **Site Admin** section and click on the (**show)** link
* Check the box **Is Site Admin**
* Click the **Save** button to finish
## Deleting users
As per our guide on [understanding license usage](/on-premises/user-and-project-management/understanding-license-usage.md), in general, it's advisable **not** to delete accounts (unless they are no longer required), as this action would lead to the removal of the account and loss of access to projects for any collaborators.
Presently, there is no provision for deactivating accounts; they either exist with retained data or don't exist at all. The recommended approach is to leave the account and its associated data within Server Pro, ensuring any projects are part of your backup process.
{% hint style="info" %}
By default, accounts are **soft-deleted**. For information regarding permanently removing users from your instance see `ENABLE_CRON_RESOURCE_DELETION` in the [Environment variables](/on-premises/configuration/overleaf-toolkit/environment-variables.md) guide.
{% endhint %}
### Via Admin -> Manage Users
* Log in as an administrator
* Click **Admin** -> **Manage** **Users**
* Search for the user and check the box next to their email address
* Click the bin icon
* Click the **Delete** button to confirm
### Via the Command-line
User can be deleted via the following command. As mentioned above, projects **will** also be deleted so be careful when using this command.
{% code overflow="wrap" %}
```bash
# Overleaf Toolkit deployments:
$ bin/docker-compose exec sharelatex /bin/bash -ce "cd /overleaf/services/web && node modules/server-ce-scripts/scripts/delete-user.mjs --email=joe@example.com"
# Legacy docker-compose.yml deployments:
$ docker exec sharelatex /bin/bash -ce "cd /overleaf/services/web && node modules/server-ce-scripts/scripts/delete-user.mjs --email=joe@example.com"
```
{% endcode %}
{% hint style="danger" %}
The deletion script uses a hard-coded `force` option that ensures the deletion process continues even if the account deletion email fails to send (for example, when the users email address is no longer in service).
{% endhint %}
{% hint style="info" %}
Since version `5.5.0`, the option `--skip-email` can be used to prevent sending an informative email to the deleted user.
{% endhint %}
## Restoring a soft-deleted user
Providing that a user has only been soft-deleted, it's possible to restore their account along with any projects.
* Log in as an administrator
* Click **Admin** -> **Manage** **Users**
* Search for the user you want to restore
* Click the **Display deleted users** button
* Click on the deleted users email address
* Click on the **Recover This Account** button
* Click on the **Recover** button to confirm
{% hint style="danger" %}
When `ENABLE_CRON_RESOURCE_DELETION` is set to `true`, soft-deleted accounts can be restored within a 90-day window. After 90 days, account recovery is not possible.
{% endhint %}
## Counting users
We understand that user metrics is crucial for effective license management. While it is possible to see how many active users your instance has via **** — you may be looking for something a little more programmatic to you can check periodically and export to a third-party application.
# Total number of users
echo 'db.users.countDocuments()' | docker exec -i mongo mongosh --quiet localhost/sharelatex
# overleaf [direct: primary] sharelatex> 16
# Total number of users using metrics endpoint
docker exec sharelatex curl http://127.0.0.1:3000/metrics | grep num_active_users
# # HELP num_active_users num_active_users
# # TYPE num_active_users gauge
# num_active_users{app="web-api",host="b3ae4ff549d8"} 16
# Total number of active users
echo 'db.users.countDocuments({ lastActive: { $gte: new Date(new Date().getTime() - (365 * 24 * 60 * 60 * 1000)) } })' | docker exec -i mongo mongosh --quiet localhost/sharelatex
# overleaf [direct: primary] sharelatex> 10
## Updating user account information
When managing user accounts, the process for updating user profile information depends on whether SSO is enabled.
If SSO is **not** in use, administrators have the ability to modify user account information through the **Admin** -> **Manage Users** interface where they can update a users email addresses, first name and last name, and generate a password reset link, if required.
Regular users can self-serve updating their own account details via **Account** -> **Account Settings.** From there, individuals have the same options but can also change their password and generate Git authentication tokens.
For deployments using SSO, Server Pro can be optionally configured to automatically update a user's first and last name during login. This update occurs using the information received from the configured authentication system during the authentication process.
When `OVERLEAF_SAML_UPDATE_USER_DETAILS_ON_LOGIN` or `OVERLEAF_LDAP_UPDATE_USER_DETAILS_ON_LOGIN` are `true` — the user details form on **** page is disabled and can't be used to update the account information. The first name and last name can only be set in your identity managment system.
For more information on these settings, see our configuration guides for [SAML 2.0](/on-premises/configuration/overleaf-toolkit/server-pro-only-configuration/saml-2.0.md) and [LDAP](/on-premises/configuration/overleaf-toolkit/server-pro-only-configuration/ldap.md).
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.overleaf.com/on-premises/user-and-project-management/user-management.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.