User management

Provisioning users

In Server Pro, we only support using a single method of authentication at any one time. Once SSO has been enabled, users/administrators won't be able to log in using an Overleaf password, and you won't be able to create new users from the https://{your-instance-url}/admin/user URL.

Internal accounts

Once you are logged in as an administrator, you can visit /admin/register on your Overleaf instance and create new users. If you have an email backend configured in your settings file, new users will be sent an email with a URL to set their password. If not, you will have to distribute the password reset URLs manually. These are shown when you create a user.

SSO accounts

When using SAML 2.0 or LDAP authentication, user accounts are automatically provisioned through Just-in-Time (JIT) account creation. This means that the first time a user logs in with their external identity provider credentials, their account is dynamically created within the system. No manual account setup is required beforehand; the user's account infomration is populated using the information provided by the SAML 2.0 or LDAP identity source.

For more information, see our configuration guides for SAML 2.0 and LDAP.

Administrators

If you're creating your first administrator account we recommend visiting the https://{your-instance-url}/launchpad URL and setting up your account from there.

Alternatively, you can run the following command against you the sharelatex Docker container:

# Overleaf Toolkit deployments:
bin/docker-compose exec sharelatex /bin/bash -ce "cd /overleaf/services/web && node modules/server-ce-scripts/scripts/create-user --admin --email=joe@example.com"

# Legacy docker-compose.yml deployments:
docker exec sharelatex /bin/bash -ce "cd /overleaf/services/web && node modules/server-ce-scripts/scripts/create-user --admin --email=joe@example.com"

The above command will create a user with the provided email address if they don't already exist, and make them an administrator. In the command output, you will be given a URL to visit where you can set the password for this user and log in for the first time.

If you're using internal accounts for authentication and need to elevate an existing user to an instance admin or revoke existing permissions, you can do this by following these steps:

• Log in as an existing administrator

• Click Admin -> Manage Users

• Search for the user and click on their email address

• Scroll down to the Site Admin section and click on the (show) link

• Check the box Is Site Admin

• Click the Save button to finish

Deleting users

As per our guide on understanding license usage, in general, it's advisable not to delete accounts (unless they are no longer required), as this action would lead to the removal of the account's projects and prevent any collaborators from accessing them.

Presently, there is no provision for deactivating accounts; they either exist with retained data or don't exist at all. The recommended approach is to leave the account and its associated data within Server Pro, ensuring any projects are part of your backup process.

Via Admin -> Manage Users

• Log in as an administrator

• Click Admin -> Manage Users

• Search for the user and check the box next to their email address

• Click the bin icon

• Click the Delete button to confirm

Via the Command-line

User can be deleted via the following command. As mentioned above, projects will also be deleted so be careful when using this command.

# Overleaf Toolkit deployments:
$ bin/docker-compose exec sharelatex /bin/bash -ce "cd /overleaf/services/web && node modules/server-ce-scripts/scripts/delete-user.mjs --email=joe@example.com"

# Legacy docker-compose.yml deployments:
$ docker exec sharelatex /bin/bash -ce "cd /overleaf/services/web && node modules/server-ce-scripts/scripts/delete-user.mjs --email=joe@example.com"

Restoring a soft-deleted user

Providing that a user has only been soft-deleted, it's possible to restore their account along with any projects.

• Log in as an administrator

• Click Admin -> Manage Users

• Search for the user you want to restore

• Click the Display deleted users button

• Click on the deleted users email address

• Click on the Recover This Account button

• Click on the Recover button to confirm

Counting users

We understand that user metrics is crucial for effective license management. While it is possible to see how many active users your instance has via https://you-instance-url/admin/user#license — you may be looking for something a little more programmatic to you can check periodically and export to a third-party application.

# Total number of users
echo 'db.users.countDocuments()' | docker exec -i mongo mongosh --quiet localhost/sharelatex
# overleaf [direct: primary] sharelatex> 16

# Total number of users using metrics endpoint
docker exec sharelatex curl http://127.0.0.1:3000/metrics | grep num_active_users
# # HELP num_active_users num_active_users
# # TYPE num_active_users gauge
# num_active_users{app="web-api",host="b3ae4ff549d8"} 16

# Total number of active users
echo 'db.users.countDocuments({ lastActive: { $gte: new Date(new Date().getTime() - (365 * 24 * 60 * 60 * 1000)) } })' | docker exec -i mongo mongosh --quiet localhost/sharelatex
# overleaf [direct: primary] sharelatex> 10

Updating user account information

When managing user accounts, the process for updating user profile information depends on whether SSO is enabled.

If SSO is not in use, administrators have the ability to modify user account information through the Admin -> Manage Users interface where they can update a users email addresses, first name and last name, and generate a password reset link, if required.

Regular users can self-serve updating their own account details via Account -> Account Settings. From there, individuals have the same options but can also change their password and generate Git authentication tokens.

For deployments using SSO, Server Pro can be optionally configured to automatically update a user's first and last name during login. This update occurs using the information received from the configured authentication system during the authentication process.

When OVERLEAF_SAML_UPDATE_USER_DETAILS_ON_LOGIN or OVERLEAF_LDAP_UPDATE_USER_DETAILS_ON_LOGIN are true — the user details form on https://your-instance-url/user/settings page is disabled and can't be used to update the account information. The first name and last name can only be set in your identity managment system.

For more information on these settings, see our configuration guides for SAML 2.0 and LDAP.