# Users Users represent **human identities** that can access Krutrim Cloud resources.\ All access granted to a user is evaluated through **roles and groups**. {% hint style="info" %} Users never receive permissions directly. Permissions are always inherited via roles {% endhint %} *** ### User Types #### Root User * Created during account sign-up * Owner of the account * Can manage all IAM entities * Cannot be modified or deleted by other users #### IAM User * Invited by the root user or an authorized admin * Has scoped permissions * Can have console access, programmatic access, or both {% hint style="warning" %} One email address can be associated with **only one root user**, but may be used for multiple IAM users across different organizations. {% endhint %} *** ### Adding a User Adding a user is a **two-step flow**: 1. Enter user details 2. Assign roles and/or groups Only the **root user** or users with appropriate IAM permissions can add new users. *** #### Step 1: Enter User Details Navigate to **IAM → Users** and click **Add User**. Fill in the following fields: 1. **Email** 1. Email address of the user being invited 2. Used as the login identifier 2. **Username** 1. Unique username within the organization 2. Used for display and identification 3. **Generated Password** 1. System-generated temporary password 2. Cannot be manually edited 3. Can be: 1. Regenerated using the refresh icon 2. Copied using the copy icon Click **Next** to continue. *** #### Step 2: Assign Roles and Groups In this step, you assign **how the user gets permissions**. 1. **Assign Roles** 1. Select one or more roles to attach directly to the user 2. Search is available to quickly find roles 2. Each role shows: 1. Role name 2. Short description 3. **Assign Groups** 1. Switch to the **Groups** tab 2. Select one or more groups 3. The user will inherit all roles attached to those groups {% hint style="info" %} At least one role or group must be assigned {% endhint %} Click **Send Invitation** to complete the process. *** ### What Happens After Invitation * The user receives an email with: * Organization ID * Login email * Preset password * We recommend that the user reset their password after logging in for the 1st time. * Permissions are enforced immediately after login. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.cloud.olakrutrim.com/basics/identity-access-management/users.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.