Principals

A principal in StrongDM is any entity that can authenticate to your StrongDM organization by some means (the desktop app, the CLI, the Admin UI, the SDKs, and so on). StrongDM has the following types of principal:

Users

Users can be managed directly in StrongDM, by an SSO provider, or through automated user provisioning. Every user is displayed with a name and an email address. Users can authenticate in several ways: through SSO, or directly with an email address and password, in either case with or without an MFA challenge delivered by an integrated MFA provider or by StrongDM's own TOTP service. Note that an email-and-password login does not pass through your SSO provider, so any MFA requirement for such users has to be enforced on the StrongDM side. Users are granted access to resources either through the roles assigned to them or just in time through access workflows.

  • SSO

  • Provisioning

  • Authentication

  • MFA

Service Accounts

A service account is a principal intended for programmatic access to StrongDM resources. Unlike a user, a service account needs only a display name rather than a full name and email address, because service accounts represent machines, programs, and applications, not people. Instead of a username and password, a service account authenticates to StrongDM with an access token, which lets it perform whatever automated task needs resource access. Because that token is the account's only credential, treat it as you would a password: store it in a secrets manager rather than in source code or job definitions, and replace it if it is ever exposed. Service accounts are granted access to resources in the same ways users are, through roles or through temporary access.

Admin Tokens

Admin tokens provide time-bound access for automated actions that perform specific administrative functions in an organization, such as creating, updating, or deleting resources. They can likewise manage nodes, users, secrets, and other elements of your StrongDM organization. Each token can be scoped to only the areas of access it needs, so an automation job that manages resources alone should receive a token with no permissions over users or secrets. Unlike a service account, which uses its token to reach resources, an admin token administers the organization itself.
