After defining roles, you can do the following:

  • Create individual accounts manually

  • Provision accounts from an identity provider (Idp)

This section describes how to create a new account manually. To learn how to provision Nexthink accounts from existing accounts in an Idp, refer to the Single sign-on documentation.

Nexthink supports both internal and external management of credentials to authenticate user accounts as follows:

Internally managedExternally managed


single sign-on (SSO)

The credentials are stored in the Nexthink data cloud

The process verifies the credentials by either internal or external means based on the provided login name:

  • If the login name includes an @ character, Nexthink assumes external user authentication. This username format is known as User Principal Name (UPN) and, for example, may look like this: In this case, the configuration determines the external authentication method, and the account is authenticated using Security Assertion Markup Language (SAML).

  • If the login name does not include an @ character, Nexthink authenticates the account with internally stored credentials.

Accessing accounts

Manually, you can only create internally managed accounts. The system creates SSO accounts automatically, using just-in-time (JIT) user provisioning.

To create an individual account:

  1. Log in as an administrator using the web interface.

  2. Select the Administration module from the main menu.

  3. Under the Account management section, select Accounts to open the dashboard.

  4. Select the Add account button in the top-right corner of the page to start the wizard.

Setting personal data and roles

  • Username: Enter the name of the user:

    • To use internal authentication, enter the account name, which will be the user login name. In this case, you cannot use the @ character.

    • To use external authentication, enter the username in a format that includes the @ character. If you use SAML authentication, enter the Name ID of the user, as returned by the Idp. Refer to the Single sign-on documentation for more information.

  • Full name: Enter the full name when using internal authentication.

  • Email address: Enter the user’s email address to send notifications.

  • Password: The password field depends on the user authentication method:

    • Users define their password and configure multi-factor authentication (MFA) using the activation email that the system sends. Administrators can perform the following actions:

      • Resend the activation email if the user is not already active.

      • Reset MFA. In this case, the user has to configure MFA again during the next login.

    • Classic: If you use internal user authentication, type in a password for the user and retype it in the Confirm password field. The default minimum password length for an internally managed account is 8 characters; however, this requirement is configurable.

  • Optional: Select the Never automatically sign out this user while they are active box if you want to override the session timeout control. You can configure the session timeout in the Nexthink web interface.

Roles and permissions

  • Main role: Select the account role from the drop-down list. You must create a role first to see it in the list. Refer to the Roles documentation for more information.

  • Additional roles: Enter the name of one or more additional roles to assign them to the account. Additional roles are optional.

Roles (classic)

Select one or several roles (classic) to grant access to Custom dashboard and Finder content, such as:

  • Modules

  • V6 alerts

  • V6 remote actions


Last updated