

This is version 2.18 of the AWS Elemental Server documentation. This is the latest version. For prior versions, see the *Previous Versions* section of [AWS Elemental Conductor File and AWS Elemental Server Documentation](https://docs.aws.amazon.com/elemental-server/).

# User Authentication Reference
<a name="config-wrkr-srvr-cg-auth-ref"></a>

Enabling user authentication gives you more control over your AWS Elemental systems. Authentication helps secure your nodes while also allowing you to do the following:
+ Track node activity on a per-user basis.
+ Limit accidental access to a node by allowing distinct login credentials for each node. This way, an operator with access to multiple nodes must enter the credentials for a specific node prior to sending any commands.

Whether or not you enable authentication, we recommend that all of your nodes are installed behind a customer firewall or on a private network.

The following sections provide more information about user authentication.

**Topics**
+ [Supported Types of User Authentication](auth-ref-type-auth.md)
+ [Authentication User Types](auth-ref-type-user.md)

# Supported Types of User Authentication
<a name="auth-ref-type-auth"></a>

AWS Elemental Server supports the following types of user authentication:

**Local authentication**  
An administrator creates and manages user credentials from the AWS Elemental Server node.  
Users logging in to nodes with local authentication enabled must enter valid credentials for access. They must also supply credentials when using the REST API.  
The credentials that users enter are validated against credentials that are housed locally on the node that they're accessing.

**Privileged Access Management (PAM) authentication**  
An administrator creates and manages user credentials from a Lightweight Directory Access Protocol (LDAP) server that's external to the AWS Elemental systems.  
Users logging in to nodes with PAM authentication enabled must enter valid credentials for access. They must also supply credentials when using the REST API.  
The credentials that users enter are validated against credentials that are housed on an external LDAP server.

# Authentication User Types
<a name="auth-ref-type-user"></a>

This table describes the types of users available with authentication.


| User type | How created | Log-in username | Log-in password | Use | 
| --- | --- | --- | --- | --- | 
| Default, remote terminal user | Built-in | Customer-created at install. | Default, or as changed by an administrator. | Users manually enter this information at these times: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elemental-server/latest/configguide/auth-ref-type-user.html) | 
| Admin REST API user | An administrator enables local authentication on the node when they create the administrator user in the command line. | Customer-created. The username must not be the name of a real person. | Customer-created. | The administrator API user is used at these times: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elemental-server/latest/configguide/auth-ref-type-user.html)  | 
| People and third-party clients | An administrator user creates these users either through the node's web interface (for local authentication) or through an LDAP server (for PAM authentication). | Customer-created. | Customer-created. | Users manually enter their log-in credentials when accessing the node through the web interface or REST API. With local authentication, if a person has access to multiple nodes, you must create a user for them in each node. | 