# User Management

This guide walks through managing users in Aritma IAM — inviting users, listing them, and managing their OIDC roles.

## Prerequisites

- An access token with IAM admin permissions
- A configured tenant

## List users

Retrieve a paginated list of all user subjects in your tenant. You can filter by a search query.

## Get a user

Retrieve a single user by their subject ID.

## Invite a user

Send an invitation email to a user. The recipient will receive a link to complete registration in Aritma ID. Once they register, they become an active subject in your tenant.

| Parameter | Description |
| --- | --- |
| `email` | The email address to send the invitation to |
| `redirectUrl` | Optional. The URL the user will be redirected to after accepting the invitation. Useful for sending users to your own application after they complete registration |

> **Note**
> The user will appear in your tenant after they accept the invitation and complete registration. Until then, they are not listed as an active subject.

## Create a user directly

If your organization has verified domain ownership in Aritma IAM (see [Domains](/apis/platform/iam/guides/domains)), you can create users directly within your tenant without sending an invitation email.

| Parameter | Description |
| --- | --- |
| `email` | The email address for the new user. Must belong to a verified domain |
| `fullName` | The full name of the new user |
| `phoneNumber` | The phone number of the new user |

## Assign an OIDC role to a user

OIDC roles are claims included in the user's access token. They are used by your applications for their own authorization logic — they do not control access to Aritma resources. To grant access to Aritma resources, use [Policies](/apis/platform/iam/guides/policies) instead.

## Remove an OIDC role from a user

## View a user's permissions

To see the effective permissions for a user subject, use the subject permissions endpoint:

## View a user's group memberships

To see which groups a user belongs to:

## Check your own permissions

Any authenticated subject can check their own permissions using the `/v1/me` endpoints - no admin rights required:

`GetUserClaims` returns the OIDC claims assigned to your subject. Claims are key-value pairs included in your access token and are used by Aritma services and your own applications for authorization decisions.
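
The following is an added example, not code from the Aritma documentation, of the application-side authorization that OIDC role claims are meant for (see "Assign an OIDC role to a user" and the claims description above). It assumes your OIDC library has already validated the token (signature, issuer, audience, expiry) and handed you the claims as a dictionary; the claim name `role` and the role names are assumptions, so check a real token from your tenant.

```python
from __future__ import annotations

from typing import Any, Iterable, Mapping

# Assumption: the claim that carries OIDC roles. The guide does not name it.
ROLE_CLAIM = "role"


def roles_from_claims(claims: Mapping[str, Any], claim: str = ROLE_CLAIM) -> frozenset[str]:
    """Normalize the role claim to a set of exact role names.

    A single-valued claim is often surfaced as a string and a multi-valued
    one as a list, so both shapes are handled. Any other shape (missing
    claim, number, nested object) yields no roles.
    """
    value = claims.get(claim)
    if isinstance(value, str):
        value = [value]
    if not isinstance(value, (list, tuple)):
        return frozenset()
    return frozenset(r for r in value if isinstance(r, str) and r)


def is_authorized(claims: Mapping[str, Any], required_any: Iterable[str]) -> bool:
    """Deny by default; allow only when a role name matches exactly.

    Comparing sets avoids the substring bug of `"reader" in claims["role"]`,
    which is true for the string "invoice.reader".
    """
    required = frozenset(required_any)
    if not required:
        return False
    return not roles_from_claims(claims).isdisjoint(required)


# Constructed sample claims, shaped like a validated token's payload.
SINGLE = {"sub": "subject-1", "role": "invoice.reader"}
MULTI = {"sub": "subject-2", "role": ["invoice.reader", "invoice.approver"]}
NO_ROLE = {"sub": "subject-3"}

if __name__ == "__main__":
    for sample in (SINGLE, MULTI, NO_ROLE):
        print(sample["sub"], is_authorized(sample, ["invoice.approver"]))
```

These checks gate your own application's features only; access to Aritma resources is still governed by Policies.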