
User Management

LMA ships with a built-in User Management page that lets administrators create and delete users directly from the Web UI, without having to log into the AWS console. The feature is admin-only and is enforced at three layers for defense in depth.

Users are stored in LMA’s Amazon Cognito User Pool (created by the lma-cognito-stack nested stack). The first admin user is created automatically at deployment time from the AdminEmail CloudFormation parameter.

The User Management page provides:

  • A searchable table of every user in the user pool, showing email, role, Cognito status (e.g. CONFIRMED, FORCE_CHANGE_PASSWORD), enabled flag, and creation date.
  • Create user — creates a Cognito user with the chosen role. Cognito emails the new user a temporary password; they must set a new password on first sign-in.
  • Delete user(s) — permanently removes one or more selected users from Cognito, with confirmation.

LMA uses two roles:

Role | Cognito group | Permissions
Admin | Admin | Full access: all meeting features and admin-only pages (User Management, MCP Servers, Nova Sonic, Transcript Summary).
User | (none) | Standard access: Meetings List, Meetings Query, Stream Audio, Virtual Participant, MCP API Keys. No admin pages.

The Admin Cognito group is created by lma-cognito-stack. Membership determines the role. A user that is not in any group is a regular User.

Sign in to the LMA Web UI as an Admin user. In the left-hand side navigation, expand the Configuration section and choose User Management. The URL is:

https://<your-cloudfront-domain>/#/configuration/user-management

Non-admin users do not see this link in the navigation, and if they navigate directly to the URL, they get an Access denied message. The GraphQL API also refuses their requests.

  1. On the User Management page, choose Create user.
  2. Enter the user’s email address (used as the Cognito username).
  3. Select a role: User or Admin.
  4. Choose Create.

The new user receives a Welcome to Live Meeting Assistant! email from Amazon Cognito that includes their temporary password and a clickable link to the LMA Web UI. On first sign-in they are prompted to set a new password.

The Web UI URL in the email is generated by a Cognito CustomMessage Lambda trigger that reads the CloudFront endpoint from the LMA Settings SSM parameter (populated by AISTACK on every stack update). The very first admin user — created at initial stack-create time before AISTACK has populated the parameter — receives a fallback version of the email that refers the user to the CloudFormation stack’s ApplicationCloudfrontEndpoint Output.

  1. Select one or more rows in the users table.
  2. Choose Delete.
  3. Review the confirmation modal and choose Delete to proceed.

Deletion removes the user from the Cognito user pool. It does not delete meetings that user owns or has shared.

Authorization for user management is enforced at three independent layers:

  1. AppSync schema — listUsers, createUser, and deleteUser are declared with @aws_cognito_user_pools(cognito_groups: ["Admin"]). Non-admin callers are rejected by AppSync before the Lambda resolver is even invoked. (Note: @aws_cognito_user_pools is the correct directive when the API uses more than one auth type; @aws_auth only works for single-auth APIs.)
  2. Lambda resolver — UserManagementFunction re-checks the caller’s cognito:groups claim from the signed JWT that AppSync passes through. This is belt-and-braces protection in case a resolver is ever wired to a field without the directive.
  3. Web UI — the User Management navigation link and page are hidden from non-admin users. Direct navigation shows an access-denied message.

The Lambda’s IAM role grants only the specific cognito-idp actions required to manage users, and is scoped to the LMA user pool ARN:

cognito-idp:ListUsers
cognito-idp:ListUsersInGroup
cognito-idp:AdminGetUser
cognito-idp:AdminCreateUser
cognito-idp:AdminDeleteUser
cognito-idp:AdminAddUserToGroup
cognito-idp:AdminRemoveUserFromGroup
cognito-idp:AdminListGroupsForUser

To reduce the risk of accidental admin lock-out:

  • No self-delete. An admin cannot delete their own account.
  • Last-admin protection. The last remaining Admin user cannot be deleted. Create another Admin first, then delete the original.
  • Email validation. The email address must be well-formed.

If any of these rules is violated, the API returns a clear error and the UI shows it in the corresponding dialog.

If you set the AllowedSignUpEmailDomain CloudFormation parameter at deployment time (for example, example.com or a comma-separated list such as example.com,partner.com), then new users created via User Management must have an email address in one of those domains. The restriction is enforced server-side in the Lambda in addition to Cognito’s sign-up trigger. Leave the parameter empty to allow any email domain.
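The layer-2 resolver check, the lock-out guards and the email-domain restriction described above, written out as an added Python example (this is not LMA's own UserManagementFunction code). It assumes the AppSync event carries identity.claims["cognito:groups"] and identity.username, and that the Cognito username is the user's email as stated earlier; the sample events are constructed.

```python
import re

# Added example (not LMA's own resolver): the authorization and guard checks the
# page describes, written as pure functions so they run without AWS access.
# Assumptions: the AppSync event carries identity.claims["cognito:groups"] and
# identity.username, and the Cognito username is the user's email address.
ADMIN_GROUP = "Admin"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

class NotAuthorized(Exception):
    """Raised when the JWT claims do not place the caller in the Admin group."""

def caller_groups(event):
    """cognito:groups from the JWT that AppSync passes through (list or str)."""
    claims = (event.get("identity") or {}).get("claims") or {}
    groups = claims.get("cognito:groups") or []
    return [groups] if isinstance(groups, str) else list(groups)

def require_admin(event):
    """Layer-2 check: re-verify group membership even though the schema
    directive should already have rejected non-admin callers."""
    if ADMIN_GROUP not in caller_groups(event):
        raise NotAuthorized("Not Authorized: caller is not in the Admin group")

def validate_new_user_email(email, allowed_domains_param=""):
    """Well-formedness plus the AllowedSignUpEmailDomain restriction ('' = any)."""
    if not EMAIL_RE.match(email):
        raise ValueError(f"Invalid email address: {email!r}")
    allowed = {d.strip().lower() for d in allowed_domains_param.split(",") if d.strip()}
    domain = email.rsplit("@", 1)[1].lower()
    if allowed and domain not in allowed:
        raise ValueError(f"Email domain '{domain}' is not allowed")
    return email.lower()

def check_delete_allowed(event, targets, current_admins):
    """Lock-out guards: no self-delete, and at least one Admin must remain."""
    require_admin(event)
    caller = event["identity"]["username"]
    if caller in targets:
        raise ValueError("An admin cannot delete their own account")
    if not set(current_admins) - set(targets):
        raise ValueError("Cannot delete the last remaining Admin user")
    return True

# Constructed sample events standing in for what AppSync would deliver.
ADMIN_EVENT = {"identity": {"username": "alice@example.com",
                            "claims": {"cognito:groups": ["Admin"]}}}
USER_EVENT = {"identity": {"username": "bob@example.com", "claims": {}}}
```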

“Unauthorized” or “Not Authorized” error when opening the page : You are not a member of the Admin Cognito group. Ask an existing Admin to promote you (create a new user with role Admin, then have them delete your old account), or update group membership directly in the Cognito console.

Cognito invitation email never arrives : Check the recipient’s spam folder first. Cognito sends the email from no-reply@verificationemail.com by default. If the email never arrives, an existing Admin can reset the temporary password in the Cognito console (Users → [user] → Reset password).

“Cannot delete the last remaining Admin user” : Create another Admin first, then delete the original. This guard prevents the account from becoming unmanageable.

“Email domain ‘X’ is not allowed” : The AllowedSignUpEmailDomain CloudFormation parameter restricts new user emails to specific domains. Update the parameter on your stack and redeploy, or choose an email in an allowed domain.

CloudWatch Logs for debugging : The Lambda logs all admin actions (create/delete) and all attempts by non-admin callers. Look in CloudWatch Logs under /<stack-name>/lambda/UserManagement.