User Management
Users are managed per customer. Each user has a role that determines their permissions.
Role Model
| Role | Permissions |
|---|---|
| System Admin | Full access to all customers and settings. No customer assigned. |
| Customer Admin | Full access to own customer and sub-customers. Can manage users. |
| Manager | Access to sub-customers. Can manage devices and tokens but cannot create admins. |
| Viewer | Read-only access to the assigned customer. |
Escalation Protection
- A user cannot assign a role higher than their own
- An admin cannot deactivate themselves
- A manager cannot create admins for their own customer
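A minimal server-side sketch of the three escalation rules above, as an added example that is not the product's own code. The `Role` ranking (Viewer < Manager < Customer Admin < System Admin) is an assumption taken from the order of the role table, and `User`, `EscalationError`, `check_role_assignment`, `check_deactivation` and `is_allowed` are hypothetical names.

```python
from dataclasses import dataclass
from enum import IntEnum


class Role(IntEnum):
    # Assumed ranking, lowest to highest, following the role table.
    VIEWER = 1
    MANAGER = 2
    CUSTOMER_ADMIN = 3
    SYSTEM_ADMIN = 4


ADMIN_ROLES = frozenset({Role.CUSTOMER_ADMIN, Role.SYSTEM_ADMIN})


@dataclass(frozen=True)
class User:  # hypothetical model, not the product's schema
    id: int
    role: Role


class EscalationError(PermissionError):
    """Raised when a request would break an escalation rule."""


def check_role_assignment(actor: User, new_role: Role) -> None:
    """Run server-side for both Add User and role edits."""
    if actor.role is Role.VIEWER:
        raise EscalationError("viewers are read-only")
    if new_role > actor.role:
        raise EscalationError("cannot assign a role higher than your own")
    # Implied by the rank check above under the assumed ordering; kept
    # explicit so a later change to the ranking cannot silently drop it.
    if actor.role is Role.MANAGER and new_role in ADMIN_ROLES:
        raise EscalationError("managers cannot create admins")


def check_deactivation(actor: User, target: User) -> None:
    if actor.role is Role.VIEWER:
        raise EscalationError("viewers are read-only")
    if actor.role in ADMIN_ROLES and actor.id == target.id:
        raise EscalationError("admins cannot deactivate themselves")


def is_allowed(check, *args) -> bool:
    """Boolean wrapper, e.g. for hiding actions the API would reject."""
    try:
        check(*args)
        return True
    except EscalationError:
        return False
```

The checks belong in the request handler, so a crafted API call is rejected even when the UI hides the option.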
Inviting Users
- Open Customer Management and select the customer
- In the Users section, click Add User
- Enter email, username, and password
- Select the role
- The user can log in immediately
Editing Users
Editable fields:
- Email address (requires re-verification)
- Role (with escalation protection)
Resetting Passwords
As an admin, you can reset a user’s password:
- Click Reset Password next to the user
- The user must set a new password on next login
Alternatively, users can request a new password via Forgot Password on the login page.
Managing 2FA
- Users can set up TOTP-based two-factor authentication in their Profile
- As an admin, you can disable 2FA for a user (e.g., if they lost their device)
- Recovery codes are displayed during 2FA setup and should be stored securely
Deactivating Users
- Click Deactivate next to the user
- The user can no longer log in
- Their data is preserved (audit trail)
Deactivated users cannot be reactivated. Create a new account if needed.
Multiple Customers
A user can have access to multiple customers (multi-customer). In the dashboard, the customer switcher in the app bar allows switching between customers.