-
-
Notifications
You must be signed in to change notification settings - Fork 0
Users and Security
Two roles, enforced server-side on every endpoint (not just hidden buttons): admin (everything) and user (read-only: dashboard, events, snapshots browse). The free Community tier includes the single admin created at first run; adding users requires a paid license.
Two ways to create a user. Send invite link: the account starts as a pending invite and a one-time link lets them set their own password; if SMTP is configured the invite is emailed, and either way you get a copyable link. Set password now: the admin sets an initial password and the account is active immediately - no email required. Share it securely; the user can change it in their profile.
-
Passwords are hashed with scrypt; sessions are server-side (revocable), with Secure/HttpOnly cookies behind HTTPS.
-
Every user can enable TOTP two-factor from their profile (QR enrollment); MFA is enforced at sign-in.
-
Admins can reset a user's password or reset MFA (lost authenticator); resets also revoke trusted devices.
-
Optional trusted-device window: after a successful code, skip the MFA prompt on that browser for N days (0 = always prompt, the default).
Failed logins lock the account after a configurable number of attempts (default 5) for a configurable duration (default 15 minutes), tracked per account and audit-logged.
Every mutating action (logins, tenant changes, restores, settings, license and user changes) is recorded with actor and detail in the Audit page.