Access control documented

This commit is contained in:
Marco Mooij | DigiState
2026-05-15 13:43:56 +02:00
parent 8e4ea9d4a0
commit db2b6e62b8
11 changed files with 95 additions and 24 deletions

View File

@@ -1 +1,31 @@
# Admins
Admins are users who are not tied to specific companies and are responsible for administering Sentri.
## View admin
To view admins, you need the `admin-access-admins` RO permission.
In the admins list, click the **view** icon to open an admin and see additional details.
## Add admin
To create a new admin, you need the `admin-access-admins` RW permission.
Complete the form and click **Add admin**. The admin will be created in a **Pending** state.
After creation, an invitation email is sent. The recipient must verify their account and set a password. Once completed, the admin becomes **Active**.
## Modify admin
To manage admins, you need the `admin-access-admins` RW permission.
You can edit an admin by clicking the **edit** icon in the admin list or by selecting **Edit** while viewing the admin details.
### Send password reset email
To send a password reset email, you need the `admin-access-admins-resetpassword` RW permission.
Open the admin details and click **Send password reset email** in the user management section.
### Disable two factor authentication
To disable two-factor authentication for another admin, you need the `admin-access-admins-mfa` RW permission.
Open the admin details and click **Disable two-factor authentication** in the user management section.
# Admin status
An admin can have one of the following statuses:
- **Active** The admin is active and can log in.
- **Pending** The admin has been created but has not yet verified their account or set a password via the invitation email.
- **Banned** The admin is blocked due to suspicious or policy-violating behavior and cannot log in.
- **Inactive** The admin account is disabled and cannot log in.

View File

@@ -1 +1,17 @@
# Permissions
# Permissions
Many actions in Sentri require specific permissions. These permissions are configured per user group and can be set to one of the following levels:
- NA (Not Available)
- RO (Read Only)
- RW (Read Write)
> [!INFO]
> The **superuser** account has RW access to all permissions by default. This behavior is intentional and cannot be changed.
## Viewing or modifying permissions
To view permissions, you need the `admin-access-control-permissions` RO permission.
To modify permissions, you need the `admin-access-control-permissions` RW permission.
Navigate to **Access control** > **Permissions** and click the **view** icon. You will see the permission set assigned to each user group.
If you want to view or modify all permissions for a specific user group, go to **Access control** > **User groups**, then click the **view icon** next to the user group you want to view or modify. This will display the full list of permissions configured on that group.

View File

@@ -1 +1,20 @@
# User groups
# User groups
All users in Sentri are assigned to a user group. There are currently two types of user groups:
- **Administrator** Users not tied to specific companies. They are responsible for administering Sentri and are created [[Admins|here]].
- **User** Intended for future use for users linked to specific companies. This group type is not yet active in Sentri.
## User group weight
Each user group has an associated **weight**, which is used to enforce hierarchy and prevent privilege escalation.
For example, if your current user group has a weight of **10**, you cannot create or assign a user to a group with a lower weight (e.g. **1**) if that would result in higher permissions than your own. This ensures users cannot create accounts with greater access than their own.
## Adding a user group
To add a user group, you need the `admin-access-control-user-groups` RW permission.
Navigate to **Access Control** > **User groups** and click **Add user group**. Enter a name and select the group type.
After creation, you will be able to configure the groups [[Permissions|permissions]]. To modify permissions, you also need the `admin-access-control-permissions` **RW** permission.
## Viewing user groups
To view user groups, you need the `admin-access-control-user-groups` RO permission.
Go to **Access Control** > **User groups** and click the **view icon** next to a user group. This will show detailed information about the group, including all configured [[Permissions|permissions]].