Access control documented
This commit is contained in:
@@ -1 +1,31 @@
|
||||
# Admins
|
||||
Admins are users who are not tied to specific companies and are responsible for administering Sentri.
|
||||
## View admin
|
||||
To view admins, you need the `admin-access-admins` RO permission.
|
||||
|
||||
In the admins list, click the **view** icon to open an admin and see additional details.
|
||||
## Add admin
|
||||
To create a new admin, you need the `admin-access-admins` RW permission.
|
||||
|
||||
Complete the form and click **Add admin**. The admin will be created in a **Pending** state.
|
||||
|
||||
After creation, an invitation email is sent. The recipient must verify their account and set a password. Once completed, the admin becomes **Active**.
|
||||
## Modify admin
|
||||
To manage admins, you need the `admin-access-admins` RW permission.
|
||||
|
||||
You can edit an admin by clicking the **edit** icon in the admin list or by selecting **Edit** while viewing the admin details.
|
||||
### Send password reset email
|
||||
To send a password reset email, you need the `admin-access-admins-resetpassword` RW permission.
|
||||
|
||||
Open the admin details and click **Send password reset email** in the user management section.
|
||||
### Disable two factor authentication
|
||||
To disable two-factor authentication for another admin, you need the `admin-access-admins-mfa` RW permission.
|
||||
|
||||
Open the admin details and click **Disable two-factor authentication** in the user management section.
|
||||
# Admin status
|
||||
An admin can have one of the following statuses:
|
||||
|
||||
- **Active** – The admin is active and can log in.
|
||||
- **Pending** – The admin has been created but has not yet verified their account or set a password via the invitation email.
|
||||
- **Banned** – The admin is blocked due to suspicious or policy-violating behavior and cannot log in.
|
||||
- **Inactive** – The admin account is disabled and cannot log in.
|
||||
@@ -1 +1,17 @@
|
||||
# Permissions
|
||||
# Permissions
|
||||
Many actions in Sentri require specific permissions. These permissions are configured per user group and can be set to one of the following levels:
|
||||
|
||||
- NA (Not Available)
|
||||
- RO (Read Only)
|
||||
- RW (Read Write)
|
||||
|
||||
> [!INFO]
|
||||
> The **superuser** account has RW access to all permissions by default. This behavior is intentional and cannot be changed.
|
||||
## Viewing or modifying permissions
|
||||
To view permissions, you need the `admin-access-control-permissions` RO permission.
|
||||
|
||||
To modify permissions, you need the `admin-access-control-permissions` RW permission.
|
||||
|
||||
Navigate to **Access control** > **Permissions** and click the **view** icon. You will see the permission set assigned to each user group.
|
||||
|
||||
If you want to view or modify all permissions for a specific user group, go to **Access control** > **User groups**, then click the **view icon** next to the user group you want to view or modify. This will display the full list of permissions configured on that group.
|
||||
@@ -1 +1,20 @@
|
||||
# User groups
|
||||
# User groups
|
||||
All users in Sentri are assigned to a user group. There are currently two types of user groups:
|
||||
|
||||
- **Administrator** – Users not tied to specific companies. They are responsible for administering Sentri and are created [[Admins|here]].
|
||||
- **User** – Intended for future use for users linked to specific companies. This group type is not yet active in Sentri.
|
||||
|
||||
## User group weight
|
||||
Each user group has an associated **weight**, which is used to enforce hierarchy and prevent privilege escalation.
|
||||
|
||||
For example, if your current user group has a weight of **10**, you cannot create or assign a user to a group with a lower weight (e.g. **1**) if that would result in higher permissions than your own. This ensures users cannot create accounts with greater access than their own.
|
||||
## Adding a user group
|
||||
To add a user group, you need the `admin-access-control-user-groups` RW permission.
|
||||
|
||||
Navigate to **Access Control** > **User groups** and click **Add user group**. Enter a name and select the group type.
|
||||
|
||||
After creation, you will be able to configure the group’s [[Permissions|permissions]]. To modify permissions, you also need the `admin-access-control-permissions` **RW** permission.
|
||||
## Viewing user groups
|
||||
To view user groups, you need the `admin-access-control-user-groups` RO permission.
|
||||
|
||||
Go to **Access Control** > **User groups** and click the **view icon** next to a user group. This will show detailed information about the group, including all configured [[Permissions|permissions]].
|
||||
Reference in New Issue
Block a user