User Management

User accounts are managed at Organisation > Users. The manageUser permission is required. All actions described here are scoped to the currently active organisation.

Creating a user

  1. Click Add User in the top-right toolbar.

  2. Fill in the following fields:

    • Login — the user’s email address. Must be unique across the platform.

    • Full name — display name shown in case assignments and task lists.

    • Profile — the permission set the user holds in this organisation. See Administration for the list of available profiles.

  3. Click Save. The platform sends an email invitation with a link to set a password. The account is inactive until the user clicks the link.

Editing a user

Click the edit (pencil) icon in the user row to change the user’s name, login, or profile within the current organisation. Changes take effect on the user’s next request.

Locking and unlocking accounts

Click the lock icon in the user row to toggle the account between active and locked. A locked account cannot authenticate. Existing sessions remain active until they expire or are killed manually.

Killing a session

To force a user out immediately, click Kill Session in the user row. The user’s active session token is invalidated. They are redirected to the login page on their next request.

See also the organisation-level session management in Administration.

API keys

API keys are created by the organisation administrator from the user row in the organisation’s Users list (Create API Key button). Once created, the user can view and manage the key from the Account menu → Settings → API key.

To regenerate a key, click Renew in the user row or in account settings. The previous key stops working immediately.

API keys authenticate REST requests using a Bearer token header:

Authorization: Bearer <api-key>

API keys cannot log in to the web interface. They bypass session inactivity timeouts and MFA requirements.
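
The following added example (not part of the platform or its documentation) turns the behaviour described under Creating a user, Locking and unlocking accounts, and API keys into a review pass over a user inventory. The record fields and the sample data are constructed assumptions; the platform's own export format may differ.

```python
from dataclasses import dataclass


@dataclass
class UserRecord:
    # Hypothetical inventory fields, assumed for this example only.
    login: str
    activated: bool      # False until the invitation link has been used
    locked: bool         # a locked account cannot authenticate
    live_sessions: int   # sessions that have not expired or been killed
    has_api_key: bool    # key works without MFA or inactivity timeout


def review(users):
    """Return (login, code, action) tuples for residual-access states."""
    findings = []
    for u in users:
        # Locking blocks new logins but leaves existing sessions running.
        if u.locked and u.live_sessions > 0:
            findings.append((u.login, "LOCKED_LIVE_SESSION", "kill session"))
        # An API key is a long-lived credential outside MFA and timeouts.
        if u.has_api_key:
            findings.append((u.login, "API_KEY_NO_MFA", "confirm still needed or renew"))
        # Invited accounts stay inactive until the link is clicked.
        if not u.activated:
            findings.append((u.login, "INVITE_PENDING", "confirm invitation is still wanted"))
    return findings


# Constructed sample inventory (not real accounts).
SAMPLE = [
    UserRecord("alice@example.org", True, False, 1, False),
    UserRecord("bob@example.org", True, True, 2, False),
    UserRecord("ingest@example.org", True, False, 0, True),
    UserRecord("carol@example.org", False, False, 0, False),
]

if __name__ == "__main__":
    for login, code, action in review(SAMPLE):
        print(f"{login}: {code} -> {action}")
```
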

Multi-factor authentication

MFA is enabled by default on the platform. Each user enrolls their own TOTP authenticator from their account settings (Settings > 2FA Authentication). Enrollment requires scanning a QR code with an authenticator app (Authy, Microsoft Authenticator, or any TOTP-compatible app) or entering the displayed secret manually.

Administrators cannot enroll MFA on behalf of a user. If a user loses access to their authenticator, contact the platform operator to reset the MFA configuration for that account.

The MFA issuer name shown in authenticator apps is set in Authentication.

User across multiple organisations

A user account exists once at the platform level but can be added to multiple organisations with different profiles in each. To add a user to a second organisation, switch to that organisation and use Organisation > Users > Add User, entering the same login (email). The platform links the existing account without sending a new invitation.

The user switches between organisations using the shuffle icon in the header. Permissions and data access update immediately for the selected organisation.