
User Management

Complete guide to managing user accounts, roles, permissions, and authentication in SysManage.

Overview

SysManage implements a comprehensive user management system with role-based access control (RBAC), secure authentication, and granular permissions. This system ensures that users have appropriate access to system resources while maintaining security and compliance requirements.

User Account Management

Roles and Permissions

Built-in Roles

Administrator

  • Full system access and control
  • User management capabilities
  • System configuration access
  • Security settings management
  • Audit log access

Operator

  • Host and agent management
  • Package management operations
  • Report generation and viewing
  • Basic monitoring access
  • Limited configuration changes

Viewer

  • Read-only access to most features
  • Dashboard and report viewing
  • Host status monitoring
  • Basic system information access
  • No modification capabilities

Auditor

  • Specialized role for compliance
  • Full audit log access
  • Security report generation
  • User activity monitoring
  • Compliance report access

Permission Matrix

Feature                Administrator   Operator      Viewer         Auditor
User Management        ✅ Full         ❌ None       ❌ None        👁️ View Only
Host Management        ✅ Full         ✅ Full       👁️ View Only   👁️ View Only
Package Management     ✅ Full         ✅ Full       👁️ View Only   👁️ View Only
System Configuration   ✅ Full         ⚠️ Limited    ❌ None        👁️ View Only
Security Settings      ✅ Full         ❌ None       ❌ None        👁️ View Only
Audit Logs             ✅ Full         ⚠️ Limited    ❌ None        ✅ Full
Reports                ✅ Full         ✅ Full       👁️ View Only   ✅ Full

Custom Roles

Create custom roles for specific organizational needs:

  • Department-specific roles: IT, Security, Compliance teams
  • Project-based access: Temporary permissions for specific projects
  • Regional access: Geographic or organizational unit restrictions
  • Specialized functions: Backup operators, monitoring specialists

Creating Custom Roles

curl -X POST "https://your-server.example.com/api/v1/roles" \
     -H "Authorization: Bearer YOUR_JWT_TOKEN" \
     -H "Content-Type: application/json" \
     -d '{
       "name": "backup-operator",
       "description": "Backup and recovery operations",
       "permissions": [
         "hosts.view",
         "reports.view",
         "reports.backup",
         "system.backup",
         "system.restore"
       ]
     }'
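
The matrix and the custom-role request above describe the authorization model, but the one safeguard a role-creation endpoint needs is easy to miss: a caller may only grant permissions they hold themselves, otherwise POST /api/v1/roles becomes a privilege-escalation path. The following Python is an added worked example, not SysManage code. It implements a deny-by-default check against the matrix and that delegation ceiling. The built-in permission names (users.*, config.edit_limited, audit.view_own and so on) are assumptions modelled on the "<resource>.<action>" strings in the curl request.

```python
"""Deny-by-default RBAC check modelled on the permission matrix above.

Added example, not SysManage code. Permission strings use the "<resource>.<action>"
shape seen in the custom-role request ("hosts.view", "system.restore"); the
built-in role contents below are assumptions read off the matrix.
"""

# "<resource>.*" grants every action on that resource; there is deliberately no global "*".
BUILTIN_ROLES: dict[str, frozenset[str]] = {
    "administrator": frozenset({"users.*", "hosts.*", "packages.*", "config.*",
                                "security.*", "audit.*", "reports.*", "system.*"}),
    "operator": frozenset({"hosts.*", "packages.*", "reports.*",
                           "config.view", "config.edit_limited", "audit.view_own"}),
    "viewer": frozenset({"hosts.view", "packages.view", "reports.view"}),
    "auditor": frozenset({"users.view", "hosts.view", "packages.view", "config.view",
                          "security.view", "audit.*", "reports.*"}),
}


def permission_implied(granted: str, requested: str) -> bool:
    """True if one granted permission string covers one concrete requested action."""
    g_res, _, g_act = granted.partition(".")
    r_res, _, r_act = requested.partition(".")
    if not g_act or not r_act or r_act == "*":
        return False  # malformed string, or a wildcard in the request: deny
    return g_res == r_res and g_act in ("*", r_act)


def authorize(user_roles, requested: str, roles=BUILTIN_ROLES) -> bool:
    """Allow only if some role held by the user grants the action; unknown roles grant nothing."""
    return any(permission_implied(granted, requested)
               for role in user_roles for granted in roles.get(role, ()))


def rejected_permissions(creator_roles, permissions, roles=BUILTIN_ROLES) -> list[str]:
    """Permissions in `permissions` that the creator does not hold and so may not delegate.

    A wildcard such as "hosts.*" is covered only by holding that same wildcard:
    holding "hosts.view" must not let you mint a role with every hosts action.
    """
    def covered(perm: str) -> bool:
        if perm.endswith(".*"):
            return any(perm in roles.get(r, ()) for r in creator_roles)
        return authorize(creator_roles, perm, roles)

    return sorted(p for p in permissions if not covered(p))


def create_custom_role(creator_roles, name: str, permissions, roles) -> None:
    """Register a custom role, refusing the request if it would escalate the creator.

    Without this ceiling, anyone allowed to call POST /api/v1/roles could create a
    role carrying "security.*", assign it to themselves, and bypass the matrix.
    """
    if name in roles:
        raise ValueError(f"role {name!r} already exists")
    too_much = rejected_permissions(creator_roles, permissions, roles)
    if too_much:
        raise PermissionError(f"creator may not grant: {', '.join(too_much)}")
    roles[name] = frozenset(permissions)


if __name__ == "__main__":
    roles = dict(BUILTIN_ROLES)
    # The backup-operator role from the curl request above, created by an administrator.
    create_custom_role(["administrator"], "backup-operator",
                       ["hosts.view", "reports.view", "reports.backup",
                        "system.backup", "system.restore"], roles)
    print(authorize(["backup-operator"], "system.restore", roles))  # True
    print(authorize(["backup-operator"], "hosts.delete", roles))    # False
    # An operator trying to smuggle security.view into a new role is refused.
    print(rejected_permissions(["operator"], ["hosts.view", "security.view"], roles))
```

The ceiling check belongs in the server-side handler for POST /api/v1/roles; a UI that merely hides options the caller should not see is not a control, because the API is reachable directly with the same bearer token.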

Authentication Methods

Local Authentication

Built-in username/password authentication with the following controls:

  • Password Policies: Configurable complexity requirements
  • Account Lockouts: Protection against brute force attacks
  • Password Expiration: Automatic password aging
  • Password History: Prevention of password reuse

Password Policy Configuration

{
  "password_policy": {
    "min_length": 12,
    "require_uppercase": true,
    "require_lowercase": true,
    "require_numbers": true,
    "require_special_chars": true,
    "max_age_days": 90,
    "history_count": 12,
    "lockout_attempts": 5,
    "lockout_duration_minutes": 30
  }
}
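
The JSON above is a policy, not an enforcement. The following Python is an added example, not SysManage code, showing how a server applies it: complexity checks driven by the same fields, a hashed password history so history_count works without keeping old passwords in clear, and the failure counter behind lockout_attempts and lockout_duration_minutes. The stored-hash layout and the PBKDF2 parameters are assumptions, and the epoch-seconds `now` argument is injected so the lockout window can be exercised without waiting 30 minutes.

```python
"""Applying the password_policy block above. Added example, not SysManage code.

The policy JSON is embedded so the example runs offline. PBKDF2-HMAC-SHA256 is used
for storage because it is in the standard library; the stored string layout and the
lockout bookkeeping are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import string
from dataclasses import dataclass, field

POLICY_JSON = """{"password_policy": {
  "min_length": 12, "require_uppercase": true, "require_lowercase": true,
  "require_numbers": true, "require_special_chars": true, "max_age_days": 90,
  "history_count": 12, "lockout_attempts": 5, "lockout_duration_minutes": 30}}"""

PBKDF2_ITERATIONS = 600_000  # OWASP's current minimum for PBKDF2-HMAC-SHA256


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    require_uppercase: bool
    require_lowercase: bool
    require_numbers: bool
    require_special_chars: bool
    max_age_days: int
    history_count: int
    lockout_attempts: int
    lockout_duration_minutes: int

    @classmethod
    def from_json(cls, text: str) -> PasswordPolicy:
        return cls(**json.loads(text)["password_policy"])

    def violations(self, password: str) -> list[str]:
        """Every complexity rule the candidate breaks; an empty list means it passes."""
        rules = [
            (len(password) < self.min_length, f"shorter than {self.min_length}"),
            (self.require_uppercase and not any(c.isupper() for c in password), "no uppercase"),
            (self.require_lowercase and not any(c.islower() for c in password), "no lowercase"),
            (self.require_numbers and not any(c.isdigit() for c in password), "no digit"),
            (self.require_special_chars
             and not any(c in string.punctuation for c in password), "no special character"),
        ]
        return [message for broken, message in rules if broken]


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Salted PBKDF2; stored as "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time comparison


def reuses_history(policy: PasswordPolicy, candidate: str, history: list[str]) -> bool:
    """history holds previous hashes, newest first; only history_count of them count."""
    return any(verify_password(candidate, old) for old in history[:policy.history_count])


@dataclass
class AccountLockout:
    """Failure counter per account. `now` is epoch seconds, injected for testability."""
    policy: PasswordPolicy
    failures: dict[str, int] = field(default_factory=dict)
    locked_until: dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        return now < self.locked_until.get(user, 0.0)

    def record_failure(self, user: str, now: float) -> None:
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.policy.lockout_attempts:
            self.locked_until[user] = now + self.policy.lockout_duration_minutes * 60
            self.failures[user] = 0

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


def attempt_login(lockout: AccountLockout, user: str, password: str,
                  stored_hash: str, now: float) -> str:
    """Returns "locked", "ok" or "bad_password".

    The lock is checked before the hash so a locked account answers identically to a
    right and a wrong password: the lockout must not become a password oracle.
    """
    if lockout.is_locked(user, now):
        return "locked"
    if verify_password(password, stored_hash):
        lockout.record_success(user)
        return "ok"
    lockout.record_failure(user, now)
    return "locked" if lockout.is_locked(user, now) else "bad_password"
```

Two caveats practitioners run into with this design: lockout is a denial-of-service lever (anyone who knows an administrator's username can lock that account every 30 minutes, so pair it with per-source rate limiting and alerting), and the history check has to run the slow hash once per stored entry, which is why history_count should stay modest.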

Multi-Factor Authentication (MFA)

Enhanced security through multiple authentication factors:

Supported MFA Methods

  • TOTP (Time-based OTP): Google Authenticator, Authy or any RFC 6238 app
  • SMS Codes: Text message verification
  • Email Codes: Email-based verification
  • Hardware Tokens: FIDO2/WebAuthn security keys

These are not equally strong. SMS and email codes can be phished in real time and depend on the security of a phone number (SIM swap) or a mailbox, so treat them as a fallback rather than a default. FIDO2/WebAuthn is the only phishing-resistant option listed, because the authenticator's signature is bound to the site origin; it is the right choice for administrator accounts, with TOTP as the fallback.

MFA Configuration

  1. User enables MFA in profile settings
  2. System generates QR code for TOTP setup
  3. User scans QR code with authenticator app
  4. User enters verification code to confirm setup
  5. System generates backup codes for recovery

External Authentication

LDAP/Active Directory Integration

{
  "ldap_config": {
    "server": "ldap://corp.example.com:389",
    "base_dn": "dc=corp,dc=example,dc=com",
    "user_dn": "cn=sysmanage,ou=service,dc=corp,dc=example,dc=com",
    "user_filter": "(sAMAccountName={username})",
    "group_filter": "(member={user_dn})",
    "role_mapping": {
      "CN=SysManage-Admins,OU=Groups,DC=corp,DC=example,DC=com": "administrator",
      "CN=SysManage-Operators,OU=Groups,DC=corp,DC=example,DC=com": "operator"
    }
  }
}

Two cautions about this example as written. The server URL uses ldap:// on port 389; a simple bind over that transport sends the service account's password, and every user's password at login, in clear text, so use ldaps:// (port 636) or StartTLS with certificate verification in production. Keep the bind password for the user_dn service account in a secret store rather than alongside this configuration.
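
Both templates in this configuration interpolate a value that arrives from outside: {username} from the login form and {user_dn} from the directory entry found by the first search. The following Python is an added example, not SysManage code, showing what must happen to those values before substitution and how the role_mapping keys should be matched against the group DNs a directory returns. The configuration is embedded verbatim; the escaping follows RFC 4515, and the DN normalisation is a deliberately minimal assumption (it folds case and whitespace but is not a full RFC 4514 canonicaliser). Talking to the directory is left to whatever LDAP client library the server uses.

```python
"""Safe filter construction and group-to-role mapping for ldap_config above.

Added example, not SysManage code: shows RFC 4515 escaping of interpolated
values and case-insensitive DN matching; no directory connection is made.
"""
import json
import re

LDAP_CONFIG_JSON = """{"ldap_config": {
  "server": "ldap://corp.example.com:389",
  "base_dn": "dc=corp,dc=example,dc=com",
  "user_dn": "cn=sysmanage,ou=service,dc=corp,dc=example,dc=com",
  "user_filter": "(sAMAccountName={username})",
  "group_filter": "(member={user_dn})",
  "role_mapping": {
    "CN=SysManage-Admins,OU=Groups,DC=corp,DC=example,DC=com": "administrator",
    "CN=SysManage-Operators,OU=Groups,DC=corp,DC=example,DC=com": "operator"}}}"""


def escape_filter_value(value: str) -> str:
    """RFC 4515 assertion-value escaping.

    The five metacharacters that change a filter's structure become \\XX hex escapes;
    control and non-ASCII characters are escaped byte-wise as UTF-8 as well.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append(f"\\{ord(ch):02x}")
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(template: str, username: str) -> str:
    """Step 1 of login: find the entry for the submitted username.

    Unescaped, a username of "*" matches every account and
    "x)(|(sAMAccountName=admin)" rewrites the filter; escaped, both are literal strings.
    """
    return template.replace("{username}", escape_filter_value(username))


def build_group_filter(template: str, user_dn: str) -> str:
    """Step 2: find groups whose member attribute holds the resolved DN.

    The DN comes from the directory, but a CN such as "Smith\\, John" carries a
    backslash that must be filter-escaped, and an unusual CN may contain "(" or "*".
    """
    return template.replace("{user_dn}", escape_filter_value(user_dn))


def normalize_dn(dn: str) -> str:
    """Case-fold and trim each RDN so "CN=X,OU=Y" and "cn=x, ou=y" compare equal.

    Splits on commas not preceded by a backslash; multi-valued RDNs and
    hex-escaped values are not handled (assumed minimal canonicaliser).
    """
    return ",".join(rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn))


def roles_for_groups(role_mapping: dict[str, str], member_of: list[str]) -> set[str]:
    """Map the user's groups to SysManage roles; no match means no roles, not a default role."""
    wanted = {normalize_dn(group): role for group, role in role_mapping.items()}
    return {wanted[normalize_dn(g)] for g in member_of if normalize_dn(g) in wanted}


if __name__ == "__main__":
    cfg = json.loads(LDAP_CONFIG_JSON)["ldap_config"]
    print(build_user_filter(cfg["user_filter"], "jsmith"))
    print(build_user_filter(cfg["user_filter"], "*)(objectClass=*"))  # injection attempt, neutralised
    groups = ["cn=sysmanage-admins,ou=groups,dc=corp,dc=example,dc=com",
              "CN=Domain Users,CN=Users,DC=corp,DC=example,DC=com"]
    print(roles_for_groups(cfg["role_mapping"], groups))  # {'administrator'}
```

One operational note: a group_filter of (member={user_dn}) sees direct membership only. If SysManage-Admins contains other groups, users in those nested groups will not be mapped; Active Directory supports the LDAP_MATCHING_RULE_IN_CHAIN extensible match (member:1.2.840.113556.1.4.1941:=) for transitive membership if that is what you need.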

SAML 2.0 Integration

  • Single Sign-On (SSO) with identity providers
  • Automatic user provisioning
  • Role mapping from SAML attributes
  • Just-in-time (JIT) account creation

OAuth 2.0 / OpenID Connect

  • Integration with modern identity providers
  • Google, Microsoft, GitHub authentication
  • Token-based authentication flow
  • Refresh token management

Session Management

Session Policies

  • Session Timeout: Automatic logout after inactivity
  • Concurrent Sessions: Limit number of active sessions
  • Session Monitoring: Track active user sessions
  • Force Logout: Administrative session termination

Session Configuration

{
  "session_config": {
    "timeout_minutes": 480,
    "max_concurrent_sessions": 3,
    "remember_me_days": 30,
    "secure_cookies": true,
    "same_site": "strict"
  }
}

Active Session Monitoring

Monitor and manage active user sessions:

  • View all active sessions
  • Session location and IP tracking
  • Device and browser information
  • Last activity timestamps
  • Administrative session termination

API Example: List User Sessions

curl -X GET "https://your-server.example.com/api/v1/users/sessions" \
     -H "Authorization: Bearer YOUR_JWT_TOKEN"
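
The session_config block and the monitoring features above describe a session store with an idle timeout, a concurrent-session cap, per-session metadata and administrative revocation. The following Python is an added example, not SysManage code, implementing those policies in one place: idle and "remember me" lifetimes, oldest-session eviction at the cap, the per-user listing an endpoint such as GET /api/v1/users/sessions would return, revoke-all for the offboarding and incident-response steps later on this page, and the Set-Cookie attributes the secure_cookies and same_site settings imply. Storage is an in-memory dict, `now` is injected as epoch seconds so timeouts can be tested, and the cookie name is an assumption. HttpOnly is set even though the config has no field for it: without it, script running in the page can read the session identifier.

```python
"""Session policy enforcement for session_config above, plus the per-user session view
behind GET /api/v1/users/sessions. Added example, not SysManage code.

Storage is an in-memory dict and `now` is injected (epoch seconds). The cookie name is
an assumption; HttpOnly is added because a session cookie readable by page script is a
session-hijacking risk regardless of what the config exposes.
"""
from __future__ import annotations

import json
import secrets
from dataclasses import dataclass

SESSION_CONFIG_JSON = """{"session_config": {
  "timeout_minutes": 480, "max_concurrent_sessions": 3, "remember_me_days": 30,
  "secure_cookies": true, "same_site": "strict"}}"""


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    ip: str
    user_agent: str
    persistent: bool  # "remember me": absolute lifetime instead of idle timeout


class SessionStore:
    def __init__(self, config: dict):
        self.idle_seconds = config["timeout_minutes"] * 60
        self.max_concurrent = config["max_concurrent_sessions"]
        self.remember_seconds = config["remember_me_days"] * 86400
        self.secure = config["secure_cookies"]
        self.same_site = config["same_site"]
        self.sessions: dict[str, Session] = {}

    def _expired(self, s: Session, now: float) -> bool:
        if s.persistent:
            return now - s.created > self.remember_seconds
        return now - s.last_seen > self.idle_seconds

    def _purge(self, now: float) -> None:
        for sid in [sid for sid, s in self.sessions.items() if self._expired(s, now)]:
            del self.sessions[sid]

    def create(self, user: str, now: float, ip: str, user_agent: str,
               remember_me: bool = False) -> str:
        """Issue a new session; the oldest of the user's sessions is evicted at the cap."""
        self._purge(now)
        mine = sorted((s.created, sid) for sid, s in self.sessions.items() if s.user == user)
        while len(mine) >= self.max_concurrent:
            _, oldest = mine.pop(0)
            del self.sessions[oldest]
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never derived from user data
        self.sessions[sid] = Session(user, now, now, ip, user_agent, remember_me)
        return sid

    def validate(self, sid: str, now: float) -> str | None:
        """Return the owning user and refresh the idle timer, or None if unknown or expired."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self._expired(s, now):
            del self.sessions[sid]
            return None
        s.last_seen = now
        return s.user

    def list_sessions(self, user: str) -> list[dict]:
        """What an administrator sees for one user: metadata, never the identifiers themselves."""
        return [{"ip": s.ip, "user_agent": s.user_agent, "created": s.created,
                 "last_seen": s.last_seen, "persistent": s.persistent}
                for s in self.sessions.values() if s.user == user]

    def revoke_all(self, user: str) -> int:
        """Force logout everywhere; the session step in the offboarding and incident procedures."""
        doomed = [sid for sid, s in self.sessions.items() if s.user == user]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)

    def cookie_header(self, sid: str, remember_me: bool = False) -> str:
        """Set-Cookie value matching secure_cookies / same_site; a session cookie unless remember_me."""
        parts = [f"sysmanage_session={sid}", "Path=/", "HttpOnly"]
        if self.secure:
            parts.append("Secure")
        parts.append(f"SameSite={self.same_site.capitalize()}")
        if remember_me:
            parts.append(f"Max-Age={self.remember_seconds}")
        return "; ".join(parts)
```

Two points worth weighing against the configuration as given: 480 minutes is an eight-hour idle window, which is generous for a console that can change packages on every managed host (a shorter value for administrator roles is reasonable), and list_sessions deliberately omits the session identifiers, since showing them in an administrative UI would let anyone reading that screen take over the session.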

Common User Management Workflows

New Employee Onboarding

  1. Create user account with appropriate role
  2. Configure initial permissions
  3. Set up authentication method (local/SSO)
  4. Enable MFA if required
  5. Assign to relevant host groups
  6. Provide initial training materials
  7. Schedule permission review

Role Change Process

  1. Submit role change request
  2. Manager approval (if required)
  3. Security team review
  4. Update user role and permissions
  5. Notify user of changes
  6. Document change in audit log
  7. Schedule follow-up review

Employee Offboarding

  1. Disable user account immediately
  2. Revoke all active sessions
  3. Transfer resource ownership
  4. Export user-related data
  5. Update documentation
  6. Archive account data
  7. Schedule account deletion review

Security Incident Response

  1. Identify compromised accounts
  2. Immediately disable affected accounts
  3. Force password resets
  4. Revoke all active sessions
  5. Review audit logs for activity
  6. Implement additional security measures
  7. Document incident and remediation

Security Best Practices

Account Security

  • Principle of Least Privilege: Grant minimum necessary permissions
  • Regular Access Reviews: Periodic audit of user permissions
  • Separation of Duties: Distribute administrative responsibilities
  • Account Monitoring: Monitor for unusual account activity
  • Privileged Account Management: Special handling for administrative accounts

Authentication Security

  • Strong Password Policies: Enforce complex password requirements
  • Multi-Factor Authentication: Require MFA for administrative access
  • Session Security: Implement secure session management
  • Login Monitoring: Track and alert on login anomalies
  • Password Rotation: Expire passwords when compromise is suspected; NIST SP 800-63B advises against mandatory periodic rotation on its own, so if max_age_days is set, rely on MFA and lockout, not rotation, as the primary controls

Compliance Considerations

  • Audit Trail: Maintain comprehensive user activity logs
  • Data Protection: Ensure compliance with privacy regulations
  • Access Certification: Regular attestation of user access
  • Segregation of Duties: Implement role-based controls
  • Documentation: Maintain current user management procedures

Troubleshooting User Issues

Login Problems

  • Account Locked: Check lockout status and unlock if appropriate
  • Password Expired: Force password reset or extend expiration
  • MFA Issues: Provide backup codes or reset MFA
  • Session Limits: Terminate old sessions or increase limits

Permission Issues

  • Access Denied: Review and adjust user permissions
  • Role Conflicts: Resolve conflicting role assignments
  • Resource Access: Check host group assignments
  • Feature Restrictions: Verify role-based feature access

Integration Issues

  • LDAP Connectivity: Test LDAP server connectivity
  • SAML Errors: Verify SAML configuration and certificates
  • Role Mapping: Check external group to role mappings
  • Synchronization: Verify user data synchronization