Users¶
Where: avatar menu → Users (admin only) · /auth/users
The page uses the shared ops-hero (role / 2FA coverage pulse). Each user card shows last login (app timezone) and a link to that user’s Audit trail.
Create a user¶
- Open Create user (header button) — form is a modal.
- Enter email and role (viewer / operator / admin).
- Generate password (or set manually). Strength meter + policy apply.
- After submit, a confirmation modal shows login URL, email, temporary password, and invite text — shown once. Copy before closing.
- New users have
must_change_passworduntil first reset.
Password policy¶
- ≥ 10 characters
- Upper + lower + digit
- At most 72 Latin letters/digits (emoji/symbols count as more)
Configurable admin policy (custom min length / classes) is post-RC — see roadmap.
Roles and delete¶
- Change role from the list (sole-admin rules).
- Delete requires confirm; you cannot delete yourself.
Open registration¶
Only the first account self-registers (becomes admin). After that, login points people to ask an admin (Users → Create user).
ALLOW_OPEN_REGISTRATION=true re-enables public sign-up if you intentionally want it. Later self-registered accounts become operator (not admin, not viewer). Leave this off in production and create viewers/operators via the Users UI.