User Management
Complete guide to managing users and API tokens in Champa Intelligence.
Overview
User management allows administrators to create, edit, and manage user accounts with role-based access control.
Required Permission: manage_users
Navigation: Admin → User Management
User Types
Regular Users
Characteristics:
- Interactive web interface access
- JWT tokens with 24-hour expiration
- "Remember me" option for 30-day sessions
- Subject to brute-force protection
Use Cases:
- Process analysts
- Operations teams
- Management dashboards
- Development teams
API Users
Characteristics:
- Programmatic API access only
- Long-lived JWT tokens (7-365 days or never)
- No web interface login
- Requires api_access permission
Use Cases:
- Monitoring systems
- Integration scripts
- CI/CD pipelines
- Data export tools
Managing Users
Creating a User
Steps:
- Navigate to Admin → User Management
- Click "Create New User"
- Fill in the form:
| Field | Required | Description |
|---|---|---|
| Username | Yes | Unique username (lowercase, no spaces) |
| Email | Yes | Valid email address |
| Password | Yes | Minimum 8 characters |
| Role | Yes | Select from available roles |
| Is Active | No | Enable/disable account (default: active) |
| Is API User | No | Check for API-only access |
| API Token TTL | If API | Days until token expires (or -1 for never) |
- Click "Create User"
- For API users: Copy the generated token (shown only once!)
Example:
Regular User:
Username: john.doe
Email: john.doe@company.com
Password: SecurePass123!
Role: process_analyst
Is Active: ✓
Is API User: ☐
API User:
Username: prometheus_scraper
Email: monitoring@company.com
Role: api_user
Is Active: ✓
Is API User: ✓
API Token TTL: 90 days
Editing a User
- Find user in the list
- Click "Edit" button
- Modify fields (cannot change username)
- Click "Save Changes"
Editable Fields:
- Email
- Role
- Active status
- API user settings
Resetting User Password
As Administrator:
- Navigate to user in list
- Click "Reset Password"
- Copy generated temporary password
- Provide to user securely
- User must change on first login
Temporary Password:
- 12 characters
- Random alphanumeric + special chars
- One-time use recommended
Regenerating API Token
For API Users:
- Find API user in list
- Click "Regenerate API Token"
- Copy new token immediately (shown only once!)
- Update systems using old token
Note: Old token is immediately invalidated.
Deactivating a User
- Find user in list
- Click "Toggle Status"
- User status changes to "Inactive"
- User cannot log in
- Existing sessions remain valid until their tokens expire
Deactivating vs. Deleting:
- Deactivate: Reversible, preserves audit history
- Delete: Permanent, removes from database
Deleting a User
- Find user in list
- Click "Delete" button
- Confirm deletion
- User is permanently removed
⚠️ Warning:
- Cannot delete yourself
- Audit log entries remain
- Cannot be undone
User List Interface
Columns
| Column | Description |
|---|---|
| ID | User database ID |
| Username | Login username |
| Email | Email address |
| Role | Assigned role |
| Is Active | Account status |
| Is API User | API user indicator |
| API Token Expires | Token expiration date (API users) |
| Created At | Account creation date |
| Last Login | Last successful login |
| Actions | Edit/Delete buttons |
Filtering & Search
Search by: Username, Email
Filter by: Role, Active Status, API User
Sort by: Username, Created At, Last Login
API Token Management
Viewing API Token Info
In User List:
- "API Token Expires" column shows expiration date
- Green: Token valid
- Yellow: Expires in <7 days
- Red: Expired
Token Expiration Policies
| TTL Setting | Days | Recommended For |
|---|---|---|
| 7 days | 7 | Development/testing |
| 30 days | 30 | Short-term integrations |
| 90 days | 90 | Standard production use |
| 365 days | 365 | Long-running services |
| Never | -1 | Critical infrastructure (use cautiously) |
Token Rotation Schedule
Best Practice:
| Environment | Rotation Frequency |
|---|---|
| Development | 30 days |
| Staging | 60 days |
| Production | 90 days |
Process:
- Before expiration, regenerate token
- Update all systems with new token
- Verify new token works
- Decommission old systems
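The expiration colours in the user list, the TTL presets (with -1 meaning "never") and the "regenerate before expiration" rotation step all come down to comparing a token's claims against the clock. The following is an added example, not Champa Intelligence's own code: it mints and verifies a small HS256 JWT with only the standard library, derives the expiry from a TTL setting, classifies the token the way the user list colours do, and decides whether the rotation schedule calls for a new token. The signing secret, the claim layout (`sub`, `iat`, optional `exp`) and the algorithm are assumptions made for the example; the product's real tokens are opaque to the reader and are regenerated from the admin UI.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed signing secret for the example only; the real key lives on the server.
EXAMPLE_SECRET = b"example-signing-secret-not-real"
EXPIRING_SOON_DAYS = 7  # the "Yellow: expires in <7 days" threshold from the user list
NEVER = -1              # the TTL value the form uses for "never expires"

# TTL presets from the expiration-policy table.
TTL_OPTIONS = {"7 days": 7, "30 days": 30, "90 days": 90, "365 days": 365, "Never": NEVER}


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware UTC midnight, used for the worked dates below."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def expiry_for_ttl(ttl_days: int, issued_at: datetime) -> Optional[datetime]:
    """Expiration instant for a TTL setting; None means the token never expires."""
    if ttl_days == NEVER:
        return None
    if ttl_days <= 0:
        raise ValueError("TTL must be a positive number of days or -1 for never")
    return issued_at + timedelta(days=ttl_days)


def mint_token(subject: str, ttl_days: int, issued_at: datetime, secret: bytes = EXAMPLE_SECRET) -> str:
    """Build an HS256 JWT (assumed claim layout: sub, iat, optional exp)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": int(issued_at.timestamp())}
    exp = expiry_for_ttl(ttl_days, issued_at)
    if exp is not None:
        payload["exp"] = int(exp.timestamp())
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_and_decode(token: str, secret: bytes = EXAMPLE_SECRET) -> dict:
    """Check the HS256 signature in constant time, then return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def token_status(claims: dict, now: datetime) -> str:
    """'valid' (green), 'expiring' (yellow, <7 days left), 'expired' (red) or 'never'."""
    exp = claims.get("exp")
    if exp is None:
        return "never"
    remaining = datetime.fromtimestamp(exp, tz=timezone.utc) - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining < timedelta(days=EXPIRING_SOON_DAYS):
        return "expiring"
    return "valid"


def needs_rotation(claims: dict, now: datetime, rotation_days: int) -> bool:
    """True when the token is older than the schedule allows, or is expiring/expired."""
    age = now - datetime.fromtimestamp(claims["iat"], tz=timezone.utc)
    return age >= timedelta(days=rotation_days) or token_status(claims, now) in ("expiring", "expired")


if __name__ == "__main__":
    issued = utc(2025, 1, 1)
    token = mint_token("prometheus_scraper", TTL_OPTIONS["90 days"], issued)
    claims = verify_and_decode(token)
    for day in (utc(2025, 2, 1), utc(2025, 3, 28), utc(2025, 4, 2)):
        print(day.date(), token_status(claims, day), needs_rotation(claims, day, 90))
```

Two design points carry over to any real deployment: the signature is checked before any claim is read, and the algorithm is pinned rather than taken from the token header, so a tampered payload or an `alg: none` header is rejected before the expiry logic runs.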
Security Best Practices
Strong Passwords
Requirements:
- Minimum 8 characters
- Mix of uppercase and lowercase
- At least one number
- Optional: Special characters
Good Examples:
- MySecure2025Pass!
- Camunda#Analytics99
- Process@Monitor2024
Bad Examples:
- password (too simple)
- 12345678 (only numbers)
- admin (too common)
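The password requirements above can be checked mechanically before an account is created. This is an added example, not the product's validator: it encodes the documented rules (length, upper and lower case, a digit, special characters optional) and adds two assumptions that go beyond the page, a small constructed blocklist of common passwords and a check that the password does not contain the username. The good and bad examples from the section are the inputs it is exercised with.

```python
import re
from typing import List

# Rules from the "Strong Passwords" section.
MIN_LENGTH = 8

# Assumption: a constructed sample blocklist, not the product's own list of banned passwords.
COMMON_PASSWORDS = {"password", "12345678", "admin", "qwerty", "letmein", "welcome"}


def check_password(candidate: str, username: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    # Special characters are optional per the policy, so their absence is not a violation.
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("too common")
    # Assumption: extra check beyond the documented rules, rejects passwords built from the login name.
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    return problems


def is_strong(candidate: str, username: str = "") -> bool:
    return not check_password(candidate, username)


if __name__ == "__main__":
    for sample in ("MySecure2025Pass!", "Camunda#Analytics99", "Process@Monitor2024",
                   "password", "12345678", "admin"):
        print(f"{sample!r}: {check_password(sample) or 'ok'}")
```

Returning the full list of violations rather than a single boolean lets the form tell the administrator exactly which rule a rejected password missed.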
Account Hygiene
Regular Reviews:
1. Monthly: Review active users
2. Quarterly: Audit role assignments
3. Annually: Remove unused accounts
Red Flags:
- Accounts never logged in (>30 days)
- Excessive failed login attempts
- Role doesn't match job function
- API tokens set to "never expire"
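The monthly review of active users can be driven by the columns already shown in the user list. The following is an added example, not a feature of Champa Intelligence: it runs the red-flag checks over constructed sample rows shaped like the list (stale or absent Last Login, API tokens set to never expire, expired or soon-expiring tokens). The rows are made up, and the "role does not match account type" check is an assumption that approximates the "role doesn't match job function" flag by expecting the api_user role exactly on API accounts; failed-login counts are not in the list, so that flag is left to the audit log.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

STALE_DAYS = 30          # "never logged in (>30 days)" from the red-flag list
EXPIRING_SOON_DAYS = 7   # the user list's yellow threshold


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def _parse(date_text: Optional[str]) -> Optional[datetime]:
    """ISO date from the user list, or None for an empty Last Login cell."""
    return utc(*map(int, date_text.split("-"))) if date_text else None


# Constructed sample rows shaped like the User List columns; these are not real accounts.
SAMPLE_USERS: List[dict] = [
    {"username": "john.doe", "role": "process_analyst", "is_active": True, "is_api_user": False,
     "api_token_expires": None, "created_at": "2024-11-01", "last_login": "2025-01-10"},
    {"username": "old.contractor", "role": "admin", "is_active": True, "is_api_user": False,
     "api_token_expires": None, "created_at": "2024-06-01", "last_login": "2024-09-15"},
    {"username": "never.used", "role": "process_analyst", "is_active": True, "is_api_user": False,
     "api_token_expires": None, "created_at": "2024-10-01", "last_login": None},
    {"username": "prometheus_scraper", "role": "api_user", "is_active": True, "is_api_user": True,
     "api_token_expires": "2025-01-20", "created_at": "2024-12-01", "last_login": "2025-01-12"},
    {"username": "legacy_exporter", "role": "api_user", "is_active": True, "is_api_user": True,
     "api_token_expires": "never", "created_at": "2023-01-01", "last_login": "2025-01-12"},
    {"username": "retired_bot", "role": "api_user", "is_active": False, "is_api_user": True,
     "api_token_expires": "2024-12-01", "created_at": "2024-01-01", "last_login": "2024-11-30"},
]


def review_user(user: dict, now: datetime) -> List[str]:
    """Red flags for one user-list row; an empty list means nothing to follow up."""
    flags: List[str] = []
    if not user["is_active"]:
        return flags  # already locked out; nothing to review
    last_login = _parse(user["last_login"])
    if last_login is None:
        if now - _parse(user["created_at"]) > timedelta(days=STALE_DAYS):
            flags.append("never logged in")
    elif now - last_login > timedelta(days=STALE_DAYS):
        flags.append(f"no login for {(now - last_login).days} days")
    if user["is_api_user"]:
        expires = user["api_token_expires"]
        if expires == "never":
            flags.append("API token never expires")
        elif _parse(expires) <= now:
            flags.append("API token expired")
        elif _parse(expires) - now < timedelta(days=EXPIRING_SOON_DAYS):
            flags.append("API token expires within 7 days")
    # Assumption: the api_user role is expected exactly on API accounts. This is only a proxy
    # for "role doesn't match job function", which otherwise needs a human reviewer.
    if user["is_api_user"] != (user["role"] == "api_user"):
        flags.append("role does not match account type")
    return flags


def review_all(users: List[dict], now: datetime) -> Dict[str, List[str]]:
    """Map each flagged username to its list of red flags."""
    report: Dict[str, List[str]] = {}
    for user in users:
        flags = review_user(user, now)
        if flags:
            report[user["username"]] = flags
    return report


if __name__ == "__main__":
    for name, flags in review_all(SAMPLE_USERS, utc(2025, 1, 15)).items():
        print(f"{name}: {', '.join(flags)}")
```

Inactive accounts are skipped on purpose: deactivation already blocks login, and re-flagging them every month buries the accounts that still need a decision.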
API Token Security
DO:
- ✓ Use environment variables
- ✓ Set appropriate TTL
- ✓ Rotate regularly
- ✓ Use dedicated API users
- ✓ Assign minimal permissions
DON'T:
- ✗ Hardcode in source code
- ✗ Set TTL to "never" unnecessarily
- ✗ Share tokens between environments
- ✗ Use personal accounts for automation
- ✗ Grant excessive permissions
Next Steps
- Roles & Permissions - Configure access control
- Session Management - Monitor user activity
- Audit Logging - Review security events
- API Reference - API documentation