# User Account Management
This guide covers creating, managing, and deleting user accounts in Codex Web.
- Creating User Accounts
- Managing Existing Users
- User Roles and Permissions
- Password Management
- Account Status Control
- User Deletion
- Bulk Operations
## Creating User Accounts

Before creating a user account:
- ✅ You must be a Platform Admin
- ✅ Have the user's email address
- ✅ Know which group(s) they should belong to
- ✅ Cognito or Google OAuth configured
Via Admin UI:

1. Navigate to Admin Panel:
   - Log in to Codex Web
   - Click profile menu → Admin Panel
   - Go to Users section
2. Click "Create User" Button
3. Fill in User Information:

   **Email** (required)
   - User's email address
   - Must be unique in the system
   - Will be used for authentication
   - Format: `user@example.com`

   **Name** (optional, recommended)
   - User's full name or display name
   - Shown in UI and logs
   - Example: "John Smith"

   **Username** (optional)
   - Auto-generated from email if not provided
   - Can be customized
   - Must be unique

   **Temporary Password** (optional)
   - Initial password for the user
   - If blank, user receives password reset email
   - Must meet auth provider requirements

   **Send Invite** (checkbox)
   - ✅ Checked: User receives welcome email
   - ❌ Unchecked: User created without notification

   **Is Admin** (checkbox)
   - ✅ Checked: User gets Platform Admin privileges
   - ❌ Unchecked: Regular user

   **Groups** (multi-select)
   - Select one or more groups
   - User can access workspaces in these groups
   - Can be empty (user won't have workspace access)
   - Can add more groups later
4. Click "Create User"
5. Note the User ID:
   - System generates unique user ID
   - Format: `usr_abc123...`
   - Save for reference
Via API:

```bash
# Set your auth token
export TOKEN="your-jwt-token"
export API_URL="https://your-codex.com/api"

# Create user
curl -X POST "${API_URL}/admin/users" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "newuser@example.com",
    "name": "New User",
    "temporaryPassword": "TempPass123!",
    "sendInvite": true,
    "isAdmin": false,
    "groups": ["grp_abc123", "grp_xyz789"]
  }'
```

Response:

```json
{
  "id": "usr_def456",
  "username": "newuser",
  "email": "newuser@example.com",
  "name": "New User",
  "groups": ["grp_abc123", "grp_xyz789"],
  "groupMemberships": [
    {"groupId": "grp_abc123", "role": "member"},
    {"groupId": "grp_xyz789", "role": "member"}
  ],
  "isAdmin": false,
  "createdAt": "2024-12-03T10:00:00Z"
}
```
What Happens:

1. Validation:
   - Email uniqueness check
   - Group existence verification
   - Input validation
2. Cognito User Creation (if enabled):
   - User created in Cognito User Pool
   - Email verified (or verification sent)
   - Password set (temporary or generated)
   - User added to groups if admin
3. Database Record:
   - User record created in DynamoDB
   - Unique user ID generated
   - Group memberships stored
   - Admin status recorded
4. Audit Log:
   - Admin action logged
   - Includes who created the user
   - Records timestamp
   - Stores user details
5. Notification (if enabled):
   - Welcome email sent
   - Contains login instructions
   - Includes temporary password (if set)
   - Links to platform
Verify Creation:
- Check user appears in user list
- Verify group memberships
- Confirm role assignments
- Test user can log in
Communicate with User:
- Send login URL
- Provide temporary password (if used)
- Explain first steps
- Link to user documentation
Documentation:
- Record user creation in your system
- Note which groups assigned
- Document any special access
- Update team rosters
## Managing Existing Users

Via Admin UI:
- Go to Admin Panel → Users
- Search by:
  - Name
  - Username
- Click user to view details
Via API:

```bash
# Get specific user
curl -H "Authorization: Bearer $TOKEN" \
  "${API_URL}/admin/users/{userId}"

# Search users
curl -H "Authorization: Bearer $TOKEN" \
  "${API_URL}/admin/users?search=john"
```

Basic Information:
- User ID
- Username
- Name
- Creation date
- Last login date
Access Information:
- Groups the user belongs to
- Role in each group (member/admin)
- Platform admin status
- Total workspace count
Activity:
- Number of workspaces
- Last workspace accessed
- Recent activity
Via Admin UI:
- Navigate to user details
- Click Edit button
- Update name or email
- Click Save
Via API:

```bash
curl -X PATCH "${API_URL}/admin/users/{userId}" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Updated Name",
    "email": "newemail@example.com"
  }'
```

Important:
- Email changes may require re-verification
- Cognito user is updated automatically
- Old email may receive notification
- Audit log records the change
Add User to Group:
Via UI:
- Go to user details
- Click Add to Group
- Select group
- Choose role (member/admin)
- Click Add
Via API:

```bash
curl -X POST "${API_URL}/admin/users/{userId}/groups" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "groupId": "grp_abc123",
    "role": "member"
  }'
```

Remove User from Group:

Via UI:
- Go to user details
- Find group in memberships list
- Click Remove button
- Confirm removal

Via API:

```bash
curl -X DELETE "${API_URL}/admin/users/{userId}/groups/{groupId}" \
  -H "Authorization: Bearer $TOKEN"
```

Change Role in Group:

Via API:

```bash
curl -X PATCH "${API_URL}/admin/users/{userId}/groups/{groupId}/role" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"role": "admin"}'
```

Note: User must not have active workspaces in a group before removal.
## User Roles and Permissions

Promoting to Platform Admin:
Via UI:
- Go to user details
- Click Promote to Admin
- Confirm the action
Via API:

```bash
curl -X POST "${API_URL}/admin/users/{userId}/promote" \
  -H "Authorization: Bearer $TOKEN"
```

What Changes:
- `isAdmin` flag set to `true`
- User added to admin group in Cognito (if enabled)
- User gains full platform access
- Can access admin panel
- Can manage all users and groups
Demoting from Platform Admin:
Via UI:
- Go to user details
- Click Demote from Admin
- Confirm the action
Via API:

```bash
curl -X POST "${API_URL}/admin/users/{userId}/demote" \
  -H "Authorization: Bearer $TOKEN"
```

Restrictions:
- ❌ Cannot demote yourself
- ⚠️ Ensure at least one other admin exists
- ✅ User retains group memberships
- ✅ Existing workspaces unaffected
Promoting to Group Admin:
Via API:

```bash
curl -X POST "${API_URL}/admin/users/{userId}/groups/{groupId}/promote" \
  -H "Authorization: Bearer $TOKEN"
```

Effect:
- User's role in that group becomes "admin"
- Can manage all workspaces in the group
- Cannot add/remove group members
- Still not a Platform Admin
Demoting from Group Admin:
Via API:

```bash
curl -X POST "${API_URL}/admin/users/{userId}/groups/{groupId}/demote" \
  -H "Authorization: Bearer $TOKEN"
```

Effect:
- User's role in that group becomes "member"
- Can only manage own workspaces
- Loses group admin privileges
See Privilege Guidelines for complete permission details.
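The role rules above (platform admin, group admin, member) and the demotion restrictions, expressed as checks over the user shape returned by `/admin/users`. This is an added illustration, not Codex Web code; the user ids and memberships are constructed samples, and the demotion guard models the documented restrictions rather than the server's actual implementation.

```python
# Constructed sample users, shaped like the /admin/users response on this page.
# All ids are placeholders, not real accounts.
USERS = {
    "usr_001": {"isAdmin": False, "groupMemberships": [{"groupId": "grp_abc123", "role": "admin"}]},
    "usr_002": {"isAdmin": True,  "groupMemberships": []},
    "usr_003": {"isAdmin": False, "groupMemberships": [{"groupId": "grp_abc123", "role": "member"}]},
    "usr_004": {"isAdmin": True,  "groupMemberships": [{"groupId": "grp_xyz789", "role": "member"}]},
}

def group_role(user, group_id):
    """Return "admin", "member" or None for the user's role in one group."""
    for m in user["groupMemberships"]:
        if m["groupId"] == group_id:
            return m["role"]
    return None

def can_manage_workspace(users, actor_id, owner_id, group_id):
    """Platform admins manage any workspace; group admins manage every
    workspace in their group; members manage only their own."""
    actor = users[actor_id]
    if actor["isAdmin"]:
        return True
    role = group_role(actor, group_id)
    return role == "admin" or (role == "member" and actor_id == owner_id)

def can_manage_group_members(users, actor_id):
    """Adding/removing group members needs Platform Admin; group admin is not enough."""
    return users[actor_id]["isAdmin"]

def demote_platform_admin(users, actor_id, target_id):
    """Guard modelling the restrictions on POST /admin/users/{userId}/demote.
    Returns an error string, or None after clearing isAdmin in place
    (group memberships are kept, as the page states)."""
    if not users[actor_id]["isAdmin"]:
        return "actor is not a platform admin"
    if actor_id == target_id:
        return "cannot demote yourself"
    if not users[target_id]["isAdmin"]:
        return "target is not a platform admin"
    # Defence in depth: never leave the platform without any admin.
    if not any(u["isAdmin"] for uid, u in users.items() if uid != target_id):
        return "at least one other admin must exist"
    users[target_id]["isAdmin"] = False
    return None
```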
## Password Management

Requirements (enforced by auth provider):
- Minimum 8 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one number
- At least one special character
Best Practices:
- Use temporary passwords for new users
- Force password change on first login
- Enable MFA when possible
- Rotate credentials regularly
Via Admin UI:
- Go to user details
- Click Reset Password
- Enter new temporary password
- Choose "Permanent" or "Temporary"
- Temporary: User must change on next login
- Permanent: Password is kept
- Click Reset
Via API:

```bash
curl -X POST "${API_URL}/admin/users/{userId}/reset-password" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "newPassword": "TempPass123!",
    "permanent": false
  }'
```

What Happens:
- Password set in Cognito
- User notified (if configured)
- Must use new password to log in
- Audit log records admin action
Note: This only works when Cognito is configured. For Google OAuth, users must reset via Google.
User-Initiated Reset:
- User clicks "Forgot Password" on login
- Redirected to auth provider
- Receives reset email
- Sets new password
- Can log in with new password
Admin-Initiated Reset:
- Admin sets temporary password
- Admin communicates password to user securely
- User logs in with temporary password
- User forced to change password
- User sets permanent password
## Account Status Control

When to Disable:
- Temporary leave of absence
- Security investigation
- Policy violation (temporary)
- Account review pending
How to Disable:
Via UI:
- Go to user details
- Click Disable Account
- Confirm action
Via API:

```bash
curl -X POST "${API_URL}/admin/users/{userId}/disable" \
  -H "Authorization: Bearer $TOKEN"
```

Effect:
- User cannot log in
- Active sessions terminated
- Workspaces remain but inaccessible
- Group memberships retained
- Database record unchanged
Restrictions:
- ❌ Cannot disable yourself
How to Enable:
Via UI:
- Go to user details
- Click Enable Account
- Confirm action
Via API:

```bash
curl -X POST "${API_URL}/admin/users/{userId}/enable" \
  -H "Authorization: Bearer $TOKEN"
```

Effect:
- User can log in again
- All access restored
- Workspaces accessible
- No data loss
| State | Can Log In | Can Access Workspaces | Can Be Modified |
|---|---|---|---|
| Active | ✅ Yes | ✅ Yes | ✅ Yes |
| Disabled | ❌ No | ❌ No | ✅ Yes |
| Deleted | ❌ No | ❌ No | ❌ No |
## User Deletion

Pre-Deletion Checklist:
- ✅ Confirm user should be deleted
- ✅ Check if user has workspaces
- ✅ Decide what to do with workspaces
- ✅ Notify stakeholders
- ✅ Document the deletion
- ✅ Have manager/HR approval (if required)
Workspace Handling:
Option A: Delete workspaces
- All user's workspaces deleted
- All workspace data lost
- Resources freed immediately
Option B: Transfer workspaces (manual process)
- Admin manually re-assigns workspaces
- Update workspace ownership in database
- Preserve data for team
Option C: Backup then delete
- Export important workspace data
- Document workspace configurations
- Then delete workspaces
Via Admin UI:
- Go to user details
- Check workspace count
- Click Delete User
- Warning dialog appears:

  ```
  Delete User: user@example.com?
  This user has 3 workspace(s).
  Deleting the user will NOT delete workspaces.
  Are you sure?
  [Cancel] [Delete User]
  ```

- Confirm deletion
Via API:

```bash
curl -X DELETE "${API_URL}/admin/users/{userId}" \
  -H "Authorization: Bearer $TOKEN"
```

What Happens:

1. Validation:
   - Check if user exists
   - Verify you're not deleting yourself
   - Confirm admin privileges
2. Workspace Check:
   - Count user's workspaces
   - Log warning if workspaces exist
   - Workspaces remain but orphaned
3. Cognito Deletion (if enabled):
   - User deleted from Cognito
   - Cannot log in anymore
   - Email freed for re-use
4. Database Deletion:
   - User record removed from DynamoDB
   - Group memberships cleared
   - User ID freed
5. Audit Log:
   - Deletion recorded
   - Includes admin who deleted
   - Records timestamp
   - Notes deleted user email
Immediate Effects:
- User cannot log in
- User removed from all groups
- Email can be reused for new account
- User ID can be reused
Workspace Orphaning:
- Workspaces still exist
- `userId` field still set
- User doesn't appear in UI
- Platform admin can still delete workspaces

Cleanup Orphaned Workspaces:

```bash
# List all workspaces for deleted user
curl -H "Authorization: Bearer $TOKEN" \
  "${API_URL}/admin/workspaces" | jq '.[] | select(.userId == "usr_deleted")'

# Delete each workspace
curl -X DELETE -H "Authorization: Bearer $TOKEN" \
  "${API_URL}/admin/workspaces/{workspaceId}"
```

User deletion is irreversible!
If deleted by mistake:
- Create new user with same email
- New user ID will be different
- Cannot restore old workspaces to new user
- Must manually transfer data
Prevention:
- Always double-check before deleting
- Use disable instead when unsure
- Have a second admin review
- Document deletion reason
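The cleanup snippet above needs the deleted user's id. As an added example (not part of this guide or of Codex Web), the following finds orphaned workspaces without that knowledge, by comparing a full user export against the workspace list, and emits a dry-run delete plan for review. The export shapes follow this page's `/admin/users?limit=1000` (`items`) and `/admin/workspaces` responses; all ids are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample exports (placeholders, not real data).
USERS_EXPORT = json.loads("""{"items": [
  {"id": "usr_def456", "email": "newuser@example.com", "isAdmin": false},
  {"id": "usr_001",    "email": "admin@example.com",   "isAdmin": true}
]}""")
WORKSPACES_EXPORT = json.loads("""[
  {"id": "ws_100", "userId": "usr_def456"},
  {"id": "ws_101", "userId": "usr_gone1"},
  {"id": "ws_102", "userId": "usr_gone1"},
  {"id": "ws_103", "userId": "usr_001"},
  {"id": "ws_104", "userId": "usr_gone2"}
]""")

def find_orphaned_workspaces(users_export, workspaces):
    """Return {former_owner_id: [workspace ids]} for every workspace whose
    userId matches no current user. Needs no list of deleted users."""
    live = {u["id"] for u in users_export["items"]}
    orphans = defaultdict(list)
    for ws in workspaces:
        if ws["userId"] not in live:
            orphans[ws["userId"]].append(ws["id"])
    return dict(orphans)

def cleanup_plan(api_url, orphans):
    """Dry run: one DELETE per orphaned workspace, for a second admin to
    review before anything is actually removed."""
    return [f"DELETE {api_url}/admin/workspaces/{ws_id}"
            for owner in sorted(orphans) for ws_id in orphans[owner]]

if __name__ == "__main__":
    plan = cleanup_plan("https://your-codex.com/api",
                        find_orphaned_workspaces(USERS_EXPORT, WORKSPACES_EXPORT))
    print("\n".join(plan))
```

Because the page notes that a user ID can be reused, a workspace whose former owner's id has since been issued to a new account will not appear as orphaned; review the plan against the pre-deletion records before running it.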
## Bulk Operations

Via CSV Upload (if implemented):
- Prepare CSV file:

  ```csv
  email,name,groups,isAdmin
  user1@example.com,User One,grp_abc123,false
  user2@example.com,User Two,grp_abc123;grp_xyz789,false
  ```

- Upload via admin UI
- Review preview
- Confirm creation
Via Script:

```bash
#!/bin/bash
# bulk_create_users.sh
# Reads users.csv with the header "email,name,groups,isAdmin";
# multiple groups are separated by ';' (same layout as the CSV upload above).
TOKEN="your-jwt-token"
API_URL="https://your-codex.com/api"

tail -n +2 users.csv | while IFS=',' read -r email name groups isAdmin; do
  # Build the body with jq so names are JSON-escaped and the ';'-separated
  # group list becomes a real JSON array rather than a single string.
  payload=$(jq -n --arg email "$email" --arg name "$name" \
    --arg groups "$groups" --argjson isAdmin "$isAdmin" \
    '{email: $email, name: $name,
      groups: ($groups | split(";") | map(select(length > 0))),
      isAdmin: $isAdmin, sendInvite: true}')
  curl -X POST "${API_URL}/admin/users" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d "$payload"
  echo "Created $email"
  sleep 1 # Rate limiting
done
```
Add Multiple Users to Group:

```bash
#!/bin/bash
# bulk_add_to_group.sh
TOKEN="your-jwt-token"
API_URL="https://your-codex.com/api"
GROUP_ID="grp_abc123"

for USER_ID in usr_001 usr_002 usr_003; do
  curl -X POST "${API_URL}/admin/users/${USER_ID}/groups" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d "{\"groupId\": \"$GROUP_ID\", \"role\": \"member\"}"
  echo "Added $USER_ID to $GROUP_ID"
done
```

Export All Users:

```bash
curl -H "Authorization: Bearer $TOKEN" \
  "${API_URL}/admin/users?limit=1000" > all_users.json

# Convert to CSV
jq -r '.items[] | [.id, .email, .name, .isAdmin, .createdAt] | @csv' \
  all_users.json > users.csv
```

## Best Practices

Onboarding:
- Create accounts before user's start date
- Send welcome email with instructions
- Assign to appropriate groups immediately
- Set temporary password
- Include link to documentation
Naming:
- Use real names when possible
- Consistent format (e.g., "First Last")
- Avoid special characters
- Use corporate email
Principle of Least Privilege:
- Start with minimal access
- Add groups as needed
- Review permissions regularly
- Remove unnecessary access
Group Assignment:
- Assign users to groups at creation
- Document group purposes
- Don't create users without groups
- Review memberships quarterly
Admin Privileges:
- Minimize number of platform admins
- Document why user needs admin
- Use group admin where possible
- Review admin list monthly
Password Security:
- Always use temporary passwords
- Force change on first login
- Never share passwords
- Use strong passwords
Account Reviews:
- Quarterly access reviews
- Disable inactive accounts
- Remove departed users promptly
- Audit admin accounts monthly
Audit Logging:
- Review admin actions weekly
- Investigate anomalies
- Document all deletions
- Maintain log retention
User Communication:
- Welcome email for new users
- Notice before disabling
- Explanation for deletions
- Documentation links
Documentation:
- Record all admin actions
- Note special circumstances
- Update team rosters
- Maintain user database
## Troubleshooting

Error: "Email already exists"
- Check if user already in system
- Search by email
- Delete old user or use different email
- Check Cognito user pool
Error: "Group not found"
- Verify group ID is correct
- Check group exists
- Use `GET /api/groups` to list groups
- Create group if needed
Error: "Cognito error"
- Check Cognito configuration
- Verify user pool ID
- Check IAM permissions
- Review Cognito error logs
Check:
- User exists in system
- Account is enabled (not disabled)
- Password is correct
- Cognito user exists
- Email is verified
Solutions:
- Reset password
- Enable account if disabled
- Verify email in Cognito
- Check Cognito status
- Review auth logs
User Not Seeing Group:
- Verify user added to group
- Check group membership API
- Refresh browser/re-login
- Check group exists
User Can't Create Workspace:
- Verify group membership
- Check group has resources
- Verify user role
- Check for errors in logs
## Related Documentation

- Privilege Guidelines - Detailed role and permission information
- Group Management - Managing groups and resources
- Monitoring and Logs - Tracking admin actions