Users & Roles

SentriKat uses role-based access control (RBAC) to manage user permissions. Users are assigned roles within organizations, and their access is scoped accordingly.

Role Hierarchy

Role         Scope         Description
super_admin  Global        Full access to all organizations and system settings
org_admin    Organization  Full control within their assigned organization
manager      Organization  Manage products, acknowledge vulnerabilities, view reports
viewer       Organization  Read-only access to dashboards and vulnerability data

Permission Matrix

Permission Super Admin Org Admin Manager Viewer
View dashboard
View vulnerabilities
Export data
Add/edit products
Acknowledge vulnerabilities
Manage agents
Manage API keys
Manage users (within org)
Manage organizations
System settings
License management

Creating Users

Via the Admin Panel

  1. Go to Admin > Users
  2. Click Add User
  3. Fill in the form:
     • Email: User's email address (used for login)
     • Display Name: Full name
     • Password: Initial password (user can change later)
     • Organization: Assign to one or more organizations
     • Role: Select role per organization
  4. Click Create User

Via Invitation

  1. Go to Admin > Users
  2. Click Invite User
  3. Enter the email address and select a role
  4. Click Send Invitation

The user receives an email with a link to set their password and complete registration.

SMTP Required

Email invitations require SMTP to be configured. See Configuration for SMTP settings.

Via API

curl -X POST https://sentrikat.example.com/api/users \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "display_name": "Jane Analyst",
    "password": "initial-password-123",
    "organization_id": 1,
    "role": "manager"
  }'

Managing Users

Editing a User

  1. Go to Admin > Users
  2. Click the user's name
  3. Update fields as needed
  4. Click Save

Changing Roles

  1. Open the user's profile
  2. In the Organizations section, click the role dropdown
  3. Select the new role
  4. Click Save

Warning

Downgrading a user from org_admin to viewer immediately revokes their management permissions. Active sessions are updated on the next page load.

Disabling a User

Rather than deleting, you can disable a user account:

  1. Open the user's profile
  2. Toggle Account Active to off
  3. Click Save

Disabled users:

  • Cannot log in
  • Do not receive alert emails
  • Are preserved for audit trail purposes
  • Do not count against the license user limit

Resetting a Password

  1. Open the user's profile in Admin > Users
  2. Click Reset Password
  3. Enter a new temporary password
  4. Click Save

The user must change this password on next login.

Self-Service Reset

  1. On the login page, click Forgot Password
  2. Enter the registered email address
  3. Follow the link in the reset email
  4. Set a new password

Note

Self-service password reset requires SMTP configuration.

Multi-Organization Access

A single user can belong to multiple organizations with different roles:

# Assign user to additional organization via API
curl -X POST https://sentrikat.example.com/api/users/5/organizations \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "organization_id": 3,
    "role": "viewer"
  }'

When a user belongs to multiple organizations, they can switch context using the organization selector in the top navigation bar.
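As an added illustration (not SentriKat's own code), here is a minimal model of the scoping rules described under Role Hierarchy and above: organization roles are held per organization, super_admin is global, a role change takes effect immediately, and a disabled account grants nothing. The role-to-permission sets are assumptions made for the example, not the product's actual permission matrix.

```python
"""Model of SentriKat-style scoped RBAC for illustration.
Roles are granted per organization; super_admin is global.
ROLE_PERMISSIONS below is an assumed mapping, not SentriKat's real policy."""
from dataclasses import dataclass, field

# Assumed permission sets per role; org_admin and super_admin are supersets.
ROLE_PERMISSIONS = {
    "viewer": {"view_dashboard", "view_vulnerabilities"},
    "manager": {"view_dashboard", "view_vulnerabilities", "export_data",
                "edit_products", "acknowledge_vulnerabilities"},
}
ROLE_PERMISSIONS["org_admin"] = ROLE_PERMISSIONS["manager"] | {
    "manage_agents", "manage_api_keys", "manage_users"}
ROLE_PERMISSIONS["super_admin"] = ROLE_PERMISSIONS["org_admin"] | {
    "manage_organizations", "system_settings", "license_management"}


@dataclass
class User:
    email: str
    active: bool = True          # "Account Active" toggle
    super_admin: bool = False    # global scope, not tied to an organization
    # organization_id -> role name; one role per organization
    memberships: dict = field(default_factory=dict)


def set_role(user, org_id, role):
    """Assign or change a user's role within one organization."""
    if role not in ROLE_PERMISSIONS or role == "super_admin":
        raise ValueError(f"invalid organization role: {role}")
    user.memberships[org_id] = role  # replaces any previous role at once


def can(user, permission, org_id=None):
    """Return True if the user holds `permission`, scoped to `org_id`.
    Disabled users get nothing; super_admin ignores org_id."""
    if not user.active:
        return False
    if user.super_admin:
        return permission in ROLE_PERMISSIONS["super_admin"]
    role = user.memberships.get(org_id)
    if role is None:
        return False  # no membership in that organization
    return permission in ROLE_PERMISSIONS[role]


# Constructed sample: Jane is manager in org 1 and viewer in org 3.
jane = User("jane@example.com")
set_role(jane, 1, "manager")
set_role(jane, 3, "viewer")
```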

LDAP/SSO Users

When LDAP or SAML SSO is configured, users are provisioned automatically on first login:

  • Display name and email are synced from the directory
  • A default role is assigned based on group mappings
  • Passwords are managed by the identity provider

See LDAP/SSO for configuration details.

Audit Log

All user actions are recorded in the audit log:

  1. Go to Admin > Audit Log
  2. Filter by user, action type, or date range
  3. Export as CSV if needed

Tracked actions include:

  • Login/logout events
  • Product changes
  • Vulnerability acknowledgments
  • Configuration changes
  • User management actions

Session Management

Setting            Default  Environment Variable
Session timeout    4 hours  PERMANENT_SESSION_LIFETIME
Secure cookies     Off      SESSION_COOKIE_SECURE
HTTP-only cookies  On       SESSION_COOKIE_HTTPONLY
SameSite           Lax      SESSION_COOKIE_SAMESITE

Secure cookies are off by default; when SentriKat is served over HTTPS, enable SESSION_COOKIE_SECURE so the session cookie is never sent over plaintext HTTP. See Configuration for all session settings.

Next Steps