
User Management

CHAD provides role-based access control (RBAC) to manage who can do what. This guide covers user creation, roles, and permissions.

Roles

CHAD has three built-in roles:
Role     Description
Admin    Full access to all features
Analyst  Rules, alerts, exceptions - no user management
Viewer   Read-only access

Permission Matrix

Feature              Admin  Analyst  Viewer
View dashboard
View alerts
Update alert status
View rules
Create/edit rules
Deploy rules
Create exceptions
View settings
Modify settings
Manage users
View audit log

Creating Users

Admin Console

  1. Navigate to Users
  2. Click Create User
  3. Fill in details:
Field     Required  Description
Username  Yes       Unique identifier
Email     Yes       User’s email address
Password  Yes       Initial password
Role      Yes       Admin, Analyst, or Viewer
  4. Click Create

First Login

New users must change their password on first login:
  1. User logs in with provided credentials
  2. Prompted to set new password
  3. Password requirements:
    • Minimum 12 characters (recommended)
    • No other requirements enforced (configure as needed)

Two-Factor Authentication

Optional TOTP-based 2FA for enhanced security.

Enable 2FA (User)

  1. Go to Account > Security
  2. Click Enable 2FA
  3. Scan QR code with authenticator app
  4. Enter verification code
  5. Save backup codes

Backup Codes

When enabling 2FA, backup codes are generated:
  • 10 single-use codes
  • Store securely
  • Use if authenticator unavailable

Require 2FA (Admin)

Admins can require 2FA for specific roles:
  1. Go to Settings > Security
  2. Enable Require 2FA for Admins
  3. Users must enable 2FA before next login

Managing Users

Edit User

  1. Go to Users
  2. Click the user
  3. Modify details
  4. Save changes

Change Role

  1. Go to Users
  2. Click the user
  3. Select new role
  4. Save
Reducing permissions takes effect immediately; the user’s current session may lose access.

Disable User

Temporarily disable without deleting:
  1. Go to Users
  2. Click the user
  3. Toggle Enabled off
  4. User cannot log in

Delete User

  1. Go to Users
  2. Click the user
  3. Click Delete
  4. Confirm deletion
Deletion is permanent. Consider disabling instead for audit trail preservation.

Password Management

Reset Password (Admin)

  1. Go to Users
  2. Click the user
  3. Click Reset Password
  4. Provide new password
  5. User must change on next login

Change Password (User)

  1. Go to Account
  2. Click Change Password
  3. Enter current password
  4. Enter new password
  5. Confirm

Token Invalidation

When password changes:
  • All existing sessions invalidated
  • User must re-authenticate
  • API keys remain valid (separate credential)

SSO Integration

CHAD supports Single Sign-On via OIDC/SAML.

Enable SSO

  1. Go to Settings > Authentication
  2. Enable SSO provider
  3. Configure OIDC/SAML settings:
Setting        Description
Provider URL   OIDC issuer or SAML metadata URL
Client ID      OIDC client ID
Client Secret  OIDC client secret
Role Mapping   Map provider groups to CHAD roles

SSO-Only Mode

SSO-only mode disables local password authentication, requiring all users to authenticate via SSO.
SSO-only mode is configured via environment variable, not the GUI. Set CHAD_SSO_ONLY=true at deployment time.
When enabled:
  • Local login form is hidden
  • All users must authenticate via SSO
  • Password reset is disabled
Ensure SSO is fully working before enabling SSO-only mode. If SSO fails, you won’t be able to log in. Test thoroughly in a non-production environment first.

API Keys

Users can create API keys for programmatic access.

Create API Key

  1. Go to Account > API Keys
  2. Click Create API Key
  3. Name the key
  4. Copy the key (shown once only)

API Key Permissions

API keys inherit the user’s role permissions but are:
  • Read-only by default
  • Scoped to specific operations
  • Revocable without affecting user password

Revoke API Key

  1. Go to Account > API Keys
  2. Find the key
  3. Click Revoke
See API Keys for detailed documentation.

Security Best Practices

  • Enforce minimum length and complexity.
  • Require 2FA for admin accounts at minimum.
  • Assign the minimum role needed.
  • Quarterly access reviews identify stale accounts.
  • Watch audit logs for unusual admin behavior.
  • Centralized authentication improves security.

Troubleshooting

User cannot log in

  1. Check account is enabled
  2. Verify password is correct
  3. Check 2FA if enabled
  4. Review login attempts in audit log

Permission denied

  1. Verify user’s role
  2. Check if feature requires higher role
  3. Session may be stale - re-login

SSO not working

  1. Check provider configuration
  2. Verify callback URLs
  3. Check provider logs
  4. Test with debug mode

Next Steps