Users

Overview

The Users page allows administrators to manage user accounts and control access through role-based access control (RBAC).

Roles

There are three roles, each with different permissions:

  • Viewer — read-only access to the dashboard, findings, Jira issues, repositories, and logs. Viewers cannot trigger syncs or modify configuration.
  • Analyst — everything a Viewer can do, plus the ability to trigger syncs, create Jira issues from findings, trigger AI reviews, and sync repositories.
  • Admin — full access, including user management, configuration changes, tool credential management, and all analyst capabilities.

Creating Users

Click Create User (admin only) to open the creation form. Fill in the following fields:

  • Username — 3 to 150 characters. Alphanumeric characters, dots, hyphens, and underscores are allowed.
  • Email — the user's email address.
  • Password — 8 to 128 characters.
  • Role — select one of: viewer, analyst, or admin.

Managing Users

The users table displays the following columns:

  • Username — the account username.
  • Email — the account email address.
  • Role — an editable dropdown for admins to change the user's role.
  • Active — a status badge indicating whether the account is active.
  • Created Date — when the account was created.
  • Actions — available management actions.

Admins can change a user's role via the dropdown. Users can be activated or deactivated — deactivated users cannot log in.

Safety restrictions: you cannot deactivate your own account or change your own role.

Default Admin

On first startup, the system creates a default admin account. Its password is set via the APPSEC_ADMIN_DEFAULT_PASSWORD environment variable. If the variable is not set, the password defaults to:

changeme

Change this password immediately after first login.
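
A deployment-side check for the default admin behaviour described above, added here as an example and not part of the product's own code: it rejects an unset or default APPSEC_ADMIN_DEFAULT_PASSWORD before the service is started for the first time. The function names are hypothetical, and applying the Create User form's 8 to 128 character bounds to this variable is an assumption.

```shell
#!/bin/sh
# Added example (not part of the product): pre-start check for the
# default admin password variable described above.

# Returns 0 when APPSEC_ADMIN_DEFAULT_PASSWORD is safe to use, otherwise:
#   1 = unset (the documented fallback "changeme" would apply)
#   2 = explicitly set to the documented default
#   3 = outside 8-128 characters (assumption: same bounds as the
#       Create User form; the page does not state them for this variable)
check_admin_password() {
    # ${VAR+x} expands to "x" only when VAR is set, even if empty.
    if [ -z "${APPSEC_ADMIN_DEFAULT_PASSWORD+x}" ]; then
        echo "APPSEC_ADMIN_DEFAULT_PASSWORD is unset; default would apply" >&2
        return 1
    fi
    if [ "$APPSEC_ADMIN_DEFAULT_PASSWORD" = "changeme" ]; then
        echo "APPSEC_ADMIN_DEFAULT_PASSWORD is the documented default" >&2
        return 2
    fi
    len=${#APPSEC_ADMIN_DEFAULT_PASSWORD}
    if [ "$len" -lt 8 ] || [ "$len" -gt 128 ]; then
        echo "APPSEC_ADMIN_DEFAULT_PASSWORD length $len is outside 8-128" >&2
        return 3
    fi
    return 0
}

# Prints a random 32-character hex string (128 bits from /dev/urandom)
# suitable as a one-time bootstrap value.
generate_admin_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Typical use in a deployment wrapper, before the service is launched:
#   check_admin_password || exit 1
```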