Users & Access

SPEAR implements role-based access control (RBAC) through a flexible system of users, groups, and roles. This architecture allows granular permission management while keeping administration straightforward.


Users are individual accounts with authentication credentials and profile information.

User Properties:

  • Name and email
  • Password (or OAuth connection)
  • Group memberships
  • Account status (active/disabled)

Groups are collections of users that share the same permissions through the roles assigned to the group.

Example Groups:

  • Senior Consultants
  • Junior Analysts
  • Project Managers
  • Report Reviewers

Roles are permission sets that define which actions their holders can perform.

Permission Levels:

| Level | Name | Description |
|---|---|---|
| 0 | Super Admin | Full system access including critical operations |
| 1 | Admin | Administrative access to most features |
| 2 | Manager | Project and team management capabilities |
| 3 | Lead | Lead consultant with elevated project access |
| 4 | Consultant | Standard consultant access |
| 5 | Viewer | Read-only access |

🖥️ User Creation Form Screenshot

Creating a user:

  1. Navigate to Admin > Users & Access
  2. Click Create User
  3. Fill in the required fields:
    • Full Name
    • Email Address
    • Password (or enable OAuth-only)
  4. Assign the user to one or more Groups
  5. Click Save

Editing a user:

  1. Find the user in the user list
  2. Click the user row or the edit icon
  3. Modify fields as needed
  4. Click Save Changes

Disabling a user:

Disabled users cannot log in, but their data and history are preserved.

  1. Open the user details
  2. Toggle Account Status to Disabled
  3. Save changes

Deleting a user:

  1. Open the user details
  2. Click Delete User
  3. Confirm the deletion

🖥️ Group Management Interface Screenshot

Creating a group:

  1. Navigate to Admin > Users & Access > Groups
  2. Click Create Group
  3. Enter the group name and description
  4. Assign roles to the group
  5. Add users to the group
  6. Click Save

Groups can be nested for organizational clarity:

Organization
├── Security Team
│   ├── Senior Consultants
│   └── Junior Analysts
├── Management
│   ├── Project Managers
│   └── Account Managers
└── Support
    └── Technical Writers

Assigning roles to a group:

  1. Open the group settings
  2. Navigate to the Roles tab
  3. Select the roles to assign
  4. Save changes

All users in the group inherit the assigned role permissions.


🖥️ Permission Configuration Interface Screenshot

How permissions are resolved:

  1. The user logs in
  2. The system retrieves the user's group memberships
  3. The system aggregates the roles from all of those groups
  4. The user receives the highest permission level found across all roles
  5. Specific module permissions are combined additively

Module permission categories:

| Category | Controls |
|---|---|
| Projects | Create, view, edit, delete projects |
| Reports | Create, edit, export reports |
| Findings | Create, edit findings and library |
| Assets | Asset management and imports |
| Admin | Administrative functions |
| System | System-level operations |

Example role configurations:

Senior Consultant Role:

Projects: Full Access
Reports: Full Access
Findings: Full Access
Assets: Full Access
Admin: None
System: None

Project Manager Role:

Projects: Full Access
Reports: View + Export
Findings: View
Assets: View
Admin: User Management
System: None
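The resolution steps above (groups gathered, highest level wins, module permissions unioned) and the service-account guidance in the API token section are easiest to reason about in code. The following is an added example written for this page, not SPEAR's own implementation: it models the two example roles just listed plus one constructed minimal role for a service account. The level numbers given to Senior Consultant (3, Lead) and Project Manager (2, Manager), the action names, the `REPORT_EXPORTER` role and the sample users are all assumptions.

```python
"""Effective-permission resolution for the SPEAR-style RBAC model.

Illustrative code written for this page, not SPEAR's own implementation.
It models the five resolution steps (user -> groups -> roles -> highest
level, module permissions combined additively) using the two example roles
on the page plus one constructed service-account role.
Assumptions: Senior Consultant sits at level 3 (Lead), Project Manager at
level 2 (Manager); module permissions are plain sets of action names.
"""
from dataclasses import dataclass
from typing import Optional

# Permission levels from the page's table: a LOWER number means MORE access.
LEVELS = {"Super Admin": 0, "Admin": 1, "Manager": 2,
          "Lead": 3, "Consultant": 4, "Viewer": 5}

FULL = frozenset({"create", "view", "edit", "delete", "export"})  # "Full Access"


@dataclass
class Role:
    name: str
    level: int        # one of LEVELS.values()
    modules: dict     # category -> set of allowed actions


@dataclass
class Group:
    name: str
    roles: tuple = ()


@dataclass
class User:
    name: str
    groups: tuple = ()
    active: bool = True


def resolve(user: User) -> Optional[dict]:
    """Return {'level': int, 'modules': {category: set}} for an active user.

    Step 1 never completes for a disabled account, so None is returned.
    Steps 2-5: gather roles from every group, keep the most privileged level
    (numeric minimum) and union the module permissions. There is no deny
    rule: adding a user to another group can only widen access, never narrow it.
    """
    if not user.active:
        return None
    roles = [role for group in user.groups for role in group.roles]
    if not roles:
        return {"level": None, "modules": {}}
    modules: dict = {}
    for role in roles:
        for category, actions in role.modules.items():
            modules.setdefault(category, set()).update(actions)
    return {"level": min(role.level for role in roles), "modules": modules}


def can(user: User, category: str, action: str) -> bool:
    """Authorization check against the resolved, additive permission set."""
    effective = resolve(user)
    if effective is None:
        return False
    return action in effective["modules"].get(category, set())


# The two example roles from this page (levels are assumed, see docstring).
SENIOR_CONSULTANT = Role("Senior Consultant", LEVELS["Lead"], {
    "Projects": FULL, "Reports": FULL, "Findings": FULL, "Assets": FULL})
PROJECT_MANAGER = Role("Project Manager", LEVELS["Manager"], {
    "Projects": FULL, "Reports": {"view", "export"}, "Findings": {"view"},
    "Assets": {"view"}, "Admin": {"user_management"}})
# Constructed minimal role for a service account that only exports reports.
REPORT_EXPORTER = Role("Report Exporter", LEVELS["Viewer"], {
    "Reports": {"view", "export"}})

# Constructed users. Alice holds both page roles through two groups, so her
# Reports access is the union: full access from Senior Consultant, not the
# narrower "View + Export" of Project Manager.
ALICE = User("alice", (Group("Senior Consultants", (SENIOR_CONSULTANT,)),
                       Group("Project Managers", (PROJECT_MANAGER,))))
# Dedicated service account; an API token for it inherits only this narrow role.
CI_BOT = User("jenkins-ci-bot", (Group("Report Export Bots", (REPORT_EXPORTER,)),))
FORMER_STAFF = User("former-staff",
                    (Group("Senior Consultants", (SENIOR_CONSULTANT,)),),
                    active=False)

if __name__ == "__main__":
    for user in (ALICE, CI_BOT, FORMER_STAFF):
        print(user.name, resolve(user))
```

The point to notice is in `resolve`: because module permissions are unioned, a user in a "view-only" group and a "full access" group ends up with full access. Restricting an account therefore means placing it in a group that carries only the narrow role, which is exactly why the page recommends a dedicated service-account user for tokens rather than a token on a consultant's account.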

Users can generate API tokens for automation:

  1. Go to Account Settings > API Tokens
  2. Click Generate Token
  3. Set token name and expiration
  4. Copy and store the token securely

API tokens inherit the full permissions of the user who generated them. For restricted access:

  1. Create a dedicated service account user
  2. Assign minimal required permissions
  3. Generate token for that user

All user and permission changes are logged:

| Event | Logged Information |
|---|---|
| User Created | Creator, timestamp, user details |
| User Modified | Modifier, timestamp, changed fields |
| User Deleted | Deleter, timestamp |
| Group Changed | Modifier, timestamp, membership changes |
| Login Attempt | User, timestamp, success/failure, IP |
| Permission Change | Modifier, timestamp, old/new values |

View the audit log at Admin > Security > Audit Log.
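The audit events above are what a periodic access review should be run against. The script below is an added example, not a SPEAR feature: it takes audit events shaped like the table (Login Attempt with success/failure and IP, Permission Change with old/new level values) and flags two things a reviewer wants surfaced: bursts of failed logins from one IP, and permission changes that grant Admin or Super Admin. The event dictionaries, their field names, the thresholds and the sample IP addresses are all constructed for this example, since the page does not document an export format.

```python
"""Review helpers for SPEAR-style audit events.

Added example, not a SPEAR feature. Runs two checks over exported audit
events: (a) bursts of failed logins from a single IP and (b) permission
changes that raise a user to Admin or Super Admin. The event dictionaries
are constructed to mirror the audit-log table on this page; the real export
format is not documented there, so every field name here is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_LEVEL = 1               # Admin (1) and Super Admin (0) from the level table
FAILURE_THRESHOLD = 5         # failed attempts from one IP ...
WINDOW = timedelta(minutes=5)  # ... inside this window count as a burst

# Constructed sample: five failures from one IP within two minutes, a lone
# failure elsewhere, a later success, and three permission changes.
EVENTS = [
    {"event": "Login Attempt", "user": "alice", "ts": "2024-05-01T09:00:00", "success": False, "ip": "203.0.113.7"},
    {"event": "Login Attempt", "user": "alice", "ts": "2024-05-01T09:00:30", "success": False, "ip": "203.0.113.7"},
    {"event": "Login Attempt", "user": "bob",   "ts": "2024-05-01T09:01:00", "success": False, "ip": "203.0.113.7"},
    {"event": "Login Attempt", "user": "bob",   "ts": "2024-05-01T09:01:30", "success": False, "ip": "203.0.113.7"},
    {"event": "Login Attempt", "user": "carol", "ts": "2024-05-01T09:02:00", "success": False, "ip": "203.0.113.7"},
    {"event": "Login Attempt", "user": "dave",  "ts": "2024-05-01T09:10:00", "success": False, "ip": "198.51.100.2"},
    {"event": "Login Attempt", "user": "alice", "ts": "2024-05-01T09:03:00", "success": True,  "ip": "203.0.113.7"},
    {"event": "Permission Change", "modifier": "carol", "ts": "2024-05-01T10:00:00", "target": "dave",  "old": 4, "new": 1},
    {"event": "Permission Change", "modifier": "carol", "ts": "2024-05-01T10:05:00", "target": "erin",  "old": 5, "new": 4},
    {"event": "Permission Change", "modifier": "carol", "ts": "2024-05-01T10:10:00", "target": "frank", "old": 1, "new": 0},
]


def failed_login_bursts(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return the IPs with at least `threshold` failed logins inside any `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "Login Attempt" and not e["success"]:
            failures[e["ip"]].append(datetime.fromisoformat(e["ts"]))
    flagged = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return flagged


def privilege_escalations(events, admin_level=ADMIN_LEVEL):
    """Return (modifier, target, old, new) for changes that grant Admin or higher.

    Levels are numeric with 0 = Super Admin, so a grant of more access is
    `new < old`; only grants landing at or above `admin_level` are reported.
    """
    return [(e["modifier"], e["target"], e["old"], e["new"])
            for e in events
            if e["event"] == "Permission Change"
            and e["new"] < e["old"] and e["new"] <= admin_level]


if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts(EVENTS))
    print("admin grants:", privilege_escalations(EVENTS))
```

Both checks are deliberately simple so they can be re-run each quarter against an export of the log: the burst detector is a sliding window over sorted timestamps per source IP, and the escalation check relies only on the old/new values the audit log already records.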


🖥️ Bulk Operations for User Management Screenshot

Import multiple users from CSV:

  1. Navigate to Admin > Users & Access
  2. Click Import Users
  3. Download the template CSV
  4. Fill in user data
  5. Upload the completed CSV
  6. Review and confirm

CSV Format:

name,email,groups
John Smith,[email protected],"Consultants,Project A"
Jane Doe,[email protected],Managers
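Because a bad import can silently create accounts in the wrong groups, it is worth validating the file before the upload step. The validator below is an added example, not part of SPEAR: it checks a file against the documented `name,email,groups` layout, splits the quoted multi-group cell, and rejects malformed or duplicate e-mail addresses and group names that do not yet exist. The sample CSV, the `KNOWN_GROUPS` set and the e-mail check are constructed for this example (addresses use the reserved example.com domain).

```python
"""Validator for the SPEAR user-import CSV format.

Added example, not part of SPEAR. Checks a CSV against the documented
name,email,groups layout before upload so bad rows are caught early.
The sample CSV and the set of known groups are constructed; the e-mail
addresses use the reserved example.com domain.
"""
import csv
import io
import re

EXPECTED_HEADER = ["name", "email", "groups"]
# Deliberately loose shape check: one '@', no whitespace, a dot after the '@'.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_user_import(text: str, known_groups: set):
    """Return (rows, errors).

    rows   -> list of {'name', 'email', 'groups'} for records that passed
    errors -> messages carrying the 1-based physical line number (records
              are assumed to occupy a single line each)
    A record is rejected if its e-mail is malformed, repeats an earlier
    e-mail (case-insensitive), or names a group that does not exist yet.
    """
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None or [h.strip().lower() for h in header] != EXPECTED_HEADER:
        return [], ["line 1: header must be exactly name,email,groups"]

    rows, errors, seen_emails = [], [], set()
    for lineno, record in enumerate(reader, start=2):
        if not any(cell.strip() for cell in record):
            continue                              # skip blank lines
        if len(record) != 3:
            errors.append(f"line {lineno}: expected 3 columns, got {len(record)}")
            continue
        name, email, groups_cell = (cell.strip() for cell in record)
        email = email.lower()
        # A quoted "Consultants,Project A" cell arrives as one field; split it.
        groups = [g.strip() for g in groups_cell.split(",") if g.strip()]

        problems = []
        if not name:
            problems.append("name is empty")
        if not EMAIL_RE.match(email):
            problems.append(f"malformed e-mail {email!r}")
        elif email in seen_emails:
            problems.append(f"duplicate e-mail {email!r}")
        unknown = [g for g in groups if g not in known_groups]
        if unknown:
            problems.append(f"unknown group(s) {unknown}")

        seen_emails.add(email)
        if problems:
            errors.extend(f"line {lineno}: {p}" for p in problems)
        else:
            rows.append({"name": name, "email": email, "groups": groups})
    return rows, errors


# Constructed sample input: two good rows, one malformed e-mail, and one
# duplicate e-mail that also names a group that does not exist.
SAMPLE_CSV = """name,email,groups
John Smith,john.smith@example.com,"Consultants,Project A"
Jane Doe,jane.doe@example.com,Managers
Bad Row,not-an-email,Consultants
Dup Smith,JOHN.SMITH@example.com,"Consultants,Nope Group"
"""
KNOWN_GROUPS = {"Consultants", "Project A", "Managers"}

if __name__ == "__main__":
    ok, bad = parse_user_import(SAMPLE_CSV, KNOWN_GROUPS)
    for row in ok:
        print("OK  ", row)
    for err in bad:
        print("FAIL", err)
```

Rejecting unknown group names is the check that matters most: the groups column is what decides permissions after import, and a typo there would either fail the import or, depending on how the importer treats unknown names, leave the user with no access or in a freshly created group nobody reviews.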

Assign multiple users to a group:

  1. Select users in the user list
  2. Click Bulk Actions > Assign to Group
  3. Select target group
  4. Confirm assignment

Assign the minimum permissions required for each role:

  • Start with restricted access
  • Add permissions as needed
  • Audit permissions regularly

Organize access around groups:

  • Assign permissions to groups, not to individual users
  • Create functional groups (by role), not organizational groups
  • Use descriptive group names

For automated systems:

  • Create dedicated service account users
  • Use descriptive names (e.g., “Jenkins CI Bot”)
  • Limit to specific required permissions
  • Rotate tokens regularly

Schedule periodic reviews:

  • Quarterly permission audits
  • Remove unused accounts
  • Verify group memberships
  • Review API token usage

A user cannot access a feature:

  1. Check the user's group memberships
  2. Verify the group has the required roles assigned
  3. Check the specific permission for the feature
  4. Review the audit log for recent permission changes

Permission changes are not taking effect:

  1. The user may need to log out and back in
  2. Check for conflicting group assignments
  3. Verify the role permissions are correctly configured

If all admin accounts are inaccessible:

  1. Access PocketBase admin panel at /_/
  2. Use the superuser account created during setup
  3. Reset user passwords or create a new admin account