# Users & Roles

## Table of Contents

1. [Overview](#1-overview)
2. [Browsing Users](#2-browsing-users)
3. [Adding a User](#3-adding-a-user)
4. [Resetting a User's Password](#4-resetting-a-users-password)
5. [Browsing Role Assignments](#5-browsing-role-assignments)
6. [Assigning a Role](#6-assigning-a-role)
7. [Editing a Role Assignment Scope](#7-editing-a-role-assignment-scope)
8. [Removing a Role Assignment](#8-removing-a-role-assignment)
9. [Understanding Scopes](#9-understanding-scopes)

***

## 1. Overview

User and role management in Axilon DevOps Desktop controls who can access the system and what they can do. There are two pages:

* **Users** -- View all users, create new accounts, and reset passwords.
* **Role Assignments** -- Assign roles to users and manage the scope of those roles.

These pages are accessible from the **Users** section in the sidebar:

* **List Users** is visible only to Global Admins.
* **Role Assignments** is visible to Global Admins and Machine Admins.

***

## 2. Browsing Users

> **Required role:** Global Admin

### Steps

1. Click **Users > List Users** in the sidebar.
2. The page displays a table of all users.

### Table Columns

| Column         | What It Shows                                       |
| -------------- | --------------------------------------------------- |
| **Avatar**     | User avatar image.                                  |
| **Username**   | The user's login name.                              |
| **Name**       | The user's display name.                            |
| **Role**       | The assigned role (if any).                         |
| **Created At** | Account creation date.                              |
| **MFA Status** | Whether MFA is enabled for this user.               |
| **Actions**    | Change Password, Assign Role (if no role assigned). |

***

## 3. Adding a User

> **Required role:** Global Admin

### Steps

1. Go to **Users > List Users**.
2. Click **"Add User"** in the page header.
3. Fill out the form:

| Field        | Required | Rules                                                                                | Notes                                                                                            |
| ------------ | :------: | ------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------ |
| **Name**     |    Yes   | 5-100 characters; letters (including accented), dashes, apostrophes, spaces          | The user's full display name.                                                                    |
| **Username** |    Yes   | 3-30 characters; lowercase letters, numbers, underscores. Must start with a letter.  | The login identifier. Cannot be changed later.                                                   |
| **Password** |   Auto   | Auto-generated                                                                       | A system-generated password is displayed in a read-only field. Click the copy button to copy it. |

4. Click **"Create"**.
5. On success, the user is created.

> **Important:** You must copy the generated password and provide it to the user. The password cannot be retrieved later. The "Create" button is disabled until you have copied the password.

***

## 4. Resetting a User's Password

> **Required role:** Global Admin

### Steps

1. Go to **Users > List Users**.
2. Find the user in the table and click **"Change Password"** in their actions menu.
3. A confirmation dialog appears. Click **"Confirm"**.
4. A new system-generated password is displayed. Copy it before closing.
5. The modal's close button is disabled until you have copied the password.

Provide the new password to the user. They will be required to change it on their next login (via the onboarding flow).

***

## 5. Browsing Role Assignments

> **Required role:** Global Admin or Machine Admin

### Steps

1. Click **Users > Role Assignments** in the sidebar.
2. The page displays a paginated table (10 items per page by default).

### Table Columns

| Column          | What It Shows                                                            |
| --------------- | ------------------------------------------------------------------------ |
| **User**        | The user this role is assigned to.                                       |
| **Role**        | The role name (Global Admin, Machine Admin, or Developer).               |
| **Scope**       | Either "Full access" (for Global Admin) or a count of assigned machines. |
| **Assigned At** | When the role was assigned.                                              |
| **Actions**     | Edit Scope, Remove Assignment (permission-dependent).                    |

### Filtering

| Filter        | Description              |
| ------------- | ------------------------ |
| **User**      | Search by user.          |
| **Role Name** | Filter by role.          |
| **Machine**   | Filter by machine scope. |

***

## 6. Assigning a Role

> **Required role:** Global Admin or Machine Admin

### Steps

1. Go to **Users > Role Assignments**.
2. Click **"Assign Role"** in the page header. (Alternatively, click **"Assign Role"** on a user row in the Users list if they have no role.)
3. Fill out the form:

| Field     |   Required  | Notes                                                                                                                       |
| --------- | :---------: | --------------------------------------------------------------------------------------------------------------------------- |
| **User**  |     Yes     | Select the user to assign a role to.                                                                                        |
| **Role**  |     Yes     | Select the role: Global Admin, Machine Admin, or Developer. A description of the selected role is shown below the dropdown. |
| **Scope** | Conditional | See [Section 9](#9-understanding-scopes). Not required for Global Admin.                                                    |

4. Click **"Submit"**.
5. A confirmation notification appears on success.

***

## 7. Editing a Role Assignment Scope

> **Required role:** Global Admin or Machine Admin

You can change the machine scope for Machine Admin and Developer role assignments.

> **Note:** Global Admin assignments have "Full access" scope and cannot be edited.

### Steps

1. In the Role Assignments table, click **"Edit Scope"** in the row's actions menu.
2. Modify the machine selections in the scope picker.
3. Click **"Submit"**.

***

## 8. Removing a Role Assignment

> **Required role:** Global Admin or Machine Admin (with restrictions)

### Steps

1. In the Role Assignments table, click **"Remove"** in the row's actions menu.
2. Confirm the removal in the dialog.
3. A confirmation notification appears on success.

### Restrictions

| Role Being Removed | Who Can Remove It             |
| ------------------ | ----------------------------- |
| **Global Admin**   | Global Admin only             |
| **Machine Admin**  | Global Admin or Machine Admin |
| **Developer**      | Global Admin or Machine Admin |

***

## 9. Understanding Scopes

Role assignments for **Machine Admin** and **Developer** roles can be scoped to specific machines.

### How Scoping Works

| Role              | Scope Behavior                                                                                                                                |
| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
| **Global Admin**  | Always has full access. No scope selection needed.                                                                                            |
| **Machine Admin** | Can be scoped to specific machines. If no machines are selected, the role is unscoped (access to all machines within their permission level). |
| **Developer**     | Can be scoped to specific machines. Same behavior as Machine Admin regarding empty scope.                                                     |

### Scope Picker

When assigning a Machine Admin or Developer role, the scope picker allows you to:

1. **Select machines** -- Choose which machines this user can manage or access.
2. **Leave empty** -- The assignment is unscoped: it is not limited to specific machines, and access follows the role's default permissions (see the table above).

The scope determines which machines the user can see and interact with across the application (configurations, snapshots, restores, clones, etc.).
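
The scoping rules above and the removal restrictions in Section 8, modeled as an added example (not Axilon code) for reviewing role assignments: it shows that an empty scope reaches every machine and that clearing the last machine in **Edit Scope** widens access. The data model, user names and machine names are constructed, and "all machines within their permission level" is assumed here to mean the whole inventory.

```python
from dataclasses import dataclass

# Role names are from this page; the data model and machine names are constructed.
GLOBAL_ADMIN, MACHINE_ADMIN, DEVELOPER = "Global Admin", "Machine Admin", "Developer"

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    machines: frozenset = frozenset()  # empty set = unscoped assignment

def effective_machines(a, inventory):
    """Machines an assignment reaches; an empty scope means all, not none."""
    if a.role == GLOBAL_ADMIN or not a.machines:
        return set(inventory)
    return set(a.machines) & set(inventory)

def gained_by_edit(old, new, inventory):
    """Machines newly reachable after an Edit Scope change."""
    return effective_machines(new, inventory) - effective_machines(old, inventory)

def can_remove(actor_role, target_role):
    """Restrictions table from Section 8."""
    if target_role == GLOBAL_ADMIN:
        return actor_role == GLOBAL_ADMIN
    return actor_role in (GLOBAL_ADMIN, MACHINE_ADMIN)

def unscoped(assignments):
    """Machine Admin / Developer assignments with no machines selected."""
    return [a.user for a in assignments
            if a.role in (MACHINE_ADMIN, DEVELOPER) and not a.machines]

# Constructed sample data.
INVENTORY = {"build-01", "build-02", "db-01"}
ASSIGNMENTS = [
    Assignment("alice", GLOBAL_ADMIN),
    Assignment("bob", MACHINE_ADMIN, frozenset({"build-01"})),
    Assignment("carol", DEVELOPER),  # unscoped
]

if __name__ == "__main__":
    for a in ASSIGNMENTS:
        print(a.user, a.role, sorted(effective_machines(a, INVENTORY)))
    print("unscoped:", unscoped(ASSIGNMENTS))
    cleared = Assignment("bob", MACHINE_ADMIN)  # last machine deselected
    print("gained:", sorted(gained_by_edit(ASSIGNMENTS[1], cleared, INVENTORY)))
```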
