Skip to Content
Admin ConsoleUsers & Roles

Users & Roles

The Users and Roles sections of the Auris Console provide full control over who has access to your systems and what they are permitted to do. Users represents the people who authenticate; Roles represents the sets of permissions those people are granted.


Users

User List

The Users page displays all user accounts in your tenant in a searchable, filterable table.

Table Columns

ColumnDescription
NameFull name (first + last)
EmailPrimary email address
UsernameUnique username identifier
RolesBadge list of assigned role names
StatusEnabled (green) or Disabled (red)
CreatedAccount creation date

Filtering

Use the filter controls at the top of the list to narrow results:

  • Search: Type any portion of the user’s name, email, or username. Results filter as you type.
  • Role: Select a role from the dropdown to show only users who have that role assigned.
  • Status: Filter by Enabled or Disabled accounts.

Pagination

The list paginates at 25 users per page by default. Use the pagination controls at the bottom to navigate between pages.


Creating a User

Click Create User

From the Users list, click the Create User button in the top-right corner.

Fill in the user’s details

Complete the form fields:

FieldRequiredDescription
EmailYesThe user’s primary email address. Must be unique in this tenant.
UsernameNoA unique username. If left blank, defaults to the email address.
First NameNoThe user’s given name
Last NameNoThe user’s family name
PasswordNoSet an initial password. If left blank, the user must reset via the “Forgot Password” flow.
Send Invitation EmailNoCheck to send a welcome email with a password reset link

Assign initial roles

In the Roles section of the create dialog, select one or more roles to assign to this user immediately after creation. You can also assign roles later from the user detail page.

Click Create

The user account is created immediately and is active unless you explicitly disable it.

Note: Newly created users without a password set cannot log in until they complete the password reset flow triggered by the invitation email, or until an administrator sets a password for them from the user detail page.


User Detail Page

Click any user’s name or email in the list to open their detail page. The detail page provides a complete view of the user’s account and activity.

Profile Section

Displays the user’s name, email, username, profile picture (if set), phone number (if set), account creation date, and last login time.

The Edit button opens an inline form to update name, username, and other profile fields. Email address changes trigger a verification email to confirm the new address.

Roles Section

Lists all roles currently assigned to this user. Each role is shown as a colored badge with its name.

Adding Roles

  1. Click Manage Roles
  2. In the dialog, check the roles to assign or uncheck roles to remove
  3. Click Save

Changes take effect immediately. The user’s next token refresh will include the updated role list.

Individual Permission Overrides

In addition to role-based permissions, individual users can have direct permission overrides. These are tri-state: ALLOW (grant even if role doesn’t have it), DENY (block even if role does have it), or INHERIT (defer to role). Set overrides from the user’s role management dialog.

Sessions Section

Lists all currently active sessions for this user:

ColumnDescription
Session IDShort identifier for the session
IP AddressIP from which the session was created
User AgentBrowser or client information
CreatedWhen this session was established
Last ActiveWhen the session last made an authenticated request
ExpiresWhen the session will automatically expire

Revoking Sessions

  • Click Revoke on a single session to invalidate that session immediately
  • Click Revoke All Sessions to invalidate all sessions for this user simultaneously

Revoking all sessions is useful when a user reports that their account may have been compromised, or when offboarding a user and you need to ensure immediate access termination.

Activity History

A paginated log of recent actions taken by or related to this user: logins, password changes, role changes, failed login attempts, and MFA enrollments. Each entry shows the action type, timestamp, IP address, and any relevant metadata.


Enabling and Disabling Users

From the Users list, use the Enabled toggle column to enable or disable any user without opening their detail page. The change takes effect immediately.

  • Disabled users cannot log in. If they have active sessions, those sessions continue to work until they expire or are explicitly revoked.
  • To immediately block access for a disabled user, revoke all their sessions from the detail page after disabling the account.

Soft Delete and Restoration

Deleting a user from the Users list moves them to the trash — the account is disabled and hidden from normal lists but not permanently removed. This preserves the audit trail and any associated records.

Restoring a Deleted User

  1. Go to AdministrationDeleted Users in the sidebar
  2. Find the user in the deleted users list
  3. Click Restore

The user’s account is re-enabled and they reappear in the main Users list with all their previous roles intact.

Permanent Deletion

From the Deleted Users list, click Delete Permanently to permanently remove the user account and anonymize their personal data. This action is irreversible and triggers GDPR-compliant data erasure.

Permanently deleted users cannot be restored. All personally identifiable information associated with the account is anonymized. Audit log entries reference the anonymized user ID, not personal data.


Roles

Role List

The Roles page displays all roles defined in your tenant in a table with name, color badge, description, and the count of users currently assigned to that role.


Creating a Role

Click Create Role

From the Roles list, click Create Role.

Enter the role details

FieldRequiredDescription
NameYesThe role identifier. Used in the permission format action:resource. Must be unique.
DescriptionNoHuman-readable description of what this role represents
ColorNoA color used to distinguish this role’s badge in the UI. Choose from presets or enter a hex value.

Click Create

The role is created with no permissions. Open the role’s detail page to configure permissions.


Role Detail Page

Click a role’s name to open its detail page. The detail page contains a full permission editor organized into 10 categories.

Permission Editor

Each category shows all permissions in that category as a row with the permission name, a short description, and a Switch toggle to enable or disable that permission for this role.

Two buttons at the top of each category allow bulk actions:

  • Select All: Enable all permissions in this category
  • Deselect All: Disable all permissions in this category

Changes are saved immediately as you toggle each switch — there is no separate Save button.

Permission Categories

CategoryExample Permissions
Usersmanage:users, view:users, create:users, delete:users
Rolesmanage:roles, view:roles, create:roles, assign:roles
Applicationsmanage:applications, view:applications, create:applications
Organizationsmanage:organizations, view:organizations, invite:organization_members
Securitymanage:ip_rules, manage:attack_protection, view:security_events
SSO & Authenticationmanage:sso_connections, manage:authentication, view:sso_connections
Audit & Complianceview:audit_logs, export:audit_logs, manage:log_streams
Developermanage:webhooks, manage:actions, view:api_keys
FGAmanage:fga_models, manage:fga_tuples, debug:fga
Billingview:billing, manage:subscriptions

Permission Format

All permissions follow the action:resource pattern:

view:users — read access to users manage:users — full read/write access to users create:users — create new users only delete:users — delete users only

The manage action is typically a superset that includes view, create, edit, and delete for that resource. Individual granular permissions (create, edit, delete separately) allow more precise access control when needed.


Tri-State Permission System

Auris uses a three-layer permission model:

  1. Role permissions: The default set of permissions granted to all users with a given role
  2. User permission overrides: Individual user-level overrides that modify or extend role permissions
  3. Effective permissions: The final permission set calculated from all layers

For each user-permission combination, the possible states are:

StateMeaning
ALLOWPermission is granted, regardless of role configuration
DENYPermission is blocked, even if the role grants it
INHERITPermission follows the role’s configuration (default)

User-level overrides are set from the user detail page → Manage Roles dialog. They are useful for granting temporary elevated access to a specific user without modifying their role, or for revoking a specific permission for a user who should not have it despite their role.


Deleting a Role

To delete a role:

  1. From the Roles list, click the options menu (...) on the role row
  2. Click Delete
  3. Confirm the deletion in the dialog

Note: Deleting a role removes it from all users who had it assigned. Those users immediately lose any permissions that were derived solely from that role. If you are retiring a role and replacing it with another, assign the new role to affected users first.