Users & Roles
The Users and Roles sections of the Auris Console provide full control over who has access to your systems and what they are permitted to do. Users represents the people who authenticate; Roles represents the sets of permissions those people are granted.
Users
User List
The Users page displays all user accounts in your tenant in a searchable, filterable table.
Table Columns
| Column | Description |
|---|---|
| Name | Full name (first + last) |
| Primary email address | |
| Username | Unique username identifier |
| Roles | Badge list of assigned role names |
| Status | Enabled (green) or Disabled (red) |
| Created | Account creation date |
Filtering
Use the filter controls at the top of the list to narrow results:
- Search: Type any portion of the user’s name, email, or username. Results filter as you type.
- Role: Select a role from the dropdown to show only users who have that role assigned.
- Status: Filter by Enabled or Disabled accounts.
Pagination
The list paginates at 25 users per page by default. Use the pagination controls at the bottom to navigate between pages.
Creating a User
Click Create User
From the Users list, click the Create User button in the top-right corner.
Fill in the user’s details
Complete the form fields:
| Field | Required | Description |
|---|---|---|
| Yes | The user’s primary email address. Must be unique in this tenant. | |
| Username | No | A unique username. If left blank, defaults to the email address. |
| First Name | No | The user’s given name |
| Last Name | No | The user’s family name |
| Password | No | Set an initial password. If left blank, the user must reset via the “Forgot Password” flow. |
| Send Invitation Email | No | Check to send a welcome email with a password reset link |
Assign initial roles
In the Roles section of the create dialog, select one or more roles to assign to this user immediately after creation. You can also assign roles later from the user detail page.
Click Create
The user account is created immediately and is active unless you explicitly disable it.
Note: Newly created users without a password set cannot log in until they complete the password reset flow triggered by the invitation email, or until an administrator sets a password for them from the user detail page.
User Detail Page
Click any user’s name or email in the list to open their detail page. The detail page provides a complete view of the user’s account and activity.
Profile Section
Displays the user’s name, email, username, profile picture (if set), phone number (if set), account creation date, and last login time.
The Edit button opens an inline form to update name, username, and other profile fields. Email address changes trigger a verification email to confirm the new address.
Roles Section
Lists all roles currently assigned to this user. Each role is shown as a colored badge with its name.
Adding Roles
- Click Manage Roles
- In the dialog, check the roles to assign or uncheck roles to remove
- Click Save
Changes take effect immediately. The user’s next token refresh will include the updated role list.
Individual Permission Overrides
In addition to role-based permissions, individual users can have direct permission overrides. These are tri-state: ALLOW (grant even if role doesn’t have it), DENY (block even if role does have it), or INHERIT (defer to role). Set overrides from the user’s role management dialog.
Sessions Section
Lists all currently active sessions for this user:
| Column | Description |
|---|---|
| Session ID | Short identifier for the session |
| IP Address | IP from which the session was created |
| User Agent | Browser or client information |
| Created | When this session was established |
| Last Active | When the session last made an authenticated request |
| Expires | When the session will automatically expire |
Revoking Sessions
- Click Revoke on a single session to invalidate that session immediately
- Click Revoke All Sessions to invalidate all sessions for this user simultaneously
Revoking all sessions is useful when a user reports that their account may have been compromised, or when offboarding a user and you need to ensure immediate access termination.
Activity History
A paginated log of recent actions taken by or related to this user: logins, password changes, role changes, failed login attempts, and MFA enrollments. Each entry shows the action type, timestamp, IP address, and any relevant metadata.
Enabling and Disabling Users
From the Users list, use the Enabled toggle column to enable or disable any user without opening their detail page. The change takes effect immediately.
- Disabled users cannot log in. If they have active sessions, those sessions continue to work until they expire or are explicitly revoked.
- To immediately block access for a disabled user, revoke all their sessions from the detail page after disabling the account.
Soft Delete and Restoration
Deleting a user from the Users list moves them to the trash — the account is disabled and hidden from normal lists but not permanently removed. This preserves the audit trail and any associated records.
Restoring a Deleted User
- Go to Administration → Deleted Users in the sidebar
- Find the user in the deleted users list
- Click Restore
The user’s account is re-enabled and they reappear in the main Users list with all their previous roles intact.
Permanent Deletion
From the Deleted Users list, click Delete Permanently to permanently remove the user account and anonymize their personal data. This action is irreversible and triggers GDPR-compliant data erasure.
Permanently deleted users cannot be restored. All personally identifiable information associated with the account is anonymized. Audit log entries reference the anonymized user ID, not personal data.
Roles
Role List
The Roles page displays all roles defined in your tenant in a table with name, color badge, description, and the count of users currently assigned to that role.
Creating a Role
Click Create Role
From the Roles list, click Create Role.
Enter the role details
| Field | Required | Description |
|---|---|---|
| Name | Yes | The role identifier. Used in the permission format action:resource. Must be unique. |
| Description | No | Human-readable description of what this role represents |
| Color | No | A color used to distinguish this role’s badge in the UI. Choose from presets or enter a hex value. |
Click Create
The role is created with no permissions. Open the role’s detail page to configure permissions.
Role Detail Page
Click a role’s name to open its detail page. The detail page contains a full permission editor organized into 10 categories.
Permission Editor
Each category shows all permissions in that category as a row with the permission name, a short description, and a Switch toggle to enable or disable that permission for this role.
Two buttons at the top of each category allow bulk actions:
- Select All: Enable all permissions in this category
- Deselect All: Disable all permissions in this category
Changes are saved immediately as you toggle each switch — there is no separate Save button.
Permission Categories
| Category | Example Permissions |
|---|---|
| Users | manage:users, view:users, create:users, delete:users |
| Roles | manage:roles, view:roles, create:roles, assign:roles |
| Applications | manage:applications, view:applications, create:applications |
| Organizations | manage:organizations, view:organizations, invite:organization_members |
| Security | manage:ip_rules, manage:attack_protection, view:security_events |
| SSO & Authentication | manage:sso_connections, manage:authentication, view:sso_connections |
| Audit & Compliance | view:audit_logs, export:audit_logs, manage:log_streams |
| Developer | manage:webhooks, manage:actions, view:api_keys |
| FGA | manage:fga_models, manage:fga_tuples, debug:fga |
| Billing | view:billing, manage:subscriptions |
Permission Format
All permissions follow the action:resource pattern:
view:users — read access to users
manage:users — full read/write access to users
create:users — create new users only
delete:users — delete users onlyThe manage action is typically a superset that includes view, create, edit, and delete for that resource. Individual granular permissions (create, edit, delete separately) allow more precise access control when needed.
Tri-State Permission System
Auris uses a three-layer permission model:
- Role permissions: The default set of permissions granted to all users with a given role
- User permission overrides: Individual user-level overrides that modify or extend role permissions
- Effective permissions: The final permission set calculated from all layers
For each user-permission combination, the possible states are:
| State | Meaning |
|---|---|
| ALLOW | Permission is granted, regardless of role configuration |
| DENY | Permission is blocked, even if the role grants it |
| INHERIT | Permission follows the role’s configuration (default) |
User-level overrides are set from the user detail page → Manage Roles dialog. They are useful for granting temporary elevated access to a specific user without modifying their role, or for revoking a specific permission for a user who should not have it despite their role.
Deleting a Role
To delete a role:
- From the Roles list, click the options menu (
...) on the role row - Click Delete
- Confirm the deletion in the dialog
Note: Deleting a role removes it from all users who had it assigned. Those users immediately lose any permissions that were derived solely from that role. If you are retiring a role and replacing it with another, assign the new role to affected users first.
Related Guides
- Managing Users (API) — Programmatic user management via the Auris REST API
- User Import & Export — Bulk import users from CSV or JSON
- RBAC Concepts — How Auris roles and permissions work at a technical level
- Fine-Grained Authorization — Object-level access control beyond roles
- SCIM Provisioning — Automated user lifecycle via Okta, Azure AD, or OneLogin