Prerequisites
- Active IDP user account in a tenant
- For tenant admin functions: your IDP user must have Tenant Administrator status
- For role management: role with roles.view / roles.create / roles.edit / roles.delete
- For assignment management: role with access_grants.view / access_grants.manage
- For IDP user/group viewing: role with idp.view
- For IDP user/group management: role with idp.manage plus Tenant Administrator status
Logging in (IDP flow)
Cadres uses a two-phase login. First authenticate your identity, then select an account context. Users with access to a single account skip the selection step.
- Navigate to the login page at your Cadres URL.
- Enter your email address and password.
- If MFA is enabled on your account, enter the 6-digit TOTP code from your authenticator app (Google Authenticator, Authy, etc.).
- If you have access to one account: you are automatically logged in and redirected to the dashboard.
- If you have access to multiple accounts: a selection screen appears. Choose the account you want to work in.
- A session token scoped to the selected account is created. All subsequent actions are authorized within that account context.
Logging out
- Click Logout from the user menu in the top-right corner.
- Your token is immediately revoked across all server instances. Even in multi-instance deployments, logout takes effect instantly on every node -- there is no propagation delay.
Setting up MFA
Cadres supports TOTP-based multi-factor authentication. Once enabled, a 6-digit code is required on every login.
- Navigate to Identity Center > My Profile.
- Click Setup MFA. A QR code appears on screen.
- Scan the QR code with your authenticator app (Google Authenticator, Authy, Microsoft Authenticator, etc.).
- Enter the 6-digit verification code displayed in your authenticator app.
- MFA is now active. You will be prompted for a code on every subsequent login.
Disabling MFA
- Navigate to Identity Center > My Profile.
- Click Disable MFA.
- Enter your current password for confirmation.
- MFA is removed from your account.
Enforcing tenant-wide MFA
- Navigate to Identity Center > Security Settings (requires tenant admin).
- Toggle MFA Required to on.
- All users in the tenant must now enable MFA before they can log in.
Managing tenant users
Tenant admins can create, update, and deactivate user accounts. Requires idp.manage and tenant admin status.
- Navigate to Identity Center > Users.
- Create user: Click "Add User". Enter email, password (8-72 characters), and name. Optionally toggle tenant admin status.
- Update user: Click a user row to edit name, phone number, active status, or admin status.
- Reset password: Click "Reset Password" on the user row. Enter the new password (8-72 characters; 72 is the bcrypt input limit).
- Delete user: Click "Delete" to deactivate the user. You cannot delete yourself or the last remaining admin.
Managing groups
Groups allow bulk role assignment. Add users to a group, then assign roles to the group -- all members inherit those permissions.
- Navigate to Identity Center > Groups.
- Create group: Click "Add Group". Enter a name and description.
- Add members: Open the group detail page, search for users by email or name, and add them to the group.
- Remove members: Click "Remove" next to a member's name in the group detail.
- Grant account access: In group detail, click "Add Account Access" and select the target account and access level.
- Grant org access: In group detail, click "Add Org Access" and select the organization and role.
- Delete group: Click "Delete". This is a hard delete -- the group and all its memberships are permanently removed.
Configuring SAML SSO
Integrate with an external identity provider for single sign-on. Requires tenant admin status and idp.manage.
- Navigate to Identity Center > SSO.
- Enter your SAML Identity Provider details: Entity ID, SSO URL, and SLO URL (optional).
- Paste the IdP's X.509 certificate.
- Configure the attribute mapping JSON to map IdP attributes to SPOG fields (email, name, groups, etc.).
- Toggle Enabled to activate SSO.
- Click Save. Users can now authenticate via your external IdP.
Creating roles
Roles define what a user can do. Each role is a set of permission keys organized by domain. Roles can be scoped to the entire account or a specific organization.
- Navigate to Access Control > Roles.
- Click Create Role.
- Enter a name and description.
- Choose scope: Account (global -- applies to all orgs) or Organization (select a specific org).
- Use the permission editor to toggle permission keys. Permissions are organized by category (Hosts, Alerts, Patches, etc.) with checkboxes for each key.
- Optionally start from a built-in template to pre-populate permissions.
- Click Save.
Built-in role templates
| Template | Description |
|---|---|
| Account Administrator | Full access to all features. System role -- cannot be modified or deleted. |
| Helpdesk Technician | View hosts, run diagnostics, manage services and processes. No patch or compliance access. |
| Read-Only Auditor | View-only access across all domains. No mutation permissions. |
| Patch Manager | Full patch management access plus host viewing. |
| Security Analyst | Alerts, compliance, vulnerability, and fingerprint access. |
| Network Operator | SNMP, discovery, and network diagnostic access. |
Managing role assignments
Assignments link roles to users or groups. Multiple roles can be stacked -- permissions are additively merged.
Creating an assignment
- Navigate to Access Control > Role Assignments.
- Click Add Assignment.
- Search for a user (by email or name) or group (by name). Search is scoped to tenants linked to your account.
- Select the role to assign.
- Optionally set an expiration date for time-limited access (e.g. contractor engagement, temporary escalation).
- Click Assign.
Removing an assignment
- Navigate to Access Control > Role Assignments.
- Find the assignment in the list.
- Click Remove.
Auto-expiry
Assignments with an expiration date are automatically deactivated when they expire. A background scheduler checks every 30 minutes and proactively deactivates expired assignments. Expired assignments are also filtered out at query time -- no manual cleanup required.
Viewing your access
- Navigate to Identity Center > My Access.
- View all accounts and organizations you can access, along with the permissions granted.
- Each permission source is labeled as direct (assigned to you personally) or group:{name} (inherited from a group membership).
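The resolution rules described under role assignments, auto-expiry and My Access (direct and group sources, additive merging of stacked roles, expired assignments dropped at query time) in an added illustrative script; this is not Cadres code, and the role contents, the `*` wildcard and the sample users and accounts are assumptions constructed for the example:

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample roles: the template names are from the page, the permission keys are assumed.
ROLES = {
    "Read-Only Auditor": {"hosts.view", "alerts.view", "patches.view", "roles.view"},
    "Patch Manager": {"hosts.view", "patches.view", "patches.manage"},
    "Account Administrator": {"*"},  # "*" standing for full access is an assumption here
}

@dataclass
class Assignment:
    target_type: str                     # "user" or "group"
    target: str                          # user email or group name
    role: str
    account: str
    expires_at: "datetime | None" = None  # None = no expiry

def is_active(a, now):
    # Expired assignments are filtered at query time, not only by the 30-minute scheduler.
    return a.expires_at is None or a.expires_at > now

def resolve_access(user, groups, assignments, account, now):
    """Map each effective permission key to the sources granting it:
    'direct' (personal assignment) or 'group:<name>' (inherited from membership)."""
    effective = {}
    for a in assignments:
        if a.account != account or not is_active(a, now):
            continue  # other account context, or expired
        if a.target_type == "user" and a.target == user:
            source = "direct"
        elif a.target_type == "group" and a.target in groups:
            source = f"group:{a.target}"
        else:
            continue
        for perm in ROLES[a.role]:  # stacked roles merge additively (union of keys)
            effective.setdefault(perm, []).append(source)
    return effective

def has_permission(effective, perm):
    return "*" in effective or perm in effective

# Constructed sample: alice is in patch-team; her Account Administrator grant expired in 2020.
UTC = timezone.utc
NOW = datetime(2025, 1, 1, tzinfo=UTC)
ASSIGNMENTS = [
    Assignment("user", "alice@example.com", "Read-Only Auditor", "acct-1"),
    Assignment("group", "patch-team", "Patch Manager", "acct-1", datetime(2030, 1, 1, tzinfo=UTC)),
    Assignment("user", "alice@example.com", "Account Administrator", "acct-1", datetime(2020, 1, 1, tzinfo=UTC)),
    Assignment("group", "patch-team", "Patch Manager", "acct-2"),
]
```

Calling `resolve_access("alice@example.com", {"patch-team"}, ASSIGNMENTS, "acct-1", NOW)` yields `patches.manage` from `group:patch-team` only and no `*`, because the expired admin grant is skipped; with a `now` before 2020 the wildcard reappears.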
Permission reference
| Action | Permission | Additional Requirement |
|---|---|---|
| View IDP users and groups | idp.view | -- |
| Create, update, delete IDP users | idp.manage | Must be tenant admin |
| Create, update, delete groups | idp.manage | Must be tenant admin |
| Configure SAML/SSO | idp.manage | Must be tenant admin |
| View roles | roles.view | -- |
| Create roles | roles.create | -- |
| Edit roles | roles.edit | Cannot edit system roles |
| Delete roles | roles.delete | Cannot delete system roles or roles with assigned users |
| View role assignments | access_grants.view | -- |
| Create or delete assignments | access_grants.manage | Cannot remove last Account Administrator |
| View own profile | (any authenticated user) | -- |
| Update own profile | (any authenticated user) | -- |
| Setup or disable MFA | (any authenticated user) | Password required to disable |
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| "Invalid email or password" | Wrong credentials or user is inactive | Verify email, reset password if needed, check that the user account is active |
| "MFA code required" | MFA enabled but code not provided | Enter 6-digit code from your authenticator app |
| "Invalid MFA code" | Code expired or wrong TOTP secret | Wait for the next 30-second cycle and try again. If persistent, admin can reset MFA. |
| "Please select an account context first" | Using identity token where session token is needed | Complete the account selection step after login |
| "No access to this account" | User has no role assignments for the selected account | Admin must create a role assignment linking the user to the account |
| "System roles cannot be modified" | Trying to edit or delete the Account Administrator role | System roles are immutable. Create a custom role instead. |
| "Cannot remove the last Account Administrator" | Trying to remove the only admin assignment | Assign another user as Account Administrator first |
| "Cannot delete your own account" | Self-deletion attempted | Another admin must delete your account |
| User can log in but sees no accounts | No role assignments exist for this user | Admin must create role assignment with target account |
| Group members don't see expected permissions | Group not assigned a role for the account | Create a role assignment with the group as the target |
| Permissions don't update after role change | Permissions resolved per-request from DB | Changes take effect on the next request -- no cache to invalidate |
| Vendor user creation fails with domain error | Domain matching is enforced and email domain doesn't match | Use an email address matching the tenant's configured domain |