User Administration
User Administration refers to the tools and processes used to manage:
- Who can log in (users), and
- What they can do (roles & permissions)
This is a critical part of application security and usability, ensuring that only authorized users can access sensitive data and perform actions appropriate to their roles.
User Administration Tasks
Creating a User
To create a new user in Shesha, follow these steps:
Editing a User
To edit an existing user in Shesha, follow these steps:
Assigning Roles to Users
To assign roles to users in Shesha, follow these steps:
Disabling/Locking a User
To disable a user account in Shesha, follow these steps:
Core Concepts
Shesha's user management framework is built around a few key concepts that form the foundation of how users, roles, and permissions interact. Understanding these concepts is essential for effective user administration.
- Users → Individual accounts representing system actors (people or integrations). For example, an employee logging into the HR system or a backend integration account for an external service.
- Persons → Represents individuals in the system, which may or may not be linked to a users. A
Person
can exist without aUser
(e.g., a client who does not log in). - Roles → Named sets of permissions that define what a user can do. For example, a "Manager" role might have approval rights, while a "Viewer" role has read-only access.
- Permissions → Granular controls over specific features or actions. For example,
Account-View
orAccount-Update
permissions assigned to roles.
Role and Permission Management
Configuring Roles
- Navigate to: Admin UI → Roles
- Create new roles or edit existing ones
- Add or remove permissions inside each role
Configuring Permissions
- Create new permissions under: Admin UI → Permissions
- Use clear, consistent names for permissions
- Map permissions to roles (not directly to users, where possible)
See Also
- Adding custom user fields (profile extensions)
- Integrating with external identity providers (Azure AD, OAuth)
- Configuring audit trails for user actions
- Enforcing security best practices
- Viewing logon audit trails
- Viewing role assignment audit trails
User administration is a crucial aspect of any application, and Shesha provides a robust framework for managing users, roles, and permissions. This document outlines the key concepts and practices for user management in Shesha.
Key Concepts
- User: Represents a system user who can log in and perform actions within the application.
- Person: Represents an individual, which can be a system user or not. A
User
is associated with aPerson
. - Role: A collection of permissions that define what actions a user can perform within the system.
- Permission: A specific action or operation that can be performed within the system, such as viewing, creating, updating, or deleting an entity.
- Module: A logical grouping of related functionalities and permissions within the system.
User Management Overview
Shesha's user management system is designed to provide a flexible and secure way to manage users, roles, and permissions. The framework allows for easy creation, modification, and deletion of users and roles, as well as the assignment of permissions to roles.
User Registration
Users can register through the application interface, where they provide necessary information such as username, password, and email address. The registration process may include email verification to ensure the validity of the user's email address.
User Activation and Deactivation
Users can be activated or deactivated based on their status. An activated user can log in and perform actions, while a deactivated user cannot access the system. This is useful for managing user accounts that are no longer active or for temporarily suspending access.
User Roles
Roles are used to group permissions and assign them to users. A user can have multiple roles, and each role can have multiple permissions. This allows for a flexible and scalable approach to managing user access within the system.
Assigning Users to Roles
In Shesha, users are assigned to roles to control their access within the system. This process involves selecting the appropriate roles that align with the user's responsibilities and the permissions required for their tasks.
Permissions
Permissions define the specific actions that users can perform within the system. They are associated with roles, and users inherit permissions from the roles they are assigned. This allows for fine-grained control over what actions users can take, such as viewing, creating, updating, or deleting entities.
User Management Best Practices
- Use Roles for Permission Management: Instead of assigning permissions directly to users, use roles to group permissions. This simplifies management and allows for easier updates when permissions change.
- Regularly Review User Access: Periodically review user roles and permissions to ensure they align with current business needs and security policies.
- Implement Strong Password Policies: Enforce strong password requirements to enhance security and protect user accounts.
User Management in Shesha
Shesha provides a comprehensive user management framework that allows for the creation, modification, and deletion of users, roles, and permissions. The framework is designed to be flexible and extensible, allowing developers to customize user management functionalities to meet specific application requirements.
User Management in Shesha
Understanding 'Person' and 'User' entities
Shesha comes with both Person
and User
entities as part of its core domain model and it is important to understand the difference and relationship between both.
Whereas the Person
entity is used to store and manage information relating to persons (whether the Person is a system user or not), the User
entity is specifically used to manage system users.
In order for a person to be a system user, both a Person
entity and a matching User
record need to exist.
Since the information a system needs to store about a person will often differ depending on the requirements, it is expected that in most implementations, the Person
entity will be extended by creating sub-classes with additional properties.
In contrast, since the User
entity is used purely for managing the system accounts, it is not expected to be extended as the framework should already provide all the necessary account management features required (e.g. creation, password management, lock-out, activation, etc...) via the UserManager
class.
Example
Imagine you are building a system used to manage client information but where only company employees should have access to the system.
Since both Clients and Employee are more specific types of persons, you would create Client
and Employee
sub-classes that inherit from the Person
class and add the relevant properties to each. You would however only create matching User
records for the Employee
entities.
Should you in the future want to create a client portal so that your clients can also access some limited functions of your system, you could then create User
records for them as they register onto the portal. You would limit their access to certain functions only by assigning them different roles than you would for your internal employees.
UserManager and UserAppService classes
All system account management functions (such as account registrations, activiation/deactivation, password management, etc...) you require should already be supported by the framework via the UserAppService
and UserManager
classes.
TODO : Assigning Roles