User Management
The Manager provides comprehensive user management with role-based access control at project, tenant, and application levels.
Overview
Users in the Productify Framework are managed through Pocket ID. The Manager integrates with Pocket ID to handle authentication and user information.
User Roles
The Manager implements hierarchical role-based access control (RBAC):
Project Roles
- Admin - Full control over the project and all child resources
- Editor - Can modify resources but cannot manage users
- Viewer - Read-only access to project resources
Tenant Roles
- Admin - Full control over the tenant and its applications
- Editor - Can modify tenant resources but cannot manage users
- Viewer - Read-only access to tenant resources
Application Roles
- Admin - Full control over the application
- Editor - Can modify application resources
- Viewer - Read-only access to application resources
Managing Users
Adding Users to Projects
- Navigate to Projects in the sidebar
- Select the project
- Click the Users tab
- Click Add User
- Search for the user by name or email
- Select the appropriate role
- Click Add
Via API:
mutation {
  addUserToProject(
    projectID: "project-uuid"
    userID: "user-uuid"
    role: admin
  ) {
    id
    role
    user {
      username
      email
    }
  }
}
Adding Users to Tenants
- Navigate to Tenants
- Select the tenant
- Click Users tab
- Click Add User
- Select user and role
- Click Add
Via API:
mutation {
  addUserToTenant(tenantID: "tenant-uuid", userID: "user-uuid", role: editor) {
    id
    role
  }
}
Adding Users to Applications
- Navigate to Applications
- Select the application
- Click Users tab
- Click Add User
- Select user and role
- Click Add
Via API:
mutation {
  addUserToApplication(
    applicationID: "app-uuid"
    userID: "user-uuid"
    role: viewer
  ) {
    id
    role
  }
}
Updating User Roles
Changing Project Roles
- Navigate to Project → Users
- Find the user in the list
- Click the role dropdown
- Select the new role
- Changes are saved automatically
Via API:
mutation {
  updateUserProjectRole(id: "user-project-relation-uuid", role: editor) {
    id
    role
  }
}
Changing Tenant/Application Roles
Follow the same process as projects, navigating to the respective resource's Users tab.
Removing Users
Removing from Projects
- Navigate to Project → Users
- Find the user
- Click the Remove button
- Confirm the removal
Via API:
mutation {
  removeUserFromProject(id: "user-project-relation-uuid")
}
WARNING
Removing a user from a project also removes their access to all child tenants and applications within that project.
User Search
Provider User Search
The Manager can search for users in Pocket ID:
query {
  userProviderSearch(name: "john") {
    id
    username
    email
    displayName
    disabled
  }
}
This is useful when adding new users who haven't yet accessed the Manager.
Current User Information
Get information about the authenticated user:
query {
  me {
    id
    username
    email
    displayName
    disabled
  }
}
Access Control
Hierarchical Permissions
Access control follows a hierarchical model:
- Project access grants access to all tenants and applications within the project
- Tenant access grants access to all applications within the tenant
- Application access grants access only to that specific application
Permission Inheritance
Permissions do NOT automatically inherit down the hierarchy. Users must be explicitly granted access at each level, unless they have project-level access.
Example:
- User has Project Admin role → Can access all tenants and applications
- User has Tenant Editor role → Can edit tenant and applications, but not other tenants
- User has Application Viewer role → Can only view that specific application
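The hierarchy described above, as an added Python example (not code from the Manager): it resolves a user's effective role on a project, tenant or application from the explicit grants at each level, treating a project grant as covering its tenants and applications and a tenant grant as covering its applications, exactly as the three example users show. The action-to-role mapping, the parent map and all user and resource identifiers are constructed for illustration.

```python
# Role ranking used by the Manager: Admin > Editor > Viewer (role names from the page).
ROLE_RANK = {"viewer": 1, "editor": 2, "admin": 3}
# Actions each role permits. Assumed mapping derived from the page's role
# descriptions: Viewer reads, Editor modifies, only Admin manages users.
ROLE_ACTIONS = {
    "viewer": {"read"},
    "editor": {"read", "modify"},
    "admin": {"read", "modify", "manage_users"},
}

def ancestors(level, resource_id, parent):
    """The resource itself, then each ancestor up to its project.
    parent maps a resource id to (parent_level, parent_id)."""
    chain = [(level, resource_id)]
    while resource_id in parent:
        level, resource_id = parent[resource_id]
        chain.append((level, resource_id))
    return chain

def effective_role(user, level, resource_id, grants, parent):
    """Highest role held on the resource or any ancestor: a project grant covers
    every tenant and application beneath it, a tenant grant covers its
    applications, an application grant covers only that application.
    grants maps (level, user, resource_id) to a role."""
    held = [grants.get((lvl, user, rid))
            for lvl, rid in ancestors(level, resource_id, parent)]
    held = [r for r in held if r]
    return max(held, key=ROLE_RANK.get) if held else None

def can(user, action, level, resource_id, grants, parent):
    """True if the user's effective role on the resource permits the action."""
    role = effective_role(user, level, resource_id, grants, parent)
    return role is not None and action in ROLE_ACTIONS[role]

def remove_from_project(user, project_id, grants):
    """Dropping the project grant also drops access to its tenants and applications."""
    grants.pop(("project", user, project_id), None)

def project_admins(project_id, grants):
    """Review helper: who holds Admin on the project (a role to grant sparingly)."""
    return sorted(u for (lvl, u, rid), role in grants.items()
                  if lvl == "project" and rid == project_id and role == "admin")

# Constructed sample: one project with two tenants, one application each.
PARENT = {"app-a1": ("tenant", "ten-a"), "app-b1": ("tenant", "ten-b"),
          "ten-a": ("project", "proj-1"), "ten-b": ("project", "proj-1")}
GRANTS = {("project", "alice", "proj-1"): "admin",
          ("tenant", "bob", "ten-a"): "editor",
          ("application", "carol", "app-b1"): "viewer"}
```

With these grants, alice (Project Admin) can manage users on any tenant, bob (Tenant Editor on ten-a) can modify app-a1 but sees nothing in ten-b, and carol can only read app-b1.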
Best Practices
Role Assignment
- Grant the minimum required role for users to perform their tasks
- Use Project Admin sparingly - only for project owners
- Prefer Tenant/Application roles for focused responsibilities
- Use Viewer role for auditors and observers
User Lifecycle
- Onboarding - Add users to appropriate projects/tenants when they join
- Role Changes - Update roles as responsibilities change
- Offboarding - Remove access when users leave or change teams
Security
- Regular Audits - Review user access periodically
- Principle of Least Privilege - Grant minimal necessary permissions
- Segregation of Duties - Separate administrative and operational roles
- Disable Unused Accounts - Remove inactive users
Organization
- Document Roles - Maintain documentation of role responsibilities
- Naming Conventions - Use consistent naming for users
- Group Management - Consider organizing users by team/function
Audit Logging
All user management operations are recorded in the audit log:
query {
  auditLogs(
    projectID: "project-uuid"
    filters: [{ field: "entity_type", value: "User2Project" }]
    order: { field: "created_at", direction: DESC }
    pagination: { limit: 50, offset: 0 }
  ) {
    id
    action
    description
    user {
      username
    }
    createdAt
  }
}
See Audit Logs for more details.
Troubleshooting
User Not Found
Issue: User cannot be found when searching
Solutions:
- Verify user exists in Pocket ID
- Check Pocket ID connection
- Ensure user has logged in at least once
- Verify spelling of username/email
Access Denied
Issue: User cannot access resources
Solutions:
- Verify user has appropriate role at correct level
- Check role permissions match required action
- Confirm user is not disabled in Pocket ID
- Review audit logs for permission changes
Cannot Add User
Issue: Unable to add user to project/tenant/application
Solutions:
- Verify you have Admin role at that level
- Check user is not already added
- Ensure the user exists in the system (they may need to log in first)
- Verify Pocket ID is accessible
Integration with Pocket ID
The Manager integrates with Pocket ID for user management:
Configuration
Pocket ID API connection is configured in the Manager's config file:
pocket_id:
  host: http://pocketid:1411
  api_key: your-api-key
User Authentication
User login via OAuth/OIDC is handled by the Proxy component. See Proxy Configuration for OIDC client setup.
See Configuration for details.
API Reference
Complete user management API documentation:
See the full API Reference for all user management operations.