User Management Overview
Overview
The User Management system in ASCEND provides comprehensive tools for managing the complete user lifecycle within your organization. Administrators can invite users, assign roles, monitor activity, and manage access controls with enterprise-grade security and full audit trail capabilities.
User management is critical for maintaining security posture and ensuring compliance with regulations like SOC 2, HIPAA, and PCI-DSS that require strict access control and accountability.
Prerequisites
- org_admin, Admin, or Super_Admin role
- Access to the Admin Console
- Available user seats (check your subscription limits)
Key Concepts
User States
Users in ASCEND can exist in one of four states:
| State | Description | Icon | Can Login |
|---|---|---|---|
| Active | Normal operational state | Green badge | Yes |
| Pending | Invited but never logged in | Gray badge | Yes (first login) |
| Suspended | Temporarily disabled | Orange badge | No |
| Deactivated | Soft-deleted from organization | Red badge | No |
User Lifecycle
```text
Invite --> Pending --> Active --> (Suspended) --> Deactivated
                         ^             |
                         |_____________| (Reactivate)
```
- Invite: Administrator sends invitation
- Pending: User receives email, has not logged in
- Active: User has completed first login
- Suspended: Temporarily blocked (reversible)
- Deactivated: Removed from organization (soft delete)
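The states table and lifecycle diagram above define a small state machine: which actions are allowed from which state, which states permit login, and which actions must carry a reason for the audit trail. The following Python is an added example of that machine (not ASCEND's own code; the function and class names are assumptions). It also allows deactivating a Pending user, which the diagram does not draw but the "Remove stale pending invitations" practice implies:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed example of the documented lifecycle; the real ASCEND
# implementation is not on the page, so names and structure are assumptions.

# "Can Login" column of the User States table.
CAN_LOGIN = {"pending": True, "active": True, "suspended": False, "deactivated": False}

# (current state, action) -> next state, following the lifecycle diagram.
# ("pending", "deactivate") is added so stale pending invitations can be removed.
TRANSITIONS = {
    ("pending", "first_login"): "active",
    ("pending", "deactivate"): "deactivated",
    ("active", "suspend"): "suspended",
    ("suspended", "reactivate"): "active",
    ("active", "deactivate"): "deactivated",
    ("suspended", "deactivate"): "deactivated",
}

# Admin actions that must carry a reason for the audit trail.
REASON_REQUIRED = {"suspend", "reactivate", "deactivate"}


class TransitionError(Exception):
    """Raised for a transition the lifecycle does not allow."""


@dataclass
class AuditEntry:
    user_id: str
    action: str
    from_state: str
    to_state: str
    actor: str
    reason: Optional[str]
    at: datetime


@dataclass
class User:
    id: str
    email: str
    state: str = "pending"      # an invitation creates the user in Pending
    is_active: bool = True      # cleared on deactivation (soft delete)
    audit: list = field(default_factory=list)


def invite(user_id: str, email: str) -> User:
    """Administrator sends an invitation: the user starts in Pending."""
    return User(id=user_id, email=email)


def can_login(user: User) -> bool:
    return CAN_LOGIN[user.state]


def transition(user: User, action: str, actor: str, reason: Optional[str] = None) -> User:
    """Apply one lifecycle action, enforcing allowed transitions and audit reasons."""
    if action in REASON_REQUIRED and not (reason and reason.strip()):
        raise TransitionError(f"{action} requires a reason for the audit trail")
    new_state = TRANSITIONS.get((user.state, action))
    if new_state is None:
        raise TransitionError(f"cannot {action} a user in state {user.state!r}")
    user.audit.append(AuditEntry(user.id, action, user.state, new_state, actor,
                                 reason, datetime.now(timezone.utc)))
    user.state = new_state
    user.is_active = new_state != "deactivated"
    return user


if __name__ == "__main__":
    u = invite("u-123", "new.user@company.com")
    transition(u, "first_login", actor="system")
    transition(u, "suspend", actor="admin@company.com", reason="Policy violation - pending review")
    transition(u, "reactivate", actor="admin@company.com", reason="Review cleared")
    for entry in u.audit:
        print(entry.action, entry.from_state, "->", entry.to_state, entry.reason)
```

Deactivation is terminal here, matching the diagram: a deactivated user keeps its audit history (soft delete) but no action brings it back to Active.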
Step-by-Step Guide
Viewing Users
- Navigate to Admin Console
- Click the "Users" tab
- View the user table with columns:
- User (avatar, name)
- Role
- Status
- Last Active
- Actions
Filtering and Searching
- Use the search box to filter by name or email
- Filter by status using the dropdown
- Click column headers to sort
Inviting a New User
- Click "+ Invite User" button
- Enter required information:
- Email address
- First name
- Last name
- Select role from dropdown:
- Viewer
- Analyst
- Admin
- Organization Admin
- Click "Send Invitation"
- User receives welcome email with temporary password
Managing Individual Users
Click the three-dot menu on any user row to access:
| Action | Description |
|---|---|
| Edit Profile | Update user's personal information |
| View Activity | See audit log of user's actions |
| Suspend/Reactivate | Temporarily disable or re-enable access |
| Reset Password | Send password reset email |
| Force Logout | Immediately terminate all sessions |
| Remove User | Permanently remove from organization |
Bulk Operations
For managing multiple users simultaneously:
- Select users using row checkboxes
- Bulk action bar appears at top
- Choose operation:
- Suspend all selected
- Reactivate all selected
- Change role for all selected
- Delete all selected
- Provide reason (for audit trail)
- Confirm action
Configuration Options
| Option | Description | Default |
|---|---|---|
| include_inactive | Show deactivated users in list | false |
| User Limit | Maximum users per subscription tier | Tier-dependent |
| Invitation Expiry | How long invitation links remain valid | 7 days |
| Password Policy | Minimum password requirements | Cognito default |
User Attributes
Core Attributes
| Attribute | Description | Editable |
|---|---|---|
| email | User's email address | Yes (triggers verification) |
| first_name | Given name | Yes |
| last_name | Family name | Yes |
| role | Access role | Yes (by admin) |
| is_org_admin | Organization admin flag | Yes (by admin) |
Extended Attributes
| Attribute | Description | Editable |
|---|---|---|
| phone | Phone number | Yes |
| department | Organizational unit | Yes |
| job_title | Position/title | Yes |
| approval_level | RBAC access level (0-5) | Yes (by admin) |
System Attributes (Read-Only)
| Attribute | Description |
|---|---|
| id | Unique user identifier |
| created_at | Account creation timestamp |
| last_login | Most recent login timestamp |
| cognito_user_id | AWS Cognito identifier |
| token_version | Session invalidation counter |
User Actions Reference
Edit Profile
Updates user personal information:
- Name changes take effect immediately
- Email changes require re-verification
- Changes are logged in audit trail
View Activity
Displays user's audit history:
- Actions performed by the user
- Actions performed on the user
- Includes timestamps and IP addresses
- Filterable and exportable
Suspend User
Temporarily blocks access:
- User cannot log in
- Existing sessions remain valid until token expires
- Can be reactivated without data loss
- Requires reason for compliance
Reactivate User
Restores suspended user:
- Access immediately restored
- User can log in with existing credentials
- Activity logged with reason
Reset Password
Triggers password reset flow:
- Cognito sends reset email to user
- User must set new password
- All existing sessions remain valid
- Consider combining with Force Logout for security incidents
Force Logout
Immediately terminates all sessions:
- Invalidates all active tokens
- Cognito global sign-out
- User must re-authenticate
- Use for security incidents or device loss
Remove User
Permanently removes from organization:
- Soft delete (is_active = false)
- User cannot log in
- Data retained for audit purposes
- Cognito user not deleted (can be recovered)
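The Suspend, Reset Password and Force Logout sections above describe three different effects on existing sessions, and the read-only token_version attribute is what makes the Force Logout case work. The following Python is an added example (not ASCEND's or Cognito's code) that models those semantics with a signed session token carrying the user's token_version; the HMAC token format, SECRET and the helper names are assumptions made for illustration:

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example: the HMAC token format, SECRET and the helpers below are
# assumptions for illustration, not ASCEND's or Cognito's real token handling.
SECRET = b"example-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: dict, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Mint a signed session token that embeds the user's current token_version."""
    now = time.time() if now is None else now
    claims = {"sub": user["id"], "ver": user["token_version"], "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, users: dict, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is authentic, unexpired and not revoked, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:          # malformed token, bad base64 or bad JSON
        return None
    if claims["exp"] <= now:
        return None
    user = users.get(claims["sub"])
    if user is None or claims["ver"] != user["token_version"]:
        return None             # minted before a Force Logout bumped the counter
    return claims


def login(user: dict, password_ok: bool, now: Optional[float] = None) -> Optional[str]:
    """Login is where Suspended/Deactivated is enforced: only usable accounts get a session."""
    if not password_ok or user["state"] in ("suspended", "deactivated"):
        return None
    return issue_token(user, now=now)


def suspend(user: dict, reason: str) -> None:
    # Suspension blocks new logins but leaves token_version alone, so tokens
    # already issued keep verifying until they expire, as the page states.
    user["state"] = "suspended"
    user["suspend_reason"] = reason


def force_logout(user: dict) -> None:
    # Bumping the counter invalidates every token minted under the old version.
    user["token_version"] += 1


def reset_password(user: dict, new_password_hash: str) -> None:
    # A reset changes the credential only; sessions survive unless force_logout
    # is also called, which is why the page recommends pairing them in incidents.
    user["password_hash"] = new_password_hash


if __name__ == "__main__":
    users = {"u1": {"id": "u1", "state": "active", "token_version": 0}}
    tok = login(users["u1"], password_ok=True)
    print("valid before force logout:", verify_token(tok, users) is not None)
    force_logout(users["u1"])
    print("valid after force logout:", verify_token(tok, users) is not None)
```

The version check is a per-request database lookup, which is the price of being able to revoke a self-contained token before its expiry; the page's Force Logout additionally calls Cognito global sign-out, which this example does not model.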
API Reference
List Users
```http
GET /api/admin/users?include_inactive=false
Authorization: Bearer <token>
```
Invite User
```http
POST /api/admin/users/invite
Authorization: Bearer <token>
X-CSRF-Token: <csrf_token>
Content-Type: application/json

{
  "email": "new.user@company.com",
  "first_name": "New",
  "last_name": "User",
  "role": "analyst"
}
```
Update User Role
```http
PATCH /api/admin/users/{user_id}/role
Authorization: Bearer <token>
X-CSRF-Token: <csrf_token>
Content-Type: application/json

{
  "role": "admin",
  "is_org_admin": false
}
```
Suspend User
```http
PATCH /api/admin/users/{user_id}/suspend
Authorization: Bearer <token>
X-CSRF-Token: <csrf_token>
Content-Type: application/json

{
  "suspended": true,
  "reason": "Policy violation - pending review"
}
```
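A thin client for the four requests above makes the header discipline explicit: the bearer token goes on every call, while the X-CSRF-Token and JSON content type go only on the state-changing POST and PATCH calls. The following Python is an added example, not an ASCEND SDK; the AdminClient and RecordingTransport classes, the injectable `send` transport and the lowercase "viewer" role string are assumptions (the page shows only "analyst" and "admin" as JSON role values, and expresses Organization Admin through is_org_admin):

```python
import json
from typing import Any, Callable, Dict, List, Optional, Tuple

# Constructed example client; AdminClient, RecordingTransport and the `send`
# transport signature are assumptions, not an ASCEND SDK.
Transport = Callable[[str, str, Dict[str, str], Optional[str]], Tuple[int, Any]]

# Role strings seen in the page's JSON are "analyst" and "admin"; lowercase
# "viewer" is assumed. Organization Admin is expressed via is_org_admin.
VALID_ROLES = {"viewer", "analyst", "admin"}


class AdminApiError(Exception):
    """Non-2xx response from the admin API."""


class AdminClient:
    def __init__(self, base_url: str, bearer_token: str, csrf_token: str, send: Transport):
        self.base_url = base_url.rstrip("/")
        self.bearer_token = bearer_token
        self.csrf_token = csrf_token
        self.send = send

    def _request(self, method: str, path: str, body: Optional[dict] = None) -> Any:
        headers = {"Authorization": f"Bearer {self.bearer_token}"}
        if method != "GET":
            # Every state-changing call carries the CSRF token and a JSON body.
            headers["X-CSRF-Token"] = self.csrf_token
            headers["Content-Type"] = "application/json"
        raw = None if body is None else json.dumps(body)
        status, payload = self.send(method, self.base_url + path, headers, raw)
        if status >= 400:
            raise AdminApiError(f"{method} {path} -> HTTP {status}: {payload}")
        return payload

    def list_users(self, include_inactive: bool = False) -> Any:
        flag = "true" if include_inactive else "false"
        return self._request("GET", f"/api/admin/users?include_inactive={flag}")

    def invite_user(self, email: str, first_name: str, last_name: str, role: str) -> Any:
        if role not in VALID_ROLES:
            raise ValueError(f"unknown role {role!r}; expected one of {sorted(VALID_ROLES)}")
        body = {"email": email, "first_name": first_name, "last_name": last_name, "role": role}
        return self._request("POST", "/api/admin/users/invite", body)

    def update_role(self, user_id: str, role: str, is_org_admin: bool = False) -> Any:
        if role not in VALID_ROLES:
            raise ValueError(f"unknown role {role!r}; expected one of {sorted(VALID_ROLES)}")
        body = {"role": role, "is_org_admin": is_org_admin}
        return self._request("PATCH", f"/api/admin/users/{user_id}/role", body)

    def suspend_user(self, user_id: str, reason: str, suspended: bool = True) -> Any:
        # The same endpoint reactivates with suspended=false; a reason is
        # required either way so the audit trail records why.
        if not reason.strip():
            raise ValueError("a reason is required for the audit trail")
        body = {"suspended": suspended, "reason": reason}
        return self._request("PATCH", f"/api/admin/users/{user_id}/suspend", body)


class RecordingTransport:
    """Offline stand-in for HTTP: records each request and rejects mutating
    calls that lack a CSRF token, the way the server would."""

    def __init__(self):
        self.calls: List[Dict[str, Any]] = []

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: Optional[str]):
        self.calls.append({"method": method, "url": url, "headers": dict(headers),
                           "body": None if body is None else json.loads(body)})
        if method != "GET" and "X-CSRF-Token" not in headers:
            return 403, {"error": "missing CSRF token"}
        return 200, {"ok": True}


if __name__ == "__main__":
    transport = RecordingTransport()
    client = AdminClient("https://ascend.example.com", "<token>", "<csrf_token>", transport)
    client.invite_user("new.user@company.com", "New", "User", "analyst")
    client.suspend_user("u-123", "Policy violation - pending review")
    for call in transport.calls:
        print(call["method"], call["url"], sorted(call["headers"]))
```

Swapping RecordingTransport for a real HTTP call is the only change needed to use this against a live deployment; keeping the transport injectable is also what lets the header and body validation be unit-tested without network access.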
Best Practices
- Onboarding Process
  - Invite users before their start date
  - Assign appropriate role based on job function
  - Verify users complete MFA setup
- Offboarding Process
  - Immediately suspend upon termination notice
  - Force logout all sessions
  - Review and reassign ownership of resources
  - Deactivate account after transition period
- Regular Audits
  - Review user list monthly
  - Verify role assignments quarterly
  - Export and archive audit logs
  - Remove stale pending invitations
- Security Incident Response
  - Force logout affected users immediately
  - Suspend if compromise is suspected
  - Reset password after investigation
  - Review activity logs for unauthorized access
- Principle of Least Privilege
  - Assign minimum necessary role
  - Upgrade access only when justified
  - Document role assignment decisions
  - Regularly review elevated privileges
Compliance Mapping
| Requirement | Standard | Implementation |
|---|---|---|
| Access provisioning | SOC 2 CC6.2 | User invitation workflow |
| Access revocation | SOC 2 CC6.3 | Deactivation and force logout |
| Unique identification | HIPAA 164.312(a)(2)(i) | Unique user IDs |
| Automatic logoff | HIPAA 164.312(a)(2)(iii) | Session timeout and force logout |
| User access review | PCI-DSS 8.1.4 | Activity logs and bulk operations |
| Account management | NIST AC-2 | Full lifecycle management |
Related
- Inviting Users - Detailed invitation guide
- Role Assignment - Role permissions reference
- Admin Console Overview - Console navigation
- Audit Logs - Activity monitoring