Frequently Asked Questions (FAQ)

Frequently asked questions covering installation errors, SSL and CSRF setup, user login problems, roles vs groups, 2FA recovery, AD/LDAP troubleshooting, email configuration, and common Django/Nginx errors.

Quick answers to the most common questions about installing, configuring, and using SecBoard. Use Ctrl+F / Cmd+F to search this page for a keyword.

Installation & Infrastructure

A production instance needs at least 2 vCPU, 4 GB RAM, and 40 GB SSD. For teams of 10–50 users, 4 vCPU / 8 GB RAM is comfortable. The stack requires Python 3.10+, MySQL 8+ (or MariaDB 10.6+), Redis 6+, and Nginx. Full details are in the System Requirements article.

For production, the bare-metal / VPS method (Gunicorn + Nginx + systemd) gives the most control and is how SecBoard is shipped. Docker can be used for development or evaluation. See the Installation Guide.

The virtual environment is not activated. The systemd service file must reference the full path to the virtualenv binary:

ExecStart=/srv/SecBoard/venv/bin/gunicorn ... SecBoard.wsgi:application

If you are running commands manually, activate the environment first:

source /srv/SecBoard/venv/bin/activate

Run collectstatic to populate the staticfiles/ directory that Nginx serves:

source /srv/SecBoard/venv/bin/activate
python manage.py collectstatic --noinput

Then verify the Nginx location /static/ block points to the correct alias path and reload Nginx.

Use Certbot with the webroot method. First, deploy the HTTP-only Nginx config and confirm the domain resolves. Then:

sudo certbot certonly --webroot     -w /srv/SecBoard/letsencrypt     -d your-domain.com -d www.your-domain.com

Verify auto-renewal: sudo certbot renew --dry-run. Full steps in SSL, Domain & Reverse Proxy.

Add your HTTPS domain to csrf_trusted_origins in credential.py:

csrf_trusted_origins = [
    'https://your-domain.com',
    'https://www.your-domain.com',
]

Also ensure debug = False is set. Then restart the Gunicorn service.

Initial Configuration

Set debug = False, allowed_hosts, and csrf_trusted_origins in credential.py.
Configure the site name, domain, and protocol in Admin → Site Settings.
Set up at least one Mail Server and Mail Account for sending system emails.
Create your Platform Roles and Access Groups.
Create your administrator user and assign the superuser or appropriate admin group.

In the Django admin panel at /secboard_admin/:

App Conf → Site Settings — site name, domain, protocol, project type, default email.
App Conf → Contact Settings — public contact info, social media links, email recipients for the contact form.

SecBoard supports English, Ukrainian, and Russian by default. Users switch the language via the flag menu in the top navigation bar — their choice is stored in the session. Additional languages are available on request.

Work through this checklist:

Confirm a Mail Server and Mail Account exist in Admin → App Conf.
Check the SMTP host, port, and TLS settings — a common mistake is using port 587 with SSL instead of STARTTLS.
Verify the mail account password is correct by saving it again (the field is encrypted).
Check that the feature requiring email (invitations, risk reports, etc.) has a mail account assigned to it.
Check Django logs at /srv/SecBoard/logs/gunicorn_error.log for SMTP exceptions.

Users, Roles & Access

Check in order:

No password set? New accounts are created without a password. Send the user to /password_reset/ or use the First Login flow at /first_login/.
Account inactive? Open the user in Users → Users and check that Active is ticked, and that the Start Date is not in the future and End Date is not in the past.
AD account disabled? If the user is AD-synced, check whether their Active Directory account has the ACCOUNTDISABLE flag set.
2FA required? If Require Two-Factor Authentication is enabled, the user must complete 2FA setup before they can proceed.

The user has no Access Groups, or their groups have no permissions enabled. Check:

The user is assigned at least one Access Group (Users → Users → Edit → Access Groups).
The group has the relevant module's view permission enabled.
The group has Show link enabled for the module — this is a separate permission from view access and controls whether the module appears in the navigation menu.

Platform Roles define who the user is (e.g. CISO, Risk Analyst) and control which widgets appear on their Executive View dashboard. Access Groups define what they can do — each module has its own boolean permission set (view, add, edit, delete, export) attached to groups. A user can have any number of roles and groups; the two layers are independent. See Roles & Permissions.

Open the user in Users → Users → Edit and either:

Uncheck Active (immediate effect), or
Set an End Date in the past — the account becomes inactive at that point automatically.

This preserves all history, assignments, and data. Deletion is permanent and cannot be undone.

Access to the Users section is controlled by the User Management permission set inside your Access Group. You need at least View Users enabled for your group. Superusers bypass this check automatically. Ask your administrator to enable the appropriate permission on your group, or to grant you superuser status if you manage the platform.

SecBoard does not send an automatic invitation email when you create an account. There are two options:

Password reset: Ask the user to go to /password_reset/ and enter their email — they will receive a one-time reset link (valid 1 hour).
First Login: Share the URL /first_login/ and the company cabinet password (set in Admin → Cabinet Settings). The user enters their email and cabinet password to receive a magic login link by email.

First, ask the user to try their backup codes — they received 10 codes when they set up 2FA. One backup code can be used at the 2FA challenge screen.
If all backup codes are lost, open the user in Users → Users → Edit, turn off Require Two-Factor Authentication, and save. This allows the user to log in without 2FA so they can set up a new authenticator device.
After they set up a new device, re-enable the requirement if needed.

Active Directory & LDAP

Email attribute missing: Check that attr_email is set to the correct AD attribute and that the user has a value for it. SecBoard uses the email as the username.
User object filter too restrictive: The default (objectClass=user) should match standard AD users. If you customised the filter, verify it still matches the user.
Account disabled in AD: SecBoard mirrors the ACCOUNTDISABLE flag — if the AD account is disabled, SecBoard will also disable the user.
Password contains special characters: Ensure the password field is not being URL-encoded or truncated before reaching the LDAP bind.

Group matching is case-sensitive. The SecBoard CabinetGroup name must exactly match the AD group CN (e.g. SecBoard-Risk-Managers, not secboard-risk-managers).
Sync is additive only — groups are added but never removed. If a user has a group in SecBoard that isn't in AD, it stays.
The user must log in again after you configure sync — the sync runs on login, not retroactively.
Check that the SecBoard group is either global (no company set) or belongs to the same company as the user.

Yes. Both backends are active simultaneously. The login form tries the database backend first, then the AD backend. Users with a local SecBoard password use the database backend; users without a local password (AD-provisioned) are authenticated through AD. Mixed environments work without any configuration change.

Email & Notifications

A Mail Server defines the SMTP connection (host, port, TLS/SSL). A Mail Account is a sender address and password tied to a Mail Server. Multiple accounts can share one server (e.g. noreply@ and reports@ both using the company SMTP). Each feature in SecBoard can be assigned a different account.

Check that the default mail account is configured in Admin → App Cabinet → Cabinet Settings for the user's company.
Verify the SMTP credentials by saving the mail account again — the bind password field is encrypted and needs to be re-entered if blank.
Check spam/junk folders on the recipient's side.
Review /srv/SecBoard/logs/gunicorn_error.log for SMTP exception details.
Confirm the sender domain has valid SPF/DKIM records — major email providers reject unsigned mail.

In Admin → App Conf → Contact Settings:

Confirm Auto-Reply Mail Account is set.
Confirm Auto-Reply Subject and body are filled in.
Confirm the contact form's Reply Email is set to a valid address.

Personal Account & Profile

This is expected behaviour. When you change your password from Personal Cabinet → Account Settings, all other active sessions are invalidated immediately. This is a security feature to ensure that anyone who had access to your previous session cannot continue using it.

These fields are read-only on the user's own profile page. Only an administrator with the Edit Users permission can change them. Contact your SecBoard administrator to update your organisational information.

Profile photos must meet all three conditions:

Format: JPEG or PNG (not WebP, GIF, or SVG)
File size: under 2 MB
Dimensions: at least 200 × 200 pixels

Resize or compress the image and try again.

An administrator has enabled Require Two-Factor Authentication on your account. When this setting is on, you cannot disable 2FA yourself. If you believe this is in error, contact your SecBoard administrator.

Common Errors

Ensure csrf_trusted_origins in credential.py includes your full domain with scheme (e.g. https://your-domain.com).
Restart Gunicorn after any credential.py change: sudo systemctl restart secboard.
Clear browser cookies for the domain — a stale CSRF cookie from a previous session can cause this.

The domain is not in allowed_hosts in credential.py. Add it:

allowed_hosts = ['your-domain.com', 'www.your-domain.com', '127.0.0.1']

Restart Gunicorn after the change.

This happens when SECURE_SSL_REDIRECT = True (set by debug = False) but Django doesn't see the X-Forwarded-Proto: https header from Nginx.

Ensure the Nginx config includes:

proxy_set_header X-Forwarded-Proto $scheme;

settings.py already has SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') — the Nginx header is the missing piece.

Check all three services are running:

sudo systemctl status secboard
sudo systemctl status SecBoard_celery
sudo systemctl status SecBoard_celery_beat

Celery requires Redis to be running (sudo systemctl status redis). Check /srv/SecBoard/logs/celery_worker.log and celery_beat.log for error details.

The Nginx client_max_body_size is too low. The default SecBoard Nginx config sets this to 100M. If you reduced it, restore it:

client_max_body_size 100M;

Reload Nginx after the change: sudo systemctl reload nginx.

Didn't find your answer? Browse the full User Manual for detailed articles on each topic, or contact your SecBoard administrator.

Attachments

No attachments for this article.

Frequently Asked Questions (FAQ)

Installation & Infrastructure

What are the minimum server requirements?

Which installation method is recommended?

Gunicorn won't start — "No module named django" error.

Static files return 404 after deployment.

How do I obtain a free SSL certificate?

Django shows CSRF errors after switching to HTTPS.

Initial Configuration

I deployed SecBoard — what should I configure first?

Where do I change the site name, logo, and contact details?

Which interface languages does SecBoard support?

Outgoing emails are not being sent.

Users, Roles & Access

A new user can't log in — what's wrong?

A user can log in but sees a blank dashboard / no modules in the navigation.

What is the difference between a Platform Role and an Access Group?

How do I temporarily disable a user without deleting their data?

I can't access the Users section — getting "Access Denied".

How do I send an invitation to a new team member?

A user forgot their 2FA device. How do I restore access?

Active Directory & LDAP

AD users can't log in — "Test Connection" passes but login fails.

AD group sync is enabled but users aren't getting the right groups.

Can I use AD for some users and email/password for others?

Email & Notifications

What is the difference between a Mail Server and a Mail Account?

Password reset emails aren't arriving.

Contact form submissions aren't triggering an auto-reply.

Personal Account & Profile

I changed my password but got logged out of all other devices.

Why can't I change my company, department, or position?

My profile photo upload fails.

The "Disable 2FA" button is greyed out.

Common Errors

"CSRF verification failed" on login or form submission.

"DisallowedHost" error in the browser or logs.

The platform loads over HTTP but redirects to HTTPS infinitely.

Celery tasks aren't running (scheduled reports, notifications not sent).

File uploads fail with "413 Request Entity Too Large".

Attachments

Related Articles

SecBoard installation — Linux server from build archive (greenfield)

System Requirements & Dependencies

Authentication Integrations (AD/LDAP)

Roles & Permissions

First Login & Administrator Account

User Invitations & Account Management

Article Info

Share

Cookies Notice

Cookie Preferences

Essential Cookies Required

Examples:

Functional Cookies

Examples:

Analytics Cookies

Examples:

Marketing Cookies

Examples: