Creating a User Account
Navigate to Users → Users and click Create User. The creation dialog has two modes — choose the one that fits your situation.
| Mode | When to use |
|---|---|
| Create New User | The person has no SecBoard account yet. A new Django user and cabinet profile are created together. |
| Use Existing User | A Django auth.User already exists (e.g. from a migration or AD) but has no cabinet profile yet. Wrap it into a cabinet profile without re-creating the account. |
Required fields
| Field | Notes |
|---|---|
| First Name | Used in all email notifications sent on behalf of the user |
| Last Name | |
| Email | Must be unique across the platform; becomes the login username |
| Company | Determines which roles, groups, and quizzes are available |
Optional fields
| Field | Notes |
|---|---|
| Phone | International format; displayed in the directory and user card |
| Profile Photo | JPEG or PNG; max 2 MB; minimum 200 × 200 px |
| User Color | Hex color used to highlight the user in lists and Excel exports |
| Department / Position | Must belong to the selected company; cascades from company selector |
| Start Date / End Date | See Activation by date range below |
| Platform Roles | Job-function roles (CISO, Analyst, etc.) — loaded per company via AJAX |
| Apply groups from roles | Auto-adds all Access Groups defined on the selected roles |
| Additional Cabinet Groups | Manually add groups beyond what the roles provide |
| Quizzes / Tests | Assign mandatory training quizzes at creation time |
| Staff Status | Grants access to the Django admin panel (/secboard_admin/) |
| Require Two-Factor Authentication | Forces the user to set up 2FA before they can use the platform |
Giving Users Their First Access
There are two paths to get a new user into the platform:
Ask the user to go to the login page and click Forgot password?, or send them the URL /password_reset/ directly. They enter their email address and receive a one-time reset link (valid for 1 hour). On click, they set their own password and are ready to log in.
Best for: users who will log in with email + password.
The user goes to /first_login/ and enters their email address plus the control word (company cabinet password) configured in Admin → Cabinet Settings → Cabinet Password for their company. SecBoard emails them a one-time magic login link. On click they are logged in automatically and prompted to complete their profile.
Best for: first-time onboarding without requiring an initial password.
Activation by Date Range
Setting Start Date and End Date on a user account automatically controls whether they can log in, without requiring manual activation or deactivation.
| Scenario | Login allowed? |
|---|---|
| No dates set, Active checkbox ticked | Yes |
| Start date in the future | No (account not yet active) |
| Between start date and end date | Yes |
| End date passed | No (account expired) |
| No dates set, Active checkbox unticked | No |
Active status is evaluated on every login — no cron job or manual step is needed. This is useful for contractors, temporary staff, or employees with a known end date.
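The decision table above, written as a login-time check and run over a few accounts. This is an added example, not SecBoard's own code: the function names and sample accounts are constructed, and it assumes that an unticked Active checkbox always denies login, that both boundary days are inclusive, and that a missing start or end date leaves that side open.

```python
from datetime import date
from typing import List, Optional, Tuple

def employment_status(start: Optional[date], end: Optional[date], today: date) -> str:
    """Bucket a user the way the Employment Status filter names them."""
    if start is None and end is None:
        return "No Dates Set"
    if start is not None and today < start:
        return "Future (not started)"
    if end is not None and today > end:
        return "Past (expired)"
    return "Currently Active"

def login_allowed(active: bool, start: Optional[date], end: Optional[date],
                  today: date) -> Tuple[bool, str]:
    """Decision made at login time; returns (allowed, reason)."""
    # Assumption: an unticked Active checkbox denies login even inside the range.
    if not active:
        return False, "account deactivated"
    status = employment_status(start, end, today)
    if status == "Future (not started)":
        return False, "account not yet active"
    if status == "Past (expired)":
        return False, "account expired"
    # Assumption: boundary days are inclusive and a missing bound is open-ended.
    return True, "ok"

# Constructed sample accounts: (email, active flag, start date, end date).
SAMPLE_USERS = [
    ("perm@example.test", True, None, None),
    ("newhire@example.test", True, date(2024, 7, 1), None),
    ("contractor@example.test", True, date(2024, 1, 1), date(2024, 6, 15)),
    ("former@example.test", True, date(2023, 1, 1), date(2024, 5, 31)),
    ("disabled@example.test", False, None, None),
]

def audit(users, today: date) -> List[Tuple[str, bool, str]]:
    """Evaluate every account for one date, e.g. to review who can log in today."""
    return [(email, *login_allowed(active, start, end, today))
            for email, active, start, end in users]

if __name__ == "__main__":
    for row in audit(SAMPLE_USERS, date(2024, 6, 15)):
        print(row)
```

Because the check takes the date as an argument, the same function can be run for a future date to list accounts that will expire before a review.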
Editing a User Account
Click on any user in the Users list to open their profile. Click Edit to open the edit dialog. All fields from the creation form are editable, plus these additional options:
| Option | Description |
|---|---|
| Change Password | Set a new password directly (min 8 characters; must differ from the current password). |
| Force Password Change | Flags the account so the user is prompted to change their password at their next login. |
| Remove Avatar | Deletes the current profile photo. |
| Require Two-Factor Authentication | Can be toggled on or off. When enabled, the user cannot disable 2FA themselves. |
| Refresh from Active Directory | Shown for AD-synced accounts. Re-fetches the latest attributes (name, email, phone, department) from the directory. |
Password Management
Self-service password reset
Available at /password_reset/. The user enters their email; if it matches an account, a reset link is sent immediately. The link is valid for 1 hour. After clicking it, the user sets a new password via the validated form.
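One way a reset link can be both one-time and limited to 1 hour without storing the token, shown as an added example that is not SecBoard's code. The page does not describe the platform's token scheme; the key, field names and sample user here are constructed, and the token is an HMAC bound to the user's current password hash so that it stops verifying once the password changes.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key"   # placeholder; a real key is a server secret
RESET_TIMEOUT = 3600                   # seconds; the page states 1 hour

# Constructed sample user record.
SAMPLE_USER = {"id": 7, "email": "user@example.test",
               "password_hash": "pbkdf2$constructed-old",
               "last_login": "2024-06-01T09:00:00"}

def sign(user: dict, ts: int) -> str:
    """MAC over the issue time and the account state that must not change."""
    state = "|".join([str(user["id"]), user["password_hash"],
                      str(user["last_login"]), user["email"], str(ts)])
    return hmac.new(SECRET_KEY, state.encode(), hashlib.sha256).hexdigest()

def make_token(user: dict, now: float) -> str:
    ts = int(now)
    return f"{ts}-{sign(user, ts)}"

def check_token(user: dict, token: str, now: float) -> bool:
    try:
        ts_text, mac = token.split("-", 1)
        ts = int(ts_text)
    except ValueError:
        return False                    # malformed token
    expected = sign(user, ts)
    # Constant-time comparison; the timestamp is covered by the MAC, so
    # editing it to extend the lifetime breaks verification.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    return 0 <= int(now) - ts <= RESET_TIMEOUT

if __name__ == "__main__":
    issued = time.time()
    token = make_token(SAMPLE_USER, issued)
    print("fresh:", check_token(SAMPLE_USER, token, issued + 60))
    print("after 2 h:", check_token(SAMPLE_USER, token, issued + 7200))
    changed = dict(SAMPLE_USER, password_hash="pbkdf2$constructed-new")
    print("after password change:", check_token(changed, token, issued + 60))
```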
Admin-set password
Open the user's Edit dialog → expand the Change Password section → enter and confirm the new password → save. The system enforces that the new password differs from the current one.
Force change at next login
In the Edit dialog, tick Force user to change password at next login. The user can log in once with their current password, but they are immediately redirected to the change-password form. They cannot proceed until they set a new one.
User changes their own password
Logged-in users can change their password at Personal Cabinet → Account Settings (/update_profile/). After saving, all other active sessions are invalidated.
Two-Factor Authentication (2FA)
User-initiated setup
- Log in and go to Personal Cabinet (/personal-cabinet/).
- Find the Two-Factor Authentication section and click Set Up 2FA.
- Scan the QR code with an authenticator app (Google Authenticator, Microsoft Authenticator, Authy, etc.).
- Enter the 6-digit code shown in the app to confirm the setup.
- Save the 10 backup codes shown — they are displayed only once and cannot be recovered.
Admin-enforced 2FA
When Require Two-Factor Authentication is enabled on a user account, they are redirected to the 2FA setup screen immediately after their first login. They cannot access any part of the platform until setup is complete. Once enforced, the user cannot disable 2FA from their profile — only an administrator can turn this off.
Backup codes
If the user loses their authenticator device, they can use a one-time backup code at the 2FA challenge screen. To regenerate a fresh set of 10 codes, go to Personal Cabinet → 2FA section → Regenerate Backup Codes. All previous codes are invalidated immediately.
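A sketch of the backup-code lifecycle described above: ten codes shown once, each usable once, and all of them invalidated on regeneration. This is an added example, not SecBoard's implementation; the class, the code format (16 hex characters in groups of four) and storing only SHA-256 digests are assumptions chosen to match "displayed only once and cannot be recovered".

```python
import hashlib
import hmac
import secrets
from typing import List, Set

CODE_COUNT = 10  # the page states that each set contains 10 backup codes

def normalise(code: str) -> str:
    """Accept codes typed with spaces, dashes or upper-case letters."""
    return code.replace("-", "").replace(" ", "").lower()

def digest(code: str) -> str:
    # Codes carry 64 random bits, so a plain SHA-256 digest is enough here;
    # shorter codes would need a keyed or deliberately slow hash.
    return hashlib.sha256(normalise(code).encode()).hexdigest()

class BackupCodes:
    """Backup-code set of one user (hypothetical class, not SecBoard's)."""

    def __init__(self) -> None:
        self._digests: Set[str] = set()

    def regenerate(self) -> List[str]:
        """Replace the whole set; the plaintext is returned exactly once."""
        codes = set()
        while len(codes) < CODE_COUNT:
            raw = secrets.token_hex(8)
            codes.add("-".join(raw[i:i + 4] for i in range(0, 16, 4)))
        self._digests = {digest(c) for c in codes}  # old codes stop working
        return sorted(codes)

    def redeem(self, presented: str) -> bool:
        """Return True once per valid code, then forget that code."""
        candidate = digest(presented)
        matched = None
        for stored in self._digests:  # no early exit, constant-time compare
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return False
        self._digests.discard(matched)
        return True

    def remaining(self) -> int:
        return len(self._digests)
```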
Searching and Filtering Users
The Users list supports the following filters, which can be combined freely:
| Filter | Values |
|---|---|
| Search | Free-text: searches name, email, phone (case-insensitive contains) |
| Company | Filter to a specific company |
| Department / Position | Filter within the selected company |
| Cabinet Group | Users belonging to a specific access group |
| Status | Active, Inactive, Profile Completed, Staff |
| Employment Status | Currently Active, Future (not started), Past (expired), No Dates Set |
| Date From / Date To | Filter by start date or end date range |
| Per Page | 10, 25, 50, or 100 records per page |
Exporting the User Directory
Click Export to Excel on the Users list. The export respects all active filters — only visible users are included. The downloaded .xlsx file contains:
- Full Name, Email, Phone
- Company, Department, Position
- Account Status (active/inactive)
- Cabinet Groups, Other Groups
- Start Date, End Date
Each row is highlighted with the user's assigned color for quick visual identification.
Deleting a User Account
Open the user's profile and click Delete. Confirm the action in the confirmation dialog.
What Users Can Edit Themselves
From their Personal Cabinet (/personal-cabinet/), users can:
- Update their First Name and Last Name.
- Update their Phone number.
- Upload or replace their Profile Photo (JPEG/PNG, max 2 MB, min 200 × 200 px).
- Change their Password (invalidates all other sessions on save).
- Set up, verify, or disable 2FA (unless 2FA is admin-enforced).
- Regenerate backup codes for 2FA.
Company, department, and position are displayed as read-only — changes require an administrator to edit the account from the Users section.
The Personal Cabinet also shows the user's task list: overdue processes, pending quiz assignments, expiring certificates, asset actualization tasks, access request approvals, and document familiarisation tasks.
Active Directory Accounts
Users provisioned from Active Directory have their profile attributes (name, email, phone, department) automatically refreshed on every login. An administrator can also trigger a manual refresh at any time via the Refresh from AD button in the Edit dialog.
AD-synced accounts are marked with an AD badge in the Users list. Their passwords are managed in the directory, not in SecBoard — the password reset flow has no effect on AD-authenticated users.
Next Steps
Organisational Structure
Create the companies, departments, and positions that appear in user profiles.
Roles & Permissions
Define Platform Roles and Access Groups before creating users, so you can assign them at creation time.