User management

The user management allows users to be assigned roles, thereby managing permissions for various actions and access within the platform. Users can decide to use preconfigured roles with static rights or create custom roles with individual rights.

Core concepts

Roles

A role is a set of permissions that can be assigned to a user. Each user in the system can be assigned one or more roles. Roles can either be:

Preconfigured: With a fixed set of permissions.
Custom: Defined by administrators with appropriate permissions.

Permissions

Permissions define access to specific functionalities (i.e., access to specific endpoints) such as viewing users or creating orders. Permissions are always assigned to roles, not directly to users.

Context limitations

To restrict access within permissions, roles can be associated with context limitations. These limit a user’s access to specific parts of the system.

Available context types:

Facility: Access is limited to specific facilities.
Zone: Access is limited to a specific zone.
Userroles: Access is limited to users who have roles with the defined roles. Also, it limits the roles that can be assigned to other users.

Context limitations on roles vs users

A context limitation can be set either on role level or per user assignment.

If a role has no context limitation of a given type, it can define one of that type during user assignment. For example, limiting a supervisor to their facility.

If a role has a context limitation, it applies to all users with that role. User-specific limitations of the same type are then not allowed.

You cannot set a context limitation on a role that is already assigned to users.

Managing users

Creating users

Users can only be created by users with the user_write permission.

Requirements:

The username must be unique.
Umlauts are automatically converted (e.g., ö → oe, ß → ss).
Password must be at least 6 characters long.
A primary language can be assigned.

When a user with context limitations creates another user, the new user must inherit at least the same limitations. Stricter limitations are allowed, broader ones are not.

Editing and deleting users

Users with the USER_MODIFY permission can edit other users or assign roles to them.
Users can delete themselves or be deleted by others with appropriate permissions.
If a user loses access to required permissions (e.g., by role removal or facility reassignment), they are immediately logged out.
Any pending tasks (e.g., pick jobs) are reset and made available again.

Assigning roles

Not only administrators can assign roles — any user with the USER_MODIFY permission can do so.
When assigning a role, the assigner’s context limitations are enforced to avoid privilege escalation.
Users can only assign roles that fall within their own role context limitations.

Managing roles

The ROLE_WRITE permission allows you to create custom roles.

When you change the permissions of a role, the updated permissions take effect immediately for all users who have that role. However, short delays (up to 5 minutes) may occur for technical reasons.

Roles can be deleted, but only if they are not currently assigned to any users. Preconfigured roles cannot be modified or deleted. Each role name must be unique.

When creating custom roles, make sure to read the notes on privilege escalation below to avoid unintended security risks.

Privilege escalation

This section describes safeguards against privilege escalation during role assignment.

Rule 1: Enforced Context Inheritance

If a user with context limitations assigns a role to another user, the assigned user must:

Receive the same or stricter context limitations.
Not receive broader or fewer restrictions than the assigning user has.

✅ Allowed: A user limited to Zone A, Zone B assigns a role to a user which is also limited to Zone A, Zone B, or further restricted to a single zone like only Zone A. ❌ Not allowed: A user limited to Zone A assigns a role to a user without any zone limitation.

Rule 2: Roles With `USER_MODIFY`

Any role that includes the USER_MODIFY permission grants the ability to assign arbitrary roles — including administrator-level roles — unless specifically constrained by a Userrole context limitation.

To prevent unintended elevation, it is recommended to:

Always define a context limitation of type Userrole on such roles.
Ensure the limitation restricts what roles can be assigned (e.g., exclude ADMINISTRATOR).

This ensures that users with the USER_MODIFY permission cannot escalate privileges beyond intended boundaries.

Last updated 9 days ago