docs: add knowledge base guides for reporting, compliance, queue operations, user management, and CVE tracking

docs/kb-user-management-guide.md

@@ -0,0 +1,106 @@
+# User Management & Roles Guide
+
+## Overview
+
+The STEAM Security Dashboard uses role-based access control with four user groups. Only administrators can manage users. All user operations are logged in the audit trail.
+
+## User Groups
+
+| Group | Access Level | Description |
+|-------|-------------|-------------|
+| Admin | Full access | All operations including user management, delete, audit log |
+| Standard_User | Operational access | Create, edit, limited delete (own resources only), exports |
+| Leadership | Read-only + exports | View all data, download CSV/XLSX exports |
+| Read_Only | View only | Read-only access to all pages, no modifications |
+
+## Permission Matrix
+
+| Action | Admin | Standard_User | Leadership | Read_Only |
+|--------|-------|---------------|------------|-----------|
+| View findings/CVEs | Yes | Yes | Yes | Yes |
+| Sync Ivanti data | Yes | Yes | No | No |
+| Edit hostname/DNS overrides | Yes | Yes | No | No |
+| Edit notes | Yes | Yes | No | No |
+| Add to queue | Yes | Yes | No | No |
+| Create FP workflows | Yes | Yes | No | No |
+| Edit FP submissions | Yes | Yes | No | No |
+| Upload compliance reports | Yes | Yes | No | No |
+| Add CVEs | Yes | Yes | No | No |
+| Upload documents | Yes | Yes | No | No |
+| Export CSV/XLSX | Yes | Yes | Yes | No |
+| Delete CVEs/documents | Yes | Own only | No | No |
+| Manage users | Yes | No | No | No |
+| View audit log | Yes | No | No | No |
+
+## Managing Users (Admin Only)
+
+### Accessing User Management
+1. Click the user icon in the top navigation bar
+2. Select "User Management" from the menu
+3. The user list shows all accounts with their group, status, and last login
+
+### Creating a New User
+1. Click "Add User"
+2. Fill in the required fields:
+   - **Username** — must be unique
+   - **Email** — user's email address
+   - **Password** — initial password (user should change on first login)
+   - **Group** — select from Admin, Standard_User, Leadership, or Read_Only
+3. Click Save
+
+New users default to Read_Only if no group is specified.
+
+### Editing a User
+1. Click the edit icon on the user row
+2. Modify username, email, or group
+3. Optionally set a new password (leave blank to keep current)
+4. Click Save
+
+### Changing User Groups
+When changing a user's group, a confirmation dialog appears. Extra warnings are shown when:
+- Removing Admin privileges from a user
+- Upgrading a user to Admin
+
+Group changes are logged separately in the audit trail with the previous and new group recorded.
+
+### Deactivating Users
+Users can be deactivated rather than deleted. Deactivated users cannot log in but their data and audit history are preserved.
+
+## Authentication
+
+- Sessions use httpOnly cookies with 24-hour expiry
+- Passwords are hashed with bcryptjs
+- All API endpoints (except login) require a valid session
+- Failed login attempts are not rate-limited at the application level
+
+## Audit Log
+
+The audit log records all significant actions in the dashboard. Only admins can view it.
+
+### What's Logged
+- User creation, updates, group changes, deletion
+- CVE creation, updates, deletion
+- Document uploads and deletions
+- Ivanti sync operations
+- FP workflow submissions and edits
+- Queue operations
+- Compliance uploads
+- Login/logout events
+
+### Audit Entry Fields
+Each entry includes:
+- Timestamp
+- User who performed the action
+- Action type (e.g., user_create, ivanti_fp_workflow_created)
+- Entity type and ID
+- Details (JSON with specifics of what changed)
+- IP address
+
+## Default Admin Account
+
+On first setup (`node setup.js`), a default admin account is created:
+- Username: `admin`
+- Password: set during setup
+- Group: `Admin`
+
+Change the default password immediately after first login.