3.6 KiB
User Management & Roles Guide
Overview
The STEAM Security Dashboard uses role-based access control with four user groups. Only administrators can manage users. All user operations are logged in the audit trail.
User Groups
| Group | Access Level | Description |
|---|---|---|
| Admin | Full access | All operations including user management, delete, audit log |
| Standard_User | Operational access | Create, edit, limited delete (own resources only), exports |
| Leadership | Read-only + exports | View all data, download CSV/XLSX exports |
| Read_Only | View only | Read-only access to all pages, no modifications |
Permission Matrix
| Action | Admin | Standard_User | Leadership | Read_Only |
|---|---|---|---|---|
| View findings/CVEs | Yes | Yes | Yes | Yes |
| Sync Ivanti data | Yes | Yes | No | No |
| Edit hostname/DNS overrides | Yes | Yes | No | No |
| Edit notes | Yes | Yes | No | No |
| Add to queue | Yes | Yes | No | No |
| Create FP workflows | Yes | Yes | No | No |
| Edit FP submissions | Yes | Yes | No | No |
| Upload compliance reports | Yes | Yes | No | No |
| Add CVEs | Yes | Yes | No | No |
| Upload documents | Yes | Yes | No | No |
| Export CSV/XLSX | Yes | Yes | Yes | No |
| Delete CVEs/documents | Yes | Own only | No | No |
| Manage users | Yes | No | No | No |
| View audit log | Yes | No | No | No |
Managing Users (Admin Only)
Accessing User Management
- Click the user icon in the top navigation bar
- Select "User Management" from the menu
- The user list shows all accounts with their group, status, and last login
Creating a New User
- Click "Add User"
- Fill in the required fields:
- Username — must be unique
- Email — user's email address
- Password — initial password (user should change on first login)
- Group — select from Admin, Standard_User, Leadership, or Read_Only
- Click Save
New users default to Read_Only if no group is specified.
Editing a User
- Click the edit icon on the user row
- Modify username, email, or group
- Optionally set a new password (leave blank to keep current)
- Click Save
Changing User Groups
When changing a user's group, a confirmation dialog appears. Extra warnings are shown when:
- Removing Admin privileges from a user
- Upgrading a user to Admin
Group changes are logged separately in the audit trail with the previous and new group recorded.
Deactivating Users
Users can be deactivated rather than deleted. Deactivated users cannot log in but their data and audit history are preserved.
Authentication
- Sessions use httpOnly cookies with 24-hour expiry
- Passwords are hashed with bcryptjs
- All API endpoints (except login) require a valid session
- Failed login attempts are not rate-limited at the application level
Audit Log
The audit log records all significant actions in the dashboard. Only admins can view it.
What's Logged
- User creation, updates, group changes, deletion
- CVE creation, updates, deletion
- Document uploads and deletions
- Ivanti sync operations
- FP workflow submissions and edits
- Queue operations
- Compliance uploads
- Login/logout events
Audit Entry Fields
Each entry includes:
- Timestamp
- User who performed the action
- Action type (e.g., user_create, ivanti_fp_workflow_created)
- Entity type and ID
- Details (JSON with specifics of what changed)
- IP address
Default Admin Account
On first setup (node setup.js), a default admin account is created:
- Username:
admin - Password: set during setup
- Group:
Admin
Change the default password immediately after first login.