Access
Getting access to the application typically follows one of two flows:
- Users request access to the application through the sign-up link (/auth/signup)
- Users are invited to the application by an admin
Given two possible flows, it is possible for a request to exist while an account already exists. This is harmless and can easily be decluttered by deleting the extra requests.
Requesting Access
When a user visits your app they have the option to sign up through the login link.
(Screenshot: Sign up)
Completing the short form creates the request, which can be acted upon by anyone holding the CreateUser or DeleteUser admin right on the admin/access-requests page.
(Screenshot: Admin Access Requests)
There are a few aspects worth noting here:
- Only requests from valid domains are accepted (see Authentication, Allowed Domains); requests from other domains effectively fail silently, so the list of domains you allow is kept private.
- Only one request can be made by each email address
- The requestor's message is replaced upon resubmission
- Declined requests are also deleted. The admin right viewDeleted is needed to see deleted requests. Undeleting a request requires the admin right createAccessRequest.
- Approving a request creates an account, generates a secure random password, and sends the user an email to validate the request. Upon successful validation, the user will need to reset their password.
- To allow SSO, a user must exist. SSO details are attached to the user's profile, but all details are hidden except for the validation that the user is able to use it. Once logged in, the user can trigger the SSO flow, which associates the SSO identity with the account. Permissions are managed within the application rather than through third-party OAuth providers.
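As an added illustration, not code from the application this page documents, the following Python model implements the request rules listed above: requests from disallowed domains are dropped while the requester sees the same acknowledgement as an allowed one (so the allowlist is not disclosed), one request per address with the message replaced on resubmission, declined requests soft-deleted and visible only with viewDeleted, undelete gated by createAccessRequest, and approval creating an account with a random password that must be reset after validation. The allowed-domain set, the admin users, the rights table and the mailer stub are constructed assumptions; the admin right names are the ones used on this page.

```python
import secrets
from dataclasses import dataclass

# Constructed allowlist standing in for Authentication -> Allowed Domains.
ALLOWED_DOMAINS = {"example.com", "example.org"}

# Constructed rights table; the right names are the ones this page uses.
RIGHTS = {
    "alice": {"CreateUser", "DeleteUser", "viewDeleted", "createAccessRequest"},
    "bob": {"CreateUser"},
}

@dataclass
class AccessRequest:
    email: str
    message: str
    deleted: bool = False      # declined requests are soft-deleted, not erased

@dataclass
class Account:
    email: str
    password: str              # random initial password, replaced on reset
    validated: bool = False
    must_reset_password: bool = True

pending: dict[str, AccessRequest] = {}
accounts: dict[str, Account] = {}

ACK = "Thanks, your request has been received."

def _require(admin: str, right: str) -> None:
    """Raise unless the admin holds the named right."""
    if right not in RIGHTS.get(admin, set()):
        raise PermissionError(f"{admin} lacks admin right {right}")

def submit_request(email: str, message: str) -> str:
    """Handle the sign-up form. The response is identical whether or not the
    domain is allowed, so a requester cannot probe the allowlist."""
    email = email.strip().lower()
    domain = email.rsplit("@", 1)[-1] if "@" in email else ""
    if domain in ALLOWED_DOMAINS:
        # One request per address: a resubmission replaces the earlier message.
        pending[email] = AccessRequest(email=email, message=message)
    return ACK

def list_requests(admin: str, include_deleted: bool = False) -> list[AccessRequest]:
    """Active requests for anyone; deleted ones only with viewDeleted."""
    if include_deleted:
        _require(admin, "viewDeleted")
    return [r for r in pending.values() if include_deleted or not r.deleted]

def decline(admin: str, email: str) -> None:
    _require(admin, "DeleteUser")
    pending[email].deleted = True

def undelete(admin: str, email: str) -> None:
    _require(admin, "createAccessRequest")
    pending[email].deleted = False

def send_validation_email(email: str) -> None:
    """Stand-in for the real mailer; hypothetical."""
    return None

def approve(admin: str, email: str) -> Account:
    """Create the account with a secure random password, remove the request,
    and send the validation email. The user must reset the password later."""
    _require(admin, "CreateUser")
    req = pending[email]
    if req.deleted:
        raise ValueError("request is deleted; undelete it first")
    acct = Account(email=email, password=secrets.token_urlsafe(24))
    accounts[email] = acct
    del pending[email]
    send_validation_email(email)
    return acct
```

The constant acknowledgement in submit_request is the detail worth copying: if the allowed-domain check produced a different message or status code, the allowlist the page says is kept private could be enumerated one domain at a time.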
Giving Access
Users with the CreateUser admin right can create accounts directly through the Admin → Users menu. For bulk operations, a .csv template is available in the upper right of the Add User panel. Creating an account automatically sets a secure random password and sends a request to validate the account. Users will need to reset their password after the account is created.
While it is possible to create an account outside of the Allowed Domains, this allows neither password setting nor automatic validation of email addresses or phone numbers.
SSO
Under the default settings, users will need to create an account. Upon navigating back to the login page, they'll see a message to Add SSO. (This option must be activated by the administrator first. See Authentication, Customizing Admin Settings.) Logging in a second time through SSO will automatically associate the SSO settings to the user's account.
Alternatively, if Allow Registration is active in the application settings, users can sign up with SSO directly. While this creates an account automatically, it also creates a secure random password, which can be reset and used provided the option to log in through username/password is active.
SSO settings can be removed from a user's profile by any user with the UserUpdate admin right from the './admin/users' page.