User Management Quick Reference
Quick command reference for managing users in Slidefactory.
Prerequisites
For Docker Users:
- Docker containers must be running: docker-compose up -d
- Run CLI commands inside the web container using docker-compose exec web slidefactory
Command Format:
Common Commands
List Users
# Basic list
docker-compose exec web slidefactory user list
# With scopes
docker-compose exec web slidefactory user list --show-scopes
# Entra users only
docker-compose exec web slidefactory user list --provider azure_ad --show-groups
Show User Details
Create Local User
# Admin
docker-compose exec web slidefactory user create-local admin@example.com \
--name "Admin User" \
--preset admin
# Workflow user
docker-compose exec web slidefactory user create-local user@example.com \
--name "Team Member" \
--preset workflow-user \
--workflow esg2
# API user
docker-compose exec web slidefactory user create-local api@example.com \
--name "API Account" \
--preset api-user
# Custom scopes
docker-compose exec web slidefactory user create-local custom@example.com \
--name "Custom User" \
--scopes "presentations:read,results:read"
Manage Scopes
# Add scope
docker-compose exec web slidefactory user add-scope user@example.com "presentations:generate"
# Remove scope
docker-compose exec web slidefactory user remove-scope user@example.com "workflows:esg3:read"
# Replace all scopes
docker-compose exec web slidefactory user set-scopes user@example.com \
"workflows:read,presentations:read,presentations:generate"
Entra Users
# Reset to group-based scopes
docker-compose exec web slidefactory user reset-to-groups user@example.com
# List group mappings
docker-compose exec web slidefactory user list-groups
Account Status
# Activate
docker-compose exec web slidefactory user activate user@example.com
# Deactivate
docker-compose exec web slidefactory user deactivate user@example.com
Password Management
# Change password (local users only)
docker-compose exec web slidefactory user change-password user@example.com
Scope Presets
| Preset | Scopes | Use Case |
|---|---|---|
| admin | * | Full system access |
| workflow-admin | Workflow management + templates:write | Workflow owner |
| workflow-user | Workflow execution + presentations:generate | Regular team member |
| viewer | presentations:read + results:read | Read-only access |
| api-user | presentations:generate + workflows:read | Service accounts |
Usage:
docker-compose exec web slidefactory user create-local user@example.com \
--name "User" \
--preset <preset> \
[--workflow <workflow_id>] # Required for workflow-admin/workflow-user
Scope Reference
Common Scopes
* # Full admin access
workflows:read # View all workflows
workflows:{id}:read # View specific workflow
workflows:{id}:execute # Execute workflow
templates:{id}:read # Read templates
templates:{id}:write # Manage templates
presentations:read # View presentations
presentations:generate # Generate presentations
results:read # View results
contexts:read # View documents
users:write # Manage users
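A pre-flight check for the comma-separated scope strings passed to --scopes and set-scopes, as an added example that is not part of Slidefactory: it classifies each scope against the Common Scopes list above and flags *, write scopes, and anything unrecognised such as a typo or a literal {id}. The function names, the id character set, the "privileged" label and the exit codes are assumptions of this example.

```sh
#!/bin/sh
# Added example, not Slidefactory code. Patterns come from the Common Scopes
# list; id charset, the "privileged" label and exit codes are assumptions.

# Succeed if $1 is a non-empty id made only of letters, digits, _ and -.
valid_id() {
  case $1 in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
}

# Print the class of one scope: admin, privileged, ok or unknown.
classify_scope() {
  case $1 in
    '*') echo admin ;;
    users:write) echo privileged ;;
    workflows:read|presentations:read|presentations:generate|results:read|contexts:read)
      echo ok ;;
    workflows:*:read|workflows:*:execute|templates:*:read|templates:*:write)
      _id=${1#*:}; _id=${_id%:*}          # text between first and last colon
      if ! valid_id "$_id"; then echo unknown
      elif [ "$1" = "templates:$_id:write" ]; then echo privileged
      else echo ok; fi ;;
    *) echo unknown ;;
  esac
}

# Audit a comma-separated scope string. Prints every scope that needs a
# second look; exits 0 (clean), 1 (admin/privileged) or 2 (unknown scope).
# The body runs in a subshell so the IFS and noglob changes do not leak.
audit_scopes() (
  rc=0
  IFS=,      # split on commas only
  set -f     # keep a literal * from being expanded as a glob
  for scope in $1; do
    scope=${scope#"${scope%%[! ]*}"}   # trim leading spaces
    scope=${scope%"${scope##*[! ]}"}   # trim trailing spaces
    class=$(classify_scope "$scope")
    case $class in
      ok) ;;
      unknown) echo "unknown: $scope"; rc=2 ;;
      *) echo "$class: $scope"; [ "$rc" -ne 0 ] || rc=1 ;;
    esac
  done
  exit "$rc"
)

# Constructed input: the set-scopes string used on this page passes cleanly.
audit_scopes "workflows:read,presentations:read,presentations:generate" && echo "scopes look fine"
```

Because set-scopes replaces every scope the user has, running the string through audit_scopes first catches a misspelled scope before it silently drops or widens access.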
Docker Examples
First-Time Setup
# 1. Start services
docker-compose up -d
# 2. Create admin
docker-compose exec web slidefactory user create-local \
admin@company.com \
--name "Administrator" \
--preset admin
Create Team Members
# Multiple users
docker-compose exec web slidefactory user create-local \
user1@company.com --name "User 1" --preset workflow-user --workflow esg2
docker-compose exec web slidefactory user create-local \
user2@company.com --name "User 2" --preset viewer
docker-compose exec web slidefactory user create-local \
api@company.com --name "API Account" --preset api-user
Grant Additional Access
# Add workflow access
docker-compose exec web slidefactory user add-scope \
user@company.com "workflows:esg3:execute"
# Verify
docker-compose exec web slidefactory user show user@company.com
Revoke Access
# Deactivate user
docker-compose exec web slidefactory user deactivate user@company.com
# Or remove specific scope
docker-compose exec web slidefactory user remove-scope \
user@company.com "workflows:esg3:execute"
Troubleshooting
User can't log in
# Check if user exists and is active
docker-compose exec web slidefactory user show user@example.com
# Activate if needed
docker-compose exec web slidefactory user activate user@example.com
# Reset password (local users)
docker-compose exec web slidefactory user change-password user@example.com
Wrong permissions
# Check current scopes
docker-compose exec web slidefactory user show user@example.com
# For Entra users: reset to groups
docker-compose exec web slidefactory user reset-to-groups user@example.com
# Or manually adjust
docker-compose exec web slidefactory user add-scope user@example.com "needed:scope"
Database connection issues
# Verify database is running
docker-compose ps postgres
# Test database connection from inside container
docker-compose exec postgres pg_isready
# Test CLI access
docker-compose exec web slidefactory user list
CLI not working
# Ensure containers are running
docker-compose ps
# Rebuild image if needed (after updates)
docker-compose build web
# Restart services
docker-compose restart web
Authentication Providers
Local Users
- Username/password in database
- Managed via CLI
- Good for: Development, service accounts
docker-compose exec web slidefactory user create-local user@example.com \
--name "Local User" \
--preset viewer
Entra (Azure AD)
- SSO with Microsoft
- Auto-created on first login
- Group-based scopes
Configuration:
# .env.local
AZURE_TENANT_ID=your-tenant-id
AZURE_CLIENT_ID=your-client-id
AZURE_CLIENT_SECRET=your-secret
Manage:
# List Entra users
docker-compose exec web slidefactory user list --provider azure_ad --show-groups
# Reset user to group scopes
docker-compose exec web slidefactory user reset-to-groups user@company.com
Best Practices
- Use presets - Consistent permissions
- Entra for teams - Better security + SSO
- Local for services - API accounts, CI/CD
- Minimum privilege - Grant only what's needed
- Deactivate, don't delete - Preserve audit trail
- Test changes - Verify permissions work as expected
See Also
- USER_MANAGEMENT.md - Full documentation
- BRANDING.md - Whitelabel configuration
Source Code Reference (not in documentation):
- app/auth/entra_mappings.py - Group mappings
Version: 1.0
Last Updated: 2025-11-04