User Management
This guide covers creating and managing users in the SPSA Portal.
User Administration
All user management is done through the SPSA Portal web interface:
- Log in as administrator
- Click your username > Settings
- Select Users
Create User
New User
- Go to Users
- Click New User
- Configure account settings
Account Settings
| Field | Required | Description |
|---|---|---|
| Username | Yes | Login name for SPSA Portal |
| Password | Yes | Initial password |
| Confirm password | Yes | Must match password |
Password Best Practices
Use passwords that:
- Are at least 12 characters
- Include uppercase and lowercase letters
- Include numbers
- Are NOT identical to target system passwords
Profile Settings
| Field | Description |
|---|---|
| Full name | Display name for identification |
| Email address | Contact email address |
| Organization | Company or department |
| Role | Job title or function |
Profile fields are optional but useful for identifying users.
Account Restrictions
Control when and how users can access SPSA:
| Setting | Description |
|---|---|
| Login disabled | Temporarily disable the account |
| Password expired | Force password change on next login |
| Allow access after time | Time-based access start (e.g., 08:00) |
| Block access after time | Time-based access end (e.g., 17:00) |
| Enable after date | Account activates on date |
| Disable after date | Account expires on date |
| Timezone | User's timezone for time restrictions |
Time-Based Access Example:
To allow a contractor access only during business hours:
| Setting | Value |
|---|---|
| Allow access after time | 08:00 |
| Block access after time | 17:00 |
| Disable after date | Project end date |
- Click Save
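The sketch below is an added example, not SPSA code: a hypothetical model of the Account Restrictions fields that evaluates the contractor settings above and shows why the Timezone field has to match the user's location. It assumes a same-day window, a half-open interval (17:00:00 is already blocked), and a constructed project end date.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from typing import Optional


@dataclass
class Restrictions:
    """Hypothetical model of the Account Restrictions fields (not SPSA code)."""
    tz: timezone                          # "Timezone"
    login_disabled: bool = False          # "Login disabled"
    allow_after: Optional[time] = None    # "Allow access after time"
    block_after: Optional[time] = None    # "Block access after time"
    enable_after: Optional[date] = None   # "Enable after date"
    disable_after: Optional[date] = None  # "Disable after date"


def may_log_in(r: Restrictions, now_utc: datetime) -> bool:
    """Apply each restriction to the current time in the user's timezone."""
    if r.login_disabled:
        return False
    local = now_utc.astimezone(r.tz)
    if r.enable_after is not None and local.date() < r.enable_after:
        return False
    # Assumption: the account remains usable on the "Disable after date" itself.
    if r.disable_after is not None and local.date() > r.disable_after:
        return False
    now = local.time()
    if r.allow_after is not None and now < r.allow_after:
        return False
    # Assumption: the window is half-open, so 17:00:00 is already blocked.
    if r.block_after is not None and now >= r.block_after:
        return False
    return True


def contractor(tz: timezone) -> Restrictions:
    """Contractor settings from the table above; the end date is constructed."""
    return Restrictions(tz=tz, allow_after=time(8, 0), block_after=time(17, 0),
                        disable_after=date(2025, 6, 30))


UTC = timezone.utc
UTC_PLUS_2 = timezone(timedelta(hours=2))  # constructed fixed offset

if __name__ == "__main__":
    login = datetime(2025, 6, 16, 6, 30, tzinfo=UTC)  # 08:30 at UTC+2
    print(may_log_in(contractor(UTC_PLUS_2), login))  # timezone set correctly
    print(may_log_in(contractor(UTC), login))         # timezone left at UTC
```

The same login instant is accepted with the correct offset and rejected when the timezone is left at UTC, which is the misconfiguration to check for when a contractor reports being locked out during business hours.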
User Permissions
System Permissions
| Permission | Description |
|---|---|
| Administer system | Full administrative access |
| Create new users | Can create user accounts |
| Create new user groups | Can create groups |
| Create new connections | Can create connections |
| Create new connection groups | Can organize connections |
| Change own password | Can change own password |
Recommended Permission Sets
Standard User:
- [x] Change own password
- [ ] All other permissions disabled
Help Desk / Support:
- [x] Change own password
- [x] Create new users
- [ ] Administer system (leave disabled)
Full Administrator:
- [x] All permissions enabled
Least Privilege
Only grant the permissions users actually need. Most users only need "Change own password."
Connection Permissions
Assign Connections
- Edit the user
- Scroll to Connections section
- View tabs:
    - Current Connections - Currently assigned
    - All Connections - All available connections
- Check boxes next to connections to grant access
- Click Save
Permission Levels
When assigning connections, you can set permission levels:
| Permission | Description |
|---|---|
| Read | Can use the connection (default) |
| Update | Can modify connection settings |
| Delete | Can remove the connection |
| Administer | Full control over the connection |
User Visibility
Users only see connections they have been explicitly granted access to. They cannot see other connections.
User Groups
Benefits of Groups
- Assign connections to groups instead of individual users
- Easier permission management at scale
- Logical organization (by department, role, or project)
Create Group
- Go to Groups
- Click New Group
- Configure:
    - Group name
    - Description (optional)
- Click Save
Assign Users to Group
- Edit the group
- Under Members, add users
- Under Connections, assign connections
- Click Save
Group-Based Permissions
Users inherit connection access from their group memberships. This allows:
- Add user to "IT Administrators" group → User gets access to all admin connections
- Remove user from group → Access is revoked
Password Management
Reset User Password
- Go to Users
- Click on the user to edit
- Enter new password in Password field
- Confirm in Confirm password field
- Click Save
Force Password Change
To require a user to change their password on next login:
- Edit the user
- Enable Password expired
- Save
Password Best Practices
- Use strong, unique passwords
- Do not reuse passwords from other systems
- Change default passwords immediately
- Avoid using characters Z and Y (keyboard layout issues)
Disable/Delete Users
Disable User (Temporary)
To temporarily block access:
- Edit the user
- Enable Login disabled
- Save
The user cannot log in but the account is preserved.
Delete User (Permanent)
- Go to Users
- Select the user
- Click Delete
- Confirm deletion
Permanent Action
Deleting a user is permanent. Use "Login disabled" for temporary suspensions.
Multi-Factor Authentication
TOTP MFA
SPSA requires TOTP-based MFA for all users. On first login:
- User enters username and password
- QR code is displayed for authenticator app enrollment
- User scans QR code with:
    - Google Authenticator
    - Microsoft Authenticator
    - Other TOTP-compatible apps
- User enters 6-digit code from app
- MFA is activated for the account
MFA for Every Login
After initial setup, users must provide:
- Username and password
- Current 6-digit TOTP code
This applies to all users including administrators.
Audit & Compliance
Session History
View user activity in History:
- Session start and end times
- Connection used
- Duration
- Remote host accessed
User Access Review
Regularly review:
- [ ] Active user accounts
- [ ] Connection assignments
- [ ] Group memberships
- [ ] Last login times
Remove unused accounts promptly.
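One way to run the review checklist above together with the group inheritance rule from Group-Based Permissions, as an added example that is not part of SPSA. The inventory is constructed by hand, its field names are hypothetical (not an SPSA export format), and the 30-day idle threshold is an assumption based on the monthly review interval.

```python
from datetime import date

# Constructed inventory, written by hand for this example. The field names are
# hypothetical; this is not an SPSA export format.
GROUPS = {"IT Administrators": ["dc-01", "fw-01"], "Project X": ["web-01"]}
USERS = [
    {"name": "anna.berg", "groups": ["IT Administrators"], "direct": [],
     "perms": ["Administer system"], "last_login": date(2025, 6, 10),
     "login_disabled": False, "disable_after": None},
    {"name": "ext.miller", "groups": ["Project X"], "direct": ["db-01"],
     "perms": ["Change own password"], "last_login": date(2025, 2, 1),
     "login_disabled": False, "disable_after": date(2025, 3, 31)},
    {"name": "tom.ruiz", "groups": [], "direct": ["web-01"],
     "perms": ["Change own password"], "last_login": None,
     "login_disabled": False, "disable_after": None},
    {"name": "j.doe", "groups": ["Project X"], "direct": [],
     "perms": ["Change own password"], "last_login": date(2024, 11, 5),
     "login_disabled": True, "disable_after": None},
]


def effective_connections(user, groups):
    """Direct assignments plus everything inherited through group membership."""
    conns = set(user["direct"])
    for group in user["groups"]:
        conns.update(groups.get(group, []))
    return conns


def review(users, groups, today, max_idle_days=30):
    """Return (user, finding) pairs for an administrator to act on."""
    findings = []
    for u in users:
        if u["login_disabled"]:
            continue  # cannot log in; kept for the audit trail
        conns = effective_connections(u, groups)
        idle = (today - u["last_login"]).days if u["last_login"] else None
        if conns and (idle is None or idle > max_idle_days):
            findings.append((u["name"], "unused account with connections"))
        if u["disable_after"] and u["disable_after"] < today:
            findings.append((u["name"], "expired, assignments not removed"))
        if "Administer system" in u["perms"]:
            findings.append((u["name"], "holds Administer system"))
    return findings


if __name__ == "__main__":
    for name, finding in review(USERS, GROUPS, date(2025, 6, 16)):
        print(f"{name}: {finding}")
```

Note that `effective_connections` keeps direct assignments when a group is removed, so in this model removing a user from a group revokes only what was inherited from it.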
Best Practices
Account Management
- Create individual accounts per user (no shared accounts)
- Use descriptive usernames (e.g., firstname.lastname)
- Set password expiration for sensitive environments
- Use groups for easier permission management
- Review access regularly (monthly recommended)
Security
- Follow least privilege principle
- Use time-based restrictions for contractors/temporary access
- Disable accounts instead of deleting (for audit trail)
- Remove access promptly when users leave
Documentation
- Record who has access to what
- Document group membership criteria
- Keep track of temporary access grants