IdentityDoor Lynio-Support

Managing Users in Lynio IAM

User Management Overview

Lynio IAM provides robust capabilities for managing user accounts within your tenant. Administrators can manage users either through the graphical LYNIO Console or programmatically via the REST HTTP API. Every user belongs to a specific tenant, ensuring strict isolation of user data and security settings.

Console User Operations

Within the LYNIO Console, user management is located under the Identity & Access Management section (/identity) under the Users tab. The interface displays a list of users in a tabular layout containing the user's name, email, MFA status badge (green for enabled, gray for disabled), active status badge (green for active, red for suspended), and accessible action buttons.

Creating a User

To add a new user to the tenant:

  1. Click the Add User button.
  2. In the modal, fill in the following fields:
    • First Name (optional)
    • Last Name (optional)
    • Email (required, must be unique)
    • Phone (optional)
    • Password (must conform to the tenant's password complexity policy)
  3. Click save. The system will hash the password using bcrypt and store the user with a unique lid.user.<uuid> identifier.

Editing a User

To modify a user's details:

  1. Locate the user in the table and click the Edit action icon.
  2. In the edit modal, you can update:
    • First Name
    • Last Name
    • Email
    • Phone
  3. Save the changes to persist them to the database.

Suspending or Activating a User

To toggle a user's active status:

  1. Locate the user in the table and click the Suspend (or Activate) action icon.
  2. A confirmation dialog will appear.
  3. Confirming the suspension updates the user's status to inactive (active = false). Inactive users are blocked from logging into the platform.

Resetting Passwords

Administrators can perform password resets:

  1. Click the Reset Password action icon for the target user.
  2. Enter a new password (must be at least 8 characters and satisfy complexity rules).
  3. Confirm the action. This action updates the user's password hash and marks the password as changed (password_changed_at is updated).

Resetting Multi-Factor Authentication (MFA)

If a user loses access to their authenticator device, administrators can reset their MFA settings:

  1. Locate the user (the Reset MFA grape action icon is only visible if the user has MFA enabled).
  2. Click the icon and confirm the reset in the dialog.
  3. The system will clear the user's totp_secret and backup_codes, and set mfa_enabled to false. On the next login, the user will be prompted to set up MFA again if MFA is enforced.

Viewing Login History

Administrators can view recent login activities directly in the table:

  1. Click on the user's table row to expand it.
  2. The expanded area displays the user's unique UUID (lid.user.<uuid>) and a table of their Recent Login History containing the timestamp, client IP address, user agent, and a status badge (e.g., success, failure, denied).

Deleting a User

To permanently remove a user:

  1. Click the red trash icon (Delete) for the target user.
  2. Confirm the deletion in the modal. This permanently removes the user's record from the database.

HTTP API Integration

For automated user provisioning and scripting, the HTTP API offers the following endpoints scoped to /api/v1/users.

List Users

  • Endpoint: GET /api/v1/users
  • Description: Returns an array of user objects within the caller's tenant.

Create User

  • Endpoint: POST /api/v1/users
  • Request Payload:
    {
      "email": "user@example.com",
      "password": "SecurePassword123!",
      "first_name": "Jane",
      "last_name": "Doe",
      "phone": "+31600000000"
    }
    

Update User

  • Endpoint: PUT /api/v1/users/:id
  • Request Payload:
    {
      "email": "jane.doe@example.com",
      "first_name": "Jane",
      "last_name": "Doe",
      "phone": "+31611111111"
    }
    

Toggle Active Status

  • Endpoint: PUT /api/v1/users/:id/status
  • Request Payload:
    {
      "active": false
    }
    

Reset MFA

  • Endpoint: POST /api/v1/users/:id/reset-mfa
  • Description: Clears the TOTP secret, backup codes, and disables MFA for the specified user.

Admin Reset Password

  • Endpoint: POST /api/v1/users/:id/reset-password
  • Request Payload:
    {
      "password": "NewSecurePassword456!"
    }
    

Retrieve Recent Logins

  • Endpoint: GET /api/v1/users/:id/logins
  • Description: Retrieves the 20 most recent login audit log entries for the specified user, returning the time, IP address, user agent, and status.

Delete User

  • Endpoint: DELETE /api/v1/users/:id
  • Description: Deletes the specified user record.