
Authentication and Users


Overview

Authentication and user management control how users sign in, complete activation, register MFA, use federated login, choose a timezone, and receive role-scoped access to CMS.

Sign-In Options

CMS supports local CMS login and federated login through Microsoft Entra or Google. One or more of the following sign-in options are shown depending on platform settings:

  • CMS username and password.
  • Microsoft Entra sign-in.
  • Google sign-in.

If an expected sign-in option is missing, a platform administrator should check the Authentication and Portal settings to confirm that the provider is enabled and configured. Federated provider challenge routes enforce the same enablement settings shown in the login UI, so a provider hidden from the login page cannot be used through its challenge route either.

Microsoft Entra validation can be restricted to a configured tenant by setting AzureAdTenantId. When that setting is blank, the existing multi-tenant Entra behaviour is preserved.
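The tenant restriction above, as an added example rather than CMS's own code: the function runs after signature, audience and expiry validation and applies only the AzureAdTenantId rule. The `EntraSettings` class, the claim names `tid` and `iss`, and the v2.0 issuer template are assumptions about Entra tokens, not taken from this page.

```python
from dataclasses import dataclass

# Entra v2.0 tokens carry the issuing tenant in both "tid" and the issuer URL (assumption).
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tid}/v2.0"

@dataclass
class EntraSettings:
    azure_ad_tenant_id: str = ""   # mirrors AzureAdTenantId; blank keeps multi-tenant behaviour

def tenant_allowed(claims: dict, settings: EntraSettings) -> bool:
    """Decide whether an already signature-verified Entra token may sign in."""
    tid = claims.get("tid", "")
    iss = claims.get("iss", "")
    if not tid:
        return False   # no tenant id: cannot satisfy either mode
    # In both modes the issuer must name the same tenant as the tid claim,
    # otherwise a token from one tenant could present another tenant's id.
    if iss != ISSUER_TEMPLATE.format(tid=tid):
        return False
    configured = settings.azure_ad_tenant_id.strip()
    if not configured:
        return True    # blank setting: any validated tenant is accepted (multi-tenant)
    return tid.lower() == configured.lower()   # single-tenant restriction
```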

Account Activation

Users can be created with activation fields, including the activation code, its expiry, and the email confirmation state. Some environments require users to activate their account before they get normal portal access.

Supported activation actions are:

Action | Behaviour
Send welcome email | Platform administrators can send a welcome email containing an activation link, provided email delivery is configured.
Reset activation | Administrators can generate a fresh one-hour activation code for an unconfirmed user.
Request a new activation code | A user who can authenticate but is not yet activated can request a new code from the login activation form.
Activate account | The /activate portal page submits the activation code and completes activation, after which the user can continue.

Manual Review Required: User creation generates activation data but does not automatically send the welcome or activation email. Operators should send the welcome email from the user actions menu, or reset activation where needed.
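The activation lifecycle from the table (reset activation issuing a one-hour code, /activate confirming it), written as an added example and not CMS's own code. Field names on `UserActivation`, the hashing of the stored code, and the constructed `EPOCH` timestamp are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ACTIVATION_LIFETIME = timedelta(hours=1)                  # the one-hour code described above
EPOCH = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed "now" for the demo

@dataclass
class UserActivation:
    """Activation fields on a user record (field names are assumptions)."""
    email_confirmed: bool = False
    code_hash: str = ""                         # persist a hash, never the raw code
    code_expires_at: Optional[datetime] = None

def _hash(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()

def reset_activation(user: UserActivation, now: datetime) -> str:
    """Reset activation: issue a fresh one-hour code for an unconfirmed user.
    Returns the raw code, which belongs only in the welcome/activation e-mail."""
    if user.email_confirmed:
        raise ValueError("user is already activated")
    code = secrets.token_urlsafe(24)            # unguessable, single-use
    user.code_hash = _hash(code)
    user.code_expires_at = now + ACTIVATION_LIFETIME   # supersedes any earlier code
    return code

def activate(user: UserActivation, submitted: str, now: datetime) -> bool:
    """What /activate must check: unconfirmed user, unexpired code, exact match."""
    if user.email_confirmed or not user.code_hash or user.code_expires_at is None:
        return False
    if now >= user.code_expires_at:
        return False                            # expired: the user must request a new code
    if not hmac.compare_digest(user.code_hash, _hash(submitted)):
        return False                            # wrong code, checked in constant time
    user.email_confirmed = True
    user.code_hash = ""                         # burn the code so it cannot be replayed
    user.code_expires_at = None
    return True
```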

MFA

MFA registration is shown only when MFA is required and the user is not already registered, so users are prompted to register MFA during sign-in. If a user loses access to their authenticator, an authorised administrator can reset MFA enrollment for that user. Resetting MFA clears the stored registration, secret, and QR code, so the user registers again on the next MFA-required sign-in.

Tenant administrators can reset MFA for users in their own tenant. Broader administrators can reset MFA only inside their permitted hierarchy.

User Management

The Users page is available to administrator roles with the required organisation access. Platform roles access it under Administration, while tenant, partner, and distributor administrators access it in the scoped Settings group.

The user editor includes:

  • User properties.
  • Scope and permissions.
  • Authentication settings.
  • Authentication information.
  • Activation reset and other activation actions.
  • MFA reset.
  • Password reset.
  • Timezone selection.

Role Assignment

Administrators can assign roles only within their own permitted hierarchy.

Acting role | Typical assignment boundary
Platform administrator | Platform, distributor, partner, and tenant roles.
Distributor administrator | Distributor, partner, and tenant roles in distributor scope.
Partner administrator | Partner and tenant roles in partner scope.
Tenant administrator | Tenant roles in tenant scope.

Platform readers have read access where allowed but cannot create, update, or delete users, reset activation codes, or reset passwords. If a role is not available in the selector, confirm that the acting user has permission to assign that role and that the target user belongs to the correct organisation scope.

Timezone Preference

Users can set their own display timezone, and JWTs include the user's TimeZoneId claim. Users can update their own timezone through the current-user timezone API without broader user administration permissions. If a user does not choose a timezone, CMS uses the system timezone: blank timezone values inherit the Platform > General SystemTimeZoneId setting. Operational records remain consistent while portal timestamps are shown in the user's effective timezone.

Invalid saved values are rejected on save, or treated as UTC as a display fallback.

Email Templates

Activation, welcome, invoice, delinquent payment, budget alert, new subscription, and recover account templates are stored in the NotificationTemplates table and managed from Administration > Notifications.

Implementation Gap: The NewSubscription and RecoverAccount templates appear to be placeholders and are not confirmed as active send flows; review templates before relying on them for a customer process. Password reset changes the password directly and does not send a recover-account email.

Security and Scoping

Portal UI claims are not the authorization boundary. Federated login exchanges identity-provider tokens for CMS-issued JWTs, and API routes enforce role and hierarchy checks server-side. Users only see user records and actions allowed by their role and organisation access.

The portal no longer logs refresh token values and does not store federated access tokens in plain browser local storage.

If a user cannot see the Users page, a user row, or an action such as password reset or MFA reset, confirm that the acting user has the correct administrator role and relationship to the target user.
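The role-assignment boundaries from the Role Assignment table, enforced the way this section describes (from the CMS-issued JWT, server-side, ignoring whatever the UI claims), as an added example and not CMS's own code. The organisation tree, the `Org` class, the rule that a role kind is assigned at an organisation of the same kind, and the JWT claim names `role` and `org` are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Hierarchy levels from the assignment table: lower number = broader scope.
ROLE_LEVEL = {"Platform": 0, "Distributor": 1, "Partner": 2, "Tenant": 3}

@dataclass(frozen=True)
class Org:
    id: str
    kind: str              # "Platform", "Distributor", "Partner" or "Tenant"
    parent: Optional[str]  # id of the parent organisation, None for the root

# Constructed organisation tree: platform > distributor > partner > tenant.
ORGS: Dict[str, Org] = {o.id: o for o in [
    Org("platform", "Platform", None),
    Org("dist-a", "Distributor", "platform"),
    Org("partner-a1", "Partner", "dist-a"),
    Org("tenant-a1x", "Tenant", "partner-a1"),
    Org("dist-b", "Distributor", "platform"),
    Org("partner-b1", "Partner", "dist-b"),
    Org("tenant-b1", "Tenant", "partner-b1"),
]}

def ancestors(org_id: str, orgs: Dict[str, Org]):
    """Yield org_id and every ancestor up to the platform root."""
    cur: Optional[str] = org_id
    while cur is not None:
        yield cur
        cur = orgs[cur].parent

def can_assign(actor_role: str, actor_org: str,
               target_role: str, target_org: str, orgs: Dict[str, Org]) -> bool:
    """Hierarchy rule from the table: never a broader role, never outside own scope."""
    if actor_role not in ROLE_LEVEL or target_role not in ROLE_LEVEL or target_org not in orgs:
        return False
    if ROLE_LEVEL[target_role] < ROLE_LEVEL[actor_role]:
        return False                  # e.g. a partner admin granting a Distributor role
    if actor_org not in ancestors(target_org, orgs):
        return False                  # target organisation is outside the actor's tree
    return orgs[target_org].kind == target_role   # assumption: role kind matches org kind

def handle_assign_role(jwt_claims: dict, body: dict, orgs: Dict[str, Org] = ORGS) -> int:
    """API route: authority comes from the verified CMS JWT, not the request body.
    A UI-supplied field such as body["actingRole"] is ignored. 200 allowed, 403 refused."""
    allowed = can_assign(jwt_claims.get("role", ""), jwt_claims.get("org", ""),
                         body.get("role", ""), body.get("org", ""), orgs)
    return 200 if allowed else 403
```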