
Users & Accounts

Create, delete, suspend users; assign roles; monitor account activity.

User management is the core of any Enterprise deployment: who has access, what role each person holds, and when access was last used. The Dashboard's Admin → Users page is the one-stop surface.

Creating a user

Admin → Users → New. Fill in:

  • Email — login identity; uniqueness-checked
  • Display name
  • Role — pick from built-in (Admin, Operator, Viewer) or a custom role you've defined
  • Tenant (Enterprise) — which tenant workspace this user belongs to
  • Initial password — generate one or paste your own; the user is required to change it on first login

Save. The user receives an invitation email with their login credentials if SMTP is configured; otherwise copy-paste the one-time credentials to them manually.

Editing a user

Click any user in the list. You can:

  • Change role
  • Move between tenants (Enterprise only; migration of scoped resources follows)
  • Reset password (sends email or shows one-time link)
  • Suspend — user remains in the system but can't log in
  • Re-activate a suspended user
  • Delete — permanent; the user's data becomes orphaned (see below)

Suspended vs deleted

State     | Can log in? | Data preserved?                               | Recoverable?
Active    | Yes         | Yes                                           | n/a
Suspended | No          | Yes                                           | Re-activate
Deleted   | No          | User record gone; owned data becomes orphaned | No

Orphaned data — when a user is deleted, their agents, workflows, memory, and documents stay in the database with a null owner. Admins can reassign orphans to another user via:

sophon admin users reassign --from <old-id> --to <new-id>

Or clean them up:

sophon admin users purge-orphans --older-than 30d

Built-in roles

Role     | What it can do
Admin    | Everything. User management, RBAC, audit, license, compliance, tenant configuration.
Operator | Operational tasks — pause/restart services, view system health, approve pending tasks, manage Node devices. Cannot manage users or change roles.
Viewer   | Read-only. Can see sessions, documents, memory, workflows. Cannot modify anything. Useful for auditors and oversight.

Custom roles extend beyond these — see RBAC.

Assigning roles

Either at user-create time or later via Edit → Role.

Role changes take effect on the user's next request, not on their current session. If you need an immediate logout, also revoke their active sessions:

sophon admin users logout <user-id>

Account activity

Each user page shows:

  • Last login — timestamp + IP + user agent
  • Active sessions — current authenticated sessions with device, IP, created date. Revoke individually.
  • API tokens — long-lived tokens the user has generated
  • Recent actions — last 50 events from the audit log filtered to this user

For a full audit trail, use Admin → Audit with the user filter.

Self-service

Users can manage their own:

  • Display name, avatar
  • Password
  • 2FA (TOTP) — enable / regenerate recovery codes
  • API tokens (create / rotate / delete)
  • Active sessions

Admins can override any self-service setting. Users can't change their own role or tenant.

Bulk operations

CSV import

Bulk-create users from a CSV:

sophon admin users import users.csv

CSV columns: email,displayName,role,tenant,password.

Missing passwords trigger invitation emails. Role / tenant must match existing definitions or the row is rejected.
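A pre-import check for this column layout, added here as an example and not part of Sophon's CLI or docs: it applies the rules above (an unknown role or tenant rejects the row, a missing password marks the row for an invitation) to a constructed sample CSV before the file is handed to `sophon admin users import`. The custom role `Auditor`, the tenants `acme` and `globex`, and case-insensitive email matching are assumptions.

```python
import csv
import io
import re

# Constructed sample in the page's column layout; not a real user export.
SAMPLE_CSV = """email,displayName,role,tenant,password
alice@example.com,Alice Ng,Admin,acme,
bob@example.com,Bob Lee,Operator,acme,Temp-Pass-123
carol@example.com,Carol Diaz,SuperUser,acme,Temp-Pass-456
dave@example.com,Dave Kim,Viewer,globex,
ALICE@example.com,Alice Dup,Viewer,acme,
"""

REQUIRED_COLUMNS = ["email", "displayName", "role", "tenant", "password"]
BUILTIN_ROLES = {"Admin", "Operator", "Viewer"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def validate_import(csv_text, custom_roles=(), tenants=()):
    """Return (accepted, rejected, invites): accepted emails in file order,
    rejected rows as (line_no, email, reasons), and the accepted emails
    with no password, which would trigger an invitation email."""
    known_roles = BUILTIN_ROLES | set(custom_roles)  # built-in plus RBAC custom
    known_tenants = set(tenants)                     # tenants defined in Admin
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames != REQUIRED_COLUMNS:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    accepted, rejected, invites, seen = [], [], [], set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        # Lower-casing for the uniqueness check is an assumption; the page
        # only says the email is uniqueness-checked.
        email = row["email"].strip().lower()
        reasons = []
        if not EMAIL_RE.match(email):
            reasons.append("malformed email")
        if email in seen:
            reasons.append("duplicate email")
        if row["role"] not in known_roles:
            reasons.append(f"unknown role {row['role']!r}")
        if row["tenant"] not in known_tenants:
            reasons.append(f"unknown tenant {row['tenant']!r}")
        if reasons:
            rejected.append((line_no, email, reasons))
            continue
        seen.add(email)
        accepted.append(email)
        if not row["password"]:
            invites.append(email)
    return accepted, rejected, invites
```

Run it on the real file first and fix the rejected rows; the CLI applies the same role/tenant rule and would otherwise drop them silently from the batch.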

CSV export

sophon admin users export --out users.csv

Exports all users with role, tenant, suspended state, last-login, and created-date.

API tokens

API tokens are long-lived alternatives to password login — used for CLI, CI, and custom integrations. Created per-user:

# As the user
sophon auth tokens create --name ci-deploy --expires 365d

Or via Settings → Security → API tokens → Create.

Admins can list and revoke any user's tokens:

sophon admin tokens list --user <id>
sophon admin tokens revoke <token-id>

Revocation is immediate.

2FA (two-factor auth)

TOTP is supported out of the box and works with Google Authenticator, Authy, and 1Password. Admins can require 2FA at the tenant or global level in Admin → Settings → Authentication → Require 2FA.

If a user loses their TOTP device, admins can reset 2FA via Edit → Reset 2FA — the user then re-enrolls at next login.

Session management

Default session lifetime: 8 hours idle, 7 days absolute. Configurable per tenant in appsettings.json:

{
  "Sophon": {
    "Auth": {
      "IdleTimeout": "08:00:00",
      "AbsoluteTimeout": "7.00:00:00"
    }
  }
}

Single-sign-on via OIDC can shorten these — your IdP's session policy wins. See SSO.

Where to go next

  • RBAC — custom roles and granular permissions
  • SSO — OIDC configuration
  • Audit Logging — tracking user actions
  • Tenants — multi-tenant isolation