User Management
TridentStack Control supports role-based access control (RBAC) with OAuth/SSO authentication. Manage who has access to your platform and what they can do.
Authentication
TridentStack Control authenticates users via OAuth 2.0. Supported providers:
- Microsoft (Entra ID / Azure AD)
- Google Workspace
Configure your provider in Settings > Authentication. Tenant administrators can restrict which providers are allowed for their organization.
How User Accounts Are Created
TridentStack Control uses a self-registration model through OAuth. There is no manual user invitation flow. When a new user signs in for the first time:
- The user clicks Sign In and authenticates through your configured OAuth provider.
- TridentStack Control verifies the user's email address with the provider.
- A tenant is resolved from the user's email domain: corporate domains create shared multi-user tenants, so all employees who sign in with the same domain are grouped into one tenant.
- A new user account is created in Pending Access status.
- An administrator must approve the user and assign roles before they can use the platform.
The first user to sign in from a new corporate domain is automatically granted Admin access. All subsequent users from that domain are placed in Pending Access until an existing Admin approves them.
Approving Pending Users
- Navigate to Settings > Users.
- Filter by Pending Access to see users waiting for approval.
- Click on a pending user.
- Select the roles to assign.
- Click Approve.
Once approved, the user can sign in and access the platform according to their assigned roles.
Roles and Permissions
Roles define what a user can do across the platform. Each role grants a specific set of permissions organized by module.
Built-in Roles
TridentStack Control includes three system roles that cannot be deleted or modified:
Admin
Full access to all platform features, including:
- All agent and policy management operations
- User management (approve users, assign roles, deactivate)
- Platform settings and configuration
- API key management
- Authentication provider configuration
- Role management
Policy Manager
Can manage policies and updates alongside standard operations:
- All Standard User permissions
- Create and edit configuration policies
- Assign policies to agent groups
- Approve and deploy updates
- Cannot modify platform settings, manage users, or configure authentication
Standard User
Read-only access to core platform modules:
- View agents, policies, vulnerabilities, compliance results, and reports
- View audit logs
- Cannot create, edit, or delete resources
- Cannot execute tasks or trigger actions
Permission Categories
Permissions are organized into 7 categories with granular controls:
| Category | Permissions | Description |
|---|---|---|
| Agents | View, Edit, Delete, Command | Manage agents and send commands (restart, scan, collect logs) |
| Policies | View, Edit, Delete, Assign | Create and assign configuration policies |
| Updates | View, Approve, Deploy | Manage the update approval and deployment workflow |
| Applications | View, Edit | Manage application update configurations |
| Settings | View, Edit | View and modify platform settings |
| Administration | Users View/Edit, Roles View/Edit | Manage users and role definitions |
| Compliance & Reports | Compliance View, Reports View, Reports Export | Access compliance data and export reports |
Custom Roles
Create custom roles in Settings > Roles to match your organization's access requirements.
For example, you might create:
- Security Analyst: view access to everything, plus edit access to vulnerability exceptions and compliance configurations
- Help Desk: view agents and trigger log collection, but no access to policies or settings
- Compliance Officer: view access to compliance results and reports, plus the ability to export data
To create a custom role:
- Navigate to Settings > Roles.
- Click Create Role.
- Enter a role name and description.
- Toggle permissions for each module.
- Click Save.
Assign custom roles to users through Settings > Users.
Always maintain at least two Admin users. If the sole Admin account is locked out, recovery requires direct database access.
User Lifecycle
Users move through the following states:
| State | Description |
|---|---|
| Pending Access | User signed in via OAuth but has not been approved. Cannot access platform features. |
| Active | User has been approved with assigned roles. Full access per role permissions. |
| Deactivated | Access revoked. Cannot sign in. Roles are preserved for potential reactivation. |
Deactivating Users
To revoke a user's access:
- Navigate to Settings > Users.
- Find the user and click Deactivate.
- Confirm the action.
Deactivated users cannot sign in to the platform. Their activity history is preserved in audit logs for compliance and review purposes. Deactivation is reversible: reactivate the user at any time to restore their access with the same roles.