User Management

Create and manage administrator accounts in Authority.

Admin Capabilities

Administrators can:

Manage OAuth clients
Create and edit users
Configure scopes
View audit logs
Modify system settings

Admin Dashboard

Create Admin User

Navigate to Admin Dashboard → Users
Click New User
Fill in the form:

Field

Description

Email

Admin email address

Name

Display name

Password

Initial password

Role

Select Administrator

Click Create

Promote Existing User

Navigate to Users
Select the user
Click Edit
Change Role to Administrator
Click Save

Command Line

Create Admin via CLI

crystal run src/tasks/create_admin.cr -- \
  --email admin@example.com \
  --name "Admin User" \
  --password "SecurePassword123"

Using Database Seed

Create admin during initial setup:

ADMIN_EMAIL=admin@example.com \
ADMIN_PASSWORD=SecurePassword123 \
crystal run src/db/seed.cr

API

Create Admin via API

POST /api/users
Content-Type: application/json
Authorization: Bearer {admin_token}

{
  "email": "newadmin@example.com",
  "name": "New Admin",
  "password": "SecurePassword123",
  "role": "admin"
}

Update User Role

PATCH /api/users/{id}
Content-Type: application/json
Authorization: Bearer {admin_token}

{
  "role": "admin"
}

Admin Roles

Role

Permissions

user

Profile management, OAuth authorizations

admin

Full system access

super_admin

Can create other admins

Role Hierarchy

super_admin
    └── admin
        └── user

Security Requirements

MFA for Admins

Require MFA for all admin accounts:

REQUIRE_ADMIN_MFA=true

Admin Password Policy

Enforce stronger passwords for admins:

ADMIN_PASSWORD_MIN_LENGTH=16
ADMIN_PASSWORD_EXPIRY_DAYS=30

IP Restrictions

Limit admin access by IP:

ADMIN_ALLOWED_IPS=10.0.0.0/8,192.168.1.100

Audit Trail

Admin actions are logged:

Event

Description

admin.login

Admin login

admin.created

New admin created

admin.role_changed

Role modified

client.created

Client created by admin

settings.changed

Settings modified

Best Practices

Do:

Use individual accounts (not shared)
Enable MFA for all admins
Regularly review admin list
Limit super_admin count

Avoid:

Shared admin credentials
Admin accounts without MFA
Unnecessary admin access
Using admin accounts for daily work

Removing Admin Access

Demote to User

PATCH /api/users/{id}
Content-Type: application/json
Authorization: Bearer {super_admin_token}

{
  "role": "user"
}

Deactivate Admin

PATCH /api/users/{id}
Content-Type: application/json
Authorization: Bearer {super_admin_token}

{
  "active": false
}

Next Steps

Manage Sessions - Session management
Password Reset - Reset passwords
Enable MFA - Secure admin accounts

PreviousRotate Secrets NextManage Sessions

Last updated 4 days ago

Was this helpful?

hashtagAdmin Capabilities

hashtagAdmin Dashboard

hashtagCreate Admin User

hashtagPromote Existing User

hashtagCommand Line

hashtagCreate Admin via CLI

hashtagUsing Database Seed

hashtagAPI

hashtagCreate Admin via API

hashtagUpdate User Role

hashtagAdmin Roles

hashtagRole Hierarchy

hashtagSecurity Requirements

hashtagMFA for Admins

hashtagAdmin Password Policy

hashtagIP Restrictions

hashtagAudit Trail

hashtagBest Practices

hashtagRemoving Admin Access

hashtagDemote to User

hashtagDeactivate Admin

hashtagNext Steps