User Management

1. Document Purpose

This guide provides essential guidance for managing users, roles, and access control in the Karios platform. It is designed for administrators and team leads responsible for user provisioning and access management.

2. Document Scope

• User accounts

• Role assignment

• Security configuration

• License overview and activation flow

3. Important First Login Context

The administrator should first log in using credentials provided during Bootstrap.

Tip

First-time user path: start with 1. Document Purpose, 2. Document Scope, 3. Important First Login Context, and 4. Quick Start (First 10 Minutes) before jumping into the task-focused sections.

4. Quick Start (First 10 Minutes)

1. Confirm your own permissions in My Profile.

2. Create one test user in User Management.

3. Assign a limited role (not System Admin) and save.

4. Ask test user to logout/login once, then confirm only expected modules are visible.

5. Document what was assigned and why.

Note

Single-admin environment: validate test-user login in an incognito/private window or a separate browser profile/session.

Start Here by Goal (Fast Routes)

Use this shortcut if you do not need the full page in one pass:

• Verify your own access posture first: go to 6.1. Step: Review My Profile.

• Need to add a user quickly: go to 8.1. Workflow 1: Create New User.

• Add or edit users quickly: go to 8. User Lifecycle Workflows.

• Build or update role definitions: go to 9. Role Management.

• Review trial/paid socket licensing flow: go to 10. License.

• Resolve common blockers fast: go to 12.2. Quick Fixes.

Quick Task Pages

If you only need a specific operation, use the task-focused page first:

• User Management Quick Tasks

4.1. New User Runbook (Required Order)

Canonical first-time path (single workflow path):

1. Validate your own access in 6.1. Step: Review My Profile.

2. Create the account in 8.1. Workflow 1: Create New User.

3. Assign minimum roles in 8.5. Workflow 3: Assign Roles.

4. Apply account controls in 8.3. Workflow 2: Edit User Settings.

5. Validate login and module visibility using the 8.2. Workflow 1 Validation Checklist, 8.6. Workflow 3 Validation Checklist, and 8.10. Workflow 5 Validation Checklist checklists as needed.

6. If licensing is in scope, complete 10. License.

Note

Operational steps are maintained only in 8. User Lifecycle Workflows to avoid duplicated instructions.

4.2. Pass/Fail Criteria

• Pass: user create, role assign, and login visibility checks all succeed.

• Fail: user cannot login, wrong modules are visible, or role/security settings do not persist.

4.3. Quick Troubleshooting Entry Points

Symptom	First checks
User Management tab missing	Confirm USER_MANAGE permission and account scope
User cannot login	Check account Active state and credential correctness
Wrong module access	Re-validate assigned role and permission mapping
Role assignment not saving	Confirm admin scope and retry shield workflow

5. Navigation and Access

5.1. User Section Location

Path: Bottom-left navigation panel -> User icon

Note

If User Management or Role Management is missing, your account likely does not have USER_MANAGE.

5.2. Available Modules

Module	Purpose	Required Permission
My Profile	View personal account information	All users
User Management	Create and manage user accounts	USER_MANAGE
Role Management	Configure roles and permissions	USER_MANAGE
License	Review trial/paid license status, upload license file, and review node socket registrations.	Role-based access (confirm with administrator)

Note

Sidebar entries can vary by role and deployment policy. If License is missing, confirm access scope with your administrator.

5.3. Role Label Mapping (Flow vs UI)

The main documentation flow uses role labels such as Infra Admin, VM Admin, and User Admin. In the UI, use these practical mappings:

Flow Label	Typical UI Role Match
User Admin	System Admin or role containing USER_MANAGE
VM Admin	VM Admin or role containing VM_MANAGE + required network/storage view permissions
Infra Admin	System Admin / Node Admin / Cluster Admin (or equivalent roles with infrastructure manage permissions)
Ops/Admin	Roles with monitoring/alerts visibility and incident-response permissions

Note

Exact role names can differ by deployment policy. Permission scope (for example *_MANAGE) is the authoritative check.

Quick permission check by function:

• User administration: USER_MANAGE (and USER_VIEW for read visibility)

• VM operations: VM_MANAGE + related *_VIEW permissions for dependent modules

• Infrastructure operations: ZONE_MANAGE, POD_MANAGE, CLUSTER_MANAGE, NODE_MANAGE

• Zone operations: ZONE_VIEW / ZONE_MANAGE

6. My Profile

6.1. Step: Review My Profile

When to Use:

Use this page to confirm your account identity, security status, and assigned access scope.

Purpose:

Validate your own user posture before creating users, assigning roles, or troubleshooting missing access.

My Profile page with profile information, security status, and assigned roles.

Steps:

1. Open My Profile.

2. Verify account fields: Username, Email, Full Name, Created At, Updated At.

3. Review security badges: 2FA Enabled, 2FA Required, and Requires Approval.

4. Review each role card and permission tags.

5. If expected access is missing, compare required permission tags with your assigned roles.

Expected Outcome:

• Your identity fields are correct.

• Security requirements for your account are clear.

• Assigned role scope matches your job function.

If this fails:

1. Capture the missing field/permission evidence from My Profile.

2. Contact your administrator for role or security-policy update.

3. Re-login after role/security changes to refresh session permissions.

6.2. Profile Information

This section shows your account identification and contact details.

Field	Description
Username	Your unique login identifier used to access the Control Center. Read-only.
Email	Your registered email address. Used for notifications and account recovery.
Full Name	Your complete name as displayed in the system.
Created At	Timestamp when your user account was created.
Updated At	Timestamp of the last modification to your profile.

Tip

Username is permanent. Keep Email current for notifications and recovery workflows.

6.3. Security Settings

6.3.1. 2FA Enabled

Display: Yes or No status badge.

Description: whether Two-Factor Authentication is enabled on your account.

• Enabled: requires a second factor in addition to password.

• Disabled: password-only login.

6.3.2. 2FA Required

Display: Yes or No status badge.

Description: whether Two-Factor Authentication is mandatory for your account.

• Required: you must complete 2FA to sign in.

• Not Required: 2FA is optional per policy.

Warning

If 2FA Required is enabled and you lose access to your authenticator device, contact an administrator for account recovery.

6.3.3. Requires Approval

Display: Yes or No status badge.

Description: whether sensitive operations on your account require administrative approval.

• Required: selected actions need approval workflow.

• Not Required: actions proceed without approval workflow.

6.4. Roles and Permissions

Each assigned role appears as a card in My Profile.

Element	Description
Role Name	Assigned role name (for example: System Admin, Zone Admin, VM Admin).
Default Badge	Indicates default role for operations.
Description	Role scope and purpose.
Permissions Count	Number of permissions in the role.
Permission Tags	Individual permission names (for example: VM_VIEW, VM_MANAGE, NETWORK_VIEW).

For complete default-role catalog and scope, use 9.4. Role Types.

6.5. Permission Tags Reference

Use these quick patterns:

• *_VIEW: read-only visibility.

• *_MANAGE: create/modify/delete operations.

• Combined assignment is additive across roles.

For full permission matrix, use 15. Appendix: Permission Reference.

6.6. Understanding Effective Permissions

• Role assignment is administrator-driven.

• Effective access is additive: your permission set is the union of all assigned role permissions.

• Zone/Pod/Cluster scope restrictions still apply even when role access is broad.

• Least-privilege review should be part of regular account audits.

6.7. What You Can and Cannot Do

You can:

• View your profile information and assigned roles.

• See permission tags assigned through your roles.

• Validate whether your current scope matches expected access.

You cannot (from My Profile):

• Change your username.

• Add or remove your own roles.

• Disable mandatory security requirements.

• Bypass approval requirements enforced by policy.

6.8. Related Tasks

• Manage other users: see 7. User Management.

• View or maintain role definitions: see 9. Role Management.

• Change policy-enforced security requirements: contact your administrator.

7. User Management

7.1. Step: Review Users Management Dashboard

When to Use:

Use this page to manage user access, monitor account status, and review role and security posture.

Purpose:

Get a centralized operational view of all users in the Control Center.

Users Management Dashboard showing account metrics, user table, and row-level actions.

Steps:

1. Open User Management from the left navigation.

2. Review summary cards: Total Users, Active Users, and Inactive Users.

3. Review table columns for target user: Full Name, Roles, Status, 2FA, Approval, Created, Last Updated.

4. Use row action icons to manage the selected user.

5. Use search and filters to narrow audit scope.

Expected Outcome:

• You can identify account state and security posture quickly.

• You can locate and manage target users from a single page.

If this fails:

1. Verify your account includes USER_MANAGE.

2. Confirm the account is in the correct domain/scope.

3. Contact an administrator if the page or actions are unavailable.

7.2. Summary Cards

Card	Description
Total Users	Total number of user accounts in the system.
Active Users	Users with active status who can currently access the system.
Inactive Users	Users with inactive status who cannot currently access the system.

Tip

Review Inactive Users regularly to identify accounts that should be removed after retention policy is met.

7.3. Users Table

Column	Description
Full Name	User’s complete name. Click the user row/name to open profile-level details.
Roles	Assigned roles; can collapse with +X more when many roles are assigned.
Status	Active or Inactive login state.
2FA	Two-Factor Authentication status.
Approval	Whether sensitive actions require approval.
Created	Account creation age in relative format.
Last Updated	Last account modification age in relative format.
Actions	Row-level controls for user operations.

7.4. Status, 2FA, and Approval

Status:

• Active: user can sign in and use permitted functions.

• Inactive: user cannot sign in.

2FA:

• Enabled: second authentication factor is required at login.

• Disabled: password-only authentication.

Approval:

• Required: selected sensitive actions require approval workflow.

• Not Required: actions execute directly within permission scope.

Warning

Administrative accounts should use 2FA Enabled and follow your approval policy for sensitive operations.

7.5. Quick Actions

Row action icons used for user management operations.

Action	Icon	Description
Edit	Pencil	Modify user information and selected account settings.
Assign Roles	Shield	Assign or revoke roles and permissions.
Reset Password	Key	Set a new temporary password for the user account.
Deactivate	Person-with-X (orange)	Disable account login access.

To open full user details:

1. Click the target user row (name).

2. Review profile information, security status, approvers, and assigned roles on the details page.

7.6. Step: Create New User

When to Use:

Use this when starting user onboarding from the dashboard.

Purpose:

Open the create flow entry point from User Management.

Steps:

1. Click + Create User.

2. Continue with 8.1. Workflow 1: Create New User for complete field, validation, and post-create steps.

Expected Outcome:

• Create-user drawer opens and workflow handoff is clear.

If this fails:

1. Confirm + Create User button visibility and access scope.

2. If action is unavailable, verify USER_MANAGE with administrator.

7.7. Filtering and Search

Use filters and search to run targeted audits:

• Filter by Status to review active or inactive accounts.

• Filter by 2FA to identify accounts requiring security hardening.

• Search by name or username to find a specific user.

• Use combined filters for account review, offboarding checks, and security audits.

7.8. Role Assignment Context

Roles shown on the dashboard should follow least-privilege design:

• Assign only roles required for the user job function.

• Remove unused roles during periodic audits.

• Use 6. My Profile for role definitions and permission-tag meaning.

7.9. User Lifecycle Overview

User lifecycle operations in this dashboard:

• Onboarding: create user, assign roles, validate access.

• Active management: update details, review roles, monitor 2FA and approval.

• Offboarding: set user inactive and remove unnecessary role access.

Detailed step-by-step procedures are in 8. User Lifecycle Workflows.

7.10. Security and Audit Best Practices

• Enforce strong passwords and 2FA for privileged accounts.

• Audit accounts and role assignments periodically.

• Deactivate or remove unused accounts.

• Keep user identity data (name/email) current.

• Maintain an audit trail for role and status changes.

8. User Lifecycle Workflows

8.1. Workflow 1: Create New User

When to Use:

Use this when onboarding a new user account.

Purpose:

Create a user account, apply minimum required access, and validate first-login scope.

Create New User drawer. Complete all required fields before submitting.

Required Fields

Field	What to Enter	Validation / Rule
Username	Permanent login ID (example: alice.johnson)	Must be unique; should follow org naming standard
Email	User’s active mailbox (prefer corporate email)	Must be valid format (name@domain)
Password	Strong temporary password for first login	Minimum 12 characters and include uppercase, lowercase, number, and special character
First Name	User’s given name	Required
Last Name	User’s family name	Required

Password Policy (Current Baseline)

Use this baseline when creating or resetting passwords in User Management:

• Minimum length: 12 characters

• Include at least one uppercase letter

• Include at least one lowercase letter

• Include at least one number

• Include at least one special character

Tip

For privileged accounts, use a password manager-generated value instead of a human-chosen password whenever policy allows it.

Steps:

1. Open User Management.

2. Click + Create User (top-right).

3. Fill all required fields in the drawer.

4. Click Create User.

5. Confirm the user appears in the list.

6. Click shield icon (Assign Roles) and grant minimum required role(s).

7. If governance requires it, click pencil icon (Edit User) and enable Requires Approval.

8. Securely hand off credentials and require password change at first login.

9. Validate module visibility after user logout/login.

Expected Outcome:

• User account is created and visible in User Management.

• Role assignment and security settings are applied.

• User can access only intended modules.

If this fails:

1. Confirm username/email uniqueness and required fields.

2. Re-check password policy compliance.

3. Verify role assignment was saved.

4. Retry with corrected values and re-test logout/login.

Total time: 3-4 minutes.

Note

Username is permanent. Plan a naming standard before onboarding large teams.

Tip

New users start with no roles by default. Account creation alone does not grant access.

8.2. Workflow 1 Validation Checklist

• User appears in User Management list

• Role is assigned

• Login succeeds with updated password

• User can access only intended modules

8.3. Workflow 2: Edit User Settings

When to Use:

Use this when account state, approval requirement, or 2FA requirement must be updated.

Purpose:

Apply account-control changes from the user edit drawer.

Edit User drawer for account and security controls.

Setting	Options	Effect
Account Status	Active enabled/disabled	Enable or disable login
Approval Settings	Requires Approval enabled/disabled	User actions need approval

Steps:

1. Open User Management.

2. Click pencil icon on the target user row.

3. Update Account Status as required.

4. Update Requires Approval and Require Two-Factor Authentication based on policy.

5. Click Save Changes.

6. Confirm changes persist after refresh or re-login.

Expected Outcome:

• Account and security settings are updated for the selected user.

• Updated controls remain consistent after session refresh.

If this fails:

1. Re-open edit drawer and verify selected toggle states.

2. Confirm you have permission to edit user settings.

3. Save again and re-test with a fresh login session.

Tip

Use Requires Approval for sensitive operator accounts where change oversight is needed.

8.4. Workflow 2 Validation Checklist

• Updated settings are visible after save

• User logout/login reflects new approval behavior

8.5. Workflow 3: Assign Roles

When to Use:

Use this when a user needs new access scope or role cleanup.

Purpose:

Assign least-privilege role sets from the role-assignment drawer.

Assign Roles drawer used to add or remove role memberships.

Steps:

1. Open User Management.

2. Find the target user row.

3. Click shield icon (Assign Roles).

4. Unselect roles no longer required.

5. Select minimum roles needed for the user job.

6. Click Save Changes.

7. Ask user to logout/login once to refresh session permissions.

Role selection baseline:

• Use 6.4. Roles and Permissions as the role-scope reference.

• Use 9. Role Management for role-definition and permission-design checks.

Expected Outcome:

• Role badges update on the user row immediately

• User menu visibility matches assigned role scope

• Restricted pages return access denied for unauthorized modules

If this fails:

1. Re-open Assign Roles and verify checkbox state.

2. Check for overlapping roles that broaden access unexpectedly.

3. Confirm session refresh (logout/login) was completed.

4. Re-test required page visibility.

Warning

Avoid assigning System Admin unless full platform control is explicitly required.

8.6. Workflow 3 Validation Checklist

• Selected role badges are visible for the user after save

• User can access allowed modules and cannot access restricted modules

• Role changes are documented with owner and reason

8.7. Workflow 4: Reset Password

When to Use:

Use this when a user cannot log in due to a forgotten or unknown password. The reset requires coordination between an administrator and the user. The administrator generates a one-time password (OTP) and shares it with the user out-of-band. The user then completes the reset from the login screen.

Step 1 (Admin): Generate OTP

Admin-side OTP generation dialog. Share the OTP via a secure out-of-band channel only.

1. Open User Management and locate the target user.

2. Click the key icon (Reset Password) on the user row.

3. The Reset Password — Generate OTP dialog appears with a one-time password.

4. Share the OTP with the user via a secure out-of-band channel (phone call or in-person).

Warning

Do not send the OTP over email or chat. The OTP expires in 15 minutes. Generating a new OTP invalidates the previous one.

5. Click Done to close the dialog.

Step 2 (User): Complete Reset from Login Screen

Login screen — click Forgot password? to start the reset flow.

1. Open the Control Center login screen.

2. Click Forgot password? below the Sign In button.

Reset Password form — enter username, OTP from admin, and new password.

3. On the Reset Password page, enter:

• Username — your account username.

• One-Time Password (OTP) — the OTP received from your administrator.

• New Password — minimum 8 characters, must include uppercase, number, and special character.

• Confirm New Password — re-enter the new password.

4. Click Reset Password.

Success confirmation — password has been reset and login is now available.

5. Confirm the success message: “Password reset successful. You can now sign in with your new password.”

6. Click Back to sign in and log in with the new password.

Expected Outcome:

• Password is updated and the user can log in immediately with the new credentials.

• Previous password no longer works.

If this fails:

1. Confirm the username entered matches the registered account exactly.

2. Check that the OTP has not expired (15-minute window). Ask admin to generate a new one if needed.

3. Confirm the new password meets the minimum complexity requirements shown on the form.

4. If the reset page is inaccessible, escalate to the administrator for an alternate recovery path.

Note

For recovery when no working admin session is available, follow Appendices under Credential Recovery Workflow.

8.8. Workflow 4 Validation Checklist

• Admin OTP dialog appeared after clicking the key icon

• OTP was shared via a secure out-of-band channel (not email or chat)

• User completed the reset form and saw the success confirmation

• User can log in with the new password

• Previous password no longer grants access

8.9. Workflow 5: Deactivate User

When to Use:

Use this when user access must be stopped (for example offboarding or temporary suspension).

Purpose:

Disable account login access while preserving account records.

Deactivate confirmation dialog before access is revoked.

Steps:

1. Open User Management and locate the target user.

2. Click the person-with-X icon (Deactivate) on the user row.

3. When the confirmation dialog appears, verify the username and click Deactivate.

4. Confirm the user row status changes to inactive.

Expected Outcome:

• Access terminated immediately

• Data preserved

• Reversible action

If this fails:

1. Confirm you are not trying to deactivate the last active admin account.

2. If the person-with-X icon is unavailable, click the pencil icon (Edit) and set Account Status to inactive.

3. Re-open the user row to confirm latest status.

Time: 30 seconds.

Warning

Never deactivate the last active System Admin account.

8.10. Workflow 5 Validation Checklist

• User status is shown as inactive

• User login is blocked

• Deactivation reason and timestamp are recorded

8.11. Workflow Troubleshooting

Workflow Symptom	Likely Cause	Immediate Fix
User created but cannot do any action	No role assigned	Open shield dialog and assign minimum required role
Role saved but UI access unchanged	Session cache still active	Ask user to logout/login and re-test
Password reset key icon not visible	Insufficient permission or feature not enabled	Confirm USER_MANAGE permission and retry
Deactivate blocked	Attempting to disable last critical admin	Assign backup admin first, then retry

9. Role Management

9.1. Step: Review Roles Management Dashboard

When to Use:

Use this page to review role inventory, permission scope, and custom-role governance.

Purpose:

Manage role definitions centrally and ensure role design remains aligned with least-privilege policy.

Roles Management dashboard with summary cards and role list.

Steps:

1. Open Role Management.

2. Review summary cards: Total Roles, Default Roles, and Custom Roles.

3. Review table fields: Role Name, Permissions, Total Permissions, and Actions.

4. Open role details for role-level review.

5. Create or delete custom roles as required by policy.

Expected Outcome:

• Role inventory and scope are visible from one dashboard.

• You can distinguish system roles from custom roles.

• You can run role cleanup and role creation workflows safely.

If this fails:

1. Verify your account has USER_MANAGE.

2. Confirm role-management visibility in your current domain/scope.

3. Escalate to an administrator if dashboard actions are unavailable.

9.2. Summary Cards

Card	Description
Total Roles	Total number of roles in the system (default + custom roles).
Default Roles	Pre-defined system roles (for example: System Admin, Zone Admin, VM Admin).
Custom Roles	User-created roles for organization-specific needs.

Tip

Use default roles first. Create custom roles only when default scope does not satisfy a real job-function requirement.

9.3. Roles Table

Column	Description
Role Name	Role name and technical identifier; Default badge marks system roles.
Permissions	Preview of permission tags; can collapse as +X more.
Total Permissions	Total permission count granted by the role.
Actions	Role management action (delete available for custom roles).

9.4. Role Types

9.4.1. Default/System Roles

Characteristics:

• System-provided baseline roles.

• Not editable.

• Not deletable.

• Designed for common administrative and operational functions.

Available default roles:

Role	Scope	Typical Permissions
System Admin	Full system administration	36
ZONE Admin	Zone-level administration	13
POD Admin	Pod-level administration	11
Cluster Admin	Cluster-level administration	12
VM Admin	Virtual machine management	8
Network Admin	Network configuration management	5
Node Admin	Comprehensive infrastructure management	24
Power Admin	Power and facility management	5
Netbox Admin	Network inventory/IPAM management	5
Storage Admin	Storage configuration and management	5

9.4.2. Custom Roles

Characteristics:

• Created by administrators.

• Editable and deletable.

• Intended for specific organizational job functions.

When to create custom roles:

• Specialized job functions not covered by default roles.

• Restricted vendor/contractor scopes.

• Read-only or compliance-focused access patterns.

• Granular access control requirements.

9.5. Permission Categories

Permissions are grouped by functional categories such as USER, VM, NETWORK, STORAGE, NODE, and SECURITY.

For the full category and permission matrix, use 15. Appendix: Permission Reference.

9.6. Step: Create Custom Role

When to Use:

Use this when an approved job function requires scope not covered by default roles.

Purpose:

Create a role with only required permissions for that function.

Create Custom Role drawer for role creation.

Steps:

1. Click + Create.

2. Enter Role Name.

3. Enter Role Type.

4. Add Description for role purpose and use case.

5. Select required permissions.

6. Click Create Role.

Expected Outcome:

• Role appears in the dashboard as a custom role.

• Role is available for immediate assignment in user-permission workflows.

If this fails:

1. Check for duplicate role name/type.

2. Validate required fields and permission selection.

3. Retry after correcting validation errors.

9.7. Role Operations

View role details:

• Click role name to review complete permissions and role context.

Edit custom roles:

• Open custom role.

• Update metadata or permissions.

• Save changes.

Delete custom roles:

• Use delete action for custom role.

• Confirm deletion.

• Verify no active user dependency before deletion.

Warning

Deleting a custom role removes that permission set from users assigned to that role.

Assign roles to users:

1. Open User Management.

2. Select target user.

3. Click shield icon (Assign Roles).

4. Select role(s) and save.

9.8. Permission Combination Model

• Permissions are cumulative across assigned roles.

• Effective user permission set is the union of all assigned role permissions.

• Combine roles only when required by job function.

9.9. Best Practices

• Keep role names meaningful and standardized.

• Avoid creating many overlapping custom roles.

• Document purpose and ownership for each custom role.

• Review and audit role usage regularly.

• Apply least privilege for both role design and role assignment.

9.10. Troubleshooting

User cannot access expected resource:

1. Verify assigned role(s).

2. Verify role includes required permission tags.

3. Assign missing role/permission scope.

Too many similar custom roles:

1. Audit current custom roles.

2. Consolidate overlapping role definitions.

3. Reassign users to consolidated roles.

4. Delete redundant roles.

10. License

10.1. Step: Review License Overview

When to Use:

Use this when you need to verify current license state and start license upload.

Purpose:

Review the License overview UI and identify the upload entry points.

License overview page showing no license state and upload actions.

Steps:

1. Open User -> License.

2. Keep Overview selected.

3. Review the current state message (for example No license uploaded).

4. Confirm the Upload license action is visible (top-right and center button).

Expected Outcome:

• Current license state is clear.

• You can start license upload from the same screen.

If this fails:

1. Refresh the page and re-open User -> License.

2. If the page still does not load, capture the error and contact your administrator.

10.2. Step: Follow Trial to Paid License Flow

When to Use:

Use this to understand when upgrade is required and what happens after upload.

Purpose:

Understand trial limits, upgrade trigger, and paid-license activation behavior.

Steps:

1. Customer installs the software.

2. Free trial starts automatically.

3. Trial allows up to 2 Sockets for 365 days.

4. If customer needs more than 2 Sockets, upgrade to paid license.

5. If 365 days ends, trial expires and product requires upgrade.

6. Customer contacts sales and receives a license file (valid for 24 hours from send time).

7. Customer uploads the license file in product.

8. If file is valid, product unlocks and paid license is active for all sockets.

9. If file is expired or wrong, upload fails and customer must contact sales for a new file.

Expected Outcome:

• You can decide correctly between trial usage and paid-license activation.

• Socket-based limit is interpreted as 2 Sockets (not hosts) in the trial flow.

If this fails:

1. Re-check the trial-to-paid steps in this section.

2. Escalate policy mismatch to the licensing owner before taking action.

Warning

Free trial threshold is 2 Sockets.

Note

If on-screen text differs from this section, confirm current entitlement policy with licensing administrator/sales before acting.

Warning

License file from sales is valid for 24 hours from the time it is sent.

10.3. Step: Upload License File

When to Use:

Use this when a paid license file is received and ready to be applied.

Purpose:

Upload and activate the received license file.

Upload license modal with file selection and submit actions.

Steps:

1. On the License page, click Upload license.

2. In the modal, click Browse... and select the license file.

3. Click Upload.

4. Wait for activation result.

Expected Outcome:

• Valid file activates automatically.

• License state updates from trial/no-license state to active paid license state.

If this fails:

1. Confirm the file is the latest one sent by sales.

2. Retry upload with the correct file.

3. If error indicates expired/wrong file, request a new license from sales.

10.4. Step: Review Nodes Socket Registrations

When to Use:

Use this when validating socket registration details for the current license context.

Purpose:

Verify node-level socket registration records from the License page.

License Nodes tab with socket registration inventory.

Steps:

1. Open User -> License.

2. Click Nodes tab.

3. Review registration table columns: Name, Vendor, UUID, Sockets, Registered, Status.

4. Compare registered socket counts with expected trial/paid state.

Expected Outcome:

• You can see node registration records and socket counts.

• You can validate whether registered sockets align with current license state.

If this fails:

1. Refresh the page and re-open Nodes.

2. If node registration list is still missing or stale, capture screenshot evidence and escalate to support.

Note

If you have any questions or queries, contact or email support@karios.com and the team will assist you.

11. Security Best Practices

11.1. Account Security Matrix

User Type	Approval Requirement	Review Frequency	Max Roles
System Admin	Recommended	Monthly	1-2
Department Admin	Recommended	Quarterly	2-3
Standard User	Optional	Quarterly	1-2
Service Account	N/A	Monthly	1

11.2. Access Control Principles

• Least privilege

• Assign minimum necessary roles

• Quarterly access reviews

• Immediate deactivation on departure

• Document all changes

11.3. User Creation Checklist

Final validation references:

• 8.2. Workflow 1 Validation Checklist

• 8.6. Workflow 3 Validation Checklist

• 8.10. Workflow 5 Validation Checklist (if deactivation/offboarding is part of the run)

• 12.2. Quick Fixes for immediate remediation paths

Note

Verification means confirming both login success and correct permission boundaries (not just access).

11.4. First-Time Admin Validation Checklist

• Can you create a user without errors?

• Can you assign and update roles?

• Can you validate approval requirements for an admin account?

• Can you deactivate and reactivate a non-critical user?

• Is each change documented with owner and reason?

12. Troubleshooting Guide

12.1. Common Issues Decision Flow

If user cannot log in:

1. Check account status (Inactive -> enable account).

2. Check role assignment (No roles -> assign role).

3. Check credential accuracy and account state updates.

4. If issue persists, review logs and contact support.

Tip

Most login failures are caused by inactive accounts, missing roles, or stale sessions.

Note

Use administrator-driven password reset through User Management. For recovery when no working admin session exists, follow Appendices under Credential Recovery Workflow.

12.2. Quick Fixes

Problem	Solution	Time
Password reset needed	Use admin-driven reset in User Management or the appendix recovery workflow	1-5 min
User cannot log in	Check Active status and enable	30 sec
Insufficient permissions	Assign appropriate role via shield icon	1 min
Role not effective	User logout/login to refresh session	1 min
Cannot deactivate user	Check if last System Admin	2 min
User cannot see expected menu	Verify assigned role includes matching *_VIEW permission	1 min

12.3. Post-Restart Verification Checklist

Run this checklist after a full app restart:

1. Login with an admin account and open User Management.

2. Confirm user counts load (Total, Active, Inactive) without errors.

3. Open Role Management and confirm default/custom role lists render.

4. Open one non-critical test user and save a no-risk edit (for example, toggle a non-production setting and revert).

5. Validate role assignment flow by opening the shield dialog and confirming roles are selectable.

6. Confirm updated permissions are applied only after user logout/login.

Done criteria:

• No UI errors across user and role pages

• Read/write user management actions complete successfully

• Permission boundaries remain intact

12.4. Escalation Data to Collect

When raising an issue to platform administrators or support, collect:

• Username affected and account status (Active/Inactive)

• Role assignments before and after the issue

• Exact failing action and timestamp

• Whether issue persists after logout/login

• Relevant error text from UI

• Whether approval is enabled for the account

13. Quick Reference

13.1. Essential Actions

Task	Navigation	Canonical Procedure
Create User	User Management -> +	8.1. Workflow 1: Create New User
Assign Roles	User Management -> Shield	8.5. Workflow 3: Assign Roles
Reset Password	User Management -> Key icon	8.7. Workflow 4: Reset Password
Deactivate User	User Management -> Person-with-X icon	8.9. Workflow 5: Deactivate User
Create Custom Role	Role Management -> +	9.6. Step: Create Custom Role

13.2. Status Indicators

Symbol	Meaning	Context
Active/Enabled	Operational	Account status
Required	Action pending	Approval needed
Inactive/Disabled	Not operational	Account disabled
Default Role	System-provided role	Role list
Custom Role	User-created role	Role list

13.3. Permission Quick Reference

Permission Pattern	Example	Meaning
RESOURCE_VIEW	VM_VIEW	Read-only access
RESOURCE_MANAGE	VM_MANAGE	Full control
RESOURCE_CLIENT_TYPE	STORAGE_CLIENT_NFS	Specific client access

13.4. Role Assignment Guide

• Infrastructure Admin -> System Admin

• Zone Manager -> ZONE Admin

• VM Operations -> VM Admin

• Network Engineer -> Network Admin

• Storage Engineer -> Storage Admin

• Hardware Tech -> Node Admin

• Security Auditor -> Custom (view permissions)

• Backup Operator -> Custom (storage permissions)

13.5. Common New-User Pitfalls

• Creating users but forgetting role assignment (user can log in but cannot do work)

• Assigning overly broad roles instead of least privilege

• Deactivating accounts without documenting reason and owner

14. Key Points Summary

14.1. User Management Essentials

• Create users with unique credentials and corporate email

• Assign minimum necessary roles (least privilege)

• Deactivate immediately upon employee departure

• Review access quarterly for compliance

14.2. Role Management Essentials

• Use default roles when possible

• Create custom roles only for unique requirements

• Document role purpose clearly

• Test custom roles before production assignment

• Review permissions after system updates

Security Essentials

• Strong passwords (minimum 12 characters with complexity)

• Immediate deactivation for security incidents

• Access reviews every 90 days

• Audit trail for all access changes

15. Appendix: Permission Reference

Category	VIEW	MANAGE	Additional
ACCOUNT	ACCOUNT_VIEW	ACCOUNT_MANAGE
CLUSTER	CLUSTER_VIEW	CLUSTER_MANAGE
CONTROL	CONTROL_CENTER_VIEW	CONTROL_CENTER_MANAGE
COOLING	COOLING_VIEW	COOLING_MANAGE
DOMAIN	DOMAIN_VIEW	DOMAIN_MANAGE
LOGS	LOGS_VIEW	LOGS_MANAGE
MANAGEMENT	MANAGEMENT_SERVER_VIEW
NETBOX	NETBOX_VIEW	NETBOX_MANAGE
NETWORK	NETWORK_VIEW	NETWORK_MANAGE
NODE	NODE_VIEW	NODE_MANAGE	NODE_CONSOLE
POD	POD_VIEW	POD_MANAGE
POWER	POWER_VIEW	POWER_MANAGE
SECURITY	SECURITY_VIEW	SECURITY_MANAGE
STORAGE	STORAGE_VIEW	STORAGE_MANAGE	STORAGE_CLIENT_ISCSI, STORAGE_CLIENT_MFS, STORAGE_CLIENT_NFS, STORAGE_CLIENT_S3, STORAGE_CLIENT_SEAWEEDFS, STORAGE_CLIENT_SMB
USER	USER_VIEW	USER_MANAGE
VM	VM_VIEW	VM_MANAGE
ZONE	ZONE_VIEW	ZONE_MANAGE

Permission totals vary by deployment and enabled modules. Validate live totals in the role details page before audit decisions.

Success Checkpoint

After this section, you should be able to:

• create, edit, and deactivate users safely

• assign roles based on least privilege

• enforce core access controls (approvals and least privilege)

• troubleshoot common user and role problems

---

→ Next: Karios Forge