Local user management

Administrators manage local user accounts in Corelight Investigator to grant users direct access with an email and password. This function serves two key purposes: day-to-day user administration and the critical task of maintaining a local administrator account for emergency access when using single sign-on (SSO).

Before you begin

Review the following permissions, roles, and account statuses before you start managing local users.

Required permissions

Only users with the Admin role can create, modify, or delete other local user accounts.

User roles

The following roles are available for local users:

  • Admin: Can configure system settings and manage all users.

  • Analyst: Can investigate detections and manage cases.

  • Viewer: Has read-only access to detections.

User status

Every local user account has a status that determines its access level:

  • Invited: An invitation email was sent, but the user hasn’t completed their account registration. The temporary credentials in the invitation expire in 7 days.

  • Active: The user accepted the invitation and completed their account registration. An administrator can change a user’s status from Active to Inactive at any time.

  • Inactive: The user account is suspended and the user cannot log in. The account's settings and data are preserved. An administrator can change a user’s status from Inactive to Active at any time.

User management tasks

This section provides step-by-step instructions for the most common user management procedures.

Add a new user

  1. From System Settings in the left navigation, select Users & Access.

  2. Click the + Add User button.

  3. Provide the following user details:

    • Alias: A nickname for the account (30-character limit). The user can change their own alias later, but an admin cannot edit it after creation.

    • Email: The user’s login name and the address for the invitation email. This field is permanent and cannot be changed after the user is created. To update an email, you must delete and re-create the user’s account.

    • Role: Assign the user’s role (Admin, Analyst, or Viewer).

  4. (Optional) To create the account without providing immediate access, select Create User As Inactive. The user is created in an inactive state, and the system sends the welcome email only when you later change the user's status to Active.

  5. Click Create.

Important

The registration link in the invitation email expires after 7 days. If the user doesn’t register in time, you must delete their Invited account and create it again to send a new invitation.

After you click Create, the system sends an invitation email to the user. The user must click the link in the email to complete their registration.

Edit a user’s role or status

  1. From the Users & Access page, click the edit icon in the Actions column for the desired user.

  2. In the Edit User dialog, change the user’s Role or Status as needed.

  3. Click Save.

Important

An admin cannot change a user’s Alias or Email. While the email address is obscured on the main user list for privacy, it is fully visible when creating or editing a user. To update an email address, you must delete and re-create the user’s account.

After saving, the user receives an email notification. If a user’s role is changed, they will be automatically logged out and must sign in again for the new permissions to take effect.

Change the status of multiple users

  1. From the Users & Access page, select the checkboxes next to the users you want to modify.

  2. Click the Activate or Deactivate button that appears at the top of the list.

Delete a user

  1. From the Users & Access page, select the checkbox next to one or more users that you want to delete.

  2. Click the Delete button that appears at the top of the list.

  3. Confirm the action in the prompt. This permanently removes the user account(s).

Local accounts in a single sign-on environment

When SAML SSO is the active authentication method for your tenant, the behavior of local user management changes significantly.

Important

With SSO active, the Users tab becomes read-only. The user management tasks (invite, edit, delete) are disabled to ensure your Identity Provider (IdP) remains the single source of truth.

Creating a local administrator for backup access

Creating and managing a local administrator account for emergency access during an SSO outage involves a specific, multi-step procedure. This includes rules for choosing an email domain, securing the account with MFA, and a more complex workflow if SSO is already enabled.

For the complete guide on how to create, secure, and manage this backup account, see SAML SSO user management.