Managing local users
Administrators manage local user accounts in Investigator to grant users direct access using an email and password.
Local authentication is primarily used for two key purposes:
Standard administration: Local user accounts are the primary method for daily user access and administration when no centralized Identity Provider (IdP) is used.
Emergency access: A dedicated local administrator account ensures system access if Single Sign-On (SSO) becomes unavailable.
Note
When SSO is enabled, the dedicated local administrator operates independently of your IdP. It is strictly reserved for emergency access to ensure you can always log in to the system.
User roles and permissions
Only users with the Admin role can create, modify, or delete user accounts. When creating a user, you must assign one of the following roles:
Admin: Full access to configure system settings and manage all users.
Analyst: Operational access to investigate detections and manage cases.
Viewer: Read-only access to view detections.
User status definitions
Every local user account has a status that determines its access level:
Invited: An invitation email was sent, but the user has not yet completed their account registration. The temporary credentials in the invitation expire in 3 days.
Active: The user accepted the invitation and completed their account registration. An Admin can change a user’s status from Active to Inactive at any time.
Inactive: The user account is suspended and the user cannot log in. Their account settings and data are preserved. An Admin can change a user’s status from Inactive to Active at any time.
User management tasks
This section provides step-by-step instructions for the most common user management procedures.
Add a new user
To create a new local user account:
From System Settings in the left navigation, select Users & Access.
Click the + Add User button.
Enter the user details:
Alias: A display nickname for the account (30-character limit). The user can change their own alias later, but an Admin cannot edit it after creation.
Email: The user’s login name and the address for the invitation email. This field is permanent and cannot be changed after the user is created. To update an email, you must delete and re-create the user’s account.
Role: Assign the user’s role (Admin, Analyst, or Viewer).
(Optional) To create the account without providing immediate access, select Create User As Inactive. The user is created in an inactive state, and the system sends the welcome email only when you later change the user’s status to Active.
Click Create.
Important
Account details: The Admin cannot change the Alias or Email address after the account is created. To correct an email, the Admin must delete the user account and create a new one.
User registration and invitation expiration: The system sends an invitation email immediately upon creation. The user must click the registration link within 3 days to complete their registration. If the link expires, you must delete the pending Invited account and create it again to send a new invitation.
Edit a user’s role or status
To modify an existing user’s permissions or account status:
From the Users & Access page, click the edit icon in the Actions column for the desired user.
In the Edit User dialog, change the user’s Role or Status as needed.
Click Save.
Important
Edit restrictions: An Admin cannot change a user’s Alias or Email in this dialog. While the email address is obscured on the main user list for privacy, it is fully visible when creating or editing a user. To update an email address, the Admin must delete and re-create the user’s account.
Consequences of change: After saving, the user receives an email notification. If a user’s role is changed, they will be automatically logged out and must sign in again for the new permissions to take effect.
Change the status of multiple users
From the Users & Access page, select the checkboxes next to the users you want to modify.
Click the Activate or Deactivate buttons that appear at the top of the list.
Delete a user
From the Users & Access page, select the checkbox next to one or more users that you want to delete.
Click the Delete button that appears at the top of the list.
Confirm the action in the prompt. This permanently removes the user account(s) and cannot be undone.
Local accounts in a single sign-on environment
If you have enabled SSO, the behavior of the Users & Access page changes to ensure your Identity Provider (IdP) remains the source of truth for all SSO users.
Read-only mode: The Users tab becomes read-only for standard management tasks. You cannot invite, edit, or delete users who authenticate via SSO.
Daily system administration: Routine configuration and system management tasks are typically handled by an SSO user whose identity is provided by the IdP and who has been mapped to the Admin role.
Emergency local login: The only local user required to log in directly is the local administrator (created before enabling SSO). This account uses the standard email/password fields on the login page, effectively bypassing the SSO redirect for disaster recovery.
Creating the local administrator
Creating the local administrator for emergency backup involves a specific set of requirements, including the use of a non-SSO email domain (for example, @gmail.com) to prevent the account from linking to the IdP.
For the complete guide on how to create and secure this specific local administrator account, see Configuring SAML Single Sign-on.
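One way to check an account list against the emergency-access and invitation rules described on this page, as an added example that is not Investigator's own code. The record fields (email, role, status, invited_at), the SSO domain list and the sample users are constructed assumptions, since this page documents no export or API.

```python
from datetime import datetime, timedelta, timezone

INVITE_TTL = timedelta(days=3)  # invitation lifetime stated on this page


def audit_local_users(users, sso_domains, now):
    """Audit local-user records (hypothetical dict shape, see SAMPLE_USERS)."""
    sso = {d.lower().lstrip("@") for d in sso_domains}
    findings = {"expired_invites": [], "admins_on_sso_domain": [], "break_glass": []}
    for u in users:
        domain = u["email"].rsplit("@", 1)[-1].lower()
        invited_at = u.get("invited_at")
        # Invited accounts older than 3 days hold a dead link: delete and re-create.
        if u["status"] == "Invited" and invited_at and now - invited_at > INVITE_TTL:
            findings["expired_invites"].append(u["email"])
        if u["role"] == "Admin":
            if domain in sso:
                # The page requires a non-SSO domain so the account cannot link to the IdP.
                findings["admins_on_sso_domain"].append(u["email"])
            elif u["status"] == "Active":
                # Usable emergency login: Active, Admin role, non-SSO domain.
                findings["break_glass"].append(u["email"])
    findings["has_break_glass"] = bool(findings["break_glass"])
    return findings


# Constructed sample data; example.com plays the SSO-managed domain.
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"email": "alice@example.com", "role": "Admin", "status": "Active", "invited_at": None},
    {"email": "breakglass@example.net", "role": "Admin", "status": "Active", "invited_at": None},
    {"email": "bob@example.net", "role": "Analyst", "status": "Invited",
     "invited_at": NOW - timedelta(days=4)},
    {"email": "carol@example.net", "role": "Viewer", "status": "Invited",
     "invited_at": NOW - timedelta(days=1)},
    {"email": "dave@example.net", "role": "Admin", "status": "Inactive", "invited_at": None},
]

if __name__ == "__main__":
    for key, value in audit_local_users(SAMPLE_USERS, ["example.com"], NOW).items():
        print(f"{key}: {value}")
```

An Inactive local Admin (dave in the sample) is deliberately not counted as emergency access, because an Inactive account cannot log in.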