Users, roles & 2FA
Managing who can sign in to the dashboard, what they can do, and securing those accounts.
Roles
| Role | Scope | Can do |
|---|---|---|
| member | one tenant | view the workspace |
| tenant_admin | one tenant | manage that tenant's policy, collectors, approvals, users |
| kilasec_staff | all tenants | everything above across every tenant, plus Fleet health and impersonation |
Roles are set on the server, not self-selected. Customers get member / tenant_admin; Kilasec operators are kilasec_staff.
Inviting people
Access is invite-based — there's no open signup.
- A customer admin is onboarded via an invite link (staff mint it on the Invites page). The link is single-use, time-bounded (default 72h), and revocable. Redeeming it creates their account and signs them in.
- Additional teammates are added by an existing admin from Users & Roles (see Add a teammate).
Two-factor authentication (2FA)
Kilasec supports authenticator-app 2FA (TOTP) with one-time recovery codes.
Enrolling — in Settings → Two-factor authentication, choose Set up 2FA, scan the QR with any authenticator app (Google Authenticator, 1Password, Authy) or enter the key manually, then confirm with a code. You're shown recovery codes once — save them; each works one time if you lose your authenticator.
Signing in with 2FA — after your password, you're prompted for the 6-digit code (or a recovery code). The password step alone does not create a session on a 2FA account.
Turning it off — requires re-entering your password, so a hijacked session can't silently strip the second factor.
Policy: staff should enroll
2FA is required for Kilasec staff accounts (they hold cross-tenant power) and optional for tenant users. Staff who haven't enrolled see a persistent nudge; it's a strong prompt rather than a hard lock so a misconfiguration can't lock the sole administrator out. Turn it on for staff before onboarding real customers.
Lost authenticator (lockout recovery)
If someone loses their authenticator and burns through their recovery codes, a Kilasec staff admin can reset their 2FA (Users, per-user action) — the user then signs in with just their password and re-enrolls. This is the only way back in, so keep at least one staff account recoverable.
Changing a login email
Login email can be changed without disturbing the password or 2FA (they're keyed to the account, not the address). Staff use the admin CLI on the cloud host:
python -m cloud.admin_cli users set-email old@example.com new@example.comThe account then signs in under the new address with the same password and authenticator.