User Management

This guide covers how administrators manage users and control access to the CGIAR Risk Intelligence Tool. All user management features require Admin role privileges.
Admin Access Required: Only users with administrator privileges can access user management features. Regular users can only manage their own profile.

Overview

The platform uses AWS Cognito for user authentication and access control. Administrators can:
  • Create new user accounts
  • Assign roles and permissions
  • Enable or disable accounts
  • Reset user passwords
  • View user activity
  • Delete accounts

Accessing User Management

1. Click your profile menu in the top-right corner
2. Select “Admin Panel” from the dropdown
3. Click “User Management” in the admin navigation

User Management Dashboard

The main view displays all platform users in a paginated table with:

Columns:
  • User: Avatar, name, and last login date
  • Email: User’s email address (also the username)
  • Role: Admin or User badge (color-coded)
  • Status: Active (green) or Inactive (gray) badge
  • Actions: Edit and delete buttons

Table Features:
  • Search by name or email
  • Filter by role (All, Admin, User)
  • Filter by status (All, Active, Inactive)
  • Pagination (60 users per page)

Creating New Users

1. Open Create User Modal
   Click the “Add User” button in the top-right corner of the User Management page.

2. Enter User Details
   Provide the following information:

   Required Fields:
   • Email: User’s email address (becomes their username)
   • Temporary Password: Initial password (minimum 8 characters)

   Optional Settings:
   • Send Welcome Email: Toggle to automatically email login instructions
   • Assign Admin Role: Check to grant administrator privileges

   Password Requirements:
   • Minimum 8 characters
   • At least one uppercase letter
   • At least one lowercase letter
   • At least one number
   • At least one special character (!@#$%^&*)

3. Assign Role
   Choose the appropriate access level:

   Role            Permissions                                                  Use For
   User (default)  Create assessments, view own reports, add comments           Risk analysts, project managers, standard users
   Admin           All User permissions + user management + prompt management   Platform administrators, technical leads

   Admin Privileges: Admin users can access User Management, Prompt Manager, and all system configuration areas. Grant this role carefully.

4. Create Account
   • Review all entered information
   • Click “Create User”
   • System creates the account in Cognito
   • If “Send Welcome Email” was enabled, user receives login instructions
   • New user appears in the table immediately

Welcome Email

When enabled, new users receive an automated email with:
• Platform welcome message
• Login URL: https://[your-domain]/login
• Their username (email address)
• Temporary password
• Instructions to change password on first login
Password Change Required: All new users must change their temporary password on first login. This is a Cognito security requirement.
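
As an added example (not part of this guide or the platform’s own code), the Create User step expressed against the Cognito admin API with boto3-style calls: it checks the temporary password against the policy above, suppresses Cognito’s invitation mail when the welcome-email toggle is off, and adds the user to the admin group when the admin role is checked. The pool id, the sample address and the FakeCognitoAdmin stand-in are assumptions made so the block runs offline; with AWS credentials, pass boto3.client("cognito-idp") instead.

```python
import secrets
import string

SPECIALS = "!@#$%^&*"  # the special characters this guide's password policy names

def temp_password_problems(pw):
    """Return the rules of the guide's temporary-password policy that the candidate violates."""
    rules = [
        (len(pw) >= 8, "minimum 8 characters"),
        (any(c.isupper() for c in pw), "at least one uppercase letter"),
        (any(c.islower() for c in pw), "at least one lowercase letter"),
        (any(c.isdigit() for c in pw), "at least one number"),
        (any(c in SPECIALS for c in pw), "at least one special character (!@#$%^&*)"),
    ]
    return [msg for ok, msg in rules if not ok]

def random_temp_password(length=16):
    """Random temporary password from the OS CSPRNG, resampled until every policy rule holds."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not temp_password_problems(pw):
            return pw

def create_platform_user(cognito, user_pool_id, email, temp_password, send_welcome_email=True, make_admin=False):
    """Mirror the Create User modal: validate, create the account in Cognito, optionally add it to the admin group."""
    problems = temp_password_problems(temp_password)
    if problems:
        raise ValueError("temporary password rejected: " + "; ".join(problems))
    kw = dict(UserPoolId=user_pool_id, Username=email, TemporaryPassword=temp_password,
              UserAttributes=[{"Name": "email", "Value": email}], DesiredDeliveryMediums=["EMAIL"])
    if not send_welcome_email:
        kw["MessageAction"] = "SUPPRESS"  # no invitation mail: the admin hands the password over out of band
    created = cognito.admin_create_user(**kw)
    if make_admin:
        cognito.admin_add_user_to_group(UserPoolId=user_pool_id, Username=email, GroupName="admin")
    return created["User"]["UserStatus"]  # FORCE_CHANGE_PASSWORD until the user completes first login

class FakeCognitoAdmin:
    """Constructed offline stand-in for boto3.client('cognito-idp') that records the calls it receives."""
    def __init__(self):
        self.calls = []
    def admin_create_user(self, **kw):
        self.calls.append(("admin_create_user", kw))
        return {"User": {"Username": kw["Username"], "UserStatus": "FORCE_CHANGE_PASSWORD"}}
    def admin_add_user_to_group(self, **kw):
        self.calls.append(("admin_add_user_to_group", kw))
        return {}
```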

Editing User Details

1. Open Edit User Modal
   Click the pencil icon (✏️) next to any user in the table.

2. Update User Attributes
   You can modify:

   Editable Attributes:
   • Email: Change user’s email address
   • Name: Update display name
   • Role: Add or remove admin privileges
   • Custom attributes: Any additional Cognito attributes

   Read-Only Information:
   • Username (cannot be changed)
   • Account creation date
   • Last login timestamp
   • Cognito user ID

3. Manage Groups
   Assign or remove user from groups:

   Available Groups:
   • admin: Grants full administrative access
   • Additional groups can be created via Cognito console

   To add admin privileges:
   • In the Edit modal, locate “Groups” section
   • Click “Add to admin group”
   • User immediately gains admin permissions

   To remove admin privileges:
   • Click the × next to “admin” tag
   • Confirm removal
   • User reverts to standard user permissions

4. Save Changes
   Click “Save Changes” to apply updates. Changes take effect immediately.

Resetting User Passwords

Administrators can set new temporary passwords for users:

1. Access Password Reset
   • Click Edit (✏️) on the user
   • In the Edit User modal, click “Reset Password” button

2. Set Temporary Password
   • Enter a new temporary password meeting requirements
   • Click “Reset Password”
   • System updates the password in Cognito

3. Notify the User
   After resetting:
   • Share the temporary password securely (not via email)
   • Inform user they’ll need to change it on next login
   • User will see “NEW_PASSWORD_REQUIRED” challenge when logging in

Forced Password Change: Users with reset passwords cannot access the platform until they set a new permanent password through the login flow.

Enabling and Disabling Users

Disable a User Account

To temporarily revoke access without deleting:
1. Click Edit (✏️) on the user
2. Click “Disable User” button
3. Confirm the action
4. User status changes to Inactive (gray badge)
Effects of disabling:
• User cannot log in
• Active sessions are terminated
• All data and assessments are preserved
• Account can be re-enabled at any time

Re-enable a User Account

1. Click Edit (✏️) on the disabled user
2. Click “Enable User” button
3. Confirm the action
4. User status changes to Active (green badge)
5. User can immediately log in again
Use Cases for Disabling:
• Employee on extended leave
• Suspected security issues requiring investigation
• Temporary suspension pending review
• Account cleanup before final deletion

Deleting Users

Permanent Action: Deleting a user is irreversible. The user account and all authentication data are permanently removed from Cognito. Their assessments and data remain in the database.

1. Initiate Deletion
   From the user table:
   • Click the trash icon (🗑️) next to the user, or
   • Click Edit (✏️) and then the “Delete User” button in the modal

2. Confirm Deletion
   A confirmation dialog appears:

       Delete User

       Are you sure you want to delete [email]?
       This action cannot be undone.

       [Cancel] [Delete]

   Click “Delete” to proceed.

3. What Gets Deleted
   Removed:
   • Cognito user account
   • Login credentials
   • User attributes and groups
   • MFA settings

   Preserved:
   • Assessments created by the user (ownership transferred to system)
   • Comments and activity logs (attributed to deleted user ID)
   • Historical audit trails

Searching and Filtering

Search Users

Use the search bar at the top of the table:
1. Type user name or email (partial matches work)
2. Results filter in real-time
3. Search is case-insensitive
4. Clear search to see all users

Filter by Role

Use the Role dropdown:
• All Roles: Show everyone (default)
• Admin: Show only administrators
• User: Show only regular users
Filtering resets to page 1.

Filter by Status

Use the Status dropdown:
• All Statuses: Show everyone (default)
• Active: Show only enabled users
• Inactive: Show only disabled users
Combine with role filter for precise queries (e.g., “Show inactive admins”).

Combined Filtering

All filters work together:
• Search: “smith”
• Role: “Admin”
• Status: “Active”
Result: Active administrators with “smith” in name or email.

Pagination

The user table supports cursor-based pagination.
Navigation:
• Previous button (◀): Go back one page
• Page indicator: Shows current page number
• Next button (▶): Advance to next page
Limits:
• Maximum 60 users per page (Cognito limit)
• Default: 60 users per page
• Filters reset pagination to page 1
Large User Bases: For organizations with 500+ users, use filters and search to narrow results instead of browsing all pages.
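
An added example (not the platform’s own code) of how the table described in the Searching and Filtering and Pagination sections can be served from Cognito: ListUsers is called with the 60-user limit and its PaginationToken cursor, the status filter is pushed down to Cognito, and role (membership of the admin group) and partial-match search are applied client-side, which this example assumes is necessary because ListUsers only supports prefix filters on a single attribute. The pool id, the FakeCognitoPool stand-in and its three users are constructed for offline running; a real deployment passes boto3.client("cognito-idp").

```python
COGNITO_PAGE_MAX = 60  # ListUsers returns at most 60 users per call, hence the table's 60-per-page limit

def admin_usernames(cognito, user_pool_id):
    """Members of the admin group; ListUsersInGroup paginates with NextToken, not PaginationToken."""
    names, token = set(), None
    while True:
        extra = {"NextToken": token} if token else {}
        resp = cognito.list_users_in_group(UserPoolId=user_pool_id, GroupName="admin", Limit=COGNITO_PAGE_MAX, **extra)
        names.update(u["Username"] for u in resp["Users"])
        token = resp.get("NextToken")
        if not token:
            return names

def user_page(cognito, user_pool_id, search="", role="All", status="All", token=None):
    """One table page as (rows, next_token); next_token is None on the last page."""
    kw = {"UserPoolId": user_pool_id, "Limit": COGNITO_PAGE_MAX}
    if status != "All":  # the enabled flag is one of the few server-side ListUsers filters
        kw["Filter"] = 'status = "%s"' % ("Enabled" if status == "Active" else "Disabled")
    if token:
        kw["PaginationToken"] = token
    resp = cognito.list_users(**kw)
    admins, rows = admin_usernames(cognito, user_pool_id), []
    for u in resp["Users"]:  # role and substring search applied client-side (assumption: Cognito only prefix-filters)
        a = {x["Name"]: x["Value"] for x in u.get("Attributes", [])}
        is_admin = u["Username"] in admins
        if role != "All" and (role == "Admin") != is_admin:
            continue
        if search.lower() not in (a.get("name", "") + " " + a.get("email", "")).lower():
            continue
        rows.append({"email": a.get("email"), "role": "Admin" if is_admin else "User",
                     "status": "Active" if u["Enabled"] else "Inactive"})
    return rows, resp.get("PaginationToken")

def _user(email, name, enabled):
    return {"Username": email, "Enabled": enabled,
            "Attributes": [{"Name": "email", "Value": email}, {"Name": "name", "Value": name}]}

class FakeCognitoPool:
    """Constructed offline stand-in for boto3.client('cognito-idp') holding three sample users."""
    users = [_user("a.smith@example.org", "Ann Smith", True), _user("b.jones@example.org", "Bob Jones", True),
             _user("c.smithson@example.org", "Cy Smithson", False)]
    admins = {"a.smith@example.org"}
    def list_users(self, **kw):
        f = kw.get("Filter")  # emulate the server-side status filter used above
        users = [u for u in self.users if f is None or f == 'status = "%s"' % ("Enabled" if u["Enabled"] else "Disabled")]
        return {"Users": users[: kw["Limit"]]}  # everything fits in one page, so no PaginationToken is returned
    def list_users_in_group(self, **kw):
        return {"Users": [u for u in self.users if u["Username"] in self.admins]}
```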

User Activity Tracking

Each user row displays activity information:
Last Login: Timestamp of most recent successful login
• Shown below user name in the table
• Format: “Last login: Mar 4, 2026”
• Updates after each successful authentication
Account Created: Available in the Edit User modal
• Shows original account creation date
• Useful for auditing user tenure
Best Practices

Creating Secure Temporary Passwords:
• Use random, complex passwords
• Don’t use patterns (e.g., “Welcome123!”)
• Never reuse passwords across users
• Share passwords securely (encrypted channels)
• Document that user must change on first login
Password Reset Policy:
• Only reset when user forgets password
• Verify user identity before resetting
• Log all password reset actions
• Consider MFA for sensitive accounts
Admin Role Guidelines:
• Limit admin access to essential personnel only
• Review admin list quarterly
• Remove admin privileges when no longer needed
• Use separate admin accounts for automation
When to Grant Admin:
• Platform administrators
• Technical leads managing prompts
• User onboarding coordinators
• Senior analysts needing system oversight
When NOT to Grant Admin:
• Standard risk analysts
• Temporary contractors
• External consultants
• Users who only create assessments
New User Onboarding:
1. Create account with role appropriate to duties
2. Send welcome email with instructions
3. Verify first login within 48 hours
4. Provide platform training
5. Assign initial test assessment
Offboarding Users:
1. Disable account immediately upon departure
2. Review and reassign their assessments
3. Export any user-specific reports needed
4. Delete account after 30-day retention period
5. Document deletion in admin log
Monthly Tasks:
• Review inactive users (no login in 90+ days)
• Disable or delete unused accounts
• Audit admin user list
• Check for anomalous login patterns
Quarterly Tasks:
• Export full user list for records
• Review role assignments
• Update user onboarding documentation
• Verify contact information is current

Troubleshooting

Check account status:
• Is account Active or Inactive? (Enable if needed)
• Was password recently reset? (User must change it)
• Is email address correct?
Verify credentials:
• Username is their email address
• Password is case-sensitive
• No extra spaces in email or password
Try reset:
• Admin reset password
• User tries “Forgot Password” flow
• Check spam folder for reset emails
Verify admin role:
• Check Groups section in Edit User modal
• Should show “admin” tag
• If missing, click “Add to admin group”
Session refresh needed:
• User must log out and back in
• Admin permissions require new session
• Wait 1-2 minutes for Cognito sync
Browser issues:
• Clear browser cache and cookies
• Try incognito/private window
• Check for JavaScript errors in console
Permission errors:
• Verify you have admin role
• Check Cognito console for service errors
• Ensure Cognito user pool is healthy
Validation failures:
• Email must be valid format
• Password must meet all requirements
• No duplicate emails allowed
Network issues:
• Check internet connection
• Verify API Gateway is reachable
• Look for CORS errors in browser console
Cognito connectivity:
• Check AWS service health dashboard
• Verify API Lambda has Cognito permissions
• Review CloudWatch logs for errors
Large result sets:
• If 1000+ users, Cognito may be slow
• Use filters to narrow query
• Wait up to 30 seconds for initial load
Session timeout:
• Refresh the page
• Log out and back in
• Check auth token expiration

Security Considerations

Admin Account Security:
• Use strong, unique passwords for admin accounts
• Enable MFA for all administrators
• Never share admin credentials
• Log all admin actions for audit trail
• Review admin activity logs monthly
Access Control Best Practices:
• Follow principle of least privilege
• Regularly review and remove unnecessary permissions
• Disable accounts immediately when users leave
• Monitor for suspicious login patterns
• Enforce password expiration policies
Compliance and Auditing:
• Export user lists quarterly for compliance
• Maintain logs of all user management actions
• Document role assignment rationale
• Review access controls during security audits
