Managing Users - SASCOP BME SubTec

Overview

This guide is for administrators responsible for creating and managing user accounts, permissions, and access control in SASCOP BME SubTec.

This section requires administrator privileges. Standard users cannot access these features.

User Management Basics

SASCOP uses Django’s built-in User model:

django.contrib.auth.models.User

class User:
    username: str          # Unique login identifier
    email: str            # User email (also usable for login)
    first_name: str       # User's first name
    last_name: str        # User's last name
    password: str         # Hashed password
    is_active: bool       # Can user log in?
    is_staff: bool        # Access to admin interface?
    is_superuser: bool    # Full system access?
    date_joined: datetime # Account creation date
    last_login: datetime  # Last successful login

Accessing User Management

Open Django Admin

Navigate to /admin/ URL

Use your admin credentials

Navigate to Users

Click Authentication and Authorization > Users

Creating New Users

Click 'Add User'

Button in top-right of Users list

Enter Basic Information

Required fields:

Username (unique)
Password (confirm twice)

Click 'Save and Continue'

Creates the user account

Complete Profile

Fill in additional information:

First name
Last name
Email address

Permissions:

Active (allows login)
Staff status (admin access)
Superuser status (full access)

Assign Groups

Add user to role-based groups:

Project Managers
Field Supervisors
Accounting
Read-Only Users

Set Specific Permissions

Grant individual permissions as needed

Save User

Click Save to finalize

User Status Management

Active Status

is_active Flag

True: User can log in and access the systemFalse: User account is disabled

Cannot log in
Sessions are terminated
Used for temporary suspension or departed employees

operaciones/views/registro_actividad.py

usuarios = User.objects.filter(is_active=True).values(
    'id', 'username', 'first_name', 'last_name', 'email'
)

To Deactivate User

Open user in admin
Uncheck “Active” checkbox
Save

To Reactivate User

Open user in admin
Check “Active” checkbox
Save

Staff Status

is_staff Flag

True: User can access Django admin interface at /admin/False: No admin access (standard user)

Staff status does NOT automatically grant all permissions - you must still assign specific permissions.

Superuser Status

is_superuser Flag

True: User has ALL permissions automatically

Can modify any data
Can create/delete users
Can access all modules
Bypasses all permission checks

False: User has only assigned permissions

Use superuser status sparingly. Most administrators should use staff status with specific permissions.

Password Management

Setting Initial Password

When creating a user:

Enter password twice in creation form
Password is automatically hashed
Never store passwords in plain text

Password Requirements

bme_subtec/settings.py

AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
    },
]

Passwords must:

Not be similar to user information
Meet minimum length
Not be commonly used passwords
Not be entirely numeric

Resetting User Password

Open User in Admin

Find user in Users list

Click Password Link

“this form” link next to password field

Enter New Password

Type new password twice

Save

Password is immediately changed

Notify User

Securely communicate new password to user

Users cannot reset their own passwords. Contact your system administrator if you need to implement self-service password reset.

Email-Based Authentication

SASCOP allows users to log in with either username OR email:

operaciones/views/login.py

@ensure_csrf_cookie 
def custom_login(request):
    username_or_email = request.POST.get('username')
    password = request.POST.get('password')
    
    # Try username first
    user = authenticate(request, username=username_or_email, password=password)
    
    # If that fails, try email
    if user is None:
        try:
            user_by_email = User.objects.get(email__iexact=username_or_email)
            user = authenticate(request, username=user_by_email.username, password=password)
        except User.DoesNotExist:
            user = None

Email Requirements

For email login to work:

Email field must be filled in
Email should be unique (not enforced by Django, but recommended)
Email is case-insensitive

Permission Assignment

Using Groups (Recommended)

Create Groups

Django Admin > Groups > Add GroupExample groups:

Project Managers
Field Supervisors
Accounting Staff
Read-Only Users

Assign Permissions to Group

Select appropriate permissions:

View permissions (view_*)
Add permissions (add_*)
Change permissions (change_*)
Delete permissions (delete_*)
Custom permissions (view_centro_consulta, etc.)

Add Users to Groups

In user admin:

Select groups in “Groups” field
User inherits all group permissions

Direct Permission Assignment

For special cases, assign permissions directly:

Open User in Admin

Navigate to user details

Scroll to Permissions

Find “User permissions” section

Select Permissions

Use filter and double-click to move permissions:

From “Available permissions”
To “Chosen permissions”

Save User

Permissions take effect immediately

Viewing User Activity

Track what users are doing:

operaciones/views/registro_actividad.py

@login_required
def datatable_registro_actividad(request):
    usuario_id = request.GET.get('usuario_id')
    
    registros = RegistroActividad.objects.select_related('usuario_id').all()
    
    if usuario_id:
        registros = registros.filter(usuario_id_id=usuario_id)

Access Activity Logs

Navigate to Configuración > Registro de Actividad

Filter by User

Select user from dropdown filter

Review Actions

See all CREATE, UPDATE, DELETE actions

User Listing API

For integration or custom interfaces:

operaciones/views/registro_actividad.py

@login_required(login_url='/accounts/login/')
def obtener_usuarios(request):
    usuarios = User.objects.filter(is_active=True).values(
        'id', 'username', 'first_name', 'last_name', 'email'
    )
    
    usuarios_list = []
    for usuario in usuarios:
        usuarios_list.append({
            'id': usuario['id'],
            'username': usuario['username'],
            'descripcion': f"{usuario['first_name']} {usuario['last_name']} ({usuario['username']})"
        })
    
    return JsonResponse(usuarios_list, safe=False)

Best Practices

Use Groups

Assign permissions via groups for easier management

Least Privilege

Grant only minimum necessary permissions

Regular Audits

Review user accounts quarterly

Deactivate Promptly

Disable accounts immediately when users leave

Strong Passwords

Enforce password complexity requirements

Document Changes

Keep records of permission changes and reasons

Common Scenarios

New Field Supervisor

Create Account

Username: supervisor.lastname Email: [email protected]

Set Status

Active: True
Staff: False
Superuser: False

Assign Group

Add to “Field Supervisors” group

Verify Permissions

Should have:

View PTEs and OTs
Add/Change Production
View Reports

Temporary Contractor

Create Limited Account

Set appropriate username and email

Grant Read-Only Access

Add to “Read-Only Users” group

Document Expiration

Note in user comments when access should end

Deactivate on Schedule

Set calendar reminder to disable account

Promoted Employee

Review Current Access

Check existing groups and permissions

Add New Groups

Assign additional groups for new role

Remove Old Groups (if applicable)

Remove groups no longer needed

Verify Access

Test login and verify new permissions work

Troubleshooting

User Cannot Log In

Checklist:

Is is_active checked?
Is password correct?
Is account locked out?
Check session timeout settings

User Cannot Access Feature

Checklist:

Does user have required permission?
Is user in correct group?
Is feature restricted by custom logic?
Check activity log for denial reasons

Email Login Not Working

User Permissions

User guide to understanding permissions

Activity Logs

Monitoring user activity

Getting Started

Common Tasks

Administration

​Overview

​User Management Basics

​Accessing User Management

​Creating New Users

​User Status Management

​Active Status

is_active Flag

​Staff Status

is_staff Flag

​Superuser Status

is_superuser Flag

​Password Management

​Setting Initial Password

​Password Requirements

​Resetting User Password

​Email-Based Authentication

Email Requirements

​Permission Assignment

​Using Groups (Recommended)

​Direct Permission Assignment

​Viewing User Activity

​User Listing API

​Best Practices

Use Groups

Least Privilege

Regular Audits

Deactivate Promptly

Strong Passwords

Document Changes

​Common Scenarios

​New Field Supervisor

​Temporary Contractor

​Promoted Employee

​Troubleshooting

​Related Topics

User Permissions

Activity Logs

Build docs developers (and LLMs) love

Overview

User Management Basics

Accessing User Management

Creating New Users

User Status Management

Active Status

Staff Status

Superuser Status

Password Management

Setting Initial Password

Password Requirements

Resetting User Password

Email-Based Authentication

Permission Assignment

Using Groups (Recommended)

Direct Permission Assignment

Viewing User Activity

User Listing API

Best Practices

Common Scenarios

New Field Supervisor

Temporary Contractor

Promoted Employee

Troubleshooting

Related Topics