User Management
Add users, assign roles, and control access.
Overview
Location: Admin → Users
Actions available:
Invite users (email invitation)
Assign roles (ReadOnly, Train, Configure, Admin)
Add to groups (bulk permission assignment)
Monitor activity (queries, logins, last active)
Deactivate/delete users
Add Users
Invite Individual User
Location: Admin → Users → Invite User button
Click Invite User
Fill form:
Email: [email protected] (required, validated)
Name: Full name (optional)
Role: Dropdown (readonly, train, configure, admin)
Groups: Multi-select (optional)
Click Send Invitation
Expected result:
Invitation sent to email
User appears in list with status "Pending" (gray dot)
Invitation expires after 7 days
Resend link available
Email contains:
Setup link (format: app.twig.so/invite/token_abc123)
Expires timestamp
Inviter name
Bulk Import (CSV)
Location: Admin → Users → Import button
CSV format:
Fields:
email: Required, must be valid format
name: Optional
role: One of: readonly, train, configure, admin
groups: Optional, pipe-separated or semicolon-separated
Steps:
Download template CSV
Fill rows (max 1,000 per import)
Upload CSV
Review preview (shows: add, skip, error counts)
Confirm import
Expected result: Users added with status "Pending", invitations sent
SSO Auto-Provisioning (Enterprise)
Location: Admin → SSO → Auto-Provisioning tab
Enable Just-In-Time (JIT) provisioning:
Toggle Enable JIT → On
Configure:
Default role: Dropdown (default: readonly)
Email attribute: SAML/OIDC attribute name (e.g., email, mail)
Name attribute: Optional (e.g., displayName)
Group attribute: Optional (e.g., memberOf)
Click Save
Behavior: User created automatically on first SSO login, no invitation needed
Example SAML attribute mapping:
User Roles
See User Permissions & Roles for complete details.
Quick Reference:
Super Admin | ✅ | ✅ | ✅ | ✅
Admin | ✅ | ✅ | ✅ | ✅
Manager | ✅ | Own only | Group only | Group only
User | ❌ | ❌ | ❌ | Self only
Managing Users
Viewing Users
User List shows:
Name and email
Role
Groups
Last login
Status (Active/Inactive)
Actions
Filters:
By role
By group
By status
By last login date
Editing Users
Click on user
Modify:
Name
Role
Groups
Status
Save changes
User notified (optional)
Changing Roles
Select user
Click Change Role
Select new role
Confirm impact warning
Save
Effect: Immediate permission changes
Deactivating Users
Temporary deactivation:
Select user
Click Deactivate
Confirm
Effects:
Cannot log in
API keys disabled
Removed from groups temporarily
Data preserved
Reactivation:
Select deactivated user
Click Activate
Restore group memberships
Deleting Users
⚠️ Permanent action
Select user
Click Delete
Choose deletion mode:
Soft Delete: Hide user, keep data
Hard Delete: Remove completely
Confirm with admin password
User removed
Group Assignment
Adding to Groups
Individual:
Open user profile
Go to Groups tab
Click Add to Group
Select group(s)
Save
Bulk:
Select multiple users
Bulk Actions → Add to Group
Select group
Confirm
Removing from Groups
Open user profile
Groups tab
Click X next to group name
Confirm removal
User Activity Monitoring
Activity Dashboard
Activity Logs
Track user actions:
Logins and logouts
Agents used
Queries asked
Resources accessed
Configuration changes
Failed attempts
Anomaly Detection
Auto-alert on:
Login from new location
Unusual query volume
Failed auth attempts (5+)
Access to sensitive resources
Off-hours activity (configurable)
Best Practices
1. Onboarding
✅ Standard onboarding checklist
✅ Role assignment based on job function
✅ Group assignment from day 1
✅ Security training required
❌ Don't grant broad access initially
2. Offboarding
✅ Deactivate immediately on departure
✅ Remove from all groups
✅ Revoke API keys
✅ Transfer ownership of resources
✅ Export user data if needed
❌ Don't delay deactivation
3. Regular Reviews
✅ Quarterly access review
✅ Remove inactive users (90+ days)
✅ Verify role appropriateness
✅ Update group memberships
❌ Don't let permissions accumulate
4. Principle of Least Privilege
✅ Start with User role
✅ Escalate only when needed
✅ Time-limit elevated access
✅ Document justification
❌ Don't make everyone Manager/Admin
Troubleshooting
User Can't Login
Symptom: "Invalid email or password" or "Account not found"
Diagnostic steps:
Admin → Users → search by email → verify status "Active" (not "Pending" or "Inactive")
Check invitation status: If "Pending", user must click invite link first
If SSO: Admin → SSO → verify enabled and user's email domain in allowed list
Check account lockout: Admin → Users → [User] → Security tab → Failed logins count
Fix:
If "Pending": Resend invitation (Admin → Users → [User] → Resend Invite)
If "Inactive": Click Activate button
If locked out (5+ failed attempts): Click Unlock Account
If SSO misconfigured: Fix SSO settings or have user use password login
User Missing Permissions
Symptom: User reports "You don't have permission to access this" error
Diagnostic steps:
Admin → Users → [User] → verify role (should be train/configure/admin for most features)
Check groups: If permission is group-based, verify user in correct group
Have user log out and log back in (permissions cached for 5 minutes)
Fix: Change role (Admin → Users → [User] → Edit → Role dropdown) or add to group
Bulk Import Failed
Symptom: Import shows errors for some rows
Common errors:
"Invalid email format" → Fix email syntax (must have @)
"Duplicate email" → Email already exists, skip or update role
"Invalid role" → Must be exactly: readonly, train, configure, admin (lowercase)
"Group not found" → Create group first, or remove from CSV
Fix: Download error CSV (shows which rows failed), fix errors, re-import
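A pre-flight check for the import CSV, covering the field rules under Bulk Import (CSV) and the errors listed under Bulk Import Failed. This is an added example, not the product's own validator; the header names follow the Fields list, while the email pattern, the case-insensitive duplicate check, the function name and the sample rows are assumptions made here.

```python
import csv
import io
import re

ALLOWED_ROLES = {"readonly", "train", "configure", "admin"}  # values listed on this page
MAX_ROWS = 1000  # per-import limit stated on this page
# Assumption: a minimal syntactic check; the product's validator may be stricter.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def validate_import(csv_text, existing_emails=(), known_groups=None):
    """Return (ok_rows, errors); errors are (line_number, message) tuples."""
    seen = {e.lower() for e in existing_emails}  # assumption: duplicates ignore case
    ok_rows, errors = [], []
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if len(rows) > MAX_ROWS:
        return [], [(0, f"{len(rows)} rows exceeds the {MAX_ROWS}-row limit")]
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        email = (row.get("email") or "").strip()
        role = (row.get("role") or "").strip()
        # Groups may be pipe-separated or semicolon-separated.
        groups = [g.strip() for g in re.split(r"[|;]", row.get("groups") or "") if g.strip()]
        problems = []
        if not EMAIL_RE.match(email):
            problems.append("Invalid email format")
        elif email.lower() in seen:
            problems.append("Duplicate email")
        if role not in ALLOWED_ROLES:  # case-sensitive: "Admin" is rejected
            problems.append("Invalid role")
        if known_groups is not None:  # skip the group check when groups are unknown
            problems += [f"Group not found: {g}" for g in groups if g not in known_groups]
        if problems:
            errors += [(line_no, p) for p in problems]
        else:
            seen.add(email.lower())
            ok_rows.append({"email": email, "name": (row.get("name") or "").strip(),
                            "role": role, "groups": groups})
    return ok_rows, errors

# Constructed sample input, not taken from the product's template.
SAMPLE = """email,name,role,groups
alice@example.com,Alice A,readonly,support|docs
bob.example.com,Bob B,train,
carol@example.com,Carol C,Admin,support
alice@example.com,Alice Again,configure,
dave@example.com,,admin,support;ghost
"""

if __name__ == "__main__":
    ok, errs = validate_import(SAMPLE, known_groups={"support", "docs"})
    print(len(ok), "rows ready;", errs)
```

Pass the emails already in the tenant as existing_emails to catch duplicates against current users as well as within the file.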
Next Steps
Group Management - Organize users into teams
User Permissions - Understand role capabilities