v2026.1

User Management

User Roles

StackFlow uses role-based access control (RBAC) with seven built-in roles. Custom roles with granular permission sets can be created in Admin → User Management → Roles. Permissions are evaluated at the API layer using the JWT claims from Cognito, not in the database.

⚙️ Minimum Requirements
  • DynamoDB: StackFlow_User table with GSI on email and tenantId attributes
  • Cognito Pool: us-east-1_WKK1AVJ2m -- creating users requires cognito-idp:AdminCreateUser IAM permission
  • SES: no-reply@stackflow-tech.com verified for welcome email delivery
  • IAM Role: StackFlowAPIRole must have cognito-idp:AdminCreateUser, AdminUpdateUserAttributes, AdminDisableUser
  • Aurora: stackflow.users table migrated to latest schema version

| Role | Description | Key Permissions |
|------|-------------|-----------------|
| super_admin | Full platform access | All modules, system settings, user management |
| cloud_admin | Cloud management module | Cloud accounts, fleet, compliance, FinOps |
| itsm_manager | ITSM module management | All ITSM, SLA config, assignment groups |
| itsm_agent | ITSM work items | Incidents, changes, requests (own and assigned) |
| ai_engineer | AI configuration | AI providers, prompt templates, workflows |
| developer | API and integration access | API keys, scripts, integrations |
| viewer | Read-only access | View all records, no create/modify |

Creating Users

New users can be created in the StackFlow admin console at Admin → Users → New User, or provisioned automatically via LDAP/Azure AD sync. Each user must have a unique email address and will receive a welcome email with their temporary credentials.

# Create user via StackFlow REST API
curl -X POST https://your-instance.stackflow-tech.com/prod/api/admin/users \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "newuser@example.com",
    "given_name": "Jane",
    "family_name": "Smith",
    "role": "itsm_agent",
    "department_id": "dept_platform_eng",
    "send_welcome_email": true
  }'

Bulk Import

For initial platform setup or large organizational changes, use the CSV bulk import feature at Admin → Users → Import Users. The import process validates all rows before committing any changes, ensuring partial imports never occur.

# CSV format for bulk user import
email,given_name,family_name,role,department_id,location_id
alice@example.com,Alice,Johnson,itsm_agent,dept_it_ops,loc_hq
bob@example.com,Bob,Chen,itsm_manager,dept_it_management,loc_hq
carol@example.com,Carol,Davis,viewer,dept_hr,loc_remote
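
A pre-upload check for the CSV format above, as an added example (not StackFlow's own import code): it applies the same validate-every-row-first rule locally and lists rows that would grant super_admin so they can be reviewed before the file is imported. It assumes all six columns are required, one role per row, and only the seven built-in roles; `validate_import` and `SAMPLE` are names invented for this example.

```python
import csv
import io
import re

# The seven built-in roles from this page; custom roles are not covered (assumption).
BUILT_IN_ROLES = {"super_admin", "cloud_admin", "itsm_manager", "itsm_agent",
                  "ai_engineer", "developer", "viewer"}
COLUMNS = ["email", "given_name", "family_name", "role",
           "department_id", "location_id"]
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")  # shape check only

# Constructed sample: a case-variant duplicate, a misspelled role, a super_admin grant.
SAMPLE = """email,given_name,family_name,role,department_id,location_id
alice@example.com,Alice,Johnson,itsm_agent,dept_it_ops,loc_hq
Alice@Example.com,Alice,J,viewer,dept_it_ops,loc_hq
bob@example.com,Bob,Chen,itsm_admin,dept_it_management,loc_hq
carol@example.com,Carol,Davis,super_admin,dept_hr,loc_remote
"""

def validate_import(csv_text):
    """Return (errors, review). Upload only when errors is empty."""
    errors, review, seen = [], [], {}
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames != COLUMNS:
        return [f"header must be exactly: {','.join(COLUMNS)}"], review
    for row in reader:
        line_no = reader.line_num
        # Extra cells land under a None key, missing cells become None values.
        if None in row or any(v is None for v in row.values()):
            errors.append(f"line {line_no}: wrong number of columns")
            continue
        row = {k: v.strip() for k, v in row.items()}
        email = row["email"].lower()  # compare case-insensitively
        if not EMAIL_RE.match(email):
            errors.append(f"line {line_no}: invalid email {row['email']!r}")
        elif email in seen:
            errors.append(f"line {line_no}: duplicate of line {seen[email]}")
        else:
            seen[email] = line_no
        if row["role"] not in BUILT_IN_ROLES:  # allow-list, fail closed
            errors.append(f"line {line_no}: unknown role {row['role']!r}")
        elif row["role"] == "super_admin":
            review.append(f"line {line_no}: {email} would get super_admin")
        for col in ("given_name", "family_name", "department_id", "location_id"):
            if not row[col]:
                errors.append(f"line {line_no}: empty {col}")
    return errors, review

if __name__ == "__main__":
    print(validate_import(SAMPLE))
```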

Role Assignment

Roles are stored as the custom:role Cognito attribute and updated via the StackFlow admin console. Changes take effect on the user's next token refresh (up to 1 hour). For immediate effect, use the admin console to force a session invalidation after changing a user's role.

Multi-Role Users: Users can be assigned multiple roles separated by commas in the Cognito attribute. Permissions are the union of all assigned roles. For example, a user with both itsm_agent and ai_engineer roles can both work ITSM tickets and configure AI providers.

Deactivating Users

When an employee leaves the organization, immediately deactivate their StackFlow account via Admin → Users → select user → Deactivate. Deactivation disables the Cognito account, invalidates all active sessions, and revokes API keys. Open work items assigned to the user are optionally reassigned to a specified backup user or queue.

# Deactivate via AWS CLI (immediate lockout)
aws cognito-idp admin-disable-user \
  --user-pool-id us-east-1_WKK1AVJ2m \
  --username departing@example.com \
  --region us-east-1

# Revoke all refresh tokens (forces re-login)
aws cognito-idp admin-user-global-sign-out \
  --user-pool-id us-east-1_WKK1AVJ2m \
  --username departing@example.com \
  --region us-east-1