Users and Roles

LIVCK provides a comprehensive member management system with role-based access control (RBAC). This allows you to efficiently manage team access by creating reusable role groups with specific permission sets.

Member Management

Creating Members

To add new members to your LIVCK instance:

Navigate to Members in the admin panel
Click Create Member
Enter the required information:
- Name: Full name of the member
- Email: Email address for login
- Role Groups: Select one or more role groups
- Permissions: Select individual permissions (optional, in addition to role groups)
Save the new member account

Password Handling:

The system automatically generates a secure password
The password is displayed only once to the user creating the account
Make sure to securely share this password with the new member
The member can change their password after first login

Important: The generated password cannot be retrieved later, so make sure to save or share it immediately.

Member Profiles

Each member can access their profile at /user/profile to manage their account settings and notification preferences.

Update User Form

Members can update their personal information and notification settings:

Name: Full name
Email: Email address for login and notifications
Phone Number: Mobile number for SMS notifications (if configured)
Telegram User ID: Telegram user ID for Telegram notifications
Slack Notification URL: Webhook URL for Slack notifications
Pushover Key: Pushover key for push notifications
Language: Interface language (DE/EN)

Test Notifications:

Test Button: "E-Mail Benachrichtigungen"
Tests all configured notification channels at once
Verifies that email, Telegram, Slack, and Pushover are working correctly

Update Password Form

Members can change their password securely:

Enter Current Password
Enter New Password
Confirm Password
Save changes

The system will verify the current password before allowing the change.

Two-Factor Authentication

Members can enable or disable two-factor authentication (2FA) for enhanced security. See the Security section for detailed 2FA setup instructions.

Browser Sessions

View and manage active browser sessions:

See all devices and locations where the account is logged in
View last activity timestamp for each session
Terminate individual sessions remotely
Useful for security if a device is lost or compromised

Managing Member Access

Administrators with appropriate permissions can:

View all member accounts (user.list)
View member details (user.show)
Create new accounts (user.create)
Modify member information, role groups, and permissions (user.update)
Deactivate or remove accounts (user.delete)
Terminate member sessions (session.delete)

Role-Based Access Control

What are Role Groups?

Role Groups are collections of permissions that represent specific job functions or responsibilities within your organization. Instead of assigning individual permissions to each member, you assign role groups, making access management more efficient and maintainable.

Default Roles

LIVCK includes several default roles:

Super Admin

Full system access
All permissions enabled
Can manage users, roles, and system settings

Team

Create and manage monitors
Manage SSL certificates
View and create alerts
Update alert status during incidents

Member

View-only access to monitors and alerts
Cannot make changes to the system

Creating Custom Roles

To create a custom role group:

Navigate to Roles in the admin panel
Click Create Role
Enter role information:
- Role name (e.g., "Security Team", "Marketing Team")
- Description (optional but recommended)
Select permissions to include in this role
Save the role

Example: Creating a "Monitoring Team" Role

Role Name: Monitoring Team
Description: Team members who manage monitors and respond to incidents

Permissions:
✓ monitor.list
✓ monitor.show
✓ monitor.create
✓ monitor.update
✓ alert.list
✓ alert.show
✓ alert.create
✓ alert.update

Modifying Roles

When you update a role's permissions, the changes automatically apply to all users assigned to that role. This makes it easy to adjust access levels for entire teams at once.

To modify a role:

Navigate to Roles
Select the role to modify
Add or remove permissions as needed
Save changes

All users with this role will immediately receive the updated permissions.

Assigning Role Groups to Members

Members can be assigned multiple role groups simultaneously. They can also receive individual permissions in addition to their role groups. Their effective permissions are the union of all permissions from their assigned role groups plus any individual permissions.

To assign role groups and permissions:

When creating a member: Select role groups and individual permissions
For existing members: Navigate to the member's profile
Select Edit or Manage Roles
Choose one or more role groups to assign
Optionally select additional individual permissions
Save changes

Example: Multiple Role Group Assignment

A member assigned both "Monitor Manager" and "Newsletter Manager" role groups plus individual alert.create permission would have:

All monitoring-related permissions from "Monitor Manager"
All newsletter-related permissions from "Newsletter Manager"
Additional alert.create permission
The ability to perform any action granted by either role group or individual permissions

Permission Inheritance

How Permissions Combine

When a user has multiple roles:

They receive all permissions from all assigned roles
Permissions are additive (more roles = more access)
There are no "deny" rules that override grants

Direct vs. Role-Based Permissions

While LIVCK supports direct permission assignment to individual users, we strongly recommend using role-based access because:

Easier Management: Change a role once instead of updating multiple users
Consistency: Ensures team members with similar responsibilities have identical access
Auditability: Clear understanding of access levels by role
Scalability: Easy to onboard new team members
Documentation: Roles serve as documentation of access patterns

Role Group Strategies

Organize by Function

Create roles based on job functions:

Operations Team: Monitors, alerts, SSL certificates
Marketing Team: Newsletters, announcements
Security Team: SSL certificates, sessions, users
Development Team: Code editor, designer access

Organize by Responsibility Level

Create roles based on access levels:

Super Admin: All permissions
Team Lead: Team-specific resources + user management
Team Member: Basic operational permissions
Member: Read-only access

Hybrid Approach

Combine both strategies:

Create functional roles for specific areas
Create modifier roles for elevated privileges
Assign multiple roles to users as needed

Example:

Base role: "Support Staff" (basic permissions)
Modifier role: "Incident Commander" (alert management)
Assign both to on-call engineers during their on-call week

Best Practices

Naming Conventions

Use clear, descriptive role names:

✅ "Monitoring Team"
✅ "Newsletter Manager"
✅ "Security Administrator"
❌ "Role 1"
❌ "Team A"

Document Roles

Add descriptions to each role explaining:

Who should be assigned this role
What responsibilities it grants
Any prerequisites or requirements

Regular Reviews

Periodically review:

User role assignments (are they still appropriate?)
Role permission sets (do they still match job functions?)
Unused roles (can they be removed?)

Principle of Least Privilege

Start with minimal permissions and add more as needed, rather than starting with full access and removing permissions.

Separate Privileged Roles

Create separate roles for high-privilege actions:

Don't combine code.edit with routine operational permissions
Restrict setting.edit to Super Admin role
Keep permission.* and role.* in Super Admin role only

Session Management

Active Sessions

Users can have multiple active sessions across different devices. Each session includes:

Device/browser information
IP address
Last activity timestamp
Session creation time

Managing Sessions

Users can view their own active sessions and terminate individual sessions if they notice suspicious activity.

Administrators with session.list and session.delete permissions can:

View all active sessions across all users
Terminate suspicious sessions
Force logout for specific users

This is useful for:

Responding to security incidents
Enforcing access changes immediately
Investigating suspicious activity

Security Considerations

Two-Factor Authentication

Encourage or require team members to enable two-factor authentication (2FA), especially for accounts with elevated privileges. 2FA adds an essential security layer for:

Super Admin accounts
Users with code.edit permissions
Users with setting.edit permissions
Any role that can modify alerts or monitors

Password Policies

Enforce strong passwords by:

Requiring minimum password length
Encouraging regular password changes
Prohibiting common passwords
Requiring password changes after suspected compromise

Access Reviews

Conduct regular access reviews:

Quarterly: Review all user accounts and role assignments
After departures: Remove access immediately when team members leave
After role changes: Update permissions when responsibilities change
After incidents: Review and adjust as needed

Troubleshooting

User Can't Access Feature

Check the user's assigned roles
Verify the roles have the necessary permissions
Confirm the specific permission is enabled (e.g., monitor.create)
Check for active session issues
Verify 2FA is properly configured (if enabled)

Permission Changes Not Taking Effect

User may need to log out and log back in
Session cache may need to be cleared
Role changes should apply immediately, but browser cache might show old UI

Role Permission Conflicts

If multiple roles seem to conflict:

Remember permissions are additive (union, not intersection)
There are no "deny" rules
More roles always means more access, never less