Admin Users
Admin users are the operators and managers of the SecureLink platform. They access the management UI to configure network infrastructure, manage devices, and oversee VPN services.
Navigate to Administration > Users to manage all user accounts.
User Types
SecureLink has three user types:
- SuperAdmin — Full platform access. Can manage all tenants, users, and system settings. SuperAdmins operate across the entire deployment and have unrestricted access to every feature.
- TenantAdmin — Manages a specific tenant's edges, connectors, VPN users, and network configuration. TenantAdmins are scoped to their assigned tenant and cannot access other tenants or system-wide settings.
- App User (VPN User) — End users who connect via the SecureLink VPN client. App Users do not have access to the management UI.
Tabs
The Users page is organized into tabs. The available tabs depend on your role and tenant context:
SuperAdmin View (No Tenant Selected)
| Tab | Description |
|---|---|
| Super Admins | All SuperAdmin accounts across the platform |
| Tenant Admins | All TenantAdmin accounts across all tenants |
| VPN Users | VPN/App user accounts |
| Invitations | Pending user invitations awaiting registration |
SuperAdmin View (Tenant Selected)
| Tab | Description |
|---|---|
| Tenant Admins | TenantAdmin accounts for the selected tenant |
| VPN Users | VPN/App user accounts for the selected tenant |
| Invitations | Pending invitations for the selected tenant |
TenantAdmin View
| Tab | Description |
|---|---|
| Admins | Admin accounts for your tenant |
| App Users | VPN/App user accounts for your tenant |
| Invitations | Pending invitations for your tenant |
User List
Each user tab displays a table with:
| Column | Description |
|---|---|
| Name | The user's display name |
| The email address used for login (Keycloak identity) | |
| Type | SuperAdmin, TenantAdmin, or App User |
| Tenant | The assigned tenant (visible in SuperAdmin view) |
| Status | Active or Disabled |
| Last Login | Timestamp of the most recent login |
First SuperAdmin Protection
The first SuperAdmin account (determined by creation time) is the platform bootstrap admin. This account has special protection:
- Other administrators cannot edit or delete this account
- The bootstrap admin can view all other accounts
- The bootstrap admin can edit their own profile and settings
This prevents accidental lockout of the primary platform administrator.
Creating an Admin User
- Click the Invite User button.
- Fill in the invitation form:
- Email — The email address of the new user.
- User Type — Select SuperAdmin or TenantAdmin.
- Tenant — Required for TenantAdmin. Select the tenant this user will manage.
- Role — Assign a role that determines the user's permissions.
- Click Send Invitation.
- An invitation email is sent to the user with a unique registration link.
- The user clicks the link and creates their Keycloak account (setting their own password).
- Once registered, the user can log in to SecureLink.
All passwords are managed through Keycloak. Admins cannot set or reset passwords directly from the SecureLink management UI. To reset a password, direct the user to the Keycloak account portal or use the Keycloak admin console.
User Detail Page
Click on a user row to open the User Detail page. The page is organized into tabs:
Profile Information
Displays account details in two columns:
- Account Information — Username, full name, email, phone
- Access & Status — User type, status (active/disabled), tenant ID
- Timestamps — Creation date, last update, created by
Activity Log
A chronological log of actions performed by this user:
| Column | Description |
|---|---|
| Timestamp | When the action occurred |
| Action | Action type with color-coded badge (Login, Update, Create, Delete, etc.) |
| Resource Type | What kind of resource was affected |
| Resource | The specific resource |
| IP | Originating IP address |
| Status | Success or failure |
Click Export CSV to download the activity log.
Permissions
Shows the user's role assignment and effective permissions:
- Role Assignment — Current role name, type, and a summary of capabilities
- Permission Details — Create, Read, Update, and Delete permission indicators
To change a user's role, use the Edit Info button in the page header.
SuperAdmin users always have full permissions. The Permissions tab shows a simplified "full access" explanation for SuperAdmin accounts.
Sessions
All active sessions for this user:
| Column | Description |
|---|---|
| IP Address | Session IP address |
| Device | Browser and operating system |
| Created | Session creation time |
| Last Activity | Most recent API call |
| Expires | Session expiration time |
| Status | Active or expired |
Actions:
- Export CSV — Download the sessions list
- Revoke All Active — Revokes all active sessions for this user. The user will receive a 401 response on their next API call and must re-authenticate.
When an admin revokes another user's sessions, the user is not immediately logged out. Instead, their next API call will fail with a 401 error, and the UI will redirect them to the login page. The revoked session token cannot fall back to Keycloak authentication — it is definitively invalidated.
Editing a User
Click Edit Info in the user detail header to open the edit modal. You can:
- Change user type — Promote a TenantAdmin to SuperAdmin, or scope a SuperAdmin down to TenantAdmin.
- Change tenant assignment — Reassign a TenantAdmin to a different tenant.
- Change role — Assign a different role with different permissions.
Changes take effect on the user's next login or token refresh.
Deactivating a User
Click Deactivate in the user detail header (with confirmation) to disable the account:
- The user can no longer log in to the management UI.
- The user's account and configuration history are preserved.
- The user can be re-activated at any time by clicking Activate.
Disabling a SuperAdmin removes their access to all tenants immediately. Any active sessions will be terminated on the next token validation.