User Management
Ops Atlas includes a built-in role-based access control system. Every user is assigned a role that determines what they can see and do across the platform.
Roles
| Role | Description |
|---|---|
| ADMIN | Full access to all features, including user management, settings, and deployments |
| OPERATOR | Can perform deployments and container operations, but cannot manage users or system settings |
| VIEWER | Read-only access to the dashboard — the default role for new users |
Role Permissions Matrix
| Capability | ADMIN | OPERATOR | VIEWER |
|---|---|---|---|
| View dashboard & containers | Yes | Yes | Yes |
| Start / stop / restart containers | Yes | Yes | No |
| Deploy services | Yes | Yes | No |
| Manage environment variables | Yes | Yes | No |
| Manage users | Yes | No | No |
| Change system settings | Yes | No | No |
| View audit log | Yes | No | No |
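The matrix above is only useful if every request is checked against it deny-by-default: an unknown role, a disabled account, or a route with no mapped capability must all fail closed. The following is an added example (not Ops Atlas project code) of such a check in Python. The capability names, the `authorize()` helper and the route-to-capability table are assumptions; only the `/api/users` routes come from this page, the container routes are hypothetical illustrations.

```python
"""Deny-by-default authorization derived from the Ops Atlas role matrix.

Added example, not Ops Atlas code. Capability names and the route table are
assumptions made for illustration.
"""
import re

# Capabilities per role, transcribed from the Role Permissions Matrix.
ROLE_CAPABILITIES = {
    "ADMIN": {
        "view_dashboard", "control_containers", "deploy_services",
        "manage_env", "manage_users", "change_settings", "view_audit_log",
    },
    "OPERATOR": {
        "view_dashboard", "control_containers", "deploy_services", "manage_env",
    },
    "VIEWER": {"view_dashboard"},
}

# (method, path pattern, capability). The /api/users routes are documented;
# the /api/containers routes are hypothetical, used only to exercise the check.
ROUTE_CAPABILITIES = [
    ("GET", re.compile(r"/api/users(/\d+)?"), "manage_users"),
    ("POST", re.compile(r"/api/users"), "manage_users"),
    ("PUT", re.compile(r"/api/users/\d+"), "manage_users"),
    ("DELETE", re.compile(r"/api/users/\d+"), "manage_users"),
    ("GET", re.compile(r"/api/containers(/[\w-]+)?"), "view_dashboard"),
    ("POST", re.compile(r"/api/containers/[\w-]+/(start|stop|restart)"),
     "control_containers"),
]


def is_allowed(role, capability):
    """Unknown roles have no capabilities, so they are denied everything."""
    return capability in ROLE_CAPABILITIES.get(role, set())


def required_capability(method, path):
    """Return the capability a route needs, or None if the route is unmapped."""
    for route_method, pattern, capability in ROUTE_CAPABILITIES:
        if route_method == method and pattern.fullmatch(path):
            return capability
    return None


def authorize(user, method, path):
    """Return (allowed, reason). `user` carries the 'role' and 'enabled' fields
    of the User Entity; anything not explicitly permitted is refused."""
    if not user.get("enabled", False):
        return False, "account disabled"
    capability = required_capability(method, path)
    if capability is None:
        return False, "no capability mapped for route"
    role = user.get("role")
    if not is_allowed(role, capability):
        return False, f"role {role!r} lacks {capability}"
    return True, capability


if __name__ == "__main__":
    operator = {"role": "OPERATOR", "enabled": True}
    print(authorize(operator, "POST", "/api/containers/web-1/restart"))
    print(authorize(operator, "DELETE", "/api/users/7"))
```

The route table is the piece that drifts in practice: a new endpoint added without a row here is refused rather than silently opened, which is the property worth keeping when the real controller evolves.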
User Entity
Each user record contains the following fields:
| Field | Details |
|---|---|
| username | Unique identifier for login |
| email | Unique, validated email address |
| password | Stored as a BCrypt hash — never in plain text |
| fullName | Display name |
| role | One of ADMIN, OPERATOR, or VIEWER |
| enabled | Boolean flag — disabled users cannot log in |
| lastLogin | Timestamp of the most recent successful login |
Managing Users
User CRUD operations are handled through the UserManagementController API and the Settings UI. Only users with the ADMIN role can create, update, or delete other users.
Create a User
```http
POST /api/users
Content-Type: application/json

{
  "username": "jane.doe",
  "email": "jane@example.com",
  "password": "securePassword123",
  "fullName": "Jane Doe",
  "role": "OPERATOR"
}
```
List Users
```http
GET /api/users
```
Update a User
```http
PUT /api/users/{id}
```
Delete a User
```http
DELETE /api/users/{id}
```
WARNING
Deleting a user is permanent. Consider disabling the account instead by setting enabled to false.
Authentication
Ops Atlas uses JWT-based authentication with a two-token strategy.
Login
```http
POST /api/auth/login
Content-Type: application/json

{
  "username": "admin",
  "password": "password"
}
```
A successful login returns:
| Token | Lifetime | Purpose |
|---|---|---|
| Access token | 1 hour | Sent as a Bearer token on every API request |
| Refresh token | 7 days | Used to obtain a new access token without re-entering credentials |
Refreshing Tokens
```http
POST /api/auth/refresh
```
Send the refresh token to receive a new access/refresh token pair.
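To make the login and refresh exchange concrete, here is an added example (not Ops Atlas code) of the two-token strategy with both sides in one file: an in-memory stand-in for `/api/auth/login`, `/api/auth/refresh`, `/api/auth/logout` and a Bearer-protected endpoint, plus a client that stores the pair, sends the access token, and refreshes once when it gets a 401. The HS256 signing, the `jti` claim, the single-use (rotated) refresh token, the `accessToken`/`refreshToken` field names and the constructed `admin`/`password` credentials are all assumptions; the page only states the 1 hour / 7 day lifetimes and that logout invalidates the pair.

```python
"""Two-token JWT flow (1 h access / 7 d refresh) with an offline fake server.

Added example, not Ops Atlas code. Field names, HS256, jti revocation and
refresh-token rotation are assumptions; the fake server exists only so the
exchange can run without a network.
"""
import base64, hashlib, hmac, json, secrets, time

ACCESS_TTL, REFRESH_TTL = 3600, 7 * 24 * 3600      # lifetimes from the page


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"


def verify_jwt(token, key, now):
    """Return the claims if signature and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    return claims if claims.get("exp", 0) > now else None


class FakeAuthServer:
    """Stand-in for /api/auth/*. `now` is a settable clock so expiry can be simulated."""

    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.users = {"admin": "password"}   # constructed; real storage is a BCrypt hash
        self.live_refresh = set()            # jti values still accepted on refresh
        self.now = time.time()

    def _pair(self, user):
        jti = secrets.token_hex(8)
        self.live_refresh.add(jti)
        access = sign_jwt({"sub": user, "typ": "access", "exp": self.now + ACCESS_TTL}, self.key)
        refresh = sign_jwt({"sub": user, "typ": "refresh", "jti": jti,
                            "exp": self.now + REFRESH_TTL}, self.key)
        return {"accessToken": access, "refreshToken": refresh}

    def login(self, username, password):
        stored = self.users.get(username, "")
        if not hmac.compare_digest(stored.encode(), password.encode()):
            return 401, {"error": "bad credentials"}
        return 200, self._pair(username)

    def refresh(self, refresh_token):
        claims = verify_jwt(refresh_token, self.key, self.now)
        if not claims or claims.get("typ") != "refresh" or claims.get("jti") not in self.live_refresh:
            return 401, {"error": "invalid refresh token"}
        self.live_refresh.discard(claims["jti"])   # rotate: the old token is single-use
        return 200, self._pair(claims["sub"])

    def logout(self, refresh_token):
        claims = verify_jwt(refresh_token, self.key, self.now)
        if claims:
            self.live_refresh.discard(claims.get("jti"))
        return 200, {}

    def current_user(self, headers):
        """Bearer-protected stand-in for GET /api/auth/user."""
        auth = headers.get("Authorization", "")
        token = auth[7:] if auth.startswith("Bearer ") else ""
        claims = verify_jwt(token, self.key, self.now)
        if not claims or claims.get("typ") != "access":
            return 401, {"error": "token expired or invalid"}
        return 200, {"username": claims["sub"]}


class Client:
    """Keeps the token pair, sends Bearer, refreshes once on 401 and retries."""

    def __init__(self, server):
        self.server, self.access, self.refresh_tok, self.refreshes = server, None, None, 0

    def login(self, username, password):
        status, body = self.server.login(username, password)
        if status != 200:
            raise PermissionError(body["error"])
        self.access, self.refresh_tok = body["accessToken"], body["refreshToken"]

    def get_current_user(self):
        status, body = self.server.current_user({"Authorization": f"Bearer {self.access}"})
        if status == 401:
            status, body = self.server.refresh(self.refresh_tok)
            if status != 200:
                raise PermissionError("session expired, log in again")
            self.refreshes += 1
            self.access, self.refresh_tok = body["accessToken"], body["refreshToken"]
            status, body = self.server.current_user({"Authorization": f"Bearer {self.access}"})
        return body
```

Two details carry the security value: the server distinguishes access from refresh tokens by a claim, so a stolen refresh token cannot be presented as a Bearer token, and a refresh token is accepted once, so a replayed one after rotation fails and the client is forced back to a fresh login.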
Change Password
```http
POST /api/auth/change-password
Content-Type: application/json

{
  "currentPassword": "oldPassword",
  "newPassword": "newSecurePassword"
}
```
TIP
All users can change their own password. Admins can reset any user's password through the user management API.
Get Current User
```http
GET /api/auth/user
```
Returns the profile and role of the currently authenticated user.
Logout
```http
POST /api/auth/logout
```
Invalidates the current token pair.