User Management

Manage user accounts, assign roles, and control access to DFIRe.

Overview

User management in DFIRe is accessed via Settings > User Accounts. The interface has two tabs:

  • Users: Create, edit, and manage user accounts
  • Role Editor: Configure permissions for each role

For detailed information about the Role Editor and permission configuration, see Application Security.

Access Control

DFIRe uses a two-tier access control system:

1. Role-Based Permissions

Each user is assigned a role that determines their system-wide capabilities:

  • Can the user create new cases?
  • Can the user access system settings?
  • Can the user view all cases regardless of assignment?

2. Case-Level Access

For each case, access is determined by team assignment:

  • Lead Investigator: Full control of the case
  • Investigator: Read/write access to case content
  • Viewer: Read-only access

A user must have both the role permission to perform an action and be assigned to the case (unless they have "View/Edit All Cases" permission).

Creating Users

  1. Navigate to Settings > User Accounts

    You need the edit_tenant permission to manage users. This permission is included in the default DFIRe Admin role, but can be assigned to any custom role via the Role Editor.

  2. Click "Add User"
  3. Fill in User Details
    • First Name / Last Name: Display name
    • Username: Unique identifier for login
    • Email: Used for notifications
    • Role: Select the user's role
    • Password: Set the initial password
  4. Configure Account Status

    The "Account Active" toggle determines whether the user can log in.

  5. Optional: Link Slack Account

    Enter the user's Slack User ID if you use Slack integration. Find this in Slack by clicking the user's profile > More > Copy member ID.

  6. Click "Save User"

SSO Users: When SSO is configured, users are created automatically on first login. You may need to adjust their role after their first login. If an existing local account matches the SSO user's email address, the account is converted to a passwordless SSO account and password-based login is disabled for that user.

Preconfigured Roles

DFIRe includes these default roles:

Role Description
View Only Read-only access to cases they're assigned to
Standard user Create and manage cases they're assigned to, add evidence and notes
Team Lead Standard user permissions plus view/edit all cases and manage teams
DFIRe Admin Full system access including user management, settings, and audit logs

These are default template roles included with DFIRe. The superuser is free to modify them, create new roles, or reorganize permissions entirely using the Role Editor. DFIRe never checks group membership directly — it only checks individual atomic permissions as assigned through the Role Editor. See Application Security for details.

IOC-Related Permissions

The following permissions control access to IOC features and can be assigned via the Role Editor:

Permission Effect
core.manage_indicators Create, edit, classify, publish, and revoke indicators
core.export_indicators Export indicators in CSV, STIX, or plaintext format
core.import_indicators Bulk import indicators from CSV or STIX files
core.manage_taxii Configure TAXII 2.1 server settings, collections, and API keys

Editing Users

Click the edit button next to any user to modify their account:

  • Update profile information: Name, email, username
  • Change role: Select a different role from the dropdown
  • Reset password: Enter a new password (leave blank to keep current)
  • Enable/disable account: Toggle the "Account Active" switch
  • Update Slack ID: Link or unlink Slack integration

SSO Users

Users who authenticate via SSO are indicated with an SSO badge showing their identity provider. For SSO users:

  • Password fields are hidden (authentication is managed by the identity provider)
  • Profile information may be synced from the identity provider
  • You can still change their role and account status

Disabling Users

When a user should no longer have access:

  1. Go to Settings > User Accounts
  2. Click the edit button for the user
  3. Turn off "Account Active"
  4. Click "Save User"

Disabling a user:

  • Prevents them from logging in
  • Preserves their audit trail and case history
  • Shows a "Disabled" badge on the user list
  • Does not delete any data

Note: User accounts cannot be deleted — only disabled. This prevents user ID reuse and preserves the integrity of the audit trail and case history. Disabled accounts remain in the system but cannot be used to log in.

Force Logout

Administrators can immediately terminate all of a user's active sessions:

  1. Go to Settings > User Accounts
  2. Click the edit button for the user
  3. Click "Force Logout"
  4. Confirm the action

This is useful when:

  • A user's credentials may have been compromised
  • An employee is leaving and you need immediate access revocation
  • You've changed a user's role and want it to take effect immediately

The user will need to log in again on all devices.

User List

The user list displays:

  • Profile picture: From SSO provider or initials placeholder
  • Name and username: With email address
  • Status badges:
    • SSO badge - Shows the identity provider (Google, Microsoft, etc.)
    • Disabled badge - Account is deactivated
    • ROOT badge - Superuser with full system access
  • Role: The user's assigned role
  • Slack status: Whether their Slack account is linked

Authentication Methods

DFIRe supports two authentication methods:

  • SSO (recommended for production): Passwordless authentication via your organization's OIDC identity provider (Google Workspace, Microsoft Entra ID, Okta, etc.). SSO is the primary method for production use as it leverages your organization's MFA and security policies.
  • Local password login: Username and password authentication. Provided as a convenience for initial setup and to support air-gapped environments without access to an identity provider. Password-based login does not support MFA.

Security: When a local account user logs in via SSO, the account is converted to passwordless and password-based login is permanently disabled for that account. This ensures all production users authenticate through the organization's identity provider.

Password Policy

For local accounts, DFIRe enforces password requirements via Django's built-in validation:

  • Minimum 12 characters
  • Cannot be too similar to personal information
  • Cannot be a commonly used password
  • Cannot be entirely numeric

Password Reset

Users with local accounts (non-SSO) can reset their own password:

  1. Click on profile menu in the top navigation
  2. Select "Change Password"
  3. Enter current password and new password
  4. Click "Change Password" to save

Administrators can also reset passwords for users via the User Accounts settings.

Superusers

Superusers (shown with a "ROOT" badge) have unrestricted access to the entire system, bypassing all permission checks. Superuser status:

  • Is set during initial installation or via command line
  • Cannot be granted or revoked through the web interface
  • Should be limited to system administrators only

Non-superuser administrators cannot edit superuser accounts.