User Management

This section details the functionalities for managing user accounts within the system, including their creation, modification, deletion, and the assignment of roles and CA group memberships.

Key Functionalities

User Listing

• Endpoint: /users
• Description: Displays a paginated list of all registered users, including their assigned roles.

User Creation

• Endpoints:
  • GET /users/create: Displays the form for creating a new user account.
  • POST /users: Submits data to create a new user.
• Requirements:
  • name: Required string for the user's name.
  • email: Required, unique email address for the user.
  • password: Required string, minimum 8 characters, and must be confirmed.
  • roles: Optional array of role names to assign to the user.
• Email Verification: Newly created users have their email_verified_at set to null, indicating that their email requires manual verification by an administrator.
• Audit Logging: Records user creation events.

User Details

• Endpoint: /users/{user}
• Description: Displays detailed information for a specific user, including their assigned roles and CA group memberships.

User Updates

• Endpoints:
  • GET /users/{user}/edit: Displays the form for editing an existing user's details.
  • PUT/PATCH /users/{user}: Submits data to update a user's information.
• Updatable Fields:
  • name: User's name.
  • email: User's email address (must remain unique, excluding the current user's email).
  • password: Optional new password (minimum 8 characters, must be confirmed).
  • roles: Array of role names to assign/unassign to the user.
  • ca_groups: Array of CA group IDs to assign/unassign to the user.
• CA Group Assignment Metadata: When users are assigned to CA groups, the system records assigned_by (the administrator performing the assignment) and assigned_at timestamps.
• Audit Logging: Records user update events.

User Deletion

• Endpoint: DELETE /users/{user}
• Description: Deletes a user account from the system.
• Deletion Policy: The system prevents the deletion of the last administrator account to ensure continuous system access and management capabilities.
• Audit Logging: Records user deletion events.

Manual Email Verification (Admin Only)

• Endpoint: POST /users/{user}/verify-email
• Description: Allows an administrator to manually mark a user's email as verified.
• Access Control: This action is restricted to users with the admin role.
• Process: Sets the email_verified_at timestamp for the user.
• Audit Logging: Records manual email verification events by administrators.

Revoke Email Verification (Admin Only)

• Endpoint: POST /users/{user}/revoke-email
• Description: Allows an administrator to revoke a user's email verification status.
• Access Control: This action is restricted to users with the admin role.
• Process: Sets the email_verified_at timestamp for the user back to null.
• Audit Logging: Records email verification revocation events by administrators.

Inferred Specifications

• User Authentication: The system relies on email and password for user authentication.
• Role-Based Access Control (RBAC): User permissions are managed through a role-based system, allowing for flexible assignment of privileges (e.g., admin).
• Layered Access Control with CA Groups: In addition to global roles, users can be assigned to specific CAGroups, which define their access permissions within the context of individual Certificate Authorities, creating a layered access control model.
• Email Verification Workflow: New user accounts require email verification, which can be performed manually by an administrator, ensuring a controlled onboarding process.
• Password Security Standards: Passwords are securely hashed and enforced with a minimum length requirement (8 characters).
• Unique User Identification: Each user is uniquely identified by their email address.
• System Integrity Safeguard: A critical security measure prevents the accidental deletion of the last administrator account, ensuring the system remains manageable.
• Comprehensive Audit Trail: All actions related to user management, including creation, updates, deletions, role/group assignments, and email verification status changes, are meticulously logged for security, compliance, and operational oversight.
• Metadata for Access Assignments: The system tracks who assigned a user to a CA group and when, providing accountability for access control decisions.