Administration

The Administration section is accessible to users with the Administrator role. It covers user management, audit logging, API keys, system settings, authentication, and licence management.

User Management

Navigate to Administration > Users to manage user accounts.

User Roles

Role	Description
Administrator	Full system access. Can manage users, settings, API keys, licence, and authentication configuration.
IAM Governance Manager	Can manage systems, credentials, scan policies, identities, privilege overrides, and PAM inventory. Cannot access administration settings.
IAM Governance Analyst	Read-only access. Can view dashboards, reports, accounts, KRIs, and scan history. Cannot modify data.
Inherit from OIDC Claim	Role is determined by the SSO provider's role claim on each login. Only available when OIDC is configured.

Creating a User

1. Click Add User
2. Fill in:

Field	Required	Description
Username	Yes	Login username (must be unique)
Full Name	Yes	Display name
Email	Yes	Email address
Role	Yes	One of the roles above
Initial Password	Yes	Temporary password (user should change on first login)

3. Click Save

User creation is subject to the licence limit on maximum users.

Managing Users

• Deactivate - disables a user account (they cannot log in, but their audit history is preserved)
• Activate - re-enables a deactivated account
• Reset Password - sets a new temporary password for the user

Password Policy

Navigate to the Password Policy tab on the Users page to configure password requirements. See Configuration Reference for all available settings.

Audit Logs

Navigate to Administration > Audit Logs to view a complete record of all actions performed in OrbisID.

Each log entry contains:

Field	Description
Timestamp	When the action occurred
User	Who performed the action
Action Type	Category of action (e.g., USER_LOGIN, SYSTEM_CREATED, SCAN_EXECUTED)
Target	What was affected (e.g., system name, account ID)
Details	JSON payload with additional context

Filtering Audit Logs

Use the filters to narrow results:

• Action Type - select from a dropdown of all action types
• Date Range - start and end dates
• User - filter by the user who performed the action

Click on any log entry to view its full JSON details in a dialog.

Action Types

Common action types include:

Category	Actions
Authentication	USER_LOGIN, USER_LOGOUT, USER_LOCKED, OIDC_LOGIN_SUCCESS
Systems	SYSTEM_CREATED, SYSTEM_UPDATED, SYSTEM_OFFBOARDED
Credentials	CREDENTIAL_CREATED, CREDENTIAL_UPDATED, CREDENTIAL_PAM_SCRIPT_UPLOADED
Scanning	SCAN_EXECUTED, SCAN_COMPLETED
Accounts	ACCOUNT_LINKED, IDENTITY_CREATED
Administration	LICENSE_ACTIVATED, CONFIG_CHANGED, API_KEY_CREATED

Scan Agents

Navigate to Administration > Scan Agents to manage remote scan agents.

See Scan Agent for full documentation on deploying and configuring agents.

The administration page lets you:

• View registered agents and their status (online/offline, last heartbeat)
• Create agent groups to organise agents by network segment
• Assign systems to agent groups (systems in a group are scanned by agents in that group)
• Regenerate agent API keys
• Enable/disable agents
• Drain agent queues (finish current jobs, accept no new ones)
• Download agent installation packages (Docker image or JAR)

API Keys

Requires Enterprise edition.

Navigate to Administration > API Keys to manage API keys for programmatic access.

Creating an API Key

1. Click Create Key
2. Enter a name/description for the key
3. Click Create
4. Copy the key immediately - it is only displayed once

danger

The API key value is shown only at creation time. If you lose it, you must create a new key.

Managing API Keys

Action	Description
Enable	Activates a disabled key
Disable	Temporarily disables a key (can be re-enabled)
Delete	Permanently removes the key

All API key operations are recorded in the audit log.

System Settings

Navigate to Administration > Settings to configure application-wide settings.

Setting	Default	Description
Date Format	yyyy-MM-dd	How dates are displayed in the UI
DateTime Format	yyyy-MM-dd HH:mm:ss	How timestamps are displayed
Connection Timeout	60 seconds	Default timeout for testing system connections

Changes take effect immediately.

Authentication (OIDC/SSO)

Requires Enterprise edition.

Navigate to Administration > Authentication to configure OIDC single sign-on.

Configuration

Field	Description
Issuer URL	Your identity provider's OIDC issuer URL
Client ID	OAuth 2.0 client ID
Client Secret	OAuth 2.0 client secret (encrypted at rest)
Redirect URI	The callback URL (https://your-orbisid-host/oidc-callback)
Role Claim	JWT claim name containing the user's role

How It Works

Role Mapping

If a user has the role INHERIT_FROM_OIDC_CLAIM, their effective role is determined by the value of the configured role claim in the ID token. The claim value must match one of:

• ADMINISTRATOR
• IAM_GOVERNANCE_MANAGER
• IAM_GOVERNANCE_ANALYST

Users with a specific OrbisID role assigned always use that role, regardless of the SSO claim.

Testing

After saving the configuration, click Test to verify the OIDC flow works. If the test succeeds, the SSO button will appear on the login page.

To remove OIDC, click Delete Configuration.

Licence Management

Navigate to Administration > Licence to view and manage your OrbisID licence.

Viewing Licence Status

The licence page shows:

Field	Description
Edition	Community, Pro, or Enterprise
Status	Active, Expired, or Community
Valid Until	Expiry date (if applicable)
Max Systems	Maximum number of active systems
Max Users	Maximum number of user accounts
Max Schedules	Maximum number of scheduled scan policies

Activating a Licence

1. Paste your licence key into the text field
2. Click Preview to verify the key details before activating
3. Click Activate

Deactivating a Licence

Click Deactivate to revert to the Community edition. Your data is preserved, but features beyond Community limits will become locked.

Edition Comparison

See Licensing for a full comparison of features by edition.