Users, Roles, and Organisations

Understand Open-AudIT's role-based access control system including users, roles, organisations, LDAP integration, and permission inheritance.

Intermediate | Updated Apr 10, 2026

Open-AudIT uses a role-based access control (RBAC) system to determine what a user can do and which devices they can see. It's flexible enough to model almost any organisational structure.

The Three Parts

Users — People with accounts in Open-AudIT. Each user has a list of Roles and Organisations assigned to them.

Roles — Define what a user can do (create, read, update, delete on different collections).

Organisations (Orgs) — Define which devices and data a user can act on.

How It Works

When a user performs any operation, Open-AudIT checks two things:

  1. Role check — Does this user's role allow this action (e.g., creating a query)?
  2. Org check — Does this collection item belong to an org the user has access to?

Both must pass. A user might have the right role but still not see a device if it belongs to an org they don't have access to.

Built-in Roles

Open-AudIT ships with three default roles:

| Role | Description |
|------|-------------|
| admin | Full access to global application settings — configuration, database, logs, roles, LDAP, etc. |
| org_admin | Can create, read, update, and delete items in any collection that has an org_id column. The right role for team leads managing devices, queries, groups, and users within their org. |
| user | Read-only access to most items within their permitted orgs. |

A user can have multiple roles. Permissions are applied at the most permissive level — if a user has both user and org_admin, the org_admin permissions apply.

Organisations

Think of your org structure like a company org chart. Orgs can have parent–child relationships. If a user has access to a parent org, they automatically have access to all child (descendant) orgs too.

For some collections — dashboards, groups, queries, reports, summaries, widgets — users with access to a child org can also see items from parent orgs. This makes it easy to share global reporting templates while keeping device data separate.

Example

Imagine this structure:

Default Org
└── Company A
    ├── Finance
    └── Engineering

A user with access to "Finance" can see Finance devices only. A user with access to "Company A" can see all of Company A, Finance, and Engineering devices. An admin with access to "Default Org" can see everything.
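
The two checks from "How It Works" combined with the org inheritance rules above, modeled as an added Python example. This is not Open-AudIT's own code: the function names, data shapes, the c/r/u/d permission sets per role, and the choice to apply parent-org visibility to reads only are assumptions made for illustration.

```python
# Simplified model of the access decision described on this page.
# Not Open-AudIT source code; names and data shapes are assumptions.

# Org tree from the example above, stored as child -> parent.
PARENT = {"Default Org": None, "Company A": "Default Org",
          "Finance": "Company A", "Engineering": "Company A"}

# Collections whose parent-org items are visible from child orgs (per the page).
SHARED_FROM_PARENTS = {"dashboards", "groups", "queries", "reports",
                       "summaries", "widgets"}

# Assumed permission sets, following the role descriptions (c/r/u/d).
# The admin role governs global application settings and is not modeled here.
ROLE_PERMS = {"user": {"r"}, "org_admin": {"c", "r", "u", "d"}}


def ancestors(org):
    """Yield org itself, then each parent up to the root."""
    while org is not None:
        yield org
        org = PARENT[org]


def role_check(roles, action):
    """Most permissive wins: allowed if any assigned role grants the action."""
    return any(action in ROLE_PERMS.get(r, set()) for r in roles)


def org_check(user_orgs, action, collection, item_org):
    """Item must sit in an assigned org or one of its descendants.
    For the shared collections, items in an ancestor of an assigned org are
    also visible; the page only says 'see', so this is limited to reads
    (assumption)."""
    if any(a in user_orgs for a in ancestors(item_org)):
        return True
    if action == "r" and collection in SHARED_FROM_PARENTS:
        return any(item_org in ancestors(o) for o in user_orgs)
    return False


def allowed(roles, user_orgs, action, collection, item_org):
    """Both the role check and the org check must pass."""
    return (role_check(roles, action)
            and org_check(user_orgs, action, collection, item_org))
```

When reviewing assignments, note that granting a parent org widens device visibility to every descendant, while granting a child org exposes only the listed shared collections from its parents.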

Creating Users

  1. Go to Menu → Admin → Users → Create Users
  2. Set a username, name, email, and password
  3. Assign one or more roles
  4. Assign one or more organisations
  5. Save

Active Directory and LDAP

Open-AudIT integrates with Active Directory and OpenLDAP for authentication and authorisation. When configured, users don't need separate Open-AudIT accounts — they authenticate with their AD/LDAP credentials.

Open-AudIT maps AD/LDAP groups to Open-AudIT roles and orgs. A user must be a direct member of the relevant group for the mapping to take effect.

If LDAP is configured and a user isn't in LDAP (e.g., the local admin account), Open-AudIT falls back to local authentication automatically.

With LDAP fully configured for both authentication and authorisation, Open-AudIT will auto-create user accounts on first login — no pre-provisioning needed.

For setup instructions, see How to Enable LDAP Authentication.
