User Management
Manage users, roles, permissions, and invitations in Kener
Use Manage → Users to invite teammates and manage account status. Use Manage → Roles to control access with fine-grained permissions.
Roles and permissions
Kener uses a role-based access control (RBAC) system. Each user can be assigned one or more roles, and each role has a set of permissions that determine what actions the user can perform.
Built-in roles
Three readonly roles are seeded automatically:
| Role | Permissions | Notes |
|---|---|---|
| admin | All permissions | Full access including api_keys.delete |
| editor | All except api_keys.delete | Day-to-day operations |
| member | All .read permissions only | View-only access |
Built-in roles cannot be edited or deleted.
Custom roles
From Manage → Roles, users with the roles.write permission can create custom roles:
- Click Create Role.
- Enter a role ID (lowercase, numbers, underscores, hyphens) and display name.
- Optionally clone permissions from an existing role.
- After creation, assign permissions in the Permissions panel.
Custom roles can be edited, deactivated, or deleted. When deleting a custom role, you can either remove user assignments or migrate them to another role.
Permission domains
Permissions follow a domain.action format:
| Domain | Actions |
|---|---|
| monitors | read, write |
| incidents | read, write |
| maintenances | read, write |
| pages | read, write |
| triggers | read, write |
| alerts | read, write |
| api_keys | read, write, delete |
| users | read, write |
| settings | read, write |
| subscribers | read, write |
| email_templates | read, write |
| images | write |
| roles | read, write, assign_permissions, assign_users |
Permissions are enforced at both the route level (page access) and the action level (API operations).
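A least-privilege review of this model, as an added example (not Kener's own code): it transcribes the permission table, derives the three built-in roles as described above, and lists which users end up holding a given permission. The custom-role and user object shapes, the sample data, and the rule that an inactive role grants nothing are assumptions of the example.

```javascript
// Added example. Permission catalogue transcribed from the page's domain table.
const DOMAINS = {
  monitors: ["read", "write"], incidents: ["read", "write"],
  maintenances: ["read", "write"], pages: ["read", "write"],
  triggers: ["read", "write"], alerts: ["read", "write"],
  api_keys: ["read", "write", "delete"], users: ["read", "write"],
  settings: ["read", "write"], subscribers: ["read", "write"],
  email_templates: ["read", "write"], images: ["write"],
  roles: ["read", "write", "assign_permissions", "assign_users"],
};
const ALL = Object.entries(DOMAINS).flatMap(([d, acts]) => acts.map((a) => `${d}.${a}`));
// Built-in roles, derived from the page's descriptions of them.
const BUILTIN = {
  admin: ALL,
  editor: ALL.filter((p) => p !== "api_keys.delete"),
  member: ALL.filter((p) => p.endsWith(".read")),
};
const ROLE_ID = /^[a-z0-9_-]+$/; // lowercase, numbers, underscores, hyphens
// customRoles: [{ id, active, permissions }] is a hypothetical shape for this sketch.
function buildRoles(customRoles) {
  const roles = new Map(Object.entries(BUILTIN).map(([id, p]) => [id, { active: true, perms: new Set(p) }]));
  for (const { id, active, permissions } of customRoles) {
    if (!ROLE_ID.test(id) || roles.has(id)) throw new Error(`invalid or duplicate role id: ${id}`);
    const bad = permissions.find((p) => !ALL.includes(p));
    if (bad) throw new Error(`unknown permission: ${bad}`);
    roles.set(id, { active, perms: new Set(permissions) });
  }
  return roles;
}
// Union over the user's roles. Assumption: an inactive or unknown role grants nothing.
function effective(roles, roleIds) {
  const active = roleIds.map((id) => roles.get(id)).filter((r) => r && r.active);
  return new Set(active.flatMap((r) => [...r.perms]));
}
// Review helper: which users hold a sensitive permission through any of their roles?
function holders(roles, users, perm) {
  return users.filter((u) => effective(roles, u.roles).has(perm)).map((u) => u.name).sort();
}
// Constructed sample data.
const SAMPLE_ROLES = buildRoles([
  { id: "key-rotator", active: true, permissions: ["api_keys.read", "api_keys.write", "api_keys.delete"] },
  { id: "role_admin", active: false, permissions: ["roles.assign_permissions"] },
]);
const SAMPLE_USERS = [
  { name: "alice", roles: ["admin"] }, { name: "bob", roles: ["editor", "key-rotator"] },
  { name: "carol", roles: ["member", "role_admin"] }, { name: "dave", roles: ["editor"] },
];
console.log(holders(SAMPLE_ROLES, SAMPLE_USERS, "api_keys.delete")); // [ 'alice', 'bob' ]
```

Running the same review for roles.assign_permissions and roles.assign_users shows how far role administration extends beyond admin, since editor holds every permission except api_keys.delete.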
Managing role permissions
From the roles table, click Permissions on any role to view or edit its permissions. Permissions are grouped by domain and can be toggled individually. Readonly (built-in) roles show permissions in read-only mode.
Managing role users
Click Users on any role to see assigned users. Users with roles.assign_users permission can add or remove users from roles.
User management
Users with the users.write permission can:
- invite new users
- resend invitation emails
- update user roles
- activate/deactivate users
- send verification emails
Owner-specific restrictions:
- the owner must always retain the admin role
- the owner account cannot be deactivated
Invite flow
Important
Email must be configured before the invitation flow can be used.
From Manage → Users:
- Click Add User.
- Enter name, email, and select one or more roles.
- Invitation email is sent with a secure token link.
Current behavior:
- invited user is created with inactive account and empty password
- invitation token expires after 7 days
- all selected roles must be active
How users accept invitation
When a user opens the invitation link:
- Token is validated (view + token + expiry).
- User sets password on invitation page.
- On success, account is activated and marked verified.
- User signs in normally.
If the link is invalid, expired, or already used, the invitation page shows an error and the user cannot activate the account from that link.
Verification emails
- Users with users.write permission can send verification emails to other users.
- Any user can trigger verification for their own account (if unverified).
Common tasks
- Change user roles: open user settings sheet, toggle roles, and click Update Roles. Users can be assigned multiple roles simultaneously.
- Deactivate user: toggle account inactive in user settings sheet. Existing sessions are invalidated.
- Re-invite user: resend invitation if user has not set password yet.
UI behavior notes
- The current signed-in user is highlighted in the users table.
- Users table can be filtered by active/inactive status.
- Role badges show the user's assigned role IDs.
Requirements and dependencies
- Email setup is required for:
  - inviting users
  - resending invitation emails
  - verification emails
See Email Setup.