Users
The Users page manages platform accounts and role-based access control.

CBOM has two user roles:
| Role | Permissions |
|---|---|
| Admin | Full access — manage users, sensors, settings, run scans, create attestations, modify lifecycle states |
| Viewer | Read-only — view dashboard, inventory, relationships, compliance results, exports |
The first user created on a fresh installation is automatically assigned the admin role.
User Management
Creating a User
- Navigate to Users → Add User
- Enter email and name
- Set initial password
- Assign role (admin or viewer)
- Save
Editing a User
Admins can:
- Change a user’s role
- Reset a user’s password
- Disable/enable accounts
Deleting a User
Remove a user’s access. This does not affect any data they created (attestations, saved searches, etc.).
Authentication
CBOM uses JWT-based authentication:
- Users sign in with email and password
- The API returns a JWT token (valid for 24 hours by default)
- The token is sent with every subsequent request
- Token expiration is configurable via CBOM_JWT_EXPIRATION_HOURS
Sign In
Navigate to /signin. If you are not authenticated, you are redirected there automatically.

Access Control
Role checks are enforced at the API level:
| Action | Admin | Viewer |
|---|---|---|
| View dashboard, inventory, relationships | ✓ | ✓ |
| Export CycloneDX | ✓ | ✓ |
| Import external CBOMs | ✓ | ✓ |
| Run scans | ✓ | ✗ |
| Manage sensors | ✓ | ✗ |
| Create/edit alert rules | ✓ | ✗ |
| Create attestations | ✓ | ✗ |
| Change lifecycle states | ✓ | ✗ |
| Manage users | ✓ | ✗ |
| Modify settings | ✓ | ✗ |
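
One way the token expiry and the API-level role check described above could be enforced, as an added example that is not CBOM's own code. It assumes HS256-signed tokens, the claim names `sub`, `role` and `exp`, and hypothetical action names that mirror the table.

```python
import base64, hashlib, hmac, json, os, time

# Assumptions: HS256, the claim names and the action names are illustrative.
SECRET = b"constructed-demo-secret"  # constructed; load from a secret store in practice
EXP_HOURS = float(os.environ.get("CBOM_JWT_EXPIRATION_HOURS", "24"))

# Hypothetical action names mirroring the table above; unlisted actions are denied.
ADMIN_ONLY = ("run_scan", "manage_sensors", "edit_alert_rules", "create_attestation",
              "change_lifecycle", "manage_users", "modify_settings")
PERMISSIONS = {a: {"admin"} for a in ADMIN_ONLY}
PERMISSIONS.update({a: {"admin", "viewer"}
                    for a in ("view", "export_cyclonedx", "import_cbom")})

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _sign(signing_input):
    # The algorithm is fixed server-side; the token header's "alg" is never consulted.
    return _b64(hmac.new(SECRET, signing_input, hashlib.sha256).digest())

def issue(email, role, now=None):
    """Build a signed token whose lifetime comes from CBOM_JWT_EXPIRATION_HOURS."""
    now = time.time() if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": email, "role": role, "exp": int(now + EXP_HOURS * 3600)}
    body = header + b"." + _b64(json.dumps(claims).encode())
    return (body + b"." + _sign(body)).decode()

def authorize(token, action, now=None):
    """True only for a correctly signed, unexpired token whose role permits the action."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.encode().split(b".")
        if not hmac.compare_digest(sig, _sign(header + b"." + payload)):
            return False  # tampered or signed with another key
        claims = json.loads(base64.urlsafe_b64decode(payload + b"=" * (-len(payload) % 4)))
        if claims["exp"] <= now:
            return False  # expired
        return claims["role"] in PERMISSIONS.get(action, set())
    except (ValueError, TypeError, KeyError, AttributeError):
        return False  # malformed token
```

The role is read from the verified token on every request, so hiding a button in the UI is never the only control, and an action missing from the map is denied rather than allowed.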
Related
- Compliance — Attestations require admin role
- API Deployment — JWT configuration