This guide covers how administrators manage users in SecureAI -- inviting new users, assigning roles, deactivating accounts, resetting passwords, and understanding how user data is handled throughout the lifecycle.
Prerequisites
Before you begin, ensure you have:
- Admin access to your SecureAI instance.
- The email addresses of the users you want to add.
- A plan for role assignment -- decide who needs admin access versus standard user access before you start adding people.
Understanding Roles
SecureAI has two roles. Every user is assigned exactly one.
| Role | What They Can Do |
|---|---|
| User | Start conversations, upload documents, search the knowledge base, use assigned tools and assistants, manage their own profile and settings |
| Admin | Everything a User can do, plus: manage users (invite, deactivate, change roles), view analytics and usage reports, configure models and providers, manage tools and assistants, adjust system settings (SSO, data retention, content filtering) |
When to Assign the Admin Role
Assign the admin role only to people who need to manage the SecureAI instance. In most organizations, this means IT administrators or team leads responsible for the platform. A typical deployment has 2-5 admins and the rest as standard users.
Admins can see usage analytics and conversation metadata (which users are active, token consumption, model usage) but cannot read the content of other users' conversations.
Inviting a Single User
- Navigate to Admin Panel > Users.
- Click Add User.
- Fill in the user details:
- Email: The user's work email address. Must be unique across the instance.
- Name: Display name shown in the interface.
- Role: Select
UserorAdmin.
- Click Send Invitation.
The user receives an email with a link to set their password and activate their account. Invitation links expire after 72 hours. If the link expires before the user activates, you can re-send the invitation from the user list.
SSO Users
If your organization uses SAML or OIDC SSO, invited users do not need to set a password. They authenticate through your identity provider on first login. The invitation email still goes out to notify them that access is ready, but they sign in using their existing corporate credentials.
See Configuring SAML SSO or Configure OIDC SSO for setup instructions.
Inviting Multiple Users
For onboarding more than a handful of users, use the bulk import feature instead of adding users one by one.
- Prepare a CSV file with
email,name,role, and (optionally)departmentcolumns. - Navigate to Admin Panel > Users.
- Click Import Users and upload the CSV.
SecureAI validates the file, shows a preview, and imports valid rows. Rows with errors are skipped and reported.
See How to Bulk Import Users for the full CSV format, validation rules, error handling, and API-based import.
Viewing and Searching Users
The Admin Panel > Users page shows all users in your instance. From this page you can:
- Search by name or email using the search bar at the top.
- Filter by role (User, Admin) or status (Active, Deactivated).
- Sort by name, email, role, last active date, or date added.
- Export the user list as a CSV for reporting or auditing.
Click any user's name to open their profile and see their details, activity summary, and management options.
Changing a User's Role
- Navigate to Admin Panel > Users.
- Click the user's name to open their profile.
- Under Role, select the new role (
UserorAdmin). - Click Save.
The change takes effect immediately. If you promote a user to Admin, they will see the Admin Panel on their next page load. If you demote an Admin to User, they lose access to the Admin Panel immediately.
Protecting Against Lockout
SecureAI prevents you from removing the admin role from the last remaining admin account. There must always be at least one admin in the system. If you need to transfer admin responsibility, promote the new admin first, then demote yourself.
Deactivating a User
Deactivation prevents a user from logging in while preserving their data.
- Navigate to Admin Panel > Users.
- Click the user's name.
- Toggle Active to off.
- Click Save.
What Happens When a User Is Deactivated
| Area | Behavior |
|---|---|
| Login | Blocked. Active sessions are terminated. |
| Conversation history | Preserved. Admins can view metadata in analytics. |
| Uploaded documents | Preserved in the knowledge base. |
| Seat count | Deactivated users do not count toward your seat limit. |
| SSO | If the user tries to log in through SSO, they are blocked at the SecureAI level even if their IdP session is active. |
Reactivating a User
- Navigate to Admin Panel > Users.
- Use the status filter to find deactivated users.
- Click the user's name.
- Toggle Active to on.
- Click Save.
The user can log in again immediately. Their conversation history and documents are intact.
Deactivation vs. Deletion
SecureAI does not offer a user deletion feature in the admin panel. Deactivation is the standard way to revoke access. This is intentional:
- Compliance: Many organizations must retain user activity records for audit purposes (SOC 2, GDPR). Deletion would destroy audit trails.
- Data integrity: Conversations and documents linked to a user remain consistent. Deleting a user would orphan that data.
- Reversibility: Deactivation is reversible. If someone returns to the organization or was deactivated by mistake, reactivation restores full access instantly.
If you need to permanently remove a user's data for GDPR data subject deletion requests, contact SecureAI support. Data deletion requests are processed manually to ensure compliance with your data retention policies.
Resetting a User's Password
- Navigate to Admin Panel > Users.
- Click the user's name.
- Click Reset Password.
- Confirm the action.
The user receives an email with a password reset link. The link expires after 72 hours. The user's current password continues to work until they complete the reset.
SSO Environments
If your organization uses SSO, password resets are handled by your identity provider, not SecureAI. The Reset Password button is hidden for SSO-authenticated users. Direct users to your organization's standard password reset process (e.g., Okta self-service, Azure AD SSPR).
Managing User Sessions
Admins can terminate a user's active sessions if needed -- for example, if a user's account may be compromised or if a deactivated user has a session that has not yet expired.
- Navigate to Admin Panel > Users.
- Click the user's name.
- Click Terminate Sessions.
- Confirm the action.
All active sessions for that user are invalidated immediately. The user must log in again.
Monitoring User Activity
The Admin Panel > Analytics section provides an overview of user activity:
- Active users: How many users have logged in over a given time period.
- Token usage: Per-user and per-model token consumption.
- Conversation volume: Number of conversations started per user.
- Last active: When each user last interacted with the system.
For detailed audit logging and compliance reporting, see How to Audit User Activity.
Common User Management Scenarios
Onboarding a New Employee
- Add the user with the appropriate role.
- If using SSO, no further action -- they can log in with their corporate credentials.
- If not using SSO, confirm they received the invitation email and activated their account.
Offboarding an Employee
- Deactivate the user to block login immediately.
- Their seat is freed for a new user.
- Their conversation history and documents are preserved for compliance.
Transferring Admin Responsibilities
- Promote the new admin by changing their role to Admin.
- Demote the outgoing admin to User (or deactivate if they are leaving the organization).
User Reports They Cannot Log In
- Check if the user's account is active in the user list.
- If active, try resetting their password.
- If using SSO, verify the user exists in your identity provider and is assigned to the SecureAI application.
- For persistent login issues, see the I Can't Log In FAQ.
Troubleshooting
| Problem | Solution |
|---|---|
| Invitation email not received | Check spam/junk folders. Verify the email address is correct in the user list. Check email delivery settings in Admin Panel > Settings > Email. |
| User sees "account deactivated" after SSO login | The user's SecureAI account is deactivated. Reactivate it in the admin panel. SSO authentication alone does not override deactivation. |
| Cannot remove admin role from a user | You may be the last admin. Promote another user to admin first, then demote yourself. |
| Seat limit reached | Deactivate users who no longer need access. Deactivated users do not count toward the seat limit. See What Happens If I Exceed My Seat Limit. |
| Bulk import errors | See How to Bulk Import Users for CSV format requirements and error handling. |
Next Steps
- How to Bulk Import Users -- onboard many users at once via CSV.
- Configuring SAML SSO or Configure OIDC SSO -- let users sign in with corporate credentials.
- How to Audit User Activity -- review usage logs and generate compliance reports.
- Content Filtering and Safety Settings -- control what models can generate for your users.