# User Security Audit
The User Security Audit Tool enables administrators to perform comprehensive security analysis of individual users. It checks roles, permissions, credentials, and calculates a security score.
## Overview
- 2 API endpoints for programmatic access
- Security Score (0–100) with automatic risk assessment
- Permission matrix across 37 platform modules
- Access: Admin area → User list → Shield icon
## API Endpoints
Both endpoints require the users.read permission and respect multi-tenant scoping.
### Retrieve Security Audit
Returns a complete security report:
| Section | Content |
|---|---|
| User | Profile data, 2FA status, last login |
| Customer | Assigned customer with status |
| Tenants | Tenants, plan, modules, quotas |
| Roles | Assigned roles + all permissions per role |
| Permissions | Deduplicated list of all permissions |
| API Keys | All API keys with prefix, scopes, last used |
| App Passwords | All app passwords with scopes |
| OAuth | Connected OAuth providers |
| Sessions | Active sessions (non-expired refresh tokens) |
| Subscriptions | Customer subscriptions |
| Projects | Projects + booked addons |
| Security Score | Score, level, issues, positive findings |
Example Response:

```json
{
  "user": {
    "uuid": "abc-123",
    "email": "user@example.com",
    "totp_enabled": false,
    "telegram_2fa": false,
    "last_login_at": "2026-03-10T14:30:00+00:00"
  },
  "customer": {
    "name": "Example GmbH",
    "status": "active"
  },
  "roles": [
    {
      "name": "user",
      "display_name": "User",
      "permissions": ["customers.read", "tickets.read", "tickets.create"]
    }
  ],
  "security_score": {
    "score": 40,
    "level": "critical",
    "issues": ["No TOTP/2FA enabled (-15)"],
    "good": ["Login within 30 days (+5)"]
  }
}
```
### Permission Check (Access Matrix)
Checks all 37 platform modules for read and write access:
Example Response:

```json
{
  "user_uuid": "abc-123",
  "user_email": "user@example.com",
  "is_super_admin": false,
  "total_modules": 37,
  "allowed_read": 5,
  "allowed_write": 3,
  "denied_read": 32,
  "denied_write": 33,
  "modules": [
    {
      "module": "calendar",
      "label": "Calendar",
      "category": "crm",
      "read": {
        "permission": "customers.read",
        "allowed": true,
        "level": "success"
      },
      "write": {
        "permission": "customers.update",
        "allowed": false,
        "level": "denied"
      }
    }
  ]
}
```
## Security Score

The score is calculated automatically by applying the following criteria to the audit data and clamping the result to the 0–100 range:
| Criterion | Impact |
|---|---|
| TOTP (2FA) enabled | +20 points |
| No TOTP | -15 points |
| Telegram 2FA | +5 points |
| Email verified | +5 points |
| Email not verified | -5 points |
| Login within 30 days | +5 points |
| Login 30–90 days ago | ±0 points |
| Login > 90 days ago | -10 points |
| Never logged in | -15 points |
| More than 5 API keys | -5 points |
| More than 5 app passwords | -5 points |
| Super admin role | -5 points |
Rating:
- >= 80 → Good
- >= 50 → Medium
- < 50 → Critical
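The criteria table and rating thresholds above, re-derived as a small Python function so the reported score can be checked against the raw audit fields (an added illustration, not the platform's own code). It assumes a base score of 50, which is inferred from the documented example response (50 - 15 + 5 = 40) because the page lists only the deltas, and it assumes an `email_verified` field name for the email criterion.

```python
from datetime import datetime, timedelta, timezone

# Assumption: base of 50 inferred from the documented example (50 - 15 + 5 = 40).
BASE_SCORE = 50

# Constructed sample input, copied from the example response on this page.
EXAMPLE_USER = {
    "totp_enabled": False,
    "telegram_2fa": False,
    "last_login_at": "2026-03-10T14:30:00+00:00",
}

def security_score(user, api_keys=0, app_passwords=0, super_admin=False, now_iso=None):
    """Apply the criteria table to audit fields; returns the security_score section."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    score, issues, good = BASE_SCORE, [], []

    def apply(delta, text):
        # Record each criterion in the same "text (+/-N)" form the API reports.
        nonlocal score
        score += delta
        (good if delta > 0 else issues).append(f"{text} ({delta:+d})")

    if user.get("totp_enabled"):
        apply(20, "TOTP (2FA) enabled")
    else:
        apply(-15, "No TOTP/2FA enabled")
    if user.get("telegram_2fa"):
        apply(5, "Telegram 2FA")
    verified = user.get("email_verified")  # assumed field; None = not reported, no delta
    if verified is True:
        apply(5, "Email verified")
    elif verified is False:
        apply(-5, "Email not verified")
    last = user.get("last_login_at")
    if not last:
        apply(-15, "Never logged in")
    else:
        age = now - datetime.fromisoformat(last)
        if age <= timedelta(days=30):
            apply(5, "Login within 30 days")
        elif age > timedelta(days=90):
            apply(-10, "Login > 90 days ago")  # 30-90 days: no delta
    if api_keys > 5:
        apply(-5, "More than 5 API keys")
    if app_passwords > 5:
        apply(-5, "More than 5 app passwords")
    if super_admin:
        apply(-5, "Super admin role")
    score = max(0, min(100, score))  # clamp to the documented 0-100 range
    level = "good" if score >= 80 else "medium" if score >= 50 else "critical"
    return {"score": score, "level": level, "issues": issues, "good": good}
```

Pass `now_iso` with a timezone offset so the login-age comparison is between timezone-aware timestamps.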
## Module Categories
The 37 checked modules are organized into the following categories:
| Category | Modules |
|---|---|
| Core | Dashboard, API Keys, Self-Service |
| Admin | Users, Customers, Tenants, Domains, Packages, Projects, Billing, Subscriptions, Settings, Audit Log, Security, Workflows, Secret Store, Impersonation |
| Support | Tickets |
| System | Monitoring, Backups, Infrastructure, System |
| Services | Email, Hosting, DNS, SSL, Telephony, CMS, OCR |
| CRM | Contacts, Calendar, Deals, Invoices, Quotes |
| Infra | AI Assistant, Chat, Documentation |
## Frontend Usage
- Open Users in the admin area
- Click the Shield icon in the user list
- The audit modal shows 5 tabs:
| Tab | Content |
|---|---|
| Overview | Score circle, user info, customer information |
| Access Matrix | Module grid with filter (All / Denied / Allowed) |
| Roles & Permissions | Assigned roles with all permissions |
| Credentials | API keys, app passwords, OAuth connections, active sessions |
| Resources | Tenants, subscriptions, projects with addons |
## Permissions

| Permission | Description |
|---|---|
| users.read | Access both audit endpoints |
## Multi-Tenant Scoping

Administrators can only see users within their visible customer scope. Super admins have access to all users.