User Management & RBAC

m1nd supports multi-user access with role-based access control (RBAC).

User Types

Config Admin

The initial admin account defined in config.yaml. This account always exists and is separate from database-backed users.

Database Users

Created and managed from Settings > Users. These are the standard user accounts with role-based permissions.

Roles

Role              Access Level
----------------  ------------------------------------------------------
admin             Full access: all features, settings, user management
operator          Use all features + view credentials in plaintext
operator_masked   Use all features, credentials are masked
operator_nocreds  Use all features, no credential access at all
viewer            Read-only access to dashboards and data

Security Features

Account Lockout

5 failed login attempts trigger a 15-minute lockout. This prevents brute-force attacks on user accounts.

Password Recovery

Email-based temporary password recovery via SMTP. Requires SMTP to be configured in Settings.

Session Tracking

Last login timestamp is recorded for every user.

Audit Logging

All security-relevant actions are logged with username and timestamp:

  • Login attempts (success and failure)
  • Credential access events
  • Scan operations
  • User management changes
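How the credential access levels listed under Roles and the credential access events in the audit log can fit together, as an added example (not m1nd's own code). The function names, the audit record fields, and the choice to give viewer no credential access are assumptions of this sketch; the role names come from the page.

```python
from datetime import datetime, timezone

# Role names are from the Roles section; the visibility mapping is this example's
# reading of it. Assumption: "viewer" has no credential access (page is silent).
VISIBILITY = {
    "admin": "plaintext",
    "operator": "plaintext",
    "operator_masked": "masked",
    "operator_nocreds": "none",
    "viewer": "none",
}

AUDIT_LOG = []  # stand-in for an append-only audit store (hypothetical)


def mask(secret):
    """Fixed-width mask: reveals neither the value nor its length."""
    return "********" if secret else ""


def read_credential(username, role, asset, secret):
    """Return the credential as `role` may see it, auditing every attempt."""
    mode = VISIBILITY.get(role, "none")  # unknown role: deny by default
    AUDIT_LOG.append({  # the secret itself is never written to the log
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": username,
        "event": "credential_access",
        "asset": asset,
        "result": mode if mode != "none" else "denied",
    })
    if mode == "plaintext":
        return secret
    if mode == "masked":
        return mask(secret)
    raise PermissionError(f"role {role!r} may not read credentials")


if __name__ == "__main__":
    # Constructed sample users and secret, for illustration only.
    for user, role in [("alice", "operator"), ("bob", "operator_masked"),
                       ("carol", "operator_nocreds"), ("dave", "auditor")]:
        try:
            print(user, role, read_credential(user, role, "db01", "s3cr3t"))
        except PermissionError as exc:
            print(user, role, "DENIED:", exc)
    for entry in AUDIT_LOG:
        print(entry)
```

Denied attempts are logged before the exception is raised, so a run of "denied" results for one user stands out when the audit log is reviewed.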

TOTP 2FA

Optional two-factor authentication using TOTP (Time-based One-Time Password). Enable per user in Settings > Security.

API Keys

Scoped API keys provide programmatic access with granular permissions.

Available Scopes

Scope           Access
--------------  ------------------------------
monitors:read   Read monitor data
monitors:write  Create/update/delete monitors
alerts:read     Read alert history
alerts:write    Manage alert settings
webhooks:read   Read webhook configs
webhooks:write  Manage webhooks
brain:read      Read Bra1n assets
brain:write     Manage Bra1n assets
v1sion:read     Read V1sion sessions
v1sion:write    Manage V1sion sessions
ssh:execute     Execute SSH commands

Manage API keys in Settings > API Keys.

Web Identity

Configure a display name shown in the topbar. Users see their own name, providing a personalised experience in multi-user deployments.

Released under the MIT License.