# RBAC & User Management

Configure users, roles, and permissions for your Bloqd installation.

## User Roles

Bloqd has three built-in roles with predefined permissions:

| Role | Description | Use Case |
|---|---|---|
| Viewer | Read-only access | Monitoring, reporting |
| Operator | Manage bans and servers | Day-to-day operations |
| Admin | Full access | System administration |

### Permission Matrix

| Permission | Viewer | Operator | Admin |
|---|---|---|---|
| View dashboard | ✓ | ✓ | ✓ |
| View servers | ✓ | ✓ | ✓ |
| View bans | ✓ | ✓ | ✓ |
| View whitelist | ✓ | ✓ | ✓ |
| View templates | ✓ | ✓ | ✓ |
| Ban/unban IPs | | ✓ | ✓ |
| Edit whitelist | | ✓ | ✓ |
| Deploy templates | | ✓ | ✓ |
| Add/remove servers | | | ✓ |
| Manage users | | | ✓ |
| System settings | | | ✓ |
| API key management | | | ✓ |
| Terminal access | | | ✓ |

## Managing Users

### Create User

- Go to Settings → Users
- Click Add User
- Fill in the details:
  - Username
  - Password
  - Role
- Click Create

### Edit User

- Go to Settings → Users
- Find the user in the list
- Click Edit
- Modify the details
- Click Save

### Delete User

- Go to Settings → Users
- Find the user in the list
- Click Delete
- Confirm the deletion

> **Warning:** You cannot delete your own account or the last admin user.

### Reset Password

- Go to Settings → Users
- Find the user
- Click Reset Password
- A new password is generated/emailed to the user

## Multi-Factor Authentication

### Enable MFA for User

- Go to Profile (as the user)
- Click Security
- Click Enable MFA
- Scan the QR code with an authenticator app
- Enter the verification code
- Save the backup codes

### Require MFA for All Users

- Go to Settings → Security
- Enable Require MFA
- Set a grace period for existing users
- Save

### MFA Recovery

If a user loses their MFA device:

- An admin goes to Settings → Users
- Finds the user
- Clicks Reset MFA
- The user can then set up MFA again

## API Keys

### Create API Key

- Go to Settings → API Keys
- Click Create Key
- Configure:
  - Name
  - Permissions (role-based or custom)
  - Expiration (optional)
- Copy the key (it is shown only once)

### API Key Permissions

API keys can have:

- Role-based permissions (Viewer, Operator, Admin)
- Custom scoped permissions

| Scope | Description |
|---|---|
| servers:read | View servers |
| servers:write | Manage servers |
| bans:read | View bans |
| bans:write | Ban/unban IPs |
| whitelist:read | View whitelist |
| whitelist:write | Edit whitelist |
| templates:read | View templates |
| templates:write | Manage templates |
| users:read | View users |
| users:write | Manage users |
| settings:read | View settings |
| settings:write | Modify settings |

### Revoke API Key

- Go to Settings → API Keys
- Find the key
- Click Revoke
- Confirm

## Server-Level Permissions

> **Pro Feature:** Server-level RBAC requires a Pro license.

Restrict users to specific servers:

### Assign Servers to User

- Go to Settings → Users
- Edit the user
- Under Server Access:
  - Select All Servers, or
  - Choose specific servers
- Save

### Per-Server Roles

Assign different roles per server:

```json
{
  "userId": "user-uuid",
  "serverPermissions": {
    "server1-uuid": "admin",
    "server2-uuid": "operator",
    "server3-uuid": "viewer"
  }
}
```
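
The following is an added example, not code from the Bloqd project: a single default-deny authorization check that combines the three permission sources this page describes (the role matrix, custom API key scopes with an optional expiration, and the per-server roles JSON above). Action names reuse the page's scope identifiers; the `Principal` fields, the `terminal:access` name, and the precedence rule (a per-server role wins over the global role, and a server not on the user's list is off limits) are assumptions.

```python
"""Added example, not part of the Bloqd project: one authorization check over
the role matrix, API key scopes and per-server roles. Field names and
precedence rules are assumptions."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Rank the built-in roles; the matrix shows each role inheriting the lower ones.
ROLE_RANK = {"viewer": 0, "operator": 1, "admin": 2}

# Lowest role holding each permission, transcribed from the permission matrix
# (scope names from the API key table; terminal:access is an assumed name).
MIN_ROLE = {
    "servers:read": "viewer", "bans:read": "viewer", "whitelist:read": "viewer",
    "templates:read": "viewer",
    "bans:write": "operator", "whitelist:write": "operator", "templates:write": "operator",
    "servers:write": "admin", "users:read": "admin", "users:write": "admin",
    "settings:read": "admin", "settings:write": "admin", "terminal:access": "admin",
}


@dataclass
class Principal:
    """A logged-in user or an API key. A custom-scoped key sets `scopes`;
    a role-based key or a user sets `role`."""
    role: Optional[str] = None
    scopes: Optional[frozenset] = None
    server_roles: dict = field(default_factory=dict)  # Pro: server id -> role
    expires_at: Optional[datetime] = None             # API key expiration


def role_allows(role: str, action: str) -> bool:
    return ROLE_RANK[role.lower()] >= ROLE_RANK[MIN_ROLE[action]]


def is_allowed(p: Principal, action: str, server_id: Optional[str] = None,
               now: Optional[datetime] = None) -> bool:
    """Default deny: unknown actions, expired keys and unlisted servers all fail."""
    now = now or datetime.now(timezone.utc)
    if action not in MIN_ROLE:
        return False
    if p.expires_at is not None and now >= p.expires_at:
        return False
    if p.scopes is not None:            # custom-scoped key: exactly the listed scopes
        return action in p.scopes
    if p.role is None:
        return False
    if server_id is not None and p.server_roles:
        # User restricted to specific servers: the per-server role decides, and a
        # server not on the list is denied regardless of the global role.
        server_role = p.server_roles.get(server_id)
        return server_role is not None and role_allows(server_role, action)
    return role_allows(p.role, action)


def principal_from_server_permissions(doc: str, global_role: str) -> Principal:
    """Build a Principal from the serverPermissions JSON shown on this page."""
    data = json.loads(doc)
    return Principal(role=global_role,
                     server_roles={sid: r.lower() for sid, r in data["serverPermissions"].items()})


# Constructed input mirroring the page's Per-Server Roles example.
SAMPLE_DOC = """{
  "userId": "user-uuid",
  "serverPermissions": {
    "server1-uuid": "admin",
    "server2-uuid": "operator",
    "server3-uuid": "viewer"
  }
}"""

if __name__ == "__main__":
    user = principal_from_server_permissions(SAMPLE_DOC, "operator")
    for sid in ("server1-uuid", "server3-uuid", "server9-uuid"):
        print(sid, "bans:write ->", is_allowed(user, "bans:write", server_id=sid))
```

Note the design choice: a custom-scoped key gets exactly its listed scopes and inherits nothing, and an unknown action name is denied rather than falling through to the role check, so a typo in a caller cannot widen access.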

## Session Management

### View Active Sessions

- Go to Settings → Security
- Click Active Sessions
- See all logged-in sessions

### Terminate Session

- Find the session in the list
- Click Terminate
- The user is logged out immediately

### Session Settings

| Setting | Description | Default |
|---|---|---|
| Session Timeout | Idle timeout | 24 hours |
| Max Sessions | Per user | 5 |
| Remember Me | Extended session | 30 days |
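
As an added example (not Bloqd's own code), the in-memory session store below enforces the three settings in the table with the page's default values and implements the Terminate action from the previous section. Treating Remember Me as a 30-day idle limit instead of the 24-hour one is an assumption; the page does not say how the two timeouts interact.

```python
"""Added example, not Bloqd's own code: a session store that enforces
Session Timeout, Max Sessions and Remember Me with the page's defaults."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SESSION_TIMEOUT = timedelta(hours=24)   # idle timeout (page default)
MAX_SESSIONS = 5                        # per user (page default)
REMEMBER_ME = timedelta(days=30)        # extended session (assumed: longer idle limit)


@dataclass
class Session:
    id: str
    user: str
    created: datetime
    last_seen: datetime
    remember_me: bool


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, user: str, now: datetime, remember_me: bool = False) -> str:
        sid = secrets.token_urlsafe(32)          # unguessable session id
        self._sessions[sid] = Session(sid, user, now, now, remember_me)
        # Max Sessions: evict the user's least recently used sessions first.
        mine = sorted((s for s in self._sessions.values() if s.user == user),
                      key=lambda s: s.last_seen)
        while len(mine) > MAX_SESSIONS:
            del self._sessions[mine.pop(0).id]
        return sid

    def validate(self, sid: str, now: datetime) -> Optional[str]:
        """Return the user for a live session and refresh its idle clock."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        limit = REMEMBER_ME if s.remember_me else SESSION_TIMEOUT
        if now - s.last_seen > limit:
            del self._sessions[sid]              # expired sessions cannot be revived
            return None
        s.last_seen = now
        return s.user

    def active_sessions(self, user: Optional[str] = None) -> list:
        """What the Active Sessions page would list (optionally for one user)."""
        return [s for s in self._sessions.values() if user is None or s.user == user]

    def terminate(self, sid: str) -> bool:
        """Admin Terminate: the next request carrying this id is rejected."""
        return self._sessions.pop(sid, None) is not None


if __name__ == "__main__":
    store = SessionStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    sid = store.create("alice", t0)
    print(store.validate(sid, t0 + timedelta(hours=23)))   # alice
    print(store.validate(sid, t0 + timedelta(hours=48)))   # None (idle > 24 h)
```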

## Audit Log

All user actions are logged.

### View Audit Log

- Go to Settings → Audit Log
- Filter by:
  - User
  - Action type
  - Date range
  - Resource

### Logged Actions

| Category | Actions Logged |
|---|---|
| Authentication | Login, logout, MFA events |
| Users | Create, edit, delete users |
| Servers | Add, remove, configure servers |
| Bans | Ban, unban actions |
| Whitelist | Add, remove entries |
| Settings | Configuration changes |
| API Keys | Create, revoke keys |

### Export Audit Log

```bash
curl "https://bloqd.example.com/api/v1/audit/export?from=2024-01-01&to=2024-01-31" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -o audit-log.csv
```
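
An exported log is only useful if someone reads it. The script below is an added example, not Bloqd's own tooling: it reviews an export for the kinds of events the logged-actions table covers (repeated failed logins, promotions to Admin, MFA resets). The page does not document the export schema, so the CSV columns are an assumption and `SAMPLE_EXPORT` is constructed sample data.

```python
"""Added example, not Bloqd's own code: a reviewer for an exported audit log.
The CSV columns are assumed; SAMPLE_EXPORT is constructed sample data."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (assumed columns).
SAMPLE_EXPORT = """timestamp,user,category,action,resource,result,source_ip
2024-01-15T09:00:00Z,alice,Authentication,login,-,success,10.0.0.5
2024-01-15T09:05:10Z,bob,Authentication,login,-,failure,198.51.100.7
2024-01-15T09:05:31Z,bob,Authentication,login,-,failure,198.51.100.7
2024-01-15T09:05:55Z,bob,Authentication,login,-,failure,198.51.100.7
2024-01-15T09:06:20Z,bob,Authentication,login,-,failure,198.51.100.7
2024-01-15T10:12:00Z,alice,Users,edit,user:carol role=Admin,success,10.0.0.5
2024-01-15T11:30:00Z,alice,API Keys,create,key:ci-deploy,success,10.0.0.5
2024-01-15T22:45:00Z,dave,Users,reset_mfa,user:erin,success,10.0.0.9
"""

FAILED_LOGIN_THRESHOLD = 3                  # this many failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ... within this window, per source IP


def parse_export(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return rows


def find_failed_login_bursts(rows):
    """Sliding window over failed logins grouped by source IP."""
    by_ip = defaultdict(list)
    for r in rows:
        if (r["category"], r["action"], r["result"]) == ("Authentication", "login", "failure"):
            by_ip[r["source_ip"]].append(r["ts"])
    findings = []
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > FAILED_LOGIN_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= FAILED_LOGIN_THRESHOLD:
            findings.append(("failed_login_burst", ip, best))
    return findings


def find_privilege_events(rows):
    """Promotions to Admin and MFA resets deserve a second look."""
    findings = []
    for r in rows:
        if r["category"] != "Users":
            continue
        if r["action"] == "edit" and "role=Admin" in r["resource"]:
            findings.append(("admin_promotion", r["user"], r["resource"]))
        elif r["action"] == "reset_mfa":
            findings.append(("mfa_reset", r["user"], r["resource"]))
    return findings


def review(text):
    rows = parse_export(text)
    return find_failed_login_bursts(rows) + find_privilege_events(rows)


if __name__ == "__main__":
    for finding in review(SAMPLE_EXPORT):
        print(*finding)
```

Run against `audit-log.csv` from the export above by reading the file into `review()`; the thresholds are deliberately low so that a handful of lines is enough to see each finding fire.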

## OAuth Users

When using OAuth (GitHub/Google):

### Role Assignment

New OAuth users get the default role:

```bash
OAUTH_DEFAULT_ROLE=Viewer
```

### Promote OAuth User

- Go to Settings → Users
- Find the OAuth user
- Change the role
- Save

### Link Local Account

Users can link an OAuth identity to an existing local account:

- Log in with the local account
- Go to Profile → Linked Accounts
- Click Link GitHub or Link Google

## API Usage

### List Users

```bash
curl "https://bloqd.example.com/api/v1/users" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

### Create User

```bash
curl -X POST "https://bloqd.example.com/api/v1/users" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "username": "newuser",
    "email": "user@example.com",
    "password": "SecurePassword123!",
    "role": "Operator"
  }'
```

### Update User Role

```bash
curl -X PATCH "https://bloqd.example.com/api/v1/users/{userId}" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "role": "Admin"
  }'
```

### Delete User

```bash
curl -X DELETE "https://bloqd.example.com/api/v1/users/{userId}" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

## Security Best Practices

- Principle of least privilege - Give minimum required permissions
- Use MFA - Require for all users, especially admins
- Rotate API keys - Set expiration and rotate regularly
- Review audit logs - Check for suspicious activity
- Limit admin accounts - Few admins, more operators/viewers
- Use OAuth - Leverage existing identity providers
- Session management - Short timeouts, terminate unused sessions
- Server-level RBAC - Restrict access to relevant servers only

## Troubleshooting

### User Can't Log In

- Verify username/email
- Check password is correct
- Verify account isn't locked
- Check MFA if enabled

### Permission Denied

- Check user's role
- Verify server-level permissions
- Check API key scopes
- Review audit log for details

### MFA Not Working

- Verify time sync on device
- Check authenticator app
- Try backup codes
- Admin can reset MFA
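
The "verify time sync" step above follows from how authenticator apps work. As an added example (not Bloqd's own code, and not necessarily Bloqd's parameters), the block below implements RFC 6238 TOTP as used when a user scans the QR code in the MFA setup section: the server accepts the current 30-second step plus one step of drift either side, so a device clock that is off by a minute or more produces codes the server rejects. Step size, digit count, drift window and the replay set are assumptions.

```python
"""Added example, not Bloqd's own code: RFC 6238 TOTP with a clock-drift
window, showing why an unsynchronized device fails MFA verification."""
import base64
import hashlib
import hmac
import struct

STEP = 30       # seconds per code (assumed, RFC default)
DIGITS = 6      # code length (assumed)
WINDOW = 1      # accept one step (30 s) of drift either side (assumed)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int) -> str:
    """The code an authenticator app shows at unix time `at_time`."""
    return hotp(secret, int(at_time) // STEP)


def verify_totp(secret: bytes, code: str, at_time: int, used: set = None) -> bool:
    """Server-side check: current step plus WINDOW neighbours, constant-time
    compare, and `used` (accepted counters) to block replay of the same code."""
    counter = int(at_time) // STEP
    for drift in range(-WINDOW, WINDOW + 1):
        c = counter + drift
        if used is not None and c in used:
            continue
        if hmac.compare_digest(hotp(secret, c), code):
            if used is not None:
                used.add(c)
            return True
    return False


def secret_from_base32(text: str) -> bytes:
    """The QR code / manual-entry secret is base32; pad and decode it."""
    clean = text.replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


if __name__ == "__main__":
    # RFC 6238 test secret, as it would appear in the manual-entry field.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    code = totp(secret, 59)
    print("device code:", code)
    print("server clock 30 s ahead:", verify_totp(secret, code, 59 + 30))   # True
    print("server clock 61 s ahead:", verify_totp(secret, code, 59 + 61))   # False
```

A backup code path (the codes saved at enrollment) is what lets a user in when drift or a lost device makes this check fail, which is why the troubleshooting steps end with backup codes and an admin reset.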