User Management
User management allows you to create and manage accounts that access the Zuora Workflow Manager admin panel.
Overview
User Types
Zuora Workflow Manager supports two authentication types:
| Type | Description | When to use |
|---|---|---|
| Classic authentication | Email + local password | Internal users, developers, administrators |
| OAuth (Google) | Access via Google Account | External clients, enterprise users |
Standard Roles
The application uses Filament Shield for access control:
| Role | Description | Permissions |
|---|---|---|
| super_admin | Full administrator | All permissions including Customers and Settings |
| workflow_user | Workflow user | View access to Workflows and Tasks |
| panel_user | Base user | Limited panel access |
Creating a User (Admin)
Prerequisites
- Account with super_admin role
- Access to Users section
Step 1: Navigate to Users
- Log in to the admin panel
- Click Users in the sidebar
Step 2: Create New User
- Click the New User button in the top right
- Fill out the form:
| Field | Description | Required | Validation |
|---|---|---|---|
| Name | User’s first name | Yes | Max 255 characters |
| Surname | User’s last name | Yes | Max 255 characters |
| Email | Unique email | Yes | Valid email, unique |
| Password | Account password | Yes | Minimum 8 characters |
| Roles | Roles to assign | No | Multi-select |
Step 3: Assign Roles
In the Roles field:
- Select one or more roles:
  - super_admin → Full access
  - workflow_user → View workflows and tasks
  - panel_user → Base access
- You can assign multiple roles to the same user (permissions accumulate)
Role assignment determines access to various sections of the admin panel.
Step 4: Save User
Click Create to create the account.
If you don’t specify a password, the user can set it on first login or use OAuth if enabled.
Editing a User
Step 1: Select User
- Navigate to the Users list
- Click on the user to edit
Step 2: Edit Data
You can modify:
- Name/Surname: First and last name
- Email: Email address
- Password: New password (leave blank to keep the current one)
- Roles: Add or remove roles
Step 3: Save Changes
Click Save to apply the changes.
Modifying email requires the new email to be unique in the system.
Viewing Users
Users List
The Users table shows:
| Column | Description |
|---|---|
| Name | User’s full name |
| Email | User’s email |
| Roles | Assigned roles (badges) |
| Created At | Creation date |
| Updated At | Last update date |
| Actions | Available actions |
User Details
Click on a user to see:
- Personal information: Name, surname, email
- Avatar: Profile image (from OAuth if present)
- Roles: Complete list of assigned roles
- Permissions: List of permissions derived from roles
- Dates: Creation and last update
Assigning Roles
Edit Existing Roles
- Click on the user
- In the Roles section, select/deselect the roles
- Click Save
Multi-Role
A user can have multiple roles:
// Example: user with multiple roles
$roles = ['super_admin', 'workflow_user'];
// Permissions are combined
// super_admin → All permissions
// workflow_user → View workflows and tasks
// Result: All permissions (super_admin takes precedence)
Role Impact on Permissions
| Role | Access to… |
|---|---|
| super_admin | All sections: Customers, Workflows, Tasks, Users, Roles, Settings, Jobs |
| workflow_user | Workflows, Tasks (read only) |
| panel_user | Limited dashboard, no access to resources |
OAuth Authentication (Google)
OAuth Configuration
Before enabling OAuth:
- Navigate to Settings → General Settings
- Select OAuth Configuration
- Configure:
  - OAuth Enabled: true
  - Google Client ID: Your Google OAuth Client ID
  - Google Client Secret: Your Google OAuth Client Secret
  - Allowed Domains: Allowed email domains (e.g., example.com)
- Click Save
OAuth Access
Users can access with:
- Google Login: Click “Sign in with Google” on the login page
- Domain Validation: The email domain must be in “Allowed Domains”
- Automatic Creation: If user doesn’t exist, it’s automatically created
- Role Assignment: New OAuth users receive the workflow_user role
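The domain validation step above, as an added example rather than the application's own code: an exact-match allow-list check that fails closed. The function names, the array form of Allowed Domains, and passing Google's email_verified value as $emailVerified are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the application's code. All names are hypothetical.

function normalizeDomain(string $domain): string
{
    // Compare case-insensitively; drop whitespace and a trailing root dot.
    return rtrim(strtolower(trim($domain)), '.');
}

function isAllowedOAuthEmail(string $email, bool $emailVerified, array $allowedDomains): bool
{
    // Only trust addresses the identity provider marks as verified.
    if (!$emailVerified) {
        return false;
    }
    // Require exactly one "@" with a non-empty local part and domain.
    $parts = explode('@', trim($email));
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return false;
    }
    $allowed = array_filter(
        array_map('normalizeDomain', $allowedDomains),
        fn ($d) => $d !== ''
    );
    // Exact match only: no suffix or substring matching, so subdomains and
    // lookalike domains must be listed explicitly. An empty list denies all.
    return in_array(normalizeDomain($parts[1]), $allowed, true);
}

// Constructed sample input: [email, email_verified flag].
$allowed = ['example.com'];
$cases = [
    ['alice@example.com', true],
    ['Bob@EXAMPLE.com', true],
    ['carol@example.com', false],            // provider did not verify the address
    ['dave@sub.example.com', true],          // subdomain is not on the list
    ['eve@example.com.attacker.test', true], // allowed name used as a prefix
    ['frank@notexample.com', true],          // allowed name used as a suffix
    ['grace@example.com@other.test', true],  // more than one "@"
];
foreach ($cases as [$email, $verified]) {
    $decision = isAllowedOAuthEmail($email, $verified, $allowed) ? 'allow' : 'deny';
    printf("%-32s %s\n", $email, $decision);
}
```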
OAuth Avatar
When a user accesses via OAuth:
- Avatar is automatically downloaded from Google
- Saved in the avatar_url field of the User model
- Displayed in the admin panel
Policies and Permissions
UserPolicy
The UserPolicy defines who can do what:
| Action | Who can execute |
|---|---|
| viewAny | Users with super_admin role |
| view | Users with super_admin role |
| create | Users with super_admin role |
| update | Users with super_admin role |
| delete | Users with super_admin role |
Granular Permissions
Beyond roles, Filament Shield provides granular permissions:
// Permission examples
'ViewAny:User'
'View:User'
'Create:User'
'Update:User'
'Delete:User'
These permissions can be modified in the Roles section.
Deleting a User
Warning
Deleting a user:
- Removes access to the system
- Doesn’t delete data created by the user (audit log remains)
- Is irreversible
Procedure
- Click on the user to delete
- Click Delete in the top right corner
- Confirm deletion in the modal
You can only delete users that are not yourself. To delete your own account, use another super_admin account.
Password Reset
Reset from Admin
- Click on the user
- Modify the Password field
- Enter the new password (minimum 8 characters)
- Click Save
Reset with CLI
# Reset password via tinker
lando artisan tinker
>>> $user = User::where('email', 'user@example.com')->first()
>>> $user->password = Hash::make('new_password')
>>> $user->save()
Reset via Artisan
# Create new admin user if you've lost access
lando artisan make:filament-user
# Follow the instructions for:
# - Email
# - Password
# - Full name
Best Practices
Role Management
Principle of least privilege:
✅ Good practices:
- Assign only necessary roles
- Use workflow_user for users who only need to view
- Limit super_admin access to a few trusted users
- Revoke roles when no longer necessary
❌ Avoid:
- Giving super_admin to all users
- Assigning roles without specific reason
- Leaving obsolete roles active
Password Policy
Requirements:
- Minimum 8 characters
- Mix of letters and numbers recommended
- Special characters optional but recommended
Best practices:
- Change password regularly (every 90 days)
- Don’t reuse passwords
- Use strong and unique passwords
- Consider OAuth authentication for security
Security
- Anomalous access:
  - Monitor unusual logins
  - Check authentication logs
  - Revoke access if suspicious
- Forgotten passwords:
  - Use admin reset
  - Don’t share passwords via email
  - Use secure channels to communicate new credentials
- Multi-role:
  - Document why a user has multiple roles
  - Revoke temporary roles when they expire
  - Review roles periodically
Onboarding
Procedures for new users:
- Account creation:
  - Create user with appropriate role
  - If needed, send welcome email
  - Communicate login (email and initial password)
- Training:
  - Provide link to documentation
  - Explain accessible sections
  - Show how to navigate in the panel
- Monitoring:
  - Check first login
  - Verify user can access correct resources
  - Answer initial questions
Offboarding
Procedures for users leaving:
- Revoke access:
  - Delete or disable account
  - Remove roles (if you prefer to keep the account)
  - Reset password if deleting account
- Audit:
  - Check data created by user
  - Verify no operations in progress
  - Reassign responsibilities if needed
- Documentation:
  - Record revocation date
  - Update internal registers
  - Notify team of the change
Troubleshooting
User Cannot Login
Diagnosis:
# Verify user exists
lando artisan tinker
>>> User::where('email', 'user@example.com')->first()
# Verify password
>>> $user = User::where('email', 'user@example.com')->first()
>>> Hash::check('password', $user->password) // true/false
# Verify roles
>>> $user->getRoleNames()
Solutions:
- Non-existent account: Create new user
- Incorrect password: Reset password
- Missing role: Assign appropriate roles
- Disabled account: Check if user is active
Insufficient Permissions
Symptom: User sees “Unauthorized” errors or doesn’t see sections
Solutions:
- Verify roles:
  - Edit user
  - Check assigned Roles
  - Add missing roles
- Reload permissions:
  lando artisan cache:clear
  lando artisan permission:cache-reset
- Check Policy:
  - Check that Policy doesn’t restrict access
  - Verify if there are specific restrictions
OAuth Not Working
Symptoms:
- Error “Domain not allowed”
- Error “Invalid credentials”
- User not created after OAuth login
Solutions:
- Verify domain:
  - Settings → General Settings → Allowed Domains
  - Add user email domain
- Verify Google credentials:
  - Google Cloud Console → Credentials
  - Verify Client ID and Secret
  - Verify Redirect URI
- Check logs:
  lando logs -f | grep -i "oauth"
API Reference
User Model
// Query user
$user = User::where('email', 'user@example.com')->first();
// Verify roles
$user->hasRole('super_admin'); // true/false
$user->hasAnyRole(['super_admin', 'workflow_user']); // true/false
$user->hasAllRoles(['super_admin', 'workflow_user']); // true/false
// Verify permissions
$user->hasPermissionTo('ViewAny:Customer'); // true/false
$user->can('delete', $user); // Policy check
// Get roles
$user->getRoleNames(); // Collection of strings
$user->roles; // Collection of Role models
// Get all permissions
$user->getAllPermissions(); // Collection of Permission models
Avatar URL
// Get avatar URL
$user->avatar_url; // null or string with image URL
// Filament implementation
$user->getFilamentAvatarUrl(); // HasAvatar interface method
Next Steps
After configuring users: