User Management

This guide covers user administration, including inviting users, managing roles and permissions, and monitoring user activity.

User management is available at:

https://app.yourcompany.com/settings/people

Requirements:

  • Admin access (users with @querri.com email or is_admin=true flag)
  • Organization membership

Querri supports the following user roles:

Guest

  • Access Level: Read-only
  • Permissions:
    • View projects they’re invited to
    • View dashboards shared with them
    • Cannot create or edit resources
  • Use Case: External stakeholders, clients, auditors

Member

  • Access Level: Read and write
  • Permissions:
    • Create projects and dashboards
    • Edit their own resources
    • Share resources with others
    • Upload files
    • Use integrations
  • Use Case: Standard team members, analysts

Admin

  • Access Level: Full control
  • Permissions:
    • All member permissions
    • Access integration marketplace (/settings/integrations)
    • Manage organization users
    • Configure organization settings
    • View usage metrics
    • Deploy org-wide integrations
  • Use Case: IT administrators, team leads

To invite users:

  1. Navigate to Settings > People
  2. Click Invite Users button
  3. Enter email addresses (comma-separated for multiple)
  4. Select role (Guest or Member)
  5. Click Send Invitations

Example:

john.doe@company.com, jane.smith@company.com
Role: Member

After the invitations are sent:

  1. System sends invitation email to specified addresses
  2. Users receive email with sign-up link
  3. Users authenticate via WorkOS SSO
  4. Users are automatically added to organization with assigned role

For bulk user imports, use comma-separated email lists:

user1@company.com, user2@company.com, user3@company.com

Limitations:

  • Maximum 100 users per invitation batch
  • All users in batch receive same role
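
An added example (not Querri's own code) that turns a bulk import list into batches respecting both limits above. The function name `planInvites`, the `{email, role}` row shape, and the sample addresses are assumptions made for illustration; rows asking for any role other than Guest or Member are rejected so that admin access is never granted through a bulk import.

```javascript
// Added example: prepare a bulk import for the Invite Users dialog.
const MAX_PER_BATCH = 100;                 // limit stated in this guide
const INVITE_ROLES = ["guest", "member"];  // roles the invite dialog offers

// Loose syntax check only; the sign-up link is what proves address ownership.
const EMAIL_RE = /^[^\s@,]+@[^\s@,]+\.[^\s@,]+$/;

// rows: [{email, role}] -> { batches: [{role, emails}], rejected: [...] }
function planInvites(rows) {
  const byRole = new Map();
  const rejected = [];
  const seen = new Set();
  for (const { email, role } of rows) {
    const addr = String(email).trim().toLowerCase();
    const r = String(role).trim().toLowerCase();
    if (!EMAIL_RE.test(addr) || !INVITE_ROLES.includes(r)) {
      rejected.push({ email, role });      // bad address or non-invitable role
      continue;
    }
    if (seen.has(addr)) continue;          // duplicate: first occurrence wins
    seen.add(addr);
    if (!byRole.has(r)) byRole.set(r, []);
    byRole.get(r).push(addr);
  }
  const batches = [];
  for (const [role, addrs] of byRole) {    // one role per batch
    for (let i = 0; i < addrs.length; i += MAX_PER_BATCH) {
      batches.push({ role, emails: addrs.slice(i, i + MAX_PER_BATCH).join(", ") });
    }
  }
  return { batches, rejected };
}

// Constructed input: 205 members, one guest, a duplicate, two rows to reject.
const SAMPLE_ROWS = [
  ...Array.from({ length: 205 }, (_, i) => ({ email: `user${i + 1}@company.com`, role: "Member" })),
  { email: "auditor@client.example", role: "Guest" },
  { email: "User1@company.com ", role: "Guest" },  // duplicate of user1
  { email: "lead@company.com", role: "Admin" },    // not an invite role
  { email: "not-an-address", role: "Member" },
];
const PLAN = planInvites(SAMPLE_ROWS);
console.log(PLAN.batches.map((b) => [b.role, b.emails.split(", ").length]), PLAN.rejected);
```

Each `emails` string can be pasted into the invitation dialog as one batch with the matching role selected.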

The People page displays:

  • User name and email
  • Current role
  • Last login time
  • Account status (Active, Pending, Suspended)

Use the search bar to filter users:

  • Search by name: John Doe
  • Search by email: john@company.com
  • Search partial matches: john

To change a user’s role:

  1. Locate user in People list
  2. Click three-dot menu (⋮) next to user
  3. Select Edit User
  4. Change role in dialog
  5. Click Save Changes

Note: Role changes take effect immediately.

To update user name or email:

  1. Click three-dot menu (⋮) next to user
  2. Select Edit User
  3. Update First Name or Last Name
  4. Click Save Changes

Note: Email changes require re-verification through WorkOS.

To remove a user:

  1. Navigate to Settings > People
  2. Locate user to remove
  3. Click three-dot menu (⋮)
  4. Select Remove User
  5. Confirm deletion in dialog

Effects:

  • User loses access immediately
  • User’s projects remain accessible to organization
  • User’s data preserved for audit purposes
  • Can be restored if needed

For complete user removal including data:

# Connect to MongoDB (mongosh prompts for the password)
docker compose exec mongo mongosh -u querri -p
// Switch to database
use querri
// Find user by email
db.users.findOne({user_email: "user@company.com"})
// Delete user (WARNING: Irreversible)
db.users.deleteOne({user_email: "user@company.com"})
// Remove user from organizations
db.organizations.updateMany(
  {},
  { $pull: { members: { email: "user@company.com" } } }
)

Warning: Hard delete is irreversible and removes all user data.

Users gain admin access through one of two methods:

Users with @querri.com email addresses automatically have admin privileges:

admin@querri.com → Admin
support@querri.com → Admin

Note: This is primarily for Querri platform administrators.

For organization administrators, set the is_admin flag in the database:

# Connect to MongoDB
docker compose exec mongo mongosh -u querri -p
// Switch to database
use querri
// Set admin flag
db.users.updateOne(
  {user_email: "admin@yourcompany.com"},
  {$set: {is_admin: true}}
)

To grant admin access to a user:

  1. Identify user’s email address
  2. Connect to MongoDB:
    docker compose exec mongo mongosh -u querri -p
  3. Execute admin update:
    use querri
    db.users.updateOne(
    {user_email: "user@company.com"},
    {$set: {is_admin: true}}
    )
  4. Verify update:
    db.users.findOne({user_email: "user@company.com"}, {is_admin: 1})

To revoke admin access:

# Connect to MongoDB
docker compose exec mongo mongosh -u querri -p
// Remove admin flag
use querri
db.users.updateOne(
  {user_email: "user@company.com"},
  {$set: {is_admin: false}}
)

Users are automatically added to the organization when:

  • Invited via Settings > People
  • Signing up with organization invite link
  • Assigned to organization via WorkOS

To list organization members:

# Connect to MongoDB
docker compose exec mongo mongosh -u querri -p
// List organization members
use querri
db.organizations.findOne(
  {name: "Your Organization"},
  {members: 1}
)

To remove a user from the organization:

  1. Via UI: Use Remove User in Settings > People
  2. Via database:
    db.organizations.updateOne(
      {name: "Your Organization"},
      {$pull: {members: {email: "user@company.com"}}}
    )

The People page displays last login time for each user:

John Doe - Last login: 2 hours ago
Jane Smith - Last login: 3 days ago

Query MongoDB for detailed user activity:

# Connect to MongoDB
docker compose exec mongo mongosh -u querri -p
use querri
// Find user's recent projects
db.projects.find(
  {created_by: "user@company.com"},
  {title: 1, created_at: 1}
).sort({created_at: -1}).limit(10)
// Find user's recent steps
db.steps.find(
  {created_by: "user@company.com"},
  {title: 1, created_at: 1}
).sort({created_at: -1}).limit(10)

Generate active users report:

// Users active in last 30 days
db.users.find(
  {
    last_login: {
      $gte: new Date(Date.now() - 30*24*60*60*1000)
    }
  },
  {user_email: 1, user_name: 1, last_login: 1}
).sort({last_login: -1})

Querri uses Fine-Grained Authorization (FGA) with these permission levels:

  • Full control over resource
  • Can delete resource
  • Can manage permissions
  • Can transfer ownership

  • Can view and edit resource
  • Can create child resources (steps in project)
  • Cannot delete resource
  • Cannot change permissions

  • Read-only access
  • Can view resource and results
  • Can export data
  • Cannot modify resource

View a user’s permissions on a resource:

// Run in mongosh with the querri database selected
db.permissions.find({
  user_email: "user@company.com",
  resource_id: "project_uuid_here"
})

How access is determined for each resource type:

  • Projects: Direct permissions or organization membership
  • Steps: Inherit from parent project
  • Dashboards: Direct permissions or shared links
  • Files: Inherit from associated project

Users can have the following states:

Active

  • User has completed signup
  • Can access the system
  • Normal permissions apply

Pending

  • Invitation sent, not yet accepted
  • Shows as “Pending” in user list
  • No system access until signup complete

Suspended

  • Admin-disabled account
  • Cannot log in
  • Data preserved

To temporarily disable a user:

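// Run in mongosh with the querri database selected: suspend the user
db.users.updateOne(
  {user_email: "user@company.com"},
  {$set: {is_suspended: true}}
)

To re-enable a suspended user:

// Run in mongosh with the querri database selected: clear the suspension
db.users.updateOne(
  {user_email: "user@company.com"},
  {$set: {is_suspended: false}}
)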

List all resources owned by a user:

// Projects
db.projects.countDocuments({created_by: "user@company.com"})
// Files
db.files.countDocuments({uploaded_by: "user@company.com"})
// Dashboards
db.dashboards.countDocuments({created_by: "user@company.com"})

When a user leaves, transfer their resources:

// Transfer all projects
db.projects.updateMany(
  {created_by: "old-user@company.com"},
  {$set: {created_by: "new-user@company.com"}}
)
// Transfer all dashboards
db.dashboards.updateMany(
  {created_by: "old-user@company.com"},
  {$set: {created_by: "new-user@company.com"}}
)
// Update permissions
db.permissions.updateMany(
  {user_email: "old-user@company.com", permission: "owner"},
  {$set: {user_email: "new-user@company.com"}}
)

Querri uses WorkOS for authentication:

  1. Users click “Sign In”
  2. Redirected to WorkOS authentication
  3. Authenticate via configured SSO provider (Google, Microsoft, etc.)
  4. Redirected back to Querri with JWT token
  5. Token validated and session created

WorkOS supports:

  • Google Workspace
  • Microsoft Azure AD
  • Okta
  • OneLogin
  • Custom SAML providers

Configure SSO providers in WorkOS Dashboard.

If a user cannot log in:

  1. Check user exists in database:

    db.users.findOne({user_email: "user@company.com"})
  2. Verify user is not suspended:

    db.users.findOne(
      {user_email: "user@company.com"},
      {is_suspended: 1}
    )
  3. Check WorkOS configuration:

    • Verify redirect URI matches configured value
    • Check WorkOS organization membership
    • Review WorkOS logs

If a user cannot access a resource:

  1. Check user role:

    db.users.findOne(
      {user_email: "user@company.com"},
      {role: 1, is_admin: 1}
    )
  2. Verify organization membership:

    db.organizations.findOne(
      {members: {$elemMatch: {email: "user@company.com"}}}
    )
  3. Check resource permissions:

    db.permissions.find({
      user_email: "user@company.com",
      resource_id: "resource_uuid"
    })

If an invitation email does not arrive:

  1. Check email sent successfully (SendGrid logs if configured)
  2. Verify email address is correct
  3. Check spam/junk folders
  4. Resend invitation via UI

Best practices for onboarding:

  1. Send invitations in batches - Group users by role/department
  2. Provide onboarding materials - Include link to user guide
  3. Set appropriate roles - Start with Member, upgrade to Admin as needed
  4. Monitor first login - Follow up with users who haven’t logged in within 7 days

Best practices for security:

  1. Review admin users quarterly - Ensure admins still need elevated access
  2. Audit user activity - Review user activity logs for suspicious behavior
  3. Remove inactive users - Disable accounts inactive for 90+ days
  4. Use SSO - Leverage WorkOS SSO for centralized authentication

Best practices for maintenance:

  1. Regular user audits - Monthly review of user list
  2. Clean up test accounts - Remove testing/demo accounts
  3. Update user information - Keep names and emails current
  4. Document role changes - Track why users were granted admin access
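
An added example (not Querri's own code) for the admin review and the 90-day inactivity check: it takes user documents with the fields this guide uses (`user_email`, `is_admin`, `is_suspended`, `last_login`) and reports who holds admin access by either method, who is inactive, and who has never logged in. The function names and sample documents are assumptions; it also assumes `last_login` is stored as a date and that the @querri.com rule means an exact domain match.

```javascript
// Added example: access review over user documents. Runs in Node or mongosh.
const DAY_MS = 24 * 60 * 60 * 1000;

// Admin if the flag is set or the address is in the querri.com domain.
// Compare the domain exactly: "x@querri.com.example" must not count.
function isAdmin(user) {
  if (user.is_admin === true) return true;
  const email = String(user.user_email || "").trim().toLowerCase();
  const at = email.lastIndexOf("@");
  return at > 0 && email.slice(at + 1) === "querri.com";
}

function auditUsers(users, now = new Date(), inactiveDays = 90) {
  const cutoff = now.getTime() - inactiveDays * DAY_MS;
  const report = { admins: [], inactive: [], neverLoggedIn: [] };
  for (const u of users) {
    if (isAdmin(u)) report.admins.push(u.user_email);
    if (u.is_suspended === true) continue;        // already disabled
    if (!(u.last_login instanceof Date)) {
      report.neverLoggedIn.push(u.user_email);    // e.g. pending invitations
    } else if (u.last_login.getTime() < cutoff) {
      report.inactive.push(u.user_email);         // candidates for suspension
    }
  }
  return report;
}

// Constructed sample documents (not real accounts).
const NOW = new Date("2025-01-01T00:00:00Z");
const SAMPLE_USERS = [
  { user_email: "admin@yourcompany.com", is_admin: true, last_login: new Date("2024-12-30T09:00:00Z") },
  { user_email: "support@querri.com", last_login: new Date("2024-12-01T09:00:00Z") },
  { user_email: "user@querri.com.example", last_login: new Date("2024-12-20T09:00:00Z") },
  { user_email: "old.analyst@company.com", last_login: new Date("2024-06-01T09:00:00Z") },
  { user_email: "suspended@company.com", is_suspended: true, last_login: new Date("2024-01-01T09:00:00Z") },
  { user_email: "pending@company.com" },
];

console.log(auditUsers(SAMPLE_USERS, NOW));
```

In mongosh the same function can be fed live data with `auditUsers(db.users.find().toArray())`.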

For automated user management, use the Querri API:

List users:

curl -X GET "https://app.yourcompany.com/api/users" \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"

Invite a user:

curl -X POST "https://app.yourcompany.com/api/users/invite" \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "newuser@company.com",
    "role": "member"
  }'

Update a user’s role:

curl -X PATCH "https://app.yourcompany.com/api/users/{user_id}" \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "role": "admin"
  }'