Mideye Users – Manage Authentication User Accounts
Overview
The Mideye Users page is the primary user management interface for all authentication accounts in MideyeServer. It supports two user types: Database Users (managed locally with stored passwords) and Directory Users (sourced from LDAP or Entra ID directories). Each user is configured with an authentication type, role, phone number, and optionally assigned hardware or software tokens for multi-factor authentication.
The page includes server-side pagination, filtering by username/phone/token, and role-based editing restrictions that enforce a strict hierarchy — administrators can only manage users with roles below their own level.
Access & Permissions
Required Role: ROOT, SUPER_ADMIN, or ADMIN (to create, edit, delete, or change passwords)
Navigation: Home → Users & Tokens → Mideye Users
Role Hierarchy
| Role | Level | Can Manage |
|---|---|---|
| ROOT | 100 | All users; can lock root user |
| SUPER_ADMIN | 90 | ADMIN, OPERATOR, USER, PROVIDED |
| ADMIN | 80 | OPERATOR, USER, PROVIDED |
| OPERATOR | 70 | Cannot manage other users |
| USER | 60 | Cannot manage other users |
| PROVIDED | 50 | Directory-user default; cannot manage other users |
Users with the SUPER_ADMIN or ADMIN role can always edit their own account.
Features & Configuration
Data Grid Columns
Server-side pagination with sort. Default sort: username ascending. Page sizes: 10, 15, 20, 50, 100.
| Column | Description | Hidden by Default |
|---|---|---|
| Username | Login name (always visible, not hideable) | No |
| User Type | DATABASE_USER or DIRECTORY_USER | Yes |
| Role | Assigned role (translated label) | Yes |
| Phone Number | MSISDN for OTP delivery | No |
| Token Number | Hardware token serial number | Yes |
| Auth Type | Authentication method | Yes |
| Last Login | Most recent authentication timestamp | Yes |
| Locked | Lock status icon (Lock/LockOpen) | No |
| Tokens | Software token icon + hardware token badge count | No |
| Action | Edit, Delete, Change Password (conditional) | No |
Filter Toolbar
A popover filter with three search modes:
| Filter | Icon | Description |
|---|---|---|
| Username | Account | Filter users by username (default) |
| Phone Number | Phone | Filter by MSISDN |
| Token Number | Security | Filter by hardware token serial |
Action Buttons
| Action | Visibility | Description |
|---|---|---|
| Edit | When current user can manage target | Open the multi-tab edit form |
| Delete | When target is not ROOT | Delete the user account |
| Change Password | Database users only | Open the password change dialog |
| Lock Root User | ROOT users only, by ROOT only | Lock the root user account |
Creating Users
Use the Actions Menu (top-right), which offers:
- Add New Database User — locally managed with password
- Add New LDAP User — directory-sourced user
Create / Edit Form
The form is organized into tabs. The Tokens and RADIUS Attributes tabs are only visible when editing an existing user.
Tab 1: General — Database User
| Field | Type | Required | Validation | Default | Description |
|---|---|---|---|---|---|
| Username | Text | Yes | Unique (async check) | — | Login name |
| Role | Select | Yes | Cannot exceed current user’s role | ROLE_USER | Access level |
| Auth Type | Select | Yes | — | TOUCH_MOBILE | Authentication method |
| Password | Password | Yes (create only) | Validated against password policy | — | Only shown on create |
| Password Confirmation | Password | Yes (create only) | Must match password | — | Only shown on create |
| Phone Number | Text | Conditional | Format: + followed by 3–14 digits | — | Required when auth type needs MSISDN |
| Token Number | Text | Conditional | — | — | Required for TOKEN auth type |
| Message Type | Select | No | — | INBOX_SMS | OTP delivery: FLASH_SMS or INBOX_SMS |
| Expiration Date | Date | No | — | None | Account expiration date |
| Locked | Checkbox | No | — | Off | Manually lock the account |
| Don’t Write Successful Logins | Checkbox | No | — | Off | Exclude successful auths from auth log |
| Password Reset | Checkbox | No | — | On (new) | Force password reset on next login |
| Ignore Inactivity Timeout | Checkbox | No | — | Off | Exempt from inactivity auto-lock |
| RADIUS Clients | Multi-select | No | — | All | Restrict user to specific RADIUS clients |
| Shared Account Numbers | Multi-tag | When SHARED_ACCOUNT | Min: 1 entry | — | Phone/token numbers for shared accounts |
Tab 1: General — Directory User
Same fields as Database User with these differences:
| Difference | Detail |
|---|---|
| Username | Disabled when editing |
| Password fields | Not shown |
| Password Reset | Not shown |
| Default Role | ROLE_PROVIDED |
| Default Auth Type | DIRECTORY_DEFINED |
Authentication Types
| Auth Type | Description | Requires Phone | Requires Token |
|---|---|---|---|
| PASSWORD | Password only (single factor) | No | No |
| MOBILE | SMS OTP to mobile phone | Yes | Optional |
| TOKEN | Hardware token OTP | No | Yes |
| CONCAT | Password + OTP concatenated | No | Optional |
| PLUS | Mideye Plus app signing | Yes | Optional |
| TOUCH | Mobile app approval | Yes | Optional |
| TOUCH_PLUS | Touch with Plus fallback | Yes | Optional |
| TOUCH_MOBILE | Touch with SMS fallback | Yes | Optional |
| ASSISTED_LOGIN | Approver-based authentication | No | No |
| SHARED_ACCOUNT | Multiple phone/token numbers | No | No |
| ON_PREM | On-premises OATH token | No | No |
| MAGIC_LINK | Email magic link | Yes | Optional |
| PASSWORD_RESET | Password reset flow | Yes | Optional |
| DIRECTORY_DEFINED | Auth type from directory (directory users only) | Yes | Optional |
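
The phone, token and shared-number requirements in the General tab and Authentication Types tables can be checked mechanically when reviewing accounts. The following is an added example, not MideyeServer code: the record layout (`user_type`, `auth_type`, `phone`, `token`, `shared_numbers`) and all sample values are constructed for illustration.

```python
import re

# "+ followed by 3-14 digits"; [0-9] rather than \d so only ASCII digits pass.
MSISDN_RE = re.compile(r"\+[0-9]{3,14}")

# "Requires Phone = Yes" rows of the Authentication Types table.
NEEDS_PHONE = {"MOBILE", "PLUS", "TOUCH", "TOUCH_PLUS", "TOUCH_MOBILE",
               "MAGIC_LINK", "PASSWORD_RESET", "DIRECTORY_DEFINED"}


def check_user(rec):
    """Return a list of findings for one user record (empty list = clean)."""
    findings = []
    auth, phone = rec["auth_type"], rec.get("phone") or ""
    if phone and not MSISDN_RE.fullmatch(phone):
        findings.append("phone is not + followed by 3-14 digits")
    if auth in NEEDS_PHONE and not phone:
        findings.append(f"{auth} requires a phone number")
    if auth == "TOKEN" and not rec.get("token"):
        findings.append("TOKEN requires a token number")
    if auth == "SHARED_ACCOUNT" and not rec.get("shared_numbers"):
        findings.append("SHARED_ACCOUNT needs at least one shared number")
    if auth == "DIRECTORY_DEFINED" and rec["user_type"] != "DIRECTORY_USER":
        findings.append("DIRECTORY_DEFINED is for directory users only")
    if auth == "PASSWORD":
        findings.append("PASSWORD is single factor")
    return findings


# Constructed records; the field names are hypothetical, not a Mideye export.
USERS = [
    {"username": "ok", "user_type": "DATABASE_USER",
     "auth_type": "TOUCH_MOBILE", "phone": "+46701234567"},
    {"username": "nophone", "user_type": "DATABASE_USER",
     "auth_type": "MOBILE"},
    {"username": "badphone", "user_type": "DATABASE_USER",
     "auth_type": "TOKEN", "phone": "0701234567", "token": "123456"},
    {"username": "svc", "user_type": "DATABASE_USER", "auth_type": "PASSWORD"},
]


def audit(users):
    """Map username -> findings for every record that has at least one."""
    return {u["username"]: f for u in users if (f := check_user(u))}
```
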
Role Assignment
Available roles in the dropdown depend on the current user’s role level:
| Your Role | Available Roles to Assign |
|---|---|
| ROOT | SUPER_ADMIN, ADMIN, OPERATOR, USER |
| SUPER_ADMIN | ADMIN, OPERATOR, USER |
| ADMIN | OPERATOR, USER |
For directory users, PROVIDED is always appended.
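
The Role Hierarchy and Role Assignment tables both follow from the numeric levels, which makes the rules easy to model and to audit against. The following is an added example, not MideyeServer code: the function names and the event fields are hypothetical, and the sample events are constructed.

```python
# Levels copied from the Role Hierarchy table on this page.
LEVELS = {"ROOT": 100, "SUPER_ADMIN": 90, "ADMIN": 80,
          "OPERATOR": 70, "USER": 60, "PROVIDED": 50}
MANAGER_MIN = LEVELS["ADMIN"]  # OPERATOR and below cannot manage anyone


def can_manage(actor_role, target_role, same_account=False):
    """True if an actor may edit a target under the documented hierarchy."""
    actor = LEVELS[actor_role]
    if actor < MANAGER_MIN:
        return False
    if actor_role == "ROOT":
        return True  # table: ROOT manages all users
    if same_account:
        return True  # SUPER_ADMIN and ADMIN may edit their own account
    return LEVELS[target_role] < actor  # strictly below, never equal


def assignable_roles(actor_role, directory_user=False):
    """Roles the actor may pick in the Role dropdown, highest first."""
    actor = LEVELS[actor_role]
    if actor < MANAGER_MIN:
        return []
    roles = [r for r, lvl in sorted(LEVELS.items(), key=lambda kv: -kv[1])
             if lvl < actor and r != "PROVIDED"]
    if directory_user:
        roles.append("PROVIDED")  # always appended for directory users
    return roles


def audit_role_changes(events):
    """Return the events whose new role the actor could not have assigned."""
    return [ev for ev in events
            if ev["new_role"] not in
            assignable_roles(ev["actor_role"], ev["directory_user"])]


# Constructed sample events (hypothetical fields, not a Mideye log format).
EVENTS = [
    {"actor_role": "ADMIN", "target": "bob",
     "new_role": "OPERATOR", "directory_user": False},
    {"actor_role": "ADMIN", "target": "carol",
     "new_role": "ADMIN", "directory_user": False},
    {"actor_role": "OPERATOR", "target": "erin",
     "new_role": "USER", "directory_user": False},
]
```

Running `audit_role_changes(EVENTS)` returns the `carol` and `erin` events: an ADMIN assigning its own level and an OPERATOR assigning any role.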
Tab 2: Tokens
Manage software and hardware tokens assigned to the user.
Software Tokens
Each user can have one registered authenticator app.
| State | Available Actions |
|---|---|
| No authenticator registered | Register Authenticator — displays QR code for scanning, requires OTP verification |
| Authenticator registered | Verify OTP — test the token; Unregister — remove the authenticator |
Hardware Tokens
A data grid lists all hardware tokens assigned to the user.
| Column | Description |
|---|---|
| Serial Number | Token hardware identifier |
| State | VALID, REVOKED_TOKEN_LOST, REVOKED_TOKEN_BROKEN, or REVOKED_TOKEN_OTHER |
| Token Type | TOTP or HOTP |
| Software Token | Whether it’s a software token (hidden by default) |
| Manufacturer | Token manufacturer (hidden by default) |
| Action | Operations menu: Verify OTP, Change Status, Unassign |
Assign Hardware Token: Click the Assign button to search and select from unassigned tokens via autocomplete.
Tab 3: RADIUS Attributes
Configure per-user Vendor-Specific Attributes returned in RADIUS Access-Accept responses.
| Column | Description |
|---|---|
| RADIUS Attribute | Attribute name from the vendor dictionary |
| Value | The attribute value |
| Action | Edit and Delete buttons |
Add/Edit Dialog Fields:
| Field | Type | Required | Description |
|---|---|---|---|
| RADIUS Vendor | Select | No | Standard (RFC 2865) or vendor-specific |
| RADIUS Attribute | Select | Yes | Filtered by vendor, only configurable attributes |
| Value | Text | Yes | Attribute value |
Change Password Dialog
Available for database users from the list page action column.
| Field | Type | Required | Validation | Description |
|---|---|---|---|---|
| New Password | Password | Yes | Validated against password policy | — |
| Confirm Password | Password | Yes | Must match | — |
| Password Reset | Checkbox | No | Default: On | Force password reset on next login |
Lock Root User Dialog
Available only when the current user is ROOT and the target is the root user.
Displays a warning about the consequences of locking the root account and how to revert it.
Common Use Cases
Creating a New Database User
- Click Actions → Add New Database User.
- Enter a unique username.
- Select the appropriate role and authentication type.
- Set the password (must meet the configured password policy).
- Enter the phone number if the auth type requires it.
- Click Save.
Adding a Directory User with Custom Role
- Click Actions → Add New LDAP User.
- Enter the exact username as it appears in the directory.
- Change the role from PROVIDED to the desired level (e.g., OPERATOR).
- Adjust the auth type if needed (defaults to DIRECTORY_DEFINED).
- Click Save.
Assigning a Hardware Token
- Edit the user.
- Go to the Tokens tab.
- Click Assign in the Hardware Tokens section.
- Search for the token by serial number.
- Select the token and confirm.
Setting Up Per-User RADIUS Attributes
- Edit the user.
- Go to the RADIUS Attributes tab.
- Click Add New.
- Select the vendor and attribute.
- Enter the attribute value.
- Save.
Troubleshooting
| Issue | Possible Cause | Resolution |
|---|---|---|
| Cannot create user — username taken | Username already exists | Choose a different username |
| Password rejected | Does not meet password policy | Check requirements on User Settings |
| Cannot assign higher role | Role hierarchy restriction | You can only assign roles below your own level |
| Cannot delete root user | ROOT users cannot be deleted | Lock the root user instead |
| Auth type dropdown limited | Air-gapped mode active | Only PASSWORD and ON_PREM available without internet |
| Token tab not visible | User not yet saved | Save the user first; Tokens tab appears in edit mode |
Related Pages
- Mideye User Settings — Configure password policies and inactivity timeouts
- Hardware Tokens — Import and manage hardware OATH tokens
- RADIUS Clients — Associate users with specific RADIUS clients
- Vendor-Specific Attributes — Define custom RADIUS attributes for user assignment
- Authentication Logs — Review authentication events for specific users