
Mideye Users – Manage Authentication User Accounts

The Mideye Users page is the primary user management interface for all authentication accounts in MideyeServer. It supports two user types: Database Users (managed locally with stored passwords) and Directory Users (sourced from LDAP or Entra ID directories). Each user is configured with an authentication type, role, phone number, and optionally assigned hardware or software tokens for multi-factor authentication.

The page includes server-side pagination, filtering by username/phone/token, and role-based editing restrictions that enforce a strict hierarchy — administrators can only manage users with roles below their own level.

Required Role: ROOT, SUPER_ADMIN, or ADMIN (to create, edit, delete, or change passwords)

Navigation: Home → Users & Tokens → Mideye Users

| Role | Level | Can Manage |
|------|-------|------------|
| ROOT | 100 | All users; can lock root user |
| SUPER_ADMIN | 90 | ADMIN, OPERATOR, USER, PROVIDED |
| ADMIN | 80 | OPERATOR, USER, PROVIDED |
| OPERATOR | 70 | Cannot manage other users |
| USER | 60 | Cannot manage other users |
| PROVIDED | 50 | Directory-user default; cannot manage other users |

Users can always edit their own account if they are SUPER_ADMIN or ADMIN.

The list uses server-side pagination with sorting. Default sort: username ascending. Page sizes: 10, 15, 20, 50, 100.

| Column | Description | Hidden by Default |
|--------|-------------|-------------------|
| Username | Login name (always visible, not hideable) | No |
| User Type | DATABASE_USER or DIRECTORY_USER | Yes |
| Role | Assigned role (translated label) | Yes |
| Phone Number | MSISDN for OTP delivery | No |
| Token Number | Hardware token serial number | Yes |
| Auth Type | Authentication method | Yes |
| Last Login | Most recent authentication timestamp | Yes |
| Locked | Lock status icon (Lock/LockOpen) | No |
| Tokens | Software token icon + hardware token badge count | No |
| Action | Edit, Delete, Change Password (conditional) | No |

A popover filter with three search modes:

| Filter | Icon | Description |
|--------|------|-------------|
| Username | Account | Filter users by username (default) |
| Phone Number | Phone | Filter by MSISDN |
| Token Number | Security | Filter by hardware token serial |

| Action | Visibility | Description |
|--------|------------|-------------|
| Edit | When current user can manage target | Open the multi-tab edit form |
| Delete | When target is not ROOT | Delete the user account |
| Change Password | Database users only | Open the password change dialog |
| Lock Root User | ROOT users only, by ROOT only | Lock the root user account |

To add a user, use the Actions Menu (top-right), which offers:

  • Add New Database User — locally managed with password
  • Add New LDAP User — directory-sourced user

The form is organized into tabs. The Tokens and RADIUS Attributes tabs are only visible when editing an existing user.

| Field | Type | Required | Validation | Default | Description |
|-------|------|----------|------------|---------|-------------|
| Username | Text | Yes | Unique (async check) | — | Login name |
| Role | Select | Yes | Cannot exceed current user's role | ROLE_USER | Access level |
| Auth Type | Select | Yes | — | TOUCH_MOBILE | Authentication method |
| Password | Password | Yes (create only) | Validated against password policy | — | Only shown on create |
| Password Confirmation | Password | Yes (create only) | Must match password | — | Only shown on create |
| Phone Number | Text | Conditional | Format: + followed by 3–14 digits | — | Required when auth type needs MSISDN |
| Token Number | Text | Conditional | — | — | Required for TOKEN auth type |
| Message Type | Select | No | — | INBOX_SMS | OTP delivery: FLASH_SMS or INBOX_SMS |
| Expiration Date | Date | No | — | None | Account expiration date |
| Locked | Checkbox | No | — | Off | Manually lock the account |
| Don't Write Successful Logins | Checkbox | No | — | Off | Exclude successful auths from auth log |
| Password Reset | Checkbox | No | — | On (new) | Force password reset on next login |
| Ignore Inactivity Timeout | Checkbox | No | — | Off | Exempt from inactivity auto-lock |
| RADIUS Clients | Multi-select | No | — | All | Restrict user to specific RADIUS clients |
| Shared Account Numbers | Multi-tag | When SHARED_ACCOUNT | Min: 1 entry | — | Phone/token numbers for shared accounts |

The LDAP (directory) user form has the same fields as the Database User form, with these differences:

| Difference | Detail |
|-----------|--------|
| Username | Disabled when editing |
| Password fields | Not shown |
| Password Reset | Not shown |
| Default Role | ROLE_PROVIDED |
| Default Auth Type | DIRECTORY_DEFINED |

| Auth Type | Description | Requires Phone | Requires Token |
|-----------|-------------|---------------|----------------|
| PASSWORD | Password only (single factor) | No | No |
| MOBILE | SMS OTP to mobile phone | Yes | Optional |
| TOKEN | Hardware token OTP | No | Yes |
| CONCAT | Password + OTP concatenated | No | Optional |
| PLUS | Mideye Plus app signing | Yes | Optional |
| TOUCH | Mobile app approval | Yes | Optional |
| TOUCH_PLUS | Touch with Plus fallback | Yes | Optional |
| TOUCH_MOBILE | Touch with SMS fallback | Yes | Optional |
| ASSISTED_LOGIN | Approver-based authentication | No | No |
| SHARED_ACCOUNT | Multiple phone/token numbers | No | No |
| ON_PREM | On-premises OATH token | No | No |
| MAGIC_LINK | Email magic link | Yes | Optional |
| PASSWORD_RESET | Password reset flow | Yes | Optional |
| DIRECTORY_DEFINED | Auth type from directory (directory users only) | Yes | Optional |
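The phone and token requirements in the table above, the phone-number format from the user form, the SHARED_ACCOUNT minimum and the air-gapped restriction from the troubleshooting section, written out as a server-side form validator. This is an added example, not MideyeServer code; the form field names, the `air_gapped` flag and the `creating` flag are assumptions.

```python
import re

# Constructed from the auth-type table on this page: (requires phone, requires token)
AUTH_REQUIREMENTS = {
    "PASSWORD": ("No", "No"), "MOBILE": ("Yes", "Optional"),
    "TOKEN": ("No", "Yes"), "CONCAT": ("No", "Optional"),
    "PLUS": ("Yes", "Optional"), "TOUCH": ("Yes", "Optional"),
    "TOUCH_PLUS": ("Yes", "Optional"), "TOUCH_MOBILE": ("Yes", "Optional"),
    "ASSISTED_LOGIN": ("No", "No"), "SHARED_ACCOUNT": ("No", "No"),
    "ON_PREM": ("No", "No"), "MAGIC_LINK": ("Yes", "Optional"),
    "PASSWORD_RESET": ("Yes", "Optional"), "DIRECTORY_DEFINED": ("Yes", "Optional"),
}
AIR_GAPPED_TYPES = {"PASSWORD", "ON_PREM"}  # only types offered without internet access
PHONE_RE = re.compile(r"^\+\d{3,14}$")      # "+" followed by 3-14 digits

def validate_user_form(form, user_type="DATABASE_USER", creating=True, air_gapped=False):
    """Return a list of validation errors; an empty list means the form is acceptable.
    `form` is a dict of submitted fields (field names are assumptions, not the UI's)."""
    errors = []
    auth = form.get("auth_type", "")
    if auth not in AUTH_REQUIREMENTS:
        return [f"auth_type: unknown value {auth!r}"]
    if air_gapped and auth not in AIR_GAPPED_TYPES:
        errors.append("auth_type: only PASSWORD and ON_PREM are available in air-gapped mode")
    if auth == "DIRECTORY_DEFINED" and user_type != "DIRECTORY_USER":
        errors.append("auth_type: DIRECTORY_DEFINED is for directory users only")
    needs_phone, needs_token = AUTH_REQUIREMENTS[auth]
    phone = form.get("phone_number", "")
    if phone and not PHONE_RE.match(phone):
        errors.append("phone_number: must be + followed by 3-14 digits")
    if needs_phone == "Yes" and not phone:
        errors.append(f"phone_number: required for auth type {auth}")
    if needs_token == "Yes" and not form.get("token_number", ""):
        errors.append(f"token_number: required for auth type {auth}")
    if auth == "SHARED_ACCOUNT" and not form.get("shared_account_numbers"):
        errors.append("shared_account_numbers: at least one entry is required")
    # Password and confirmation are only shown (and required) when creating a database user
    if user_type == "DATABASE_USER" and creating:
        pw = form.get("password", "")
        if not pw:
            errors.append("password: required when creating a database user")
        elif pw != form.get("password_confirmation", ""):
            errors.append("password_confirmation: must match password")
    return errors
```

The password-policy check itself is configured on User Settings and is not modelled here.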

Available roles in the dropdown depend on the current user's role level:

| Your Role | Available Roles to Assign |
|-----------|--------------------------|
| ROOT | SUPER_ADMIN, ADMIN, OPERATOR, USER |
| SUPER_ADMIN | ADMIN, OPERATOR, USER |
| ADMIN | OPERATOR, USER |

For directory users, PROVIDED is always appended to this list.
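The role hierarchy, the self-edit rule, the assignable-role dropdown and the Action-column visibility rules described above, combined into one authorization check. This is an added example, not MideyeServer code; the user-dict shape is an assumption, and it assumes that Delete and Change Password are only offered for rows the current user can manage.

```python
# Role levels and manager roles as documented on the Mideye Users page
ROLE_LEVELS = {"ROOT": 100, "SUPER_ADMIN": 90, "ADMIN": 80,
               "OPERATOR": 70, "USER": 60, "PROVIDED": 50}
MANAGER_ROLES = {"ROOT", "SUPER_ADMIN", "ADMIN"}  # may create, edit, delete, change passwords

def can_manage(actor, target):
    """actor/target are dicts with 'username' and 'role' (assumed shape).
    Strict hierarchy: a manager role only manages accounts strictly below its own level;
    ROOT manages all users; SUPER_ADMIN and ADMIN may also edit their own account."""
    if actor["role"] not in MANAGER_ROLES:
        return False
    if actor["role"] == "ROOT":
        return True
    if actor["username"] == target["username"]:
        return True  # self-edit for SUPER_ADMIN / ADMIN
    return ROLE_LEVELS[actor["role"]] > ROLE_LEVELS[target["role"]]

def assignable_roles(actor_role, directory_user=False):
    """Roles offered in the Role dropdown: every role strictly below the actor's level,
    with PROVIDED appended only for directory users."""
    if actor_role not in MANAGER_ROLES:
        return []
    roles = [r for r, level in ROLE_LEVELS.items()
             if level < ROLE_LEVELS[actor_role] and r != "PROVIDED"]
    if directory_user:
        roles.append("PROVIDED")
    return roles

def allowed_actions(actor, target):
    """Action-column entries the actor sees for the target row."""
    actions = []
    if can_manage(actor, target):
        actions.append("Edit")
        if target["role"] != "ROOT":              # ROOT users cannot be deleted
            actions.append("Delete")
        if target.get("user_type") == "DATABASE_USER":
            actions.append("Change Password")     # database users only
    if actor["role"] == "ROOT" and target["role"] == "ROOT":
        actions.append("Lock Root User")          # ROOT target, by ROOT only
    return actions
```

Enforce these checks on the server for every request, not only when rendering the Action column; the client-side hiding described on this page is a convenience, not the control.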

The Tokens tab manages the software and hardware tokens assigned to the user.

Each user can have one registered authenticator app.

| State | Available Actions |
|-------|------------------|
| No authenticator registered | Register Authenticator — displays QR code for scanning, requires OTP verification |
| Authenticator registered | Verify OTP — test the token; Unregister — remove the authenticator |

A data grid lists all hardware tokens assigned to the user.

| Column | Description |
|--------|-------------|
| Serial Number | Token hardware identifier |
| State | VALID, REVOKED_TOKEN_LOST, REVOKED_TOKEN_BROKEN, or REVOKED_TOKEN_OTHER |
| Token Type | TOTP or HOTP |
| Software Token | Whether it's a software token (hidden by default) |
| Manufacturer | Token manufacturer (hidden by default) |
| Action | Operations menu: Verify OTP, Change Status, Unassign |

Assign Hardware Token: Click the Assign button to search and select from unassigned tokens via autocomplete.

The RADIUS Attributes tab configures per-user Vendor-Specific Attributes that are returned in RADIUS Access-Accept responses.

| Column | Description |
|--------|-------------|
| RADIUS Attribute | Attribute name from the vendor dictionary |
| Value | The attribute value |
| Action | Edit and Delete buttons |

Add/Edit Dialog Fields:

| Field | Type | Required | Description |
|-------|------|----------|-------------|
| RADIUS Vendor | Select | No | Standard (RFC 2865) or vendor-specific |
| RADIUS Attribute | Select | Yes | Filtered by vendor, only configurable attributes |
| Value | Text | Yes | Attribute value |

The Change Password dialog is available for database users from the Action column of the list page.

| Field | Type | Required | Validation | Description |
|-------|------|----------|------------|-------------|
| New Password | Password | Yes | Validated against password policy | — |
| Confirm Password | Password | Yes | Must match | — |
| Password Reset | Checkbox | No | Default: On | Force password reset on next login |

The Lock Root User dialog is available only when the current user is ROOT and the target is the root user.

Displays a warning about the consequences of locking the root account and how to revert it.

To add a database user:

  1. Click Actions → Add New Database User.
  2. Enter a unique username.
  3. Select the appropriate role and authentication type.
  4. Set the password (must meet the configured password policy).
  5. Enter the phone number if the auth type requires it.
  6. Click Save.

To add an LDAP (directory) user:

  1. Click Actions → Add New LDAP User.
  2. Enter the exact username as it appears in the directory.
  3. Change the role from PROVIDED to the desired level (e.g., OPERATOR).
  4. Adjust the auth type if needed (defaults to DIRECTORY_DEFINED).
  5. Click Save.

To assign a hardware token:

  1. Edit the user.
  2. Go to the Tokens tab.
  3. Click Assign in the Hardware Tokens section.
  4. Search for the token by serial number.
  5. Select the token and confirm.

To add a RADIUS attribute:

  1. Edit the user.
  2. Go to the RADIUS Attributes tab.
  3. Click Add New.
  4. Select the vendor and attribute.
  5. Enter the attribute value.
  6. Save.

| Issue | Possible Cause | Resolution |
|-------|---------------|------------|
| Cannot create user — username taken | Username already exists | Choose a different username |
| Password rejected | Does not meet password policy | Check requirements on User Settings |
| Cannot assign higher role | Role hierarchy restriction | You can only assign roles below your own level |
| Cannot delete root user | ROOT users cannot be deleted | Lock the root user instead |
| Auth type dropdown limited | Air-gapped mode active | Only PASSWORD and ON_PREM available without internet |
| Token tab not visible | User not yet saved | Save the user first; Tokens tab appears in edit mode |