What this feature does
A user in Epowerhr is the identity that signs in to the application. A user can be linked to a Person (employee) record, and they belong to one or more groups that determine what they are allowed to do. Their effective rights are the union of:
- The direct permissions ticked on the user's Permissions tab.
- The permissions granted by every group they are a member of.
Five tabs make up the day-to-day admin work on a user:
- Detail — the user's identity (name, e-mail, language, time zone, linked person, active flag).
- Authentication — how the user signs in: one or more authentication methods (e.g. AD, Forms-based).
- Groups — which groups the user belongs to.
- Permissions — extra permissions granted directly to the user, on top of their groups.
- Access tokens — an API token that lets external systems call Epowerhr on the user's behalf.
For group-level admin (creating groups, restricting their access to records), see Access: manage groups and Restrict access for groups: populations and hierarchy.
Before you start
You will need:
- The permissions Administration and Users (view) to open any of the user tabs.
- Add user, Update user and Delete user to create, edit or remove users on the Detail tab and the overview list.
- Add authentication method, Update authentication method and Delete authentication method to manage logins on the Authentication tab.
- Update group (in the Users component, code UPDATE_USER_GROUP) to change a user's group memberships on the Groups tab. Despite the short name, this right applies to the user page; the group page has its own Add user to group / Delete user from group rights.
- Update permission (code UPDATE_USER_PERMISSION) to grant direct permissions on the Permissions tab.
Open the users page
Navigate to Admin → Users. The page header is Manage users.
The search box at the top has the following filters:
| Filter | Notes |
|---|---|
| Login | Matches any of the user's authentication logins. |
| Last name | |
| First name | |
| Reference number | The personnel reference number from the linked Person record. |
| Include | Two checkboxes — Active users (ticked by default) and Inactive users (unticked). Tick Inactive users to also see deactivated accounts. |
Click Search to run the search or Clear search to reset the filters. Hide search / Show search collapses the box.
The result grid below shows three sortable columns: Last name, First name and Reference number. The empty-state reads "No results found!".
From the result grid you can:
- Click Edit on a row to open that user's detail page.
- Tick rows and click Delete selected users to remove them — a confirmation dialog appears: "Are you sure you want to delete the selected users?". On success a toast confirms "The selected users were deleted successfully!"; on failure the page reports "Can't delete the selected users because:" with the reason.
- Click Add user to create a new user. The Detail tab opens; the other tabs activate after the first save.
The Detail tab
The Detail tab holds the user's identity. Fields marked * are required.
| Field | Notes |
|---|---|
| Last name * | Validation message: "Please provide last name". |
| First name * | Validation message: "Please provide first name". |
| Preferred name * | The display name shown across the application, useful when the legal first name differs from the name people actually use. |
| Title | Free-list dropdown (Mr., Mrs., Dr., …). Optional. |
| E-mail * | The address Epowerhr uses to communicate with the user: system mails, password-reset flows, the new-account mail sent when you create a Forms login, and any application-generated notifications all go here. Validation: "Please provide e-mail" (empty) or "E-mail is invalid" (bad format). |
| Language * | The UI language and locale formatting the user sees. Validation: "Language is a required field". |
| Time zone * | Determines how dates and times are rendered for this user. Validation: "Time zone is a required field". |
| Person | Optional link to an employee record. Click Pick from list to open the person picker, or Clear to unlink. Only one user can be linked to a given Person — picking someone already linked shows "Person is already used by another user". |
| Active | Ticked by default. Untick to deactivate the user: their existing logins stop working but the record (group memberships, history, audit trails) is kept. |
| Limit access on the owner | When ticked, the user only sees records where they are personally the owner. Use it for a "just my own work" view. |
Click Save to persist the Detail tab. The success toast reads "User {name} added" for new users and "User {name} updated" afterwards. After the first save, the Authentication, Groups, Permissions and Access tokens tabs become available.
The Authentication tab
A user can have more than one authentication method — for example a Forms-based login and a federated SSO login. Each row in the list represents one way the user can sign in.
The list columns are:
- Login — the username for that method.
- Authentication type — the method (Forms, ADFS, Office 365, …).
- Enabled — whether that method is currently usable.
If the user has no methods yet, the empty-state reads "No records".
Authentication types
The Authentication type dropdown contains every method that is configured for the tenant. The available types are:
| Type | When to use | Status |
|---|---|---|
| Forms | The local Epowerhr login — a username and password stored by Epowerhr's identity server. Use this when the user has no corporate identity to federate against, or as a fallback alongside an SSO method. | Active |
| Active directory federation services (ADFS) | Federated sign-in against an on-premise AD FS. | Active |
| Office 365 (Windows login) | Federated sign-in against Microsoft Entra ID / Office 365. | Active |
| Google | Federated sign-in against Google Workspace / consumer Google accounts. | Active |
| Keycloak | Federated sign-in against a Keycloak realm. | Active |
| Cognito | Federated sign-in against AWS Cognito. | Active |
| Windows | The legacy Integrated Windows Authentication. | Deprecated — do not pick this for new users. |
| SingleSignOn | The legacy generic SSO type that pre-dates the named providers above. | Deprecated — use one of the named SSO types (ADFS, Office 365, Google, Keycloak, Cognito) for new users. |
Tip — picking a type: for a new customer, use one named SSO type that matches the customer's identity provider, plus a Forms method as a break-glass fallback for administrators. Avoid Windows and SingleSignOn — they exist only to support customers who haven't migrated yet.
Login format (Forms and Windows only)
For Forms and Windows methods, the Login field is governed by the tenant-level Login format setting (configured on the customer's CC record). When you add a method, a read-only Login format label tells you which mode is active:
| Mode | Behaviour |
|---|---|
| Login | You type any login you like. It only has to be unique within the tenant — there is no prefix and no template. |
| Prefix + login | A CC-configured prefix is prepended automatically. The prefix appears as a read-only label next to the input; you type only the part after it. The full login (prefix + your input) must be unique. |
| Prefix + number | The login is fully auto-generated (prefix + an incrementing number). The input is hidden and the value will be shown after saving — you cannot choose it. |
The named SSO types (ADFS, Office 365, Google, Keycloak, Cognito) ignore the Login format: their Login field is always a free text box where you enter the identifier the identity provider sends (typically the user's e-mail or UPN).
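The three Login format modes above, worked through in code. This is an added example, not the product's own code: the function names, the mode strings, the tenant counter argument and the case-insensitive comparison are assumptions; the modes themselves and the rule that the full login (prefix included) must be unique are the ones the page describes.

```python
"""Added example: what the tenant Login format setting turns a typed login into.

Illustrative code, not the product's own; the function names, the mode strings,
the tenant counter argument and the case-insensitive comparison are assumptions.
The three modes and the uniqueness rule are the ones described on the page.
"""

MODES = ("Login", "Prefix + login", "Prefix + number")


class LoginError(ValueError):
    """Raised with the message the admin would see."""


def build_login(mode, typed, existing, prefix="", next_number=None):
    """Return the full login that would be stored for a Forms/Windows method.

    existing    - logins already stored for the tenant
    typed       - the admin's input; ignored for "Prefix + number"
    next_number - tenant counter for "Prefix + number" (assumption: an integer)
    """
    if mode not in MODES:
        raise LoginError(f"unknown login format {mode!r}")
    if mode == "Prefix + number":
        if next_number is None:
            raise LoginError("tenant counter required for Prefix + number")
        login = f"{prefix}{next_number}"
    else:
        if not typed or not typed.strip():
            raise LoginError("Please provide login")
        login = typed.strip() if mode == "Login" else f"{prefix}{typed.strip()}"
    # Uniqueness is checked on the full login, prefix included (case-insensitive
    # comparison is an assumption, not stated on the page).
    if login.lower() in {e.lower() for e in existing}:
        raise LoginError(f"login {login!r} already exists in this tenant")
    return login


def check_login(mode, typed, existing, **kw):
    """Same as build_login but returns (ok, login_or_message) instead of raising."""
    try:
        return True, build_login(mode, typed, existing, **kw)
    except LoginError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample: logins already present in the tenant.
    existing = {"acme-jdoe", "acme-1001", "bob"}
    print(check_login("Login", "carol", existing))
    # Typed part is "jdoe"; the full login "acme-jdoe" collides with an existing one.
    print(check_login("Prefix + login", "jdoe", existing, prefix="acme-"))
    print(check_login("Prefix + number", "", existing, prefix="acme-", next_number=1002))
```

The collision case is the one that surprises admins in Prefix + login mode: the part you type may look new, but the check runs on prefix plus input, so "jdoe" under prefix "acme-" is rejected when "acme-jdoe" already exists.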
Add an authentication method
- Click Add authentication method. The detail form replaces the list.
- Pick the Authentication type. The form refreshes — depending on the type, the Login format, Login and Password fields appear.
- Fill in Login (validation: "Please provide login"). If the Login format is Prefix + number the field is hidden and the login will be generated for you.
- For Forms, fill in Password (validation: "Please provide password"). When you save, Epowerhr creates the account in the identity server and automatically sends an e-mail to the address on the Detail tab, subject "Your ePower eSuite password", containing the user's login and the password you just set. The mail is sent in the user's language (the Language field on the Detail tab). Make sure the e-mail address is correct before you save: there is no separate "resend welcome mail" action, and a wrong address delivers the password to someone else. Because the password travels in that mail, set a temporary value and have the user change it as soon as they sign in (the password-reset flow uses the same address).
- Leave Enabled ticked (the default) so the method can be used immediately.
- Click Save. Success toast: "Authentication {login} added".
Edit or disable an authentication method
Click Edit on a row to change its values, then Save. Untick Enabled to keep the method on file but block its use. Success toast: "Authentication {login} updated".
Remove authentication methods
Tick the rows you want to remove and click Delete selected authentication methods. Success toast: "Authentications deleted".
Tip: A user with only one authentication method who loses access to it (e.g. AD account disabled) cannot sign in. If you have any doubt about an upcoming change, add a Forms-based method as a backup before the cut-over and disable it again afterwards (or remove it once the cut-over is confirmed, so no spare credential stays on file). Remember that adding the Forms method sends the password mail to the user's e-mail address.
The Groups tab
The Groups tab is a tree view of every group in the tenant. Each group has a checkbox; tick to add the user, untick to remove.
After ticking the groups you want, click Save. The toast confirms "Groups updated".
Note: rights are additive across groups. If three of the user's groups grant View training, removing one of them does not revoke the right — the other two still grant it. To revoke a right entirely, you must untick it in every group that currently grants it (or move the user out of all those groups).
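The additive model from the top of the page, the note above and the "they can still do the action" question in the FAQ, worked through in code. This is an added example, not the product's own code: the data shapes and function names are assumptions, and the sample groups are constructed; what it shows is exactly the rule stated here, that a right is gone only when no group and no direct grant still provides it.

```python
"""Added example: a model of Epowerhr's additive rights.

Illustrative code, not the product's own; the data shapes and function names
are assumptions. Rights are the union of the Permissions tab and every group on
the Groups tab, so a right disappears only when no source grants it any more.
"""
from dataclasses import dataclass, field

# Constructed sample tenant: group name -> rights that group grants.
GROUP_RIGHTS = {
    "HR Admins": {"View training", "Adjust salary"},
    "Trainers": {"View training"},
    "Managers": {"View training", "View team"},
}


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)   # Groups tab
    direct: set = field(default_factory=set)   # Permissions tab


def effective_rights(user, group_rights=GROUP_RIGHTS):
    """Direct permissions plus the permissions of every group the user is in."""
    rights = set(user.direct)
    for group in user.groups:
        rights |= group_rights.get(group, set())
    return rights


def who_grants(user, right, group_rights=GROUP_RIGHTS):
    """Audit helper: every source that still grants `right`.
    Returns 'direct' and/or group names; an empty list means the user lacks it."""
    sources = ["direct"] if right in user.direct else []
    sources += sorted(g for g in user.groups if right in group_rights.get(g, set()))
    return sources


def remove_from_group(user, group):
    """Untick one group on the Groups tab; returns the rights that are really lost."""
    before = effective_rights(user)
    user.groups.discard(group)
    return before - effective_rights(user)


if __name__ == "__main__":
    alice = User("alice", groups={"HR Admins", "Trainers", "Managers"}, direct={"Add user"})
    print(sorted(effective_rights(alice)))
    # Removing one of three groups that grant "View training" revokes nothing.
    print(remove_from_group(alice, "Trainers"))
    print(who_grants(alice, "View training"))
    # "Adjust salary" is lost only because HR Admins was its sole source.
    print(remove_from_group(alice, "HR Admins"))
```

When a user keeps a right you thought you removed, run the equivalent of who_grants before touching anything else: it tells you whether the leftover source is the Permissions tab or another group, which is the first of the two causes listed in the FAQ.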
The Permissions tab
The Permissions tab grants permissions directly to the user, on top of whatever they get through their groups. The layout is identical to the group's Permissions tab:
- Tree view grouped by component (PA, Leave, Training, Talent, …). Leaves are individual rights.
- Per-branch counter showing "X / Y selected" next to each parent.
- Expand all rights / Collapse all rights toggle in the top-right.
- Search box with placeholder "Search right (e.g. 'adjust user')".
Tick the leaves you want to grant directly, then Save. Success toast: "Permissions updated".
When to grant directly versus via a group: prefer groups whenever possible — they are easier to audit and easier to apply to similar users. Use direct permissions for one-off exceptions ("this single backup user needs Adjust salary for two weeks") that don't justify creating a dedicated group.
The Access tokens tab
Access tokens are API credentials a user can hand to an external system so it can call Epowerhr on their behalf. A user has at most one active token at a time. Because calls made with the token run as that user, whoever holds it has every right the user has (groups plus direct permissions); give integrations a dedicated user that is a member of only the groups they need, rather than a token on a real administrator's account.
The tab shows two read-only fields:
- Access token — the token value, with a copy icon next to it. The full value is shown only right after creation; once you leave the tab the field is masked.
- Expiration date — when the token stops being accepted.
Create a new token
Click Create new access token. The page reloads with the new token visible and the warning:
"Make sure to copy your access token now. You won't be able to see it again!"
Use the copy icon to put the token on the clipboard, then paste it straight into the external system. After leaving the tab, the token is masked again — there is no way to retrieve it later. Creating a new token replaces any existing token immediately; calls using the old token will fail.
Remove a token
Click Remove access token to clear the token. Any external system still using it will start failing — only do this when you are sure the token is no longer needed (for example, the user has left, or the integration has been decommissioned).
Expiration reminders
Epowerhr automatically reminds the token owner before their token stops working. The User token expiration mail service task runs on the background worker and, for every active token, sends an e-mail at 30 days, 7 days and 1 day before the Expiration date. The mail goes to the address on the Detail tab — subject "Your access token expires in {N} day(s)" — and is sent in the user's Language.
A few things worth knowing:
- The reminder is only sent if the user has a Language filled in on the Detail tab. Without one the service task skips the user and logs a warning.
- The reminders are informational only — Epowerhr does not generate a replacement automatically. When a reminder lands, the user (or an admin acting on their behalf) needs to come back to this tab and click Create new access token to issue a fresh one and forward it to the external system.
- The three reminders are independent, but each run of the task looks only at the token that exists at that moment. Since a user has at most one token and Create new access token replaces it, regenerating after the 30-day mail means the 7-day and 1-day checks are made against the new Expiration date; the follow-up mails for the old date never fire.
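The reminder schedule described above, worked through as code. This is an added example and not the product's service task: the record shape, the function names, the ISO date strings and the token lifetime used by regenerate_token are assumptions, and the users are constructed. What comes from the page is the rest: one token per user, a mail at 30, 7 and 1 days before Expiration date, a skip with a warning when Language is empty, and a regenerated token moving the date so the stale follow-ups never fire.

```python
"""Added example: the reminder schedule of the User token expiration mail task.

Illustrative code, not the product's service task; the record shape, the function
names, the ISO date strings and the token lifetime in regenerate_token are
assumptions. From the page: one token per user, mails at 30, 7 and 1 days before
Expiration date, a skip with a warning when Language is empty, and a regenerated
token moving the date so stale reminders never fire.
"""
from datetime import date, timedelta

REMINDER_DAYS = (30, 7, 1)


def reminders_due(users, today):
    """Return (mails, warnings) for one run of the task on `today` (ISO string).

    Each user is a dict: {"name", "language", "token_expires": ISO string or None}.
    mails    - [(name, days_left)] in the order the users were given
    warnings - what the task would log for users it skipped
    """
    run_day = date.fromisoformat(today)
    mails, warnings = [], []
    for u in users:
        if not u.get("token_expires"):        # no active token: nothing to remind
            continue
        days_left = (date.fromisoformat(u["token_expires"]) - run_day).days
        if days_left not in REMINDER_DAYS:
            continue
        if not u.get("language"):
            warnings.append(f"skipped {u['name']}: no Language on the Detail tab")
            continue
        mails.append((u["name"], days_left))
    return mails, warnings


def regenerate_token(user, today, lifetime_days=90):
    """Create new access token: the old token is replaced, so from now on only the
    new Expiration date exists. lifetime_days is an assumption, not a page value."""
    new_date = date.fromisoformat(today) + timedelta(days=lifetime_days)
    user["token_expires"] = new_date.isoformat()
    return user["token_expires"]


if __name__ == "__main__":
    # Constructed sample users.
    users = [
        {"name": "alice", "language": "en", "token_expires": "2025-03-31"},
        {"name": "bob", "language": "", "token_expires": "2025-03-31"},
        {"name": "carol", "language": "nl", "token_expires": None},
    ]
    print(reminders_due(users, "2025-03-01"))   # alice: 30-day mail; bob skipped
    regenerate_token(users[0], "2025-03-24")    # alice rotates after the 7-day mail
    print(reminders_due(users, "2025-03-30"))   # no 1-day mail for alice's old date
```

The bob record is the case to watch for in practice: his token is about to expire, but with no Language on the Detail tab the task never mails him, so the first sign of trouble is the integration failing.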
Frequently asked questions
Why don't I see one of the tabs? You need Administration and Users (view) to see the user page at all. Each tab additionally needs the matching update right (Update user, Update authentication method, Update group, Update permission). The Authentication, Groups, Permissions and Access tokens tabs are also disabled until you save the Detail tab for a brand-new user.
I deactivated a user but they can still see things. Active is checked at sign-in. If the user is already signed in, they keep their session until it expires. Force-revoke is not available from this page; ask the user to sign out, or wait for the session to expire.
What's the difference between deactivating a user and removing them from a group? Deactivating (unticking Active) blocks all sign-ins for that user — every authentication method stops working. Removing them from a group only narrows their rights; they can still sign in and use whatever the rest of their groups grant.
I removed a permission from the user but they can still do the action. Why? Two common causes. First, group permissions still apply: the user may be getting that right from a group. Second, some menu items and access checks are computed at sign-in, so the user may need to sign out and back in for the change to fully take effect.
Why does the system say "Person is already used by another user" when I pick someone? A Person record can only be linked to one user. Find the existing user (search the Users page by reference number or last name), and either clear the link there first or use a different Person.
I lost the access token, can I retrieve it? No. The token value is only displayed at creation time. Click Create new access token, copy the new value, and update whichever external system was using the old one; it will start failing on its next call.
Can a user have more than one login? Yes. A user can have several authentication methods of different types (for example AD and Forms-based) on the Authentication tab. They can sign in with any enabled method.