{% extends "documentation/base.html" %}

{% block doc_content %}
<h1>Users & Roles</h1>

<p class="lead">
  BackupChecks uses a role-based access control system to manage user permissions and access levels.
</p>

<div class="doc-callout doc-callout-info">
  <strong>📝 Coming Soon:</strong><br>
  This page is under construction. Screenshots will be added in a future update.
</div>

<h2>User Roles Overview</h2>

<p>BackupChecks supports four distinct user roles, each with specific permissions and access levels:</p>

<table>
  <thead>
    <tr>
      <th>Role</th>
      <th>Primary Purpose</th>
      <th>Key Permissions</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td><strong>Admin</strong></td>
      <td>Full system administration</td>
      <td>Complete access to all features, settings, user management, and system configuration</td>
    </tr>
    <tr>
      <td><strong>Operator</strong></td>
      <td>Daily backup operations</td>
      <td>Review backups, manage customers/jobs, create tickets, view reports (no system settings)</td>
    </tr>
    <tr>
      <td><strong>Reporter</strong></td>
      <td>Reporting and analytics</td>
      <td>View and generate reports only (no access to operational features)</td>
    </tr>
    <tr>
      <td><strong>Viewer</strong></td>
      <td>Read-only monitoring</td>
      <td>View customers, jobs, and reports (cannot make changes)</td>
    </tr>
  </tbody>
</table>

<h2>Detailed Role Permissions</h2>

<h3>Admin Role</h3>

<p>Administrators have unrestricted access to BackupChecks:</p>

<ul>
  <li>Manage users (create, edit, delete, assign roles)</li>
  <li>Configure system settings (mail import, Autotask integration, UI timezone)</li>
  <li>Manage customers and backup jobs</li>
  <li>Review and approve backup runs</li>
  <li>Create and manage tickets</li>
  <li>Configure overrides and parsers</li>
  <li>View audit logs and system maintenance features</li>
  <li>Create news announcements</li>
  <li>Access all mail (including deleted mails and archived jobs)</li>
  <li>Export and import data</li>
</ul>

<div class="doc-callout doc-callout-warning">
  <strong>⚠️ Security Note:</strong><br>
  Admin access should be limited to trusted personnel only. Admins can modify critical system settings and access all data.
</div>

<h3>Operator Role</h3>

<p>Operators handle day-to-day backup monitoring and validation:</p>

<ul>
  <li>View and manage customers</li>
  <li>Configure backup jobs</li>
  <li>Review backup runs and mark them as reviewed</li>
  <li>Create and manage Autotask tickets for failed backups</li>
  <li>Add remarks to backup runs</li>
  <li>View and create reports</li>
  <li>Manage inbox emails and approve jobs</li>
  <li>Configure overrides for special cases</li>
</ul>

<p><strong>Operators cannot:</strong> Access system settings, manage users, view audit logs, or access deleted mails.</p>

<h3>Reporter Role</h3>

<p>Reporters focus exclusively on reporting and analytics:</p>

<ul>
  <li>View the dashboard</li>
  <li>Create, schedule, and view reports</li>
  <li>Access documentation, changelog, and feedback</li>
</ul>

<p><strong>Reporters cannot:</strong> Access operational features like inbox, customers, jobs, run checks, or tickets. The navigation menu shows only report-related items.</p>

<div class="doc-callout doc-callout-tip">
  <strong>💡 Use Case:</strong><br>
  The Reporter role is ideal for management or stakeholders who need visibility into backup compliance without operational access.
</div>

<h3>Viewer Role</h3>

<p>Viewers have read-only access to monitor backup status:</p>

<ul>
  <li>View customers and their backup jobs</li>
  <li>View backup runs and their status</li>
  <li>View tickets and remarks</li>
  <li>View reports</li>
  <li>Access documentation and changelog</li>
</ul>

<p><strong>Viewers cannot:</strong> Make any changes, create tickets, review backups, or access system settings.</p>

<h2>Multiple Role Assignment</h2>

<p>Users can be assigned multiple roles simultaneously. This provides flexibility for users who need different access levels at different times.</p>

<h3>How Multiple Roles Work</h3>

<ol>
  <li>A user can be assigned any combination of roles using checkboxes</li>
  <li>When logged in, the user selects their <strong>active role</strong> from a dropdown in the navigation bar</li>
  <li>The interface and available features adapt based on the selected active role</li>
  <li>Users can switch between their assigned roles at any time</li>
</ol>

<div class="doc-callout doc-callout-tip">
  <strong>💡 When to Use Multiple Roles:</strong><br>
  Multiple roles are useful when a user occasionally needs different access levels. However, use sparingly - most users should have a single role that matches their primary responsibility.
</div>

<h2>Managing Users</h2>

<p>User management is performed by administrators through the <strong>Settings</strong> page.</p>

<h3>Creating a New User</h3>

<ol>
  <li>Navigate to <strong>Settings</strong> → <strong>User Management</strong> (Admin only)</li>
  <li>Scroll down to the <strong>Create new user</strong> section</li>
  <li>Enter a <strong>Username</strong> in the username field</li>
  <li>Enter a <strong>Password</strong> in the password field</li>
  <li>Select one or more roles by checking the appropriate checkboxes:
    <ul>
      <li>Admin</li>
      <li>Operator</li>
      <li>Reporter</li>
      <li>Viewer</li>
    </ul>
  </li>
  <li>Click the <strong>Create</strong> button</li>
</ol>

<figure>
  <img src="{{ url_for('static', filename='images/documentation/user-management.png') }}"
       alt="User Management Interface" />
  <figcaption>Figure 1: User Management interface showing role checkboxes and user creation</figcaption>
</figure>

<div class="doc-callout doc-callout-info">
  <strong>📝 Future Feature:</strong><br>
  Email address configuration for users is planned for a future update. The database field exists but is not yet available in the user interface.
</div>

<h3>Editing User Roles</h3>

<ol>
  <li>Navigate to <strong>Settings</strong> → <strong>User Management</strong></li>
  <li>Find the user you want to edit in the list</li>
  <li>Check or uncheck the role checkboxes to modify their assigned roles</li>
  <li>The <strong>Current:</strong> line below the checkboxes shows the currently assigned roles</li>
  <li>Click the <strong>Save</strong> button to apply the changes</li>
</ol>

<div class="doc-callout doc-callout-warning">
  <strong>⚠️ Important:</strong><br>
  Role changes take effect immediately. If you remove a user's current active role, they will be switched to their first remaining role automatically.
</div>

<h3>Resetting User Passwords</h3>

<ol>
  <li>Navigate to <strong>Settings</strong> → <strong>User Management</strong></li>
  <li>Find the user whose password you want to reset</li>
  <li>Click the <strong>New password</strong> button</li>
  <li>Enter the new password in the dialog</li>
  <li>Confirm the password change</li>
</ol>

<p>The user can immediately log in with their new password.</p>

<h3>Deleting Users</h3>

<p>Administrators can delete user accounts via Settings → User Management.</p>

<div class="doc-callout doc-callout-warning">
  <strong>⚠️ Admin Account Protection:</strong><br>
  If there is only one admin user in the system, that account is protected and cannot be deleted. BackupChecks requires at least one admin user at all times to prevent being locked out of system administration.
</div>

<h2>Role Switching</h2>

<p>Users with multiple roles can switch between them using the role selector in the navigation bar (top-right corner, next to the username).</p>

<h3>How to Switch Roles</h3>

<ol>
  <li>Locate the role dropdown in the top-right corner of the navigation bar</li>
  <li>Click the dropdown to see your assigned roles</li>
  <li>Select the role you want to activate</li>
  <li>You will be automatically redirected to the <strong>Dashboard</strong> page</li>
  <li>The navigation menu, available features, and permissions update to match your active role</li>
</ol>

<div class="doc-callout doc-callout-info">
  <strong>💡 Why Dashboard Redirect?</strong><br>
  When switching roles, you are automatically redirected to the Dashboard to prevent permission errors. This ensures you don't remain on a page you no longer have access to with your new role, which would require you to manually navigate away or refresh the page.
</div>

<h2>Best Practices</h2>

<ul>
  <li><strong>Principle of Least Privilege:</strong> Assign users the minimum role required for their responsibilities</li>
  <li><strong>Limit Admin Access:</strong> Only assign admin role to personnel responsible for system configuration</li>
  <li><strong>Use Multiple Roles Sparingly:</strong> While flexible, multiple roles can be confusing. Assign them only when necessary</li>
  <li><strong>Regular Audits:</strong> Periodically review user roles and remove access for inactive users</li>
  <li><strong>Document Role Assignments:</strong> Keep an external record of why users have specific roles</li>
</ul>

<h2>Common Role Assignment Scenarios</h2>

<table>
  <thead>
    <tr>
      <th>User Type</th>
      <th>Recommended Role(s)</th>
      <th>Rationale</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>System Administrator</td>
      <td>admin</td>
      <td>Needs full access to configure and maintain the system</td>
    </tr>
    <tr>
      <td>Backup Team Lead</td>
      <td>operator</td>
      <td>Reviews backups daily, manages customers and jobs</td>
    </tr>
    <tr>
      <td>Junior Backup Technician</td>
      <td>operator or viewer</td>
      <td>Assists with reviews or monitors status (depending on trust level)</td>
    </tr>
    <tr>
      <td>Management/Stakeholder</td>
      <td>reporter</td>
      <td>Needs reports and metrics, not operational access</td>
    </tr>
    <tr>
      <td>Auditor/Compliance</td>
      <td>viewer</td>
      <td>Needs to verify backup status without making changes</td>
    </tr>
    <tr>
      <td>Power User</td>
      <td>admin, operator</td>
      <td>Needs both operational access and occasional system configuration (use sparingly)</td>
    </tr>
  </tbody>
</table>

<h2>Next Steps</h2>

<ul>
  <li><a href="{{ url_for('documentation.page', section='users', page='login-authentication') }}">Login & Authentication</a> - Learn how to log in and manage your session</li>
  <li><a href="{{ url_for('documentation.page', section='users', page='profile-settings') }}">Profile Settings</a> - Customize your profile and preferences</li>
  <li><a href="{{ url_for('documentation.page', section='settings', page='user-management') }}">User Management Settings</a> - Admin guide to creating and managing users</li>
</ul>

{% endblock %}