Skip to main content

Overview

Knowlix user management controls who can access the system and what actions they can perform. Administrators add and configure users, assign access rights per module, manage passwords, and set up multi-company access. Three user types serve different purposes: internal users, portal users, and public visitors.

Adding Users

Navigate to Settings > Users section > Manage Users and click New. Fill in the user’s details including name and email address. In the Access Rights tab, configure permissions for each installed module. Save the record. An invitation email is sent automatically to the address provided. The user must click the link in that email to accept the invitation and create their login credentials.

User Types

Internal Users - Staff members with direct system access. Access levels are configured per module based on their role. Portal Users - External contacts such as customers or vendors with view-only access to relevant documents (quotes, invoices, project tasks, tickets, etc.). Portal users cannot edit records in the system. Public Users - Unauthenticated website visitors who interact with public-facing content only.
Note: Portal user access rights are pre-configured and cannot be customized by administrators.

User Devices

Each time a user logs in, the session is recorded including the IP address and device identifier. Reviewing this list periodically helps identify unauthorized access. To review login devices:
  1. Click the user icon in the top-right corner.
  2. Select My Profile.
  3. Go to the Devices tab.
Each device card displays:
  • User name
  • Device name
  • Last IP address and linked IP address
  • First and last activity timestamps
Active sessions show a green indicator on the device card. Removing a device: Click the card and select Delete to remove a legitimate but unused device without revoking access. Revoking access: Click Revoke on any suspicious device. Enter your password to confirm. The device is removed and can no longer authenticate with your Knowlix workspace.

Deactivating Users

Navigate to Settings > Users > Manage Users. Select the checkbox next to users to deactivate. Click the Actions menu and select Archive. Confirm the action.
Warning: Never deactivate the primary administrator account. Removing admin access can result in a locked state where no user in the system can modify access rights. If this happens, contact your Knowlix administrator immediately.

Password Management

Minimum Password Length

Go to Settings > Permissions section and set the Minimum Password Length field. The default is 8 characters.

Enabling Self-Service Password Reset

Navigate to Settings > Permissions and activate Password Reset. When enabled, users see a Reset Password link on the login page and can request a reset token by email.

Sending Reset Instructions

Go to Settings > Users & Companies > Users, open the user record, and click Send Password Reset Instructions. The system sends an email with reset instructions and a secure link.
Note: This button only appears after the user has confirmed their invitation email. Before that, a Re-send Invitation Email button appears instead.

Changing a User’s Password Directly

From the user record, click the Actions icon and select Change Password. Enter the new password in the dialog and confirm. The change takes effect immediately.

Multi-Company Access

A user can be granted access to multiple companies in the Access Rights tab of their user form. Allowed Companies - List of companies the user can access and operate within. Default Company - The company loaded automatically when the user logs in. Only one company can be set as default.
Important: Multi-company access configurations should only be changed by experienced administrators. Incorrect settings can cause inconsistent data visibility across entities.

Access Rights and Groups

Per-User Access Levels

For each installed module, set the user’s access tier. Common levels include:
  • No access (blank)
  • User: Own Documents
  • User: All Documents
  • Administrator
The Administration field in the Access Rights tab controls whether the user can access Settings (Settings) or modify other users’ access rights (Access Rights).

Creating and Modifying Groups

Access groups define shared permission sets that apply to multiple users at once. To manage groups, enable developer mode and navigate to Settings > Users & Companies > Groups. Each group form contains: Users tab - Lists current group members. Administrators appear in black, standard users in blue. Inherited tab - Groups whose permissions are automatically granted to members of this group. For example, a Sales Administrator group might inherit the Website Editor group, giving sales admins website editing rights automatically. Menus tab - Controls which navigation menu items this group can access. Views tab - Lists which interface views this group can see. Access Rights tab - Defines model-level permissions. For each data model, configure:
  • Read - users can view existing records
  • Write - users can edit existing records
  • Create - users can add new records
  • Delete - users can remove records
Record Rules tab - Adds a second layer of filtering that refines the group’s access based on record conditions. Record rules use domain expressions to filter which records the group can interact with.
Caution: Record rules require knowledge of domain expressions. Consult a technical specialist before creating or modifying record rules in a production environment.

Superuser Mode

Superuser mode bypasses all record rules and access rights. To activate it, enable developer mode and click the debug icon in the top navigation, then select Become Superuser. Only users with Administration > Access Rights permissions can activate superuser mode. Exercise extreme caution, as changes made in this mode can inadvertently lock other administrators out of the system. To exit superuser mode, log out from the top-right user menu.

Portal Access

Granting Portal Access

Open the Contacts module, find the contact, and click the Actions dropdown. Select Grant portal access. In the dialog:
  1. Verify or enter the contact’s email address (used as login).
  2. Check the In Portal checkbox.
  3. Optionally add a personal message to the invitation email.
  4. Click Apply.
The contact receives an email invitation with their portal login link. Bulk portal access: Open a company contact, click Actions > Grant portal access, and the dialog shows all related contacts. Enable the portal checkbox for each person and apply at once. Revoking portal access: Follow the same steps and uncheck the In Portal checkbox.

Changing a Portal Username

Navigate to Settings > Users, filter by Portal Users, open the user record, and edit the Email Address field. The email address serves as the portal login.
Note: Changing the email here only changes the login username, not the contact’s email in the Contacts module.

Portal User Self-Service

Portal users can update their own information after logging in to the portal:
  • Contact info - Edit name, phone, and address from the Details section.
  • Password - Change password by entering the current password and a new one in Account Security settings.
  • Two-factor authentication - Enable 2FA from Account Security settings using any authenticator app.
  • Payment methods - Add or manage stored payment cards under payment settings.

Two-Factor Authentication

Two-factor authentication (2FA) adds a second verification step at login, requiring both a password and a time-based code from an authenticator app. This prevents unauthorized access even if a password is compromised. Compatible authenticator apps: Google Authenticator, Microsoft Authenticator, Authy, 1Password, Bitwarden, and most TOTP-compatible apps.

Setting Up 2FA for Your Account

  1. Click your profile icon in the top-right and select My Profile.
  2. Go to the Account Security tab.
  3. Toggle Two-Factor Authentication to active.
  4. Enter your password to confirm.
  5. Scan the QR code with your authenticator app (or manually enter the secret if on the same device).
  6. Enter the 6-digit code displayed in the app.
  7. Click Activate.
Log out and back in to confirm 2FA is working.

Enforcing 2FA System-Wide

Install the 2FA by mail module from the Knowlix module catalog. After installation, go to Settings > Permissions and enable Enforce two-factor authentication. Choose whether to apply the requirement to Employees only or All users (including portal users).
Note: If a user loses access to their authenticator, an administrator must deactivate their 2FA from the user record before they can log in again.

OAuth Single Sign-On

Knowlix supports OAuth-based single sign-on using external identity providers, allowing users to log in with corporate credentials instead of a separate Knowlix password. Supported providers:
  • Microsoft Azure (Azure Active Directory / Microsoft Entra ID)
  • Google Workspace
  • Facebook (for portal access)
  • LDAP directory services

Microsoft Azure SSO Setup

  1. In Knowlix, activate developer mode and go to Settings > Technical > System Parameters.
  2. Create a parameter with key auth_oauth.authorization_header and value 1.
  3. In the Azure portal, register a new application under App registrations.
  4. Set the redirect URI to https://<your-knowlix-domain>/auth_oauth/signin.
  5. Configure the app to issue access tokens and ID tokens.
  6. Copy the Application (client) ID and OAuth 2.0 authorization endpoint (v2) URL.
  7. In Knowlix, go to Settings > Integrations > OAuth Authentication and enable it.
  8. Click OAuth Providers and create a new provider named “Azure”.
  9. Fill in the Client ID, Authorization URL, and UserInfo URL.
  10. Set scope to openid profile email and enable the provider.
New users must use the password reset flow to link their Azure account on first login.

Google Workspace SSO Setup

  1. In the Google API Console, create a project and enable the Google OAuth2 API.
  2. Configure the OAuth consent screen with your organization details.
  3. Create OAuth credentials for a web application, adding your Knowlix domain with /auth_oauth/signin as the authorized redirect URI.
  4. Copy the Client ID.
  5. In Knowlix, go to Settings > Integrations, enable OAuth Authentication, then enable Google Authentication and paste the Client ID.
Users can click Log in with Google on the login page to authenticate.

LDAP Authentication

For directory-based authentication:
  1. Go to Settings > Integrations and enable LDAP Authentication.
  2. Click LDAP Server and add a new configuration.
  3. Enter the LDAP server IP, port, TLS settings, and bind credentials.
  4. Set the base DN and filter (typically uid=%s).
  5. Configure user creation settings for first-time LDAP logins.

Language Settings

Adding Languages

Go to Settings > Languages section and click Add Languages. Select languages from the dropdown. Installed languages are available for all users and also enable website translation.

Changing Your Language

Click the profile icon in the top-right corner, open My Profile, and select a language from the Language dropdown.

Changing Another User’s Language

  1. Go to Settings > Manage Users.
  2. Open the user record.
  3. Go to the Preferences tab and select a language.
Outgoing emails and documents for this user will use the selected language.

Best Practices

Review user device logs regularly to detect unauthorized access. Always deactivate departed employees promptly rather than deleting users, as deletion may affect historical records. Use group-based permissions rather than individual user permissions for easier maintenance. Enable 2FA for administrator accounts at minimum. Test access right changes in a staging environment before applying to production. Your Knowlix: “List all users with administrator access” or “Show me users who haven’t logged in for 30 days” or “Create a new portal user for this contact” or “Which users have access to the Finance module?”