Creating users

Status: Draft
Audience: Administrator / Support

This page explains how an administrator creates or approves DNA-Nexus user accounts.

Choose the correct user creation flow

DNA-Nexus can create users in different ways depending on which authentication method is enabled. These flows are intentionally separate because the administrator steps are different for each login mode.

Create or receive a user registration

The user account may be created by an administrator or requested by the user from the login page.

  • Review user details

    Check the username, display name, role and intended storage quota.

  • Approve the user

    Approve the user when the account is ready to access the server.

    Screenshot placeholder: Admin approval view.

  • Tell the user to sign in

    After approval, the user can sign in and start using DNA-Nexus apps.

    Flow 1: Adding users with QR / DNA Connect

    When QR / DNA Connect authentication is enabled, new users are created from the login page. The user scans the QR code with the DNA Connect mobile app, completes the login flow, and then waits for administrator approval.

    In this mode, the administrator does not create the first account record manually. The server receives the user identity from the QR login flow and places the account into a pending state.

    1. User scans the QR code

    The user opens the login page and scans the displayed QR code with DNA Connect. After the scan succeeds, the browser shows a message telling the user to wait for administrator approval.

    Screenshot: After the QR login, the user waits until an administrator approves the account.

    Note: The user identity now exists on the server, but the user cannot continue into the workspace until an administrator enables the account.

    2. Administrator approves the user

    When a new pending user is waiting, the administrator sees a notification in the sidebar. Open the Approvals section to review the pending account.

    Click Enable to activate the account. After this, the user disappears from the approvals page and becomes available on the User profiles page.

    Screenshot: Click Enable to approve the pending user.

    3. Complete the user profile

    After approval, open the user on the User profiles page. The administrator can edit the user’s display name, email address, role, notes and avatar.

    Screenshot: Enabled users are managed from the normal user profiles page.

    4. Allocate storage

    The most important follow-up task is usually storage allocation. A user may be enabled, but still needs a storage quota before normal uploads are possible.

    Click Allocate on the user profile. The allocation dialog lets the administrator choose a storage pool and assign a quota in gigabytes.

    Screenshot: Use the storage allocation dialog to select a pool and assign a quota for the user.

    The dialog shows both the requested quota and current pool capacity information. This helps the administrator avoid assigning more storage than the pool should safely reserve.

    • User currently uses shows the user’s current storage usage.
    • Current quota shows the existing quota, if one has already been assigned.
    • Pool total size shows the total size of the selected storage pool.
    • Pool free space shows the current free filesystem space.
    • Reserved for others shows quota already assigned to other users.
    • Remaining reservable shows how much quota can still be assigned safely.
    • Requested quota shows the quota currently being assigned.

    Important: Set a positive quota if the user should be allowed to upload files. Enabling the account and allocating storage are separate administrator actions.

    Flow 2: Adding users with OPAQUE / zero-knowledge password

    When OPAQUE authentication is enabled, administrators create new users from the Approvals section. OPAQUE is a zero-knowledge password authentication flow: the user password is processed in the user’s browser and is not sent to the server as a traditional login secret.

    1. Administrator creates the OPAQUE setup link

    Open Admin → Approvals. In the Create OPAQUE user panel, enter the user’s name and login/email address. These two fields are required. The administrator may also choose the user role and an optional storage quota, but storage allocation is not required at this stage.

    Screenshot: In OPAQUE mode, administrators create a setup link from the Approvals page.

    Click Create user and setup link. DNA-Nexus creates a single-use setup link and shows it in a confirmation card. The administrator can click Copy link to copy the setup URL.

    Important: The setup link is shown in this form only once. Copy it before closing the card, then deliver it to the future user through an appropriate communication channel.

    At this point, the actual user identity has not been fully created yet. The pending setup entry is waiting for the user to open the link and set their password.

    2. User opens the setup link and sets a password

    The user opens the setup link and enters a new password. The OPAQUE registration happens between the browser and the server without sending the plaintext password to the server.

    During this setup step, DNA-Nexus creates the user’s fingerprint and 24 recovery words. The recovery words are shown to the user only once.

    Screenshot: The user must copy the 24 recovery words before closing the setup page.

    Important: The recovery words must be stored safely before the page is closed. They are not shown to the administrator, and they cannot be displayed again from the admin UI.

    3. User appears in User profiles

    After the setup flow is completed, the user appears on the User profiles page. From there, administrators can manage the user in the same way as users created through the QR / DNA Connect flow.

    Typical follow-up tasks include editing the display name or notes, changing the role, checking the account status and allocating storage. If the user needs file uploads, make sure a positive storage quota is assigned.

    4. Password reset and OPAQUE user actions

    If an OPAQUE user forgets their password, go back to the Approvals page. The list may look empty by default because completed users are hidden from the action-focused view. Use the filter field to search by name, email address or another known value.

    When the user is found, the administrator may see several OPAQUE-specific actions:

    • Create reset link creates a new single-use reset link. The user opens the link and sets a new OPAQUE password.
    • Force reset disables the current OPAQUE credential immediately and creates a new reset link. The user cannot sign in again until the reset link has been completed.
    • Revoke / cancel changes the user to a revoked state. Use this when the user should no longer be allowed to sign in, but you want to keep an administrative record of the account.
    • Delete removes the user entry completely. This should normally be reserved for cleanup of test data or entries that were created by mistake.

    If a user is still pending and has not completed the setup link yet, the user does not have a fingerprint or a full identity. In that case the Approvals page can show a Cancel setup link action. This invalidates the single-use setup link and removes the pending row from the onboarding list.
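
The link lifecycle described in this flow (single-use setup link, Cancel setup link, Create reset link, Force reset), modelled as an added example; this is not DNA-Nexus code. The class and method names, the example URL and logins, keeping only a SHA-256 digest of the token on the server, and allowing one outstanding link per login are assumptions.

```python
import hashlib
import secrets


class SetupLinks:
    """In-memory model of single-use setup/reset links (hypothetical, not DNA-Nexus code)."""

    def __init__(self, base_url="https://nexus.example/setup/"):  # constructed URL
        self.base_url = base_url
        self.pending = {}            # SHA-256(token) -> login; the raw token is never stored
        self.credential_active = {}  # login -> True while a password credential is usable

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create_link(self, login, force=False):
        """Return the link once. force=True models "Force reset"."""
        self.cancel_link(login)  # assumption: at most one outstanding link per login
        token = secrets.token_urlsafe(32)
        self.pending[self._digest(token)] = login
        if force:
            self.credential_active[login] = False  # old credential stops working immediately
        return self.base_url + token

    def cancel_link(self, login):
        """Model of "Cancel setup link": the outstanding link can no longer be redeemed."""
        stale = [d for d, owner in self.pending.items() if owner == login]
        for d in stale:
            del self.pending[d]
        return bool(stale)

    def redeem(self, url):
        """User opens the link and sets a password. Returns the login, or None if invalid."""
        if not url.startswith(self.base_url):
            return None
        login = self.pending.pop(self._digest(url[len(self.base_url):]), None)
        if login is not None:  # pop() consumed the entry, so a second visit fails
            self.credential_active[login] = True
        return login

    def can_sign_in(self, login):
        return self.credential_active.get(login, False)


if __name__ == "__main__":
    links = SetupLinks()
    url = links.create_link("alice@example.org")  # constructed login
    print(links.redeem(url), links.redeem(url))   # second redemption returns None
```

Because only the digest is kept, the model cannot show the link again after creation, which matches the copy-it-now behaviour of the confirmation card.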

    Flow 3: Adding users with password authentication

    When the traditional username/password login method is installed, new users are created from Admin → Settings. Open the card Security • Create password user.

    Screenshot: Admin Settings → Security • Create password user.

    Fill in the new user's name and login / email. Then choose:

    Note about status: If your build also shows a waiting/pending-style status, treat it as an optional transitional state until its behavior is confirmed. In most cases, use either disabled or enabled.

    When the administrator clicks Create setup link, DNA-Nexus creates a one-time setup link. The administrator copies that link and sends it securely to the new user.

    The new user opens the setup link and completes the account by choosing a password.

    Screenshot: The invited user completes the account by setting their own password.

    After successful password setup, DNA-Nexus shows the user’s generated fingerprint and the 24 recovery words.

    Screenshot: The user sees the generated fingerprint and the 24 recovery words.

    Important: The 24 recovery words are shown only once and are not stored by the server. The user must copy and store them safely before leaving the page. Anyone with these words can recover that DNA identity.

    After setup, the account appears in the normal user management views. If the account was created in a disabled state, the user still needs administrator approval or enabling before sign-in is allowed.