PaulRentACar Docs
Administration

Admin Password Reset

Reset user passwords, revoke active sessions, and understand security considerations for password management.

Admin Password Reset

Administrators can reset passwords for any user in their tenant. This is a sensitive operation that requires proper authorization and triggers security measures to protect the user's account.


Permission Required

Only users with the admin:manage_users permission can perform admin-initiated password resets. This is typically limited to:

  • System Administrators
  • Branch Managers (for their branch's users only)
  • Regional Managers (for their region's users only)

Admin password resets should only be performed when the user cannot self-service reset (e.g., locked out, email inaccessible, or security incident). Always verify the user's identity before resetting.


Reset Flow

Step-by-Step: Admin Password Reset

Open the user record — Navigate to Admin → Users and find the user.

Click "Reset Password" — The password reset dialog opens.

Verify identity — Confirm the user's identity (verbally, via ID, or through internal verification process).

Choose delivery method — Select how to deliver the temporary password:

  • Display on screen (one-time view)
  • Send via email to the user's registered email
  • Send via SMS to the user's registered phone

Confirm the reset — The system generates a temporary password and delivers it.

All active sessions are revoked — The user is logged out from all devices immediately.

User must change password on next login — The temporary password is valid for one login only.

What Happens During a Password Reset

ActionTimingDescription
Temporary password generatedImmediateA cryptographically random password is created
Old password invalidatedImmediateThe user can no longer log in with the old password
All sessions revokedImmediateThe user is logged out from all active sessions (web, mobile, API)
Temporary password expires24 hoursIf not used within 24 hours, it expires and a new reset is needed
Password change enforcedOn next loginThe user must set a new permanent password

Session Revocation

When a password is reset, all active sessions for that user are automatically revoked. This prevents unauthorized access even if the old password was compromised.

What Session Revocation Does

Device/SessionEffect
Web browser sessionsUser is logged out; next page load redirects to login
Mobile app sessionsToken is rejected; app prompts for re-login
API sessionsBearer token is rejected; API calls return 401
Remember-me tokensInvalidated; user must re-authenticate

Manual Session Revocation

Admins can also manually revoke sessions without resetting the password:

Open the user detail page — Navigate to the user record.

Click the "Sessions" tab — View all active sessions.

Review session details — Each session shows device type, IP address, browser, last activity, and created time.

Revoke specific sessions or all sessions — Click the revoke button for individual sessions, or "Revoke All" for a complete logout.


Security Considerations

ConsiderationDetail
Verify identity firstAlways verify the user's identity before resetting their password. A phone call, in-person request, or verified email request is acceptable.
Use secure deliveryIf emailing the temporary password, ensure the email is sent to the registered address. Never send passwords via unencrypted channels.
Audit loggingEvery password reset is logged with the admin's user ID, timestamp, IP address, and the affected user. This audit trail is immutable.
Notification to userThe user receives an email notification that their password was reset by an administrator. This alerts them if the reset was not authorized.
Temporary password policyTemporary passwords must meet the tenant's password policy. They are single-use and expire after 24 hours.
Brute force protectionAfter 5 failed login attempts with the temporary password, the account is locked for 15 minutes.
Password historyThe system prevents reuse of the last 5 passwords. Users cannot set a password they have used recently.

If you suspect an account has been compromised, perform a password reset immediately and revoke all sessions. Then review the user's activity log for any unauthorized actions.


Self-Service Password Reset

Users can also reset their own password without admin intervention, provided they have access to their registered email.

Self-Service Flow

StepAction
1User clicks "Forgot Password" on the login screen
2User enters their email address
3System sends a password reset link to the registered email
4User clicks the link (valid for 1 hour)
5User sets a new password meeting the policy requirements
6Old password is invalidated; user can log in with the new password

Self-Service vs. Admin Reset

FeatureSelf-ServiceAdmin Reset
Requires email accessYesNo (admin can display or SMS)
Requires admin permissionNoYes (admin:manage_users)
Session revocationOnly the requesting sessionAll sessions
Audit trailLogged as self-resetLogged as admin reset with admin ID
Temporary passwordNo (user sets their own)Yes (single-use, expires in 24h)

Common Scenarios

ScenarioRecommended Action
User forgot passwordDirect user to self-service reset
User locked out (too many failed attempts)Admin reset after identity verification
User's email is inaccessibleAdmin reset with on-screen temporary password
Suspected account compromiseAdmin reset + revoke all sessions + review activity log
Employee terminationDeactivate account (preferred) or reset password + revoke sessions
Shared account detectedReset password, enforce individual accounts, revoke all sessions

Required Permissions

ActionPermission
Reset user passwordadmin:manage_users
View user sessionsadmin:manage_users
Revoke user sessionsadmin:manage_users
Configure password policyadmin:manage_tenants

On this page