Admin Password Reset
Reset user passwords, revoke active sessions, and understand security considerations for password management.
Admin Password Reset
Administrators can reset passwords for any user in their tenant. This is a sensitive operation that requires proper authorization and triggers security measures to protect the user's account.
Permission Required
Only users with the admin:manage_users permission can perform admin-initiated password resets. This is typically limited to:
- System Administrators
- Branch Managers (for their branch's users only)
- Regional Managers (for their region's users only)
Admin password resets should only be performed when the user cannot self-service reset (e.g., locked out, email inaccessible, or security incident). Always verify the user's identity before resetting.
Reset Flow
Step-by-Step: Admin Password Reset
Open the user record — Navigate to Admin → Users and find the user.
Click "Reset Password" — The password reset dialog opens.
Verify identity — Confirm the user's identity (verbally, via ID, or through internal verification process).
Choose delivery method — Select how to deliver the temporary password:
- Display on screen (one-time view)
- Send via email to the user's registered email
- Send via SMS to the user's registered phone
Confirm the reset — The system generates a temporary password and delivers it.
All active sessions are revoked — The user is logged out from all devices immediately.
User must change password on next login — The temporary password is valid for one login only.
What Happens During a Password Reset
| Action | Timing | Description |
|---|---|---|
| Temporary password generated | Immediate | A cryptographically random password is created |
| Old password invalidated | Immediate | The user can no longer log in with the old password |
| All sessions revoked | Immediate | The user is logged out from all active sessions (web, mobile, API) |
| Temporary password expires | 24 hours | If not used within 24 hours, it expires and a new reset is needed |
| Password change enforced | On next login | The user must set a new permanent password |
Session Revocation
When a password is reset, all active sessions for that user are automatically revoked. This prevents unauthorized access even if the old password was compromised.
What Session Revocation Does
| Device/Session | Effect |
|---|---|
| Web browser sessions | User is logged out; next page load redirects to login |
| Mobile app sessions | Token is rejected; app prompts for re-login |
| API sessions | Bearer token is rejected; API calls return 401 |
| Remember-me tokens | Invalidated; user must re-authenticate |
Manual Session Revocation
Admins can also manually revoke sessions without resetting the password:
Open the user detail page — Navigate to the user record.
Click the "Sessions" tab — View all active sessions.
Review session details — Each session shows device type, IP address, browser, last activity, and created time.
Revoke specific sessions or all sessions — Click the revoke button for individual sessions, or "Revoke All" for a complete logout.
Security Considerations
| Consideration | Detail |
|---|---|
| Verify identity first | Always verify the user's identity before resetting their password. A phone call, in-person request, or verified email request is acceptable. |
| Use secure delivery | If emailing the temporary password, ensure the email is sent to the registered address. Never send passwords via unencrypted channels. |
| Audit logging | Every password reset is logged with the admin's user ID, timestamp, IP address, and the affected user. This audit trail is immutable. |
| Notification to user | The user receives an email notification that their password was reset by an administrator. This alerts them if the reset was not authorized. |
| Temporary password policy | Temporary passwords must meet the tenant's password policy. They are single-use and expire after 24 hours. |
| Brute force protection | After 5 failed login attempts with the temporary password, the account is locked for 15 minutes. |
| Password history | The system prevents reuse of the last 5 passwords. Users cannot set a password they have used recently. |
If you suspect an account has been compromised, perform a password reset immediately and revoke all sessions. Then review the user's activity log for any unauthorized actions.
Self-Service Password Reset
Users can also reset their own password without admin intervention, provided they have access to their registered email.
Self-Service Flow
| Step | Action |
|---|---|
| 1 | User clicks "Forgot Password" on the login screen |
| 2 | User enters their email address |
| 3 | System sends a password reset link to the registered email |
| 4 | User clicks the link (valid for 1 hour) |
| 5 | User sets a new password meeting the policy requirements |
| 6 | Old password is invalidated; user can log in with the new password |
Self-Service vs. Admin Reset
| Feature | Self-Service | Admin Reset |
|---|---|---|
| Requires email access | Yes | No (admin can display or SMS) |
| Requires admin permission | No | Yes (admin:manage_users) |
| Session revocation | Only the requesting session | All sessions |
| Audit trail | Logged as self-reset | Logged as admin reset with admin ID |
| Temporary password | No (user sets their own) | Yes (single-use, expires in 24h) |
Common Scenarios
| Scenario | Recommended Action |
|---|---|
| User forgot password | Direct user to self-service reset |
| User locked out (too many failed attempts) | Admin reset after identity verification |
| User's email is inaccessible | Admin reset with on-screen temporary password |
| Suspected account compromise | Admin reset + revoke all sessions + review activity log |
| Employee termination | Deactivate account (preferred) or reset password + revoke sessions |
| Shared account detected | Reset password, enforce individual accounts, revoke all sessions |
Required Permissions
| Action | Permission |
|---|---|
| Reset user password | admin:manage_users |
| View user sessions | admin:manage_users |
| Revoke user sessions | admin:manage_users |
| Configure password policy | admin:manage_tenants |
Related Pages
- User Management — Full user management guide
- Roles & Permissions — Permission system
- Tenants & Branches — Tenant-level password policy configuration
Workflow Configuration
Configure workflow definitions, versions, stages, transitions, assignment rules, approval rules, SLA rules, and notification rules.
Reports & Dashboards
Access 9 report families, monitor dashboard KPIs, apply filters, and export reports across executive, operations, fleet, finance, and more.