User Management
Organization admins manage users within their own org. Superadmins can manage users across all organizations.
User roles
| Capability | user | admin | superadmin |
|---|---|---|---|
| Use agents and chat | Yes | Yes | Yes |
| Manage own profile and API keys | Yes | Yes | Yes |
| Create/update users in own org | — | Yes | Yes |
| Manage groups in own org | — | Yes | Yes |
| Configure agent and data RBAC for own org | — | Yes | Yes |
| Configure SSO for own org | — | Yes | Yes |
| View audit logs for own org | — | Yes | Yes |
| Create users in any org | — | — | Yes |
| Manage platform-level settings | — | — | Yes |
| View system-wide statistics | — | — | Yes |
Creating users
- Org admins create users within their own organization
- Superadmins can create users in any organization
- When the organization has SSO configured with
require_sso=true, the password field is ignored — users authenticate exclusively through the identity provider - Email must be unique across the entire system
- A personal organization is auto-created for each new user if they aren't assigned to one
Updating roles and status
Admins can change a user's role and active status with these guardrails:
| Action | Org admin | Superadmin |
|---|---|---|
| Change user → admin | Yes (own org) | Yes (any org) |
| Change admin → user | Yes (own org) | Yes (any org) |
| Promote to superadmin | — | Yes |
| Change org assignment | — | Yes |
| Demote self | Blocked | Blocked |
| Deactivate user | Yes (own org) | Yes (any org) |
Deactivating a user (is_active=false) immediately prevents login but preserves their data. Reactivation restores full access.
Password reset
Admins can force a password reset for users they manage. This generates a reset token and revokes all existing sessions (refresh tokens and token families).
- Superadmins can reset any user's password
- Org admins can reset non-admin users in their own org
- Password reset is blocked when the organization's SSO config has
require_sso=true— SSO-only users don't have passwords
Account unlocking
After too many failed login attempts, Thallus temporarily locks the account. The lockout is temporary, but admins can unlock it immediately:
The lock auto-expires after the lockout period. An ACCOUNT_LOCKED audit event is logged when the lockout triggers, and ACCOUNT_UNLOCKED when an admin clears it.
Session timeout policy
Admins can enforce automatic session logout after a period of user inactivity. The timeout uses a ceiling model with three levels — each level sets an upper limit that lower levels cannot exceed or disable.
| Level | Who configures | Effect |
|---|---|---|
| Platform | Superadmin | Sets the maximum timeout for all organizations and users. When enabled, no org can disable the timeout. |
| Organization | Admin or superadmin | Sets a maximum for all users in the org. Cannot exceed the platform ceiling if one is set. |
| User | Individual user | Can enable or shorten their own timeout. Cannot exceed the org/platform ceiling or disable when enforced. |
Configuring platform timeout
Superadmins see a Platform Session Timeout section on the General tab in Settings. Enabling it with a value (e.g., 15 minutes) means:
- Every organization must have a timeout ≤ 15 minutes (or inherit the platform value)
- Every user sees the timeout checkbox as checked and disabled
- Users can still set a shorter timeout (e.g., 10 minutes) but cannot disable it
Configuring organization timeout
Admins see an Organization Session Timeout section on the General tab in Settings. If a platform ceiling is in effect, the section shows the maximum allowed value and the checkbox is locked to "enabled."
The org timeout only affects users within that organization. If the org sets 10 minutes and the platform allows 15, users in that org see a 10-minute ceiling.
How enforcement works
When a user's session exceeds the inactivity timeout:
- The browser detects inactivity and redirects to the login page
- The server independently rejects the next token refresh — even if the client-side check is bypassed, the session cannot be renewed
Activity is tracked via user interactions (mouse movement, keyboard input, clicks, scrolling).
Organization structure
Every user belongs to exactly one organization. The organization model:
| Field | Description |
|---|---|
| name | Display name (e.g., "Acme Corp") |
| slug | URL-safe identifier (e.g., "acme-corp"), unique |
| domains | Associated email domains (e.g., ["acme.com"]) |
| is_personal | Auto-created personal orgs for individual users |
| is_active | Deactivated orgs block all member access |
Personal organizations are auto-created when a user registers without an org assignment. These are single-user orgs that can later be migrated to a team org.
Statistics
Superadmins see system-wide stats: - Total users, organizations, active sessions - Top users by audit log activity
Org admins see org-scoped stats: - Users in their org by role and status - Group membership counts
Related pages
- Group Management — Manage groups within organizations
- SSO Configuration — Set up identity provider integration
- Security Settings — User-facing password, session, and inactivity timeout settings
- Audit Logs — Track user management actions