User Management
Invite users, manage their access, and handle the lifecycle of employees as they join, change roles, or leave.
Overview
FSManager has two related records for each person in your business:
- Employee — the HR record. Everyone you employ has one (or has had one in the past). Employees can sign in and out at the time-recording kiosk using a PIN.
- ApplicationUser — the system login. Only employees who need to use FSManager from a browser have one. ApplicationUser is linked back to Employee 1-to-1.
This split means:
- A factory hand who only clocks in and out at the kiosk needs an Employee record but not a system login.
- An estimator who works in FSManager all day needs both — an Employee record and an ApplicationUser linked to it.
- Someone like an external bookkeeper might have a login but no Employee record (rare, but supported).
Key features
The invitation flow
You don’t create a password for a new user — they set their own. The workflow:
- Admin creates the user with their email address.
- The system generates a one-time set-password link and emails it to the user.
- The user clicks the link, sets a password, and logs in for the first time.
If the link expires before the user uses it, Resend Invitation generates a fresh one.
Employee → ApplicationUser linking
When you give an existing Employee a system login, FSManager links the new ApplicationUser to the Employee record. After that:
- Time-recording sign-ins (kiosk PIN) attach to the Employee.
- Browser actions (creating a quote, approving a job) attach to the ApplicationUser.
- Reports that need both sides (e.g. “who created this opportunity?”) follow the link.
If an employee leaves and rejoins later under a new email, create a new ApplicationUser rather than re-using the old one; this keeps the audit trail clean.
Deactivation
When someone leaves the business:
- Open their Employee record.
- Tick Is Finished and set an End Date.
- The linked ApplicationUser is automatically deactivated (IsActive = false) — they can no longer log in.
- Their historical data stays — quotes they wrote, jobs they ran, time they recorded.
To reactivate, untick Is Finished.
PINs for the kiosk
Each Employee has a PIN used at the time-recording kiosk. PINs are:
- Hashed and not displayed — even admins can’t see the current PIN, only reset it.
- Defaulted on creation — typically to the current year, so the employee can sign in once and is prompted to change it immediately.
- Reset via a Set PIN action on the Employee record.
PIN reset doesn’t require the employee to be present — useful when someone forgets theirs.
Password reset for ApplicationUsers
Two paths:
- Self-service — the user clicks Forgot your password? on the login page. The system emails them a reset link.
- Admin-initiated — open the ApplicationUser and click Send Password Reset. Same email, same flow, but you trigger it.
Lockout
After a number of failed login attempts, accounts auto-lock temporarily. Admins can clear lockout state from the ApplicationUser record if needed.
How to: add a new user
For someone who’ll use FSManager in the browser:
- Make sure they have an Employee record (under Employees in the main menu). If not, create one with their name, department, position, and email.
- Open the Employee record.
- Click Create Login.
- The popup pre-fills the User Name from the employee email. Pick a Role (see Roles & Permissions for what each role allows).
- Confirm. The system creates an ApplicationUser, links it to the Employee, and emails the invitation.
- The new user clicks the link, sets their password, and logs in.
How to: add a kiosk-only user (no browser login)
For factory or install staff who only clock in/out:
- Create the Employee record with their name, department, and position. No need for an email.
- Save. The Employee gets a default PIN (typically the current year).
- Tell them: “Sign in at the kiosk; you’ll be prompted to set your own PIN.”
No ApplicationUser is created. They appear on the kiosk list but can’t log into the browser app.
How to: change someone’s role
- Open their ApplicationUser record.
- Find the Roles tab/section.
- Use Link to add a role; Unlink to remove one.
- Save.
Changes take effect on the user’s next login (or after they refresh — XAF refreshes permissions on session restart).
How to: reset a forgotten password
If a user can’t log in:
- Confirm their account is Active (Employee not marked Finished, ApplicationUser not locked).
- Open the ApplicationUser.
- Click Send Password Reset.
- They receive a fresh password-reset email. Tell them to use the link within the time window.
If they never set the original password (first-time invitation expired), use Resend Invitation instead.
How to: reset a kiosk PIN
- Open the Employee record.
- Click Set PIN (or Reset PIN).
- Confirm. The PIN reverts to the default (current year).
- The next time the employee signs in at the kiosk, they’re prompted to set their own PIN.
How to: deactivate a leaver
- Open the Employee.
- Tick Is Finished and set their End Date.
- Save.
The linked ApplicationUser is auto-deactivated — they can’t log in from the moment you save. Their historical contributions remain intact.
Tips & gotchas
- Email is the user name. ApplicationUser.UserName equals the user’s email. If their email changes, update both (one workflow, not two).
- Don’t create duplicate Employees. If someone leaves and comes back, reactivate the existing record (untick Is Finished, clear End Date) rather than creating a fresh one.
- The first administrator is special. The user who runs the Setup Wizard implicitly becomes a system admin. Make sure that’s a person you trust to configure the tenant.
- PINs default to the current year. This is intentional and well-known among staff — make sure the user changes it on first kiosk sign-in.
- License limits employee count. Your tier sets a maximum number of active employees; reaching the limit blocks new Employee creation until someone is marked Finished or you upgrade.
- Inviting an existing email retries. If you try to Create Login for an Employee whose email is already an ApplicationUser, you’ll get an error — link the existing user instead.
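The lifecycle rules on this page (a Finished employee's login must be inactive, leavers get an End Date, the user name equals the employee email, logins without an Employee are rare) can be checked periodically against an export of both record types. The script below is an added example, not part of FSManager: the export layout, the field names in snake_case, and the sample records are all constructed for illustration.

```python
from datetime import date

# Constructed sample data. Field names follow the terms used on this page; the
# export layout (lists of dicts) is an assumption made for the example.
EMPLOYEES = [
    {"id": 1, "name": "A. Estimator", "email": "a@example.test", "is_finished": False, "end_date": None},
    {"id": 2, "name": "B. Leaver", "email": "b@example.test", "is_finished": True, "end_date": date(2024, 3, 1)},
    {"id": 3, "name": "C. Factory", "email": None, "is_finished": False, "end_date": None},
    {"id": 4, "name": "D. Renamed", "email": "d.new@example.test", "is_finished": False, "end_date": None},
    {"id": 5, "name": "E. Leaver", "email": "e@example.test", "is_finished": True, "end_date": None},
]
USERS = [
    {"user_name": "a@example.test", "employee_id": 1, "is_active": True},
    {"user_name": "b@example.test", "employee_id": 2, "is_active": True},      # leaver still active
    {"user_name": "d.old@example.test", "employee_id": 4, "is_active": True},  # stale user name
    {"user_name": "books@example.test", "employee_id": None, "is_active": True},  # no Employee
    {"user_name": "e@example.test", "employee_id": 5, "is_active": False},
]


def audit(employees, users):
    """Return sorted (finding, subject) tuples for records that break the documented rules."""
    by_id = {e["id"]: e for e in employees}
    findings = []
    for e in employees:
        # Deactivating a leaver means ticking Is Finished and setting an End Date.
        if e["is_finished"] and e["end_date"] is None:
            findings.append(("finished_without_end_date", e["name"]))
    for u in users:
        emp = by_id.get(u["employee_id"])
        if emp is None:
            # Supported but rare (e.g. an external bookkeeper): list for manual review.
            if u["is_active"]:
                findings.append(("active_login_without_employee", u["user_name"]))
            continue
        # A Finished employee's linked login should have been deactivated on save.
        if emp["is_finished"] and u["is_active"]:
            findings.append(("finished_employee_active_login", u["user_name"]))
        # Email is the user name, so the two values should match (case-insensitively).
        if u["user_name"].casefold() != (emp["email"] or "").casefold():
            findings.append(("username_email_mismatch", u["user_name"]))
    return sorted(findings)


if __name__ == "__main__":
    for finding, subject in audit(EMPLOYEES, USERS):
        print(f"{finding}: {subject}")
```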
Related
- Roles & Permissions — what each role lets a user do
- Time Recording — how kiosk PINs are used day-to-day
- System Settings — Departments, Positions, default startup view