Managing Users
User management happens on the Users tab, which is visible only to admins. The tab lists every account with its username, role, enabled state, assignment counts, and a truncated view of its API key.
Creating a user
- Click Add User at the top of the Users tab.
- Enter a username. Usernames are case-insensitive and must be unique. Minimum length is 2 characters.
- Enter a password (minimum 4 characters).
- Choose a role — Admin, Operator, or Viewer. See Roles and permissions.
- Click Create.
The new account is immediately active. Operators and Viewers start with no assignments, which means they see no players or zones until you assign some — see Player and zone assignments.
An API key is not generated automatically. Click Regenerate Key on the row if the user needs one.
Editing a user
Click the edit icon on a row to change the user’s role or toggle Enabled. Username is fixed for the lifetime of the account — create a new user and delete the old one if you need to rename.
A few guard rails apply:
- You cannot change your own role. Log in as a different admin to demote yourself.
- You cannot disable or demote the last enabled admin. MZAP blocks the change and surfaces an error so you can’t lock yourself out.
Resetting a password
Click the key icon on a row and enter the new password. The old password is replaced immediately; existing sessions for that user remain valid until the user logs out or the workspace is locked.
Non-admin users can change their own password from the user menu but cannot change anyone else’s.
Disabling vs. deleting
Disable an account to block login without losing its configuration. The user’s assignments, API key, and password hash stay intact, so you can re-enable the account later and everything resumes. Disabled users also cannot authenticate with their API key.
Delete an account to remove it permanently. Deleting a user:
- Invalidates every active session for that user immediately.
- Revokes the user’s API key.
- Does not remove the user’s entry from any workspace assignment lists — stale entries are simply ignored. Re-creating a user with the same username restores their assignments.
Two guards prevent foot-guns:
- You cannot delete your own account.
- You cannot delete the last enabled admin.
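An added example, not part of MZAP or its documentation: an audit over an exported account list that flags a lone enabled admin, disabled accounts that still hold an API key, and stale assignment entries that a re-created username would inherit. The record fields and the workspace-to-usernames mapping are assumptions; the real schemas are in the API Reference.

```python
# Added example: audits constructed account data against the rules described above.
# The record fields (username, role, enabled, has_api_key) and the
# workspace -> usernames mapping are assumptions, not MZAP's schema.

def audit_users(users, assignments):
    """Return a sorted list of (finding, subject) tuples."""
    findings = []
    # Usernames are case-insensitive, so compare on a case-folded form.
    known = {u["username"].casefold() for u in users}

    # With a single enabled admin, the last-admin guard blocks disabling,
    # demoting or deleting that account, and there is no fallback admin.
    admins = [u for u in users if u["role"] == "Admin" and u["enabled"]]
    if len(admins) == 1:
        findings.append(("single-enabled-admin", admins[0]["username"]))

    # A disabled account keeps its API key, which works again on re-enable.
    for u in users:
        if not u["enabled"] and u["has_api_key"]:
            findings.append(("disabled-with-api-key", u["username"]))

    # Deleted users stay in assignment lists; a new account that reuses the
    # username would pick these assignments up.
    stale = {
        (workspace, name.casefold())
        for workspace, names in assignments.items()
        for name in names
        if name.casefold() not in known
    }
    findings.extend(("stale-assignment", f"{ws}:{name}") for ws, name in stale)
    return sorted(findings)


# Constructed sample data.
SAMPLE_USERS = [
    {"username": "Alice", "role": "Admin", "enabled": True, "has_api_key": True},
    {"username": "bob", "role": "Operator", "enabled": False, "has_api_key": True},
    {"username": "carol", "role": "Viewer", "enabled": True, "has_api_key": False},
    {"username": "dave", "role": "Admin", "enabled": False, "has_api_key": False},
]
SAMPLE_ASSIGNMENTS = {
    "lobby": ["BOB", "carol", "erin"],   # "erin" has no matching account
    "studio": ["alice", "Erin"],
}

if __name__ == "__main__":
    for finding in audit_users(SAMPLE_USERS, SAMPLE_ASSIGNMENTS):
        print(finding)
```

Clearing a stale entry before the username is reused keeps a new account from picking up the old one's players and zones.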
Toggling global authentication
The header of the Users tab contains the Enable Authentication / Disable Authentication button.
- Enable is only available when at least one enabled admin user exists.
- Disable prompts for confirmation. Once disabled, the login dialog stops appearing and every request is treated as fully privileged. Existing user accounts are preserved — enabling auth again reactivates them immediately.
API equivalents
Everything above is exposed on the API for scripting bulk changes or integrating with an external identity system.
| Operation | Endpoint |
|---|---|
| List users | GET /api/users |
| Create user | POST /api/users |
| Update role or enabled state | PUT /api/users/{id} |
| Change password | PUT /api/users/{id}/password |
| Delete user | DELETE /api/users/{id} |
| Get a user’s API key | GET /api/users/{id}/api-key |
| Regenerate API key | POST /api/users/{id}/regenerate-key |
| Toggle global auth | PUT /api/settings with authEnabled |
All of these require an admin token except change password, which a user may call for their own account. Full request and response schemas are in the API Reference.