Page MenuHomestyx hydra
Files F37925

unlocking.diviner
No OneTemporary
Actions

unlocking.diviner
View Options

@title User Guide: Unlocking Objects
@group userguide
Explains how to access locked or invisible objects and accounts.
Overview
========
Phorge tries to make it difficult for users to lock themselves out of
things, but you can occasionally end up in situations where no one has access
to an object that you need access to.
For example, sometimes the only user who had edit permission for something has
left the organization, or you configured a "Phase of the Moon" policy rule and
the stars aren't currently aligned.
You can use various CLI tools to unlock objects and accounts if you need to
regain access.
Unlocking Accounts
==================
If you need to regain access to an object, the easiest approach is usually to
recover access to the account which owns it, then change the object policies
to be more open using the web UI.
For example, if an important task was accidentally locked so that only a user
who is currently on vacation can edit it, you can log in as that user and
change the edit policy to something more permissive.
To regain access to an account:
```
$ ./bin/auth recover <username>
```
If the account you're recovering access to has MFA or other session prompts,
use the `--force-full-session` to bypass them:
```
$ ./bin/auth recover <username> --force-full-session
```
In either case, the command will give you a link you a one-time link you can
use to access the account from the web UI. From there, you can open up objects
or change settings.
Unlocking MFA
=============
You can completely strip MFA from a user account with:
```
$ ./bin/auth strip --user <username> ...
```
For detailed help on managing and stripping MFA, see the instructions in
@{article:User Guide: Multi-Factor Authentication}
Unlocking Objects
=================
If you aren't sure who owns an object, you can inspect the policies from the
CLI:
```
$ ./bin/policy show <object>
```
To identify the object you want to examine, you can specify an object
name (like `T123`) or a PHID as the `<object>` parameter.
If examining the policy isn't helpful, or no user account has access to an
object, you can then directly change object policies from the CLI:
```
$ ./bin/policy unlock <object> [--view ...] [--edit ...] [--owner ...]
```
Use the `--view` and `--edit` flags (and, for some objects, the `--owner`
flag) to specify new policies for the object.
For example, to make task `T123` editable by user `@alice`, run:
```
$ ./bin/policy unlock T123 --edit alice
```
Not every object has mutable view and edit policies, and not every object has
an owner, so each flag only works on some types of objects.
From here, you can log in to the web UI and change the relevant policies to
whatever you want to set them to.
No Enabled Users
================
If you accidentally disabled all administrator accounts, you can enable a
disabled account from the CLI like this:
```
$ ./bin/user enable --user <username>
```
From here, recover the account or log in normally.
No Administrators
=================
If you accidentally deleted all the administrator accounts, you can empower
a user as an administrator from the CLI like this:
```
$ ./bin/user empower --user <username>
```
This will upgrade the user account from a regular account to an administrator
account.

File Metadata

Mime Type
text/plain
Expires
Thu, Feb 6, 1:35 AM (8 h, 44 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
33760
Default Alt Text
unlocking.diviner (3 KB)

Event Timeline

styx copyright 2020 sirocyl / ellie (kymkdd) / ncommander / styx contributors
Use of other names and brands is not intended to reflect a claim of, or right to, use the name or brand.
styx is an operating system using the Linux kernel and components, and "styx Linux" as a phrase does not reflect the inclusion of the Linux brand or trademark in the styx project.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
Terms and Conditions (TODO: fix this!)