
Users & Security

Users

Navigate to Settings → Users to manage user accounts.

Roles

Vodia Wallboards has four roles:

| Role | Access |
| --- | --- |
| Super Admin | Full access to all PBX servers, tenants, queues, and settings |
| Admin | Access scoped to specific tenants across one or more PBX servers |
| Queue Manager | Access scoped to specific queues within specific tenants |
| Viewer | Read-only access scoped to specific tenants |

Inviting Users

Click Invite User to add a new user. Enter their email address, name, and role, then assign their access scope using the scope picker:

  • Super Admin — no scope picker needed; full access is granted automatically
  • Admin — select which tenants the user can access
  • Queue Manager — select which specific queues within which tenants the user can access
  • Viewer — select which tenants the user can view

Vodia Wallboards sends an invite email to the user (requires SMTP to be configured). The invite link expires after 24 hours. If email is not configured, the invite link is displayed on screen for you to share manually.

Invite Acceptance Flow

When a user opens their invite link they are walked through a three-step setup:

  1. Set password — minimum 8 characters
  2. Enrol MFA — required for admin and super_admin roles; optional for others. Choose between a passkey (Touch ID, Face ID, Windows Hello, hardware key) or a TOTP authenticator app
  3. Done — account is active and ready to use

Editing Users

Click the edit icon on any user to update their name, role, access scope, or reset their password. Email addresses cannot be changed after an account is created.


Security

Two-Factor Authentication (MFA)

Navigate to Settings → Security to manage MFA for your own account.

MFA is required for super_admin and admin accounts. Admins who log in without MFA enrolled are redirected to the security settings page before they can access anything else.

Two methods are supported and can both be active simultaneously:

Authenticator App (TOTP) — works with Google Authenticator, Authy, 1Password, and any standard TOTP app. To set up, click Set Up Authenticator, scan the QR code, enter the 6-digit verification code, and click Verify & Enable. If you cannot scan the QR code, copy the manual key and enter it into your app.

Passkeys — uses your device's built-in authenticator: Touch ID on Mac, Face ID on iPhone, Windows Hello, or a hardware security key (YubiKey etc.). Click Add Passkey, follow the browser prompt, and give the passkey a name. You can register multiple passkeys on different devices. Passkeys are supported in Chrome, Safari, and Edge.

Login Flow

The login page asks for email and password. If MFA is enrolled, a second screen appears immediately after — either a passkey prompt or a 6-digit TOTP code entry. If both methods are enrolled, tabs let you choose which to use.

Credential Security

All PBX credentials stored in Vodia Wallboards (admin usernames and passwords for each PBX connection) are encrypted at rest using AES-256-GCM.

Session tokens use JWT with a 24-hour expiry. TV display tokens use a separate scoped JWT that grants read-only access to wallboard data only, with no access to settings or user management.
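
The separation between session tokens and TV display tokens described above can be enforced on the server roughly as follows. This is an added illustration, not Vodia Wallboards code: the HS256 signing, the `scope` claim and its values, the `/api/wallboard` path, the display-token lifetime and the sample key are all assumptions.

```python
import base64, hashlib, hmac, json, posixpath

KEY = b"constructed-demo-key"      # constructed sample key, not a real secret
SESSION_TTL = 24 * 3600            # 24-hour session expiry, as stated above
DISPLAY_PREFIX = "/api/wallboard"  # hypothetical read-only data path

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    # Algorithm is pinned to HMAC-SHA256; it is never read from the token header.
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def issue(sub: str, scope: str, now: int, ttl: int = SESSION_TTL) -> str:
    """Mint a token; the 'scope' claim ('session' or 'display') is an assumption."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "scope": scope, "exp": now + ttl}).encode())
    return f"{header}.{body}.{_b64(_sign(header + '.' + body))}"

def verify(token: str, now: int) -> dict:
    """Return the claims, or raise ValueError for a forged or expired token."""
    header, body, sig = token.split(".")
    if not hmac.compare_digest(_sign(f"{header}.{body}"), _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims

def authorize(token: str, method: str, path: str, now: int) -> bool:
    """Display tokens may only GET wallboard data; session tokens continue
    to the per-role scope check (not shown here)."""
    try:
        claims = verify(token, now)
    except (ValueError, KeyError):
        return False
    if claims.get("scope") == "display":
        clean = posixpath.normpath(path)  # collapse ../ before the prefix test
        return method == "GET" and clean.startswith(DISPLAY_PREFIX + "/")
    return claims.get("scope") == "session"
```

The path is normalized before the prefix check so that a display token cannot reach a settings route through a `../` segment.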