.. index:: Admin .. _ops-admin: Admin ==================== There is one group of users, called "Admins", which have elevated powers. This includes: * They have an "Admin" tab at the top right. * There, they can configure settings of the server in "Site Settings" – i.e. those values, which are not set in the ``globals.settings`` dict in your :ref:`my-values.yaml ` config file. * Create/modify Licenses. * Manage "Registration Tokens". * Open any project. * Adjust resources of individual projects: open a project → Upgrades → "Admin Quota Editor" → "Edit". * Impersonate any user to give support, debugging issues, etc.: Admin → "User Search". * Access more detailed information via "CRM" files: create them with the ending ``*.cocalc-crm``. Elevate privileges ------------------------------- If you created an admin via the :ref:`initial-admin-setup`, but you want more users to have that role, you have to modify the database directly. Note, for security reasons (lack of monitoring/oversight), there is no control for admins to elect other users as admins. .. code: sql :: UPDATE accounts SET groups='{admin}' WHERE email_address='email@address.tld' or by account id: :: UPDATE accounts SET groups='{admin}' WHERE account_id='Account-UUID-XYZ-ABC' .. note:: To remove someone from the admin group: :: UPDATE accounts SET groups=NULL WHERE email_address='email@address.tld' -- or, see above WHERE account_id='Account-UUID-XYZ-ABC' .. note:: It's also a good practice, to wrap such statements in a `transaction `_. Create accounts ---------------------------------------- If those additional accounts for admins do not exist yet, you can either create these accounts via the `API `_ or directly via the database as well. In the latter case, you have to make sure the ``email_address`` field is unique and other setup actions will not run – which is fine, if you just want a brand new account on a fresh setup. :: INSERT INTO accounts (account_id, first_name, last_name, email_address, creation_actions_done, created) VALUES (gen_random_uuid(), 'Foo', 'Bar', 'foo.bar@domain.tld', TRUE, NOW()) To set a password, it's probably best to `trigger a password reset `_ or tell the user to open the path: ``/auth/password-reset``.