{creating && (

setNewProvider(v as 'local' | 'oidc')} orientation="horizontal" >

setNewUsername(e.target.value)} /> setNewDisplay(e.target.value)} />

{duplicateUsername && ( Username already exists )} setNewEmail(e.target.value)} /> {newProvider === 'local' && ( setNewPassword(e.target.value)} /> )} {newProvider === 'oidc' && ( OIDC users authenticate via the configured identity provider. Pre-register to assign roles/groups before their first login. )}

)} ( <>

{user.displayName} {user.provider !== 'local' && ( )}

{user.email || user.userId} ·{' '} {getUserGroupPath(user)}

{user.directRoles.map((r) => ( ))} {user.directGroups.map((g) => ( ))}

)} getItemId={(user) => user.userId} selectedId={selectedId ?? undefined} onSelect={(id) => { setSelectedId(id); setResettingPassword(false); }} searchPlaceholder="Search users..." onSearch={setSearch} addLabel="+ Add user" onAdd={() => setCreating(true)} emptyMessage="No users match your search" /> } detail={ selected ? ( <>

updateUser.mutate( { userId: selected.userId, displayName: v }, { onSuccess: () => toast({ title: 'Display name updated', variant: 'success', }), onError: () => toast({ title: 'Failed to update name', variant: 'error', }), }, ) } />

{selected.email || selected.userId}

Status

ID {selected.userId} Created {new Date(selected.createdAt).toLocaleDateString()} Provider {selected.provider}

Security

{selected.provider === 'local' ? ( <>

Password •••••••• {!resettingPassword && ( )}

{resettingPassword && (

setNewPw(e.target.value)} className={styles.resetInput} />

)} ) : ( <>

Authentication OIDC ({selected.provider})

Password managed by the identity provider. )}

Group membership (direct only)

{selected.directGroups.map((g) => ( { removeFromGroup.mutate( { userId: selected.userId, groupId: g.id }, { onSuccess: () => toast({ title: 'Group removed', variant: 'success' }), onError: () => toast({ title: 'Failed to remove group', variant: 'error', }), }, ); }} /> ))} {selected.directGroups.length === 0 && ( (no groups) )} { for (const groupId of ids) { addToGroup.mutate( { userId: selected.userId, groupId }, { onSuccess: () => toast({ title: 'Added to group', variant: 'success' }), onError: () => toast({ title: 'Failed to add group', variant: 'error', }), }, ); } }} placeholder="+ Add" />

Effective roles (direct + inherited)

{selected.directRoles.map((r) => ( { removeRole.mutate( { userId: selected.userId, roleId: r.id }, { onSuccess: () => toast({ title: 'Role removed', description: r.name, variant: 'success', }), onError: () => toast({ title: 'Failed to remove role', variant: 'error', }), }, ); }} /> ))} {inheritedRoles.map((r) => ( ))} {selected.directRoles.length === 0 && inheritedRoles.length === 0 && ( (no roles) )} { for (const roleId of roleIds) { assignRole.mutate( { userId: selected.userId, roleId }, { onSuccess: () => toast({ title: 'Role assigned', variant: 'success', }), onError: () => toast({ title: 'Failed to assign role', variant: 'error', }), }, ); } }} placeholder="+ Add" />

{inheritedRoles.length > 0 && ( Roles with ↑ are inherited through group membership )} ) : null } emptyMessage="Select a user to view details" /> setDeleteTarget(null)} onConfirm={handleDelete} message={`Delete user "${deleteTarget?.displayName}"? This cannot be undone.`} confirmText={deleteTarget?.displayName ?? ''} loading={deleteUser.isPending} /> setRemoveGroupTarget(null)} onConfirm={() => { if (removeGroupTarget && selected) { removeFromGroup.mutate( { userId: selected.userId, groupId: removeGroupTarget }, { onSuccess: () => toast({ title: 'Group removed', variant: 'success' }), onError: () => toast({ title: 'Failed to remove group', variant: 'error', }), }, ); } setRemoveGroupTarget(null); }} title="Remove group membership" description="Removing this group may also revoke inherited roles. Continue?" confirmLabel="Remove" variant="warning" /> ); }