User Admin

The User Admin page is the central hub for managing all user accounts on your QuickBox Pro server. From here you can view every user at a glance, create new accounts, modify roles and passwords, ban or delete users, and perform administrative actions like session revocation and user impersonation.

Admin only

User Admin requires admin privileges. admin.users.read is needed to view the user list. Additional permissions are required for specific actions — admin.users.create to add users, admin.users.update to modify them, and admin.users.delete to remove them.

User list

The User Admin page displays all server users in a searchable, filterable table. Each row shows the user’s name, status, role, and key account details. You can filter by user status and search by username or email.

Click the expand arrow on any user row to reveal additional details including:

Avatar and display information
Email address
Assigned role and group
Disk usage breakdown
Active session count
Account creation date
Media access — storage quota and media permissions (see below)

Creating users

Click the Create User button to open the new user dialog. You will need to provide:

Username — must comply with the username policy set in Registration Settings (character rules, length limits)
Password — must meet the password policy requirements
Email — optional email address for the user
Role — assign an initial role (determines dashboard permissions)
Group — assign to a group (determines application access)

When a user is created through the dashboard, the system automatically provisions the Linux account, home directory, default applications, and all required system files on the server.

User actions

Each user in the list has a set of actions available through the action menu:

Action	What it does	Permission required
Edit role	Change the user's role (promote to admin or demote to standard user)	`admin.users.update`
Change password	Reset the user's password. Updates both the dashboard login and the system account password	`admin.users.update`
Ban user	Ban the user with an optional reason. Stops all their services, terminates active processes, blocks login, and revokes their OpenVPN certificate (if any) so their existing .ovpn profile stops connecting immediately	`admin.users.update`
Unban user	Lift a ban and restore the user's access. Restarts their services and, for OpenVPN users, issues a fresh client profile (the old one stays permanently revoked — the user must re-download)	`admin.users.update`
Delete user	Permanently remove the user account, home directory, all installed software, and system files. Revokes their OpenVPN certificate as part of cleanup. Requires confirmation	`admin.users.delete`
Revoke sessions	Force logout by invalidating all of the user's active sessions	`admin.sessions.revoke`
Impersonate	Log in as the user to see exactly what they see. Useful for troubleshooting permission or display issues	`admin.users.impersonate`
Approve	Approve a pending registration (only visible when using admin approval activation mode)	`admin.users.update`

Deleting users is permanent

When you delete a user, the system removes their Linux account, home directory, all per-user application data, and database records. This action cannot be undone. Always confirm you have backed up any important data before proceeding.

Media access

Each user’s expanded panel includes a Media access section with two cards:

Storage quota

Shows the user’s effective Asset Management Center storage quota, current usage, and where the quota comes from:

Override — An explicit quota set for this user. A Reset button clears it, falling back to the inherited value
Inherited — The default from one of the user’s groups (the group name is shown)
Default — The instance-wide fallback

Enter a value in GB to set a per-user override. Overrides always win over group and instance defaults.

Media permissions

Lists the three media permissions — media.library.use, media.share.create, and media.share.email — with each one’s current state (Granted or Denied) and its source:

Inherit — Follow the user’s group grants (or the default deny if no group grants it)
Allow — Grant this user the permission regardless of group membership
Deny — Block the permission even if a group grants it

Administrator-level accounts always have every media permission — their rows show a shield indicator and no controls, since overrides would have no effect.

Viewing media access requires admin.users.read; changing quotas or permission overrides requires admin.users.update.

User policy toggles

At the top of the User Admin page, quick-access toggles let you control system-wide user policies:

Maintenance mode — When enabled, non-admin users see a maintenance notice instead of the dashboard
Registration mode — Quick visibility into the current registration activation mode

These are shortcuts to settings that are also available in the General Settings and Registration Settings pages.

CLI equivalents

Dashboard Action	CLI Command
Create a user	`qb user create -u <username> -p <password>`
Delete a user	`qb user delete -u <username>`
Ban a user	`qb user ban -u <username>`
Unban a user	`qb user unban -u <username>`
Change password	`qb user password -u <username> -p <password>`
Promote to admin	`qb user promote -u <username>`
Demote from admin	`qb user demote -u <username>`
Set disk quota	`qb user quota -u <username> -o <size>`
Set shell access	`qb user shell -u <username> -o <full\|limited\|sudo>`

Dashboard advantage

The dashboard provides features not available via the CLI, including user impersonation, session revocation, inline user details, and integration with the full RBAC system. The CLI is best suited for scripting and automation.

Best practices

Do

Assign the most restrictive role that meets each user's needs — use the User role for standard access and reserve admin roles for server operators
Use groups to control application access rather than relying on roles alone — groups provide fine-grained control over which software categories each user can see
Ban a user instead of deleting them if you may want to restore their access later — banning preserves the account and data while blocking all access
Review the user list regularly for inactive or unused accounts and remove them to keep your server tidy
Use impersonation to troubleshoot user-reported issues — you will see exactly what the user sees without needing their credentials

Don't

Don't delete users without first confirming that their data is backed up — deletion removes the home directory, all application data, and system files permanently
Don't give admin privileges to users who only need access to applications — use the standard User role with appropriate group membership instead
Don't forget to revoke sessions when changing a user's role or permissions — existing sessions may still have the old permissions until they expire

FAQ

Banning a user immediately stops all their running services, terminates their active processes, and blocks them from logging into the dashboard. If the user has an OpenVPN profile, their client certificate is also revoked — their already-distributed .ovpn stops connecting right away, enforced by the server's certificate revocation list, so a banned user cannot keep dialing in over the VPN. Their account data, home directory, and VPN membership are preserved, so you can unban them later.

No. Unbanning reissues a fresh OpenVPN client profile — the certificate revoked at ban time stays permanently dead and cannot be un-revoked. The user must re-download their new .ovpn bundle from their download link before they can reconnect. Login, SSH, and services are otherwise restored as before.

Yes. The email field is optional when creating a user. However, if you have email-based features enabled (such as password reset or email activation), the user will not be able to use those features without an email address.

The CLI qb user promote command changes the user to admin level and adjusts their shell access. The dashboard provides the same capability plus full RBAC role assignment, allowing you to assign any custom role — not just the admin/user binary.

The disk quota (set with qb user quota or the dashboard) limits the user's home directory on the server's filesystem — and because a managed user's Asset Management Center uploads live in their home (under ~/.QuickBox/storage/), those uploads count against this disk quota. The separate media storage quota applies to central assets that administrators upload to the shared dashboard area. They are managed in different places.

When you impersonate a user, the dashboard creates a temporary session that mirrors the target user's permissions and view. You see exactly what that user sees. An impersonation banner is visible at the top of the page, and you can end the impersonation at any time to return to your admin session.

The super admin account (the account created during installation) cannot be deleted. This is a safety measure to ensure there is always at least one admin account on the server.

Groups

Manage groups that control application access for users

Roles & Permissions

Define and assign roles with granular permissions

Registration Settings

Configure activation modes, username policies, and password requirements

Asset Management Center

The media features that quotas and media permissions govern

Join the Community

Media server operators sharing configs, getting support, and shaping the future of QuickBox Pro.

Dedicated Support

Feature Previews

Community Configs

Active Discussions

Join Discord Server