Users
Troubleshooting & FAQ
title: Troubleshooting & FAQ description: Frequently asked questions and troubleshooting for user management in Tidal Control sidebar_position: 4
Troubleshooting & FAQ
Frequently Asked Questions
What's the difference between user roles?
Role-based access control in Tidal Control:
Read Only User:
- Access: Can view all compliance data (controls, assets, risks)
- Limitations: Cannot change anything, execute tasks, or upload evidence
- Use: External auditors, management oversight, reporting specialists
- Strict Mode: Unchanged
Regular User:
- Access: Everything from Read Only plus execution rights
- Capabilities: Execute tasks, upload evidence, be assigned as owner
- Limitations: Cannot manage other users or change global settings
- Use: Compliance staff, control owners, daily users
- Strict Mode: Needs object-level roles for access
Super User (Administrator):
- Access: Full system rights
- Capabilities: Manage users, global settings, all functionalities
- Responsibilities: System management, user onboarding, configuration
- Use: IT administrators, compliance managers, implementation specialists
- Strict Mode: Unchanged
How can a user update their own profile?
Keycloak account access for personal data:
Access to account settings:
- Log in to Tidal Control
- Click profile icon top right (user avatar)
- Select "Account settings" from dropdown menu
- Keycloak interface opens in new tab
Editable personal information:
- Email - Contact address for system notifications
- First name / Last name - Names as displayed in Tidal interface
- Password - Secure password change
- Two-factor authentication - Authenticator app configuration
What users cannot change:
- Username - Login identifier (often email address)
- Global user role - Only Super Users can change roles
- Object-level access - Only Object Owners can assign object roles
- Organization settings - System configuration is reserved for administrators
Can a user change their own role?
No, users cannot change their own global role for security reasons and to ensure organizational control.
Role change process:
- Only Super Users can change global roles
- Role change happens via Users overview page
- Immediate effect - Changes are active immediately
- Audit trail - All role changes are logged
Strict Mode object-level roles:
- Object Owners can assign Viewer/Contributor roles
- Users cannot change their own object-level roles
- Escalation via Object Owner or Super User
What happens to data from deleted users?
Data integrity preserved when deleting users:
What remains:
- All compliance data - Controls, assets, risks, tasks
- Historical evidence - Uploads and documentation
- Audit trails - Complete activity history
- Tasks and assessments - Completed and ongoing work
What changes:
- Ownership display - Shows "Unknown user" instead of name
- Assignments - Remain but user can no longer respond
- Notifications - Automatically stop to deleted account
- Access - Immediately blocked from all systems
Practical impact:
- Ongoing tasks - Must be manually transferred
- Ownership - Assign new owners for continuity
- Teamwork - Colleagues must take over tasks
- Reporting - Historical contributions remain visible
How does Strict Mode work versus normal mode?
Access control differences:
Normal mode (default):
- Regular Users see all compliance objects
- Global roles determine what users can do
- Open access - All objects visible to all users
- Simple rights - Three roles for entire system
Strict Mode (enhanced security):
- Zero-trust principle - No access unless explicitly granted
- Object-level roles - Viewer, Executor, Assessor, Owner per object
- Granular control - Exact access per compliance object
- Compartmentalization - Users only see assigned objects
When to choose Strict Mode:
- Large organizations with many departments
- Sensitive compliance data requiring compartmentalization
- Legal requirements for data access control
Common Problems
User cannot login after invitation
Diagnosis and solution for login problems:
Check account status:
- Verify in Users table - Is user visible and active?
- Check invitation status - Has "Send invite" been executed?
- Confirm email receipt - Did user receive welcome email?
- Validate email address - Is address correct in Users table?
Common causes:
- Invitation not sent - Actions menu "Send invite" not yet used
- Invitation expired - User didn't accept invitation within 7 days
- Email not received - Spam filter or wrong email address
- Password not set - User didn't complete Keycloak activation
- Account timing - Invitation can take several minutes
Solution steps:
- Resend invitation via Actions menu
- Check spam folder of user
- Verify email address and correct if needed
- Guide password setup via Keycloak interface
- Test login process together with user
Invitation email doesn't arrive
Email delivery problem solving:
Initial diagnosis:
- Check spam/junk folder - Automatic filters can block email
- Verify email address - Typos in Users table
- Check organization firewall - Email security can block Tidal emails
- Validate email server - Organization email server problems
Troubleshooting steps:
- Correct email address in Users table if needed
- Send invite again via Actions menu
- Whitelist Tidal domains in organization email security
- Try alternative email address for testing
- Contact IT support for email server configuration
Alternative solutions:
- Manual account setup - Super User helps with password setup
- IT escalation - System administrator investigates email delivery
User has wrong access rights
Access rights diagnosis and correction:
Check global role:
- Go to Users overview and find user
- Verify current role in Role column
- Change role if needed via dropdown menu
- Test new rights with user
Strict Mode specific check:
- Object-level roles - Does user have correct Executor/Assessor/Owner role?
- Object assignment - Is user even assigned to relevant objects?
- Active objects - Are objects themselves active and available?
- Inheritance - Are rights correctly inherited from related objects?
Solution per scenario:
- Too few rights - Upgrade global role or add object-level roles
- Too many rights - Downgrade to appropriate role for function
- Inconsistent access - Review all object assignments systematically
- Timing issues - Wait several minutes after role changes
Strict Mode access problems
User sees no objects in Strict Mode:
Diagnosis steps:
- Check global role - Is user Regular User or higher?
- Verify object assignments - Does user have object-level roles?
- Check object status - Are objects themselves active?
- Check Strict Mode status via green indicator
Solution:
- Super User assigns correct object-level roles
- Object Owner can grant access within own scope
User cannot execute tasks:
Possible causes:
- Viewer role instead of Contributor role
- Object specific restrictions set by owner
- Task assignment to wrong user
Solution steps:
- Verify object-level role in object page
- Upgrade to Contributor if needed
- Check task assignment and deadline status
- Contact Object Owner for role escalation
Keycloak account problems
Authentication and profile management issues:
Password reset problems:
- Go to Keycloak login page via Tidal Control
- Click "Forgot Password" link
- Enter email address and send reset
- Check email including spam folder
- Follow reset instructions in received email
Come across an issue we haven't covered?
Send an email to support@tidalcontrol.com, and we'll get in touch as soon as possible.
Gathering support info: Note which browser you're using, exact error messages, and which steps you've already tried. This significantly speeds up the solution.
- Next
- Getting Started