Users

Troubleshooting & FAQ

title: Troubleshooting & FAQ description: Frequently asked questions and troubleshooting for user management in Tidal Control sidebar_position: 4

Troubleshooting & FAQ

Frequently Asked Questions

What's the difference between user roles?

Role-based access control in Tidal Control:

Read Only User:

  • Access: Can view all compliance data (controls, assets, risks)
  • Limitations: Cannot change anything, execute tasks, or upload evidence
  • Use: External auditors, management oversight, reporting specialists
  • Strict Mode: Unchanged

Regular User:

  • Access: Everything from Read Only plus execution rights
  • Capabilities: Execute tasks, upload evidence, be assigned as owner
  • Limitations: Cannot manage other users or change global settings
  • Use: Compliance staff, control owners, daily users
  • Strict Mode: Needs object-level roles for access

Super User (Administrator):

  • Access: Full system rights
  • Capabilities: Manage users, global settings, all functionalities
  • Responsibilities: System management, user onboarding, configuration
  • Use: IT administrators, compliance managers, implementation specialists
  • Strict Mode: Unchanged

How can a user update their own profile?

Keycloak account access for personal data:

Access to account settings:

  1. Log in to Tidal Control
  2. Click profile icon top right (user avatar)
  3. Select "Account settings" from dropdown menu
  4. Keycloak interface opens in new tab

Editable personal information:

  • Email - Contact address for system notifications
  • First name / Last name - Names as displayed in Tidal interface
  • Password - Secure password change
  • Two-factor authentication - Authenticator app configuration

What users cannot change:

  • Username - Login identifier (often email address)
  • Global user role - Only Super Users can change roles
  • Object-level access - Only Object Owners can assign object roles
  • Organization settings - System configuration is reserved for administrators

Can a user change their own role?

No, users cannot change their own global role for security reasons and to ensure organizational control.

Role change process:

  • Only Super Users can change global roles
  • Role change happens via Users overview page
  • Immediate effect - Changes are active immediately
  • Audit trail - All role changes are logged

Strict Mode object-level roles:

  • Object Owners can assign Viewer/Contributor roles
  • Users cannot change their own object-level roles
  • Escalation via Object Owner or Super User

What happens to data from deleted users?

Data integrity preserved when deleting users:

What remains:

  • All compliance data - Controls, assets, risks, tasks
  • Historical evidence - Uploads and documentation
  • Audit trails - Complete activity history
  • Tasks and assessments - Completed and ongoing work

What changes:

  • Ownership display - Shows "Unknown user" instead of name
  • Assignments - Remain but user can no longer respond
  • Notifications - Automatically stop to deleted account
  • Access - Immediately blocked from all systems

Practical impact:

  • Ongoing tasks - Must be manually transferred
  • Ownership - Assign new owners for continuity
  • Teamwork - Colleagues must take over tasks
  • Reporting - Historical contributions remain visible

How does Strict Mode work versus normal mode?

Access control differences:

Normal mode (default):

  • Regular Users see all compliance objects
  • Global roles determine what users can do
  • Open access - All objects visible to all users
  • Simple rights - Three roles for entire system

Strict Mode (enhanced security):

  • Zero-trust principle - No access unless explicitly granted
  • Object-level roles - Viewer, Executor, Assessor, Owner per object
  • Granular control - Exact access per compliance object
  • Compartmentalization - Users only see assigned objects

When to choose Strict Mode:

  • Large organizations with many departments
  • Sensitive compliance data requiring compartmentalization
  • Legal requirements for data access control

Common Problems

User cannot login after invitation

Diagnosis and solution for login problems:

Check account status:

  1. Verify in Users table - Is user visible and active?
  2. Check invitation status - Has "Send invite" been executed?
  3. Confirm email receipt - Did user receive welcome email?
  4. Validate email address - Is address correct in Users table?

Common causes:

  • Invitation not sent - Actions menu "Send invite" not yet used
  • Invitation expired - User didn't accept invitation within 7 days
  • Email not received - Spam filter or wrong email address
  • Password not set - User didn't complete Keycloak activation
  • Account timing - Invitation can take several minutes

Solution steps:

  1. Resend invitation via Actions menu
  2. Check spam folder of user
  3. Verify email address and correct if needed
  4. Guide password setup via Keycloak interface
  5. Test login process together with user

Invitation email doesn't arrive

Email delivery problem solving:

Initial diagnosis:

  • Check spam/junk folder - Automatic filters can block email
  • Verify email address - Typos in Users table
  • Check organization firewall - Email security can block Tidal emails
  • Validate email server - Organization email server problems

Troubleshooting steps:

  1. Correct email address in Users table if needed
  2. Send invite again via Actions menu
  3. Whitelist Tidal domains in organization email security
  4. Try alternative email address for testing
  5. Contact IT support for email server configuration

Alternative solutions:

  • Manual account setup - Super User helps with password setup
  • IT escalation - System administrator investigates email delivery

User has wrong access rights

Access rights diagnosis and correction:

Check global role:

  1. Go to Users overview and find user
  2. Verify current role in Role column
  3. Change role if needed via dropdown menu
  4. Test new rights with user

Strict Mode specific check:

  • Object-level roles - Does user have correct Executor/Assessor/Owner role?
  • Object assignment - Is user even assigned to relevant objects?
  • Active objects - Are objects themselves active and available?
  • Inheritance - Are rights correctly inherited from related objects?

Solution per scenario:

  • Too few rights - Upgrade global role or add object-level roles
  • Too many rights - Downgrade to appropriate role for function
  • Inconsistent access - Review all object assignments systematically
  • Timing issues - Wait several minutes after role changes

Strict Mode access problems

User sees no objects in Strict Mode:

Diagnosis steps:

  1. Check global role - Is user Regular User or higher?
  2. Verify object assignments - Does user have object-level roles?
  3. Check object status - Are objects themselves active?
  4. Check Strict Mode status via green indicator

Solution:

  • Super User assigns correct object-level roles
  • Object Owner can grant access within own scope

User cannot execute tasks:

Possible causes:

  • Viewer role instead of Contributor role
  • Object specific restrictions set by owner
  • Task assignment to wrong user

Solution steps:

  1. Verify object-level role in object page
  2. Upgrade to Contributor if needed
  3. Check task assignment and deadline status
  4. Contact Object Owner for role escalation

Keycloak account problems

Authentication and profile management issues:

Password reset problems:

  1. Go to Keycloak login page via Tidal Control
  2. Click "Forgot Password" link
  3. Enter email address and send reset
  4. Check email including spam folder
  5. Follow reset instructions in received email

Come across an issue we haven't covered?

Send an email to support@tidalcontrol.com, and we'll get in touch as soon as possible.

Info

Gathering support info: Note which browser you're using, exact error messages, and which steps you've already tried. This significantly speeds up the solution.

Next
Getting Started