Version: v2 (current)

Create users and assign roles on on-prem

TL;DR. On-prem PanDev Metrics has no public sign-up and no Google OAuth. The admin creates each user by hand (or syncs them from LDAP) and assigns roles separately. This guide walks you through adding employees, picking the right role, and managing access over time.

Before you begin

Confirm the deployment is up and that the first admin can sign in before creating other users.

PanDev Metrics on-prem deployed — see Installation
First admin account created — see First login
Optional: LDAP / LDAPS already configured if you want directory sync — see LDAP integration
Owner role on the tenant

Authentication options

On-prem supports two ways for employees to sign in:

Option	When to pick	Where credentials live
Manual accounts	LDAP unavailable, contractors, testing	Stored in PanDev Metrics, set by admin
LDAP / LDAPS	Corporate AD or LDAP exists	Lives in your directory, synced on sign-in

You can mix both — use LDAP for staff and manual accounts for external contractors.

Step 1 — Open the employees section

The employees section is the entry point for every user-management action on on-prem PanDev Metrics.

Sign in to PanDev Metrics as an admin.
Go to Organization → Employees.

The page lists every user in the tenant with their email, role, departments, and status.

Step 2 — Create a user

Fill in the basics for one employee. The account is created without a role — that comes next.

Select Create employee.
Fill in the form:

Field	Notes
First name	Employee's first name
Last name	Employee's last name
Email	Used as the login
Position	Optional, for HR reporting
New password	Initial password — share with the employee, they can change it later
Confirm password	Repeat the password

Select Save.

The employee account is created without a role — assign one in the next step. Per Q17, role assignment is always a separate action after creation.

Step 3 — Assign a tenant role

Open the new user's profile and pick one tenant-level role:

Role	What it grants
Viewer	Read-only access to dashboards and analytics
Maintainer	Edit data, manage integrations, support day-to-day workflows
Owner	Full control — settings, users, integrations, all data

Roles can be combined with department-level permissions (Department owner, Department maintainer, Department viewer). A user can be a tenant Maintainer and a department Owner simultaneously — that's a normal pattern.

A virtual Finance permission unlocks the finance section, including hourly rates and payroll reports. Grant it only to people who should see salaries.

Step 4 — Assign departments (optional)

To scope a user to specific departments:

Open the user's profile.
Select Departments.
Add the departments they belong to.
Pick the department-level role for each.

A user with no department membership only sees tenant-level dashboards.

After creation:

Send the employee their email (login) and the password you set.
Share the dashboard URL.
They use the same credentials to sign in from the IDE plugin, browser extension, or CLI.

If LDAP is enabled and the user exists in your directory, they sign in with their corporate password — no need to set one manually.

Verify

The employee should be able to:

Open http://<your-server>:8080 and sign in
See dashboards appropriate to their role
Authenticate from a JetBrains or VS Code plugin with the same email and password

Reset a password

Use this when an employee forgot their password or you suspect the credential is compromised.

Open the user's profile in Organization → Employees.
Select Reset password.
Set the new password and pass it to the user securely.

For LDAP users, password resets happen in the directory, not in PanDev Metrics.

Change a role

Role changes apply immediately — no rebuild or container restart required.

Open the user's profile.
Select the new tenant or department role.
Save.

Role changes take effect on the user's next request — no restart required.

Archive a user

PanDev Metrics keeps historical data forever — there's no hard delete, only archive. Archiving a user revokes access and hides them from active lists, but their historical metrics, commits, and time spent on tasks stay intact for reporting.

Open the user's profile.
Select Archive (the button may be labelled "Delete" in some UI surfaces — it still archives).
Confirm.

You can restore an archived employee later by selecting Show archived in the employees list.

Troubleshooting

These are the most frequent user-management issues admins hit on on-prem.

User signs in but sees an empty dashboard

No role is assigned. Go to the user's profile and pick a tenant role (Viewer / Maintainer / Owner).

LDAP user can't sign in

Check that the LDAP base DN includes the user, that the bind account has read access, and that the user's email in LDAP matches what they enter. See [LDAP integration](./ldap-integration).

"Permission denied" when opening a department dashboard

The user has a tenant role but no department membership for that department. Add them in **Departments** → **Members**.

Plugin authentication fails for a manual user

Confirm the user can sign in to the web UI first. The plugin uses the same credentials. If the web sign-in works but the plugin doesn't, check the plugin's server URL points to your on-prem instance, not the cloud URL.

FAQ

Common questions admins ask when onboarding the team into on-prem PanDev Metrics.

No. On-prem has no public sign-up. The admin creates every account manually or syncs from LDAP. This is by design — on-prem is single-tenant and the customer controls who gets in.

Why is there no Google OAuth on on-prem?

Google OAuth is a Cloud-only feature. On-prem deployments run in a customer-controlled network and use either local accounts or LDAP / LDAPS for authentication.

Can I invite a user by email?

You set the password directly when creating the account, then share it with the employee over your normal channel. Self-serve email invites are a Cloud workflow.

How many users can I create?

Your license defines the cap. Talk to sales@pandev.io if you need to grow the team beyond your current allowance.

Are there service accounts for CI or scripts?

PanDev Metrics doesn't have a dedicated service-account role. If you need an automated client, create a regular employee user with the minimum role needed — the same way any other account works.

What happens to a user's data when I archive them?

Nothing is deleted. Their commits, time spent on tasks, and historical activity remain in the database and continue to feed team-level reports. Archiving only revokes their ability to sign in.

Next steps

Once your users are in, organise them into departments and connect external systems.

Configure LDAP integration — single sign-on for staff
Manage employees in detail — the broader employee handbook
Create departments and teams

Sideways reading for on-prem admins.

Reference: Architecture
Tutorial: First login

Before you begin​

Authentication options​

Step 1 — Open the employees section​

Step 2 — Create a user​

Step 3 — Assign a tenant role​

Step 4 — Assign departments (optional)​

Step 5 — Share the credentials​

Verify​

Reset a password​

Change a role​

Archive a user​

Troubleshooting​

FAQ​

Can users sign up themselves on on-prem?​

Why is there no Google OAuth on on-prem?​

Can I invite a user by email?​

How many users can I create?​

Are there service accounts for CI or scripts?​

What happens to a user's data when I archive them?​

Next steps​

Related​