Users management #9599

@cojack

Description

Feature search

  • I have searched the existing issues and this feature has not been requested yet or is already in our Public Roadmap

Which component would this feature affect?

Prowler UI

Related to specific cloud provider?

Not provider-specific

New feature motivation

Currently, Prowler's user management system has significant limitations that make it difficult to operate in a team or enterprise environment:

  1. No super admin concept - The first registered user does not receive any elevated administrative privileges
  2. Open registration without control - Any user can register and automatically gets their own isolated tenant
  3. Tenant isolation without flexibility - Users cannot switch between tenants or be invited to existing tenants
  4. No centralized user management - There is no way for administrators to manage users, assign roles, or control access across the organization

This makes it challenging to deploy Prowler as a shared security scanning platform for teams or organizations.

Solution Proposed

  1. Introduce super admin role - The first registered user (or a configurable user) should become a super admin with full control over the instance
  2. Disable open registration (optional) - Allow admins to disable public registration and use invite-only mode
  3. User invitation system - Allow tenant admins to invite users to their tenant via email
  4. Multi-tenant membership - Allow users to belong to multiple tenants and switch between them
  5. Role-based access control (RBAC) - Implement roles such as:
    - Super Admin (instance-wide)
    - Tenant Admin (tenant-wide)
    - Member (read/write within tenant)
    - Viewer (read-only within tenant)

Use case and benefits

Use case: An organization deploys self-hosted Prowler to scan multiple AWS accounts. The security team needs to:

  • Onboard new team members without them creating separate tenants
  • Share scan results across the team
  • Control who can configure cloud providers and run scans
  • Prevent unauthorized users from registering

Benefits:

  • Enterprise-ready deployment
  • Centralized security scanning for teams
  • Better access control and audit trail
  • Reduced operational overhead (no need to manage multiple isolated instances)

Describe alternatives you've considered

  1. Single user per instance - Running Prowler with a shared account, but this lacks audit trail and individual accountability
  2. Multiple Prowler instances - Deploying separate instances per team/user, but this increases infrastructure costs and operational complexity
  3. External authentication proxy - Using an external reverse proxy with authentication, but this doesn't solve the tenant isolation problem within Prowler itself

All of them are painful.

Additional context

No response
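The following is an added illustration of the authorization model this request sketches (first user becomes super admin, invite-only registration, users belonging to several tenants, and the four proposed roles). It is not Prowler's code and not the issue author's; the class names `Role`, `Permission`, `User`, `Instance`, the `TENANT_ROLE_PERMISSIONS` mapping and the `tenant:<email>` tenant ids are assumptions chosen for the example. The point it makes for reviewers is that the super-admin flag lives on the instance, never on a tenant membership, so a tenant invitation can never escalate to instance-wide control, and that every permission decision passes through one function that also feeds an audit trail.

```python
"""Tenant-scoped RBAC with invite-only registration and multi-tenant membership.

Hypothetical example modelled on the roles proposed in the issue; not Prowler's
code. Role, Permission, User, Instance and the permission mapping are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Role(str, Enum):
    TENANT_ADMIN = "tenant_admin"  # tenant-wide
    MEMBER = "member"              # read/write within tenant
    VIEWER = "viewer"              # read-only within tenant


class Permission(str, Enum):
    VIEW_FINDINGS = "view_findings"
    RUN_SCAN = "run_scan"
    CONFIGURE_PROVIDER = "configure_provider"
    INVITE_USER = "invite_user"
    MANAGE_INSTANCE = "manage_instance"  # super admin only, never granted per tenant


# Assumed mapping from tenant role to the permissions it grants.
TENANT_ROLE_PERMISSIONS = {
    Role.VIEWER: {Permission.VIEW_FINDINGS},
    Role.MEMBER: {Permission.VIEW_FINDINGS, Permission.RUN_SCAN,
                  Permission.CONFIGURE_PROVIDER},
    Role.TENANT_ADMIN: {Permission.VIEW_FINDINGS, Permission.RUN_SCAN,
                        Permission.CONFIGURE_PROVIDER, Permission.INVITE_USER},
}


@dataclass
class User:
    email: str
    is_super_admin: bool = False                      # instance-wide flag, not a tenant role
    memberships: dict = field(default_factory=dict)   # tenant_id -> Role (several tenants allowed)
    active_tenant: Optional[str] = None


@dataclass
class Instance:
    invite_only: bool = True
    users: dict = field(default_factory=dict)         # email -> User
    invitations: dict = field(default_factory=dict)   # (email, tenant_id) -> Role
    audit: list = field(default_factory=list)         # (email, permission, tenant_id, allowed)

    def register(self, email: str) -> User:
        if email in self.users:
            raise ValueError(f"{email} is already registered")
        first_user = not self.users  # the first account becomes super admin
        pending = {t: r for (e, t), r in self.invitations.items() if e == email}
        if not pending and self.invite_only and not first_user:
            raise PermissionError("registration is invite-only")
        user = User(email=email, is_super_admin=first_user)
        if pending:
            # Invited users join the inviting tenants instead of getting their own.
            for tenant_id, role in pending.items():
                user.memberships[tenant_id] = role
                del self.invitations[(email, tenant_id)]
        else:
            # First user, or open registration: an isolated tenant, as today.
            user.memberships[f"tenant:{email}"] = Role.TENANT_ADMIN
        user.active_tenant = next(iter(user.memberships))
        self.users[email] = user
        return user

    def invite(self, inviter: User, email: str, tenant_id: str, role: Role) -> None:
        # Only a tenant admin of that tenant (or the super admin) may invite.
        if not self.allowed(inviter, Permission.INVITE_USER, tenant_id):
            raise PermissionError(f"{inviter.email} may not invite into {tenant_id}")
        existing = self.users.get(email)
        if existing is not None:
            existing.memberships[tenant_id] = role        # already registered: join now
        else:
            self.invitations[(email, tenant_id)] = role   # consumed at registration

    def switch_tenant(self, user: User, tenant_id: str) -> None:
        if tenant_id not in user.memberships:
            raise PermissionError(f"{user.email} is not a member of {tenant_id}")
        user.active_tenant = tenant_id

    def allowed(self, user: User, permission: Permission,
                tenant_id: Optional[str] = None) -> bool:
        """Single decision point: super admin bypasses tenant roles; everyone else
        gets only what their role in the given (or active) tenant grants."""
        tenant_id = tenant_id or user.active_tenant
        if user.is_super_admin:
            decision = True
        elif permission is Permission.MANAGE_INSTANCE:
            decision = False
        else:
            role = user.memberships.get(tenant_id)
            decision = role is not None and permission in TENANT_ROLE_PERMISSIONS[role]
        self.audit.append((user.email, permission.value, tenant_id, decision))
        return decision
```

Typical flow: `Instance(invite_only=True)`, register the first user (who becomes super admin and gets a tenant), have that user `invite()` a colleague as `Role.VIEWER`, then the colleague's `register()` lands in the existing tenant with read-only rights and `allowed(colleague, Permission.RUN_SCAN)` returns `False`. A second invitation adds a further membership, and `switch_tenant()` only accepts tenants the user actually belongs to.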
