Wednesday, 1 April, 2026
Adding Users
IsoFind can operate in single-user mode (direct access, no authentication) or multi-user mode (separate accounts, roles, sessions). This page covers the choice of mode at installation, account creation and management, available roles, and access recovery procedures.
The Two Installation Modes
The operating mode is chosen at IsoFind installation. It is recorded in the configuration file isofind_config.json and cannot be changed without reinstallation.
Single-user mode
IsoFind opens directly, without a login page. All features are immediately available. This mode is suited to an individual workstation where only one person uses the software. The user menu in the top right allows preferences, session locking and security settings to be configured, but there is no separate account management.
Multi-user mode
A login screen is displayed at startup. Each user logs in with their username and password. Sessions are isolated. Access to administration functions is restricted to the administrator role. This mode is recommended for shared laboratories or teams of several people working on the same workstation or local network.
The mode can be specified during installation via the installation wizard, which offers both options with a description of the implications of each choice. In multi-user mode, the installer specifies that the first startup creates an administrator account whose temporary password is displayed on screen once only.
First Login in Multi-User Mode
On the first startup after a multi-user installation, IsoFind automatically generates an administrator account with the username admin and a random temporary password. This password is displayed on screen once only during first startup. It is never written to disk in plain text.
The first action after logging in is to change this temporary password from the user menu:
User menu → Security → Change password
The temporary password displayed at first startup cannot be retrieved afterwards. If the window is closed before noting it down, the only recovery option is the admin recovery code (see section below).
Creating a User
Creating additional accounts is restricted to the administrator role. It is done from the user management panel:
User menu → User management → Add a user
Required fields are the username (unique), email address (unique, used as an alternative identifier), password (minimum 6 characters) and role. The display name is optional.
The Four Available Roles
Each account is associated with a role that determines the actions accessible in the interface. The role is assigned at creation and can be modified later by an administrator.
| Role | Access |
|---|---|
| User | Data consultation, correspondence search, visualisation. No sample creation, modification or deletion. No access to administration settings. |
| Analyst | All User actions, plus: data import, sample creation and modification, export, access to advanced analysis modules (Nexus, spreadsheet, mapping). |
| Manager | All Analyst actions, plus: sample deletion, project management, access to system activity logs. |
| Administrator | Full access. User account management (creation, modification, deactivation, deletion), system configuration, licence and certificate management, access to the full audit trail, database protection activation/deactivation. |
In a shared laboratory context, it is advisable to assign the Analyst role to technicians who import and process data, the Manager role to the laboratory manager, and to keep the Administrator role for the person responsible for system configuration. This limits the risk of accidental data deletion by an inexperienced user.
Modifying an Existing Account
Changing a user's role
In the user management panel, each row exposes a directly editable role selector. The change is immediate and applies from the next action by the user concerned. An administrator cannot lower their own role.
Deactivating or reactivating an account
An account can be deactivated without being deleted. A deactivated account can no longer log in but its data and activity history are preserved. Deactivation is reversible. It is useful for team members temporarily absent or in a period of suspended access.
The active/inactive toggle button is accessible on each row of the user list. An account cannot be deactivated if it is the last active administrator account.
Resetting a user's password
An administrator can reset any user's password from the management panel. A new temporary password is generated and displayed once only. The user must change it on their next login.
Deleting an account
Account deletion is permanent. Analytical data created by that user is retained in the database; only the account and its session history are deleted. An administrator cannot delete their own account.
Session Management
Session duration
IsoFind sessions have a default validity of 8 hours. On expiry, the user is redirected to the login page. The duration can be adjusted in the administration settings according to deployment needs.
Automatic locking
Each user can enable automatic session locking after a configurable period of inactivity (1 to 60 minutes). This option is independent of the installation mode and works in single-user mode as well.
User menu → Security → Automatic locking
A locked session displays the lock screen. Unlocking requires the account password. Other users' sessions are unaffected.
Manual locking
Immediate locking of the current session is accessible from the user menu via the lock button. The lock screen is displayed instantly.
Simultaneous active sessions
IsoFind allows viewing and terminating the active sessions of an account from the user menu. In multi-user mode, an administrator can view the active sessions of all accounts from the administration panel and end any session.
Protection Against Authentication Attempts
IsoFind applies automatic account locking after 5 consecutive failed login attempts. The account is locked for 15 minutes. After this period it unlocks automatically. An administrator can also manually unlock an account from the user management panel before the delay expires.
Password hashing uses PBKDF2-HMAC-SHA256 with 600,000 iterations and a random 16-byte salt per account. Passwords are never stored in plain text and cannot be recovered, only reset.
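The lockout policy and hashing parameters above can be exercised together. The following is an added example, not IsoFind's own code: the `Account` class, its in-memory fields, the return strings, and the choice to reset the failure counter when the lock expires are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000      # PBKDF2 iteration count stated on this page
SALT_BYTES = 16           # random salt per account, as stated
MAX_FAILURES = 5          # consecutive failed attempts before locking
LOCK_SECONDS = 15 * 60    # automatic unlock delay

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh salt is drawn if none is given."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest

class Account:
    """Hypothetical in-memory account record (assumption, not IsoFind's schema)."""

    def __init__(self, password, iterations=ITERATIONS):
        self.iterations = iterations
        self.salt, self.digest = hash_password(password, iterations=iterations)
        self.failures = 0
        self.locked_until = 0.0

    def login(self, password, now):
        """`now` is a timestamp in seconds, e.g. time.time()."""
        if now < self.locked_until:
            return "locked"               # rejected without evaluating the password
        if self.locked_until:             # delay elapsed: automatic unlock
            self.admin_unlock()
        _, candidate = hash_password(password, self.salt, self.iterations)
        if hmac.compare_digest(candidate, self.digest):   # constant-time comparison
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCK_SECONDS
            return "locked"
        return "denied"

    def admin_unlock(self):
        """Manual unlock before the delay expires."""
        self.failures, self.locked_until = 0, 0.0
```

While the lock is active even the correct password is refused, which is what makes the 15-minute delay an effective rate limit on guessing.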
Administrator Access Recovery
If the administrator account password is lost and no other active administrator exists on the installation, the only recovery mechanism is the admin recovery code.
The admin recovery code
IsoFind generates a single-use recovery code at system initialisation. This code has the following properties:
- It has 192 bits of entropy (generated via secrets.token_urlsafe(24)).
- Only its PBKDF2 hash is stored in the database, never the plain-text code.
- It is single-use: once used to reset the admin password, it is atomically consumed and a new code is immediately generated.
- It cannot be regenerated on demand without administrator access.
User menu → Security → Recovery code
The recovery code is displayed once from the security menu by a logged-in administrator. It must be kept in a secure location separate from the IsoFind workstation, for example in a password manager or a physical safe.
Using the recovery code
On the login page, a "Forgot password" link opens the recovery form. It requests the recovery code and the new password for the admin account (minimum 8 characters). If the code is valid, the password is reset, all active admin sessions are invalidated, and a new recovery code is generated for the next emergency.
If the admin password is lost AND the recovery code has not been kept, there is no way to regain access without reinstalling IsoFind. A reinstallation recreates the user database from scratch. Analytical data in isofind.db is not affected, but all user accounts are lost.
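The single-use behaviour of the recovery code (hash-only storage, atomic consumption, immediate rotation) can be sketched with SQLite transactions. This is an added example, not IsoFind's implementation: the `recovery` table, the function names, and the salt and iteration count applied to the code are assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3

def kdf(secret, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)

def issue_code(db, iterations):
    """Store only the hash of a fresh code and return the plain text once."""
    code = secrets.token_urlsafe(24)          # 24 random bytes = 192 bits
    salt = secrets.token_bytes(16)
    db.execute("INSERT OR REPLACE INTO recovery VALUES (1, ?, ?, ?)",
               (salt, kdf(code, salt, iterations), iterations))
    return code

def init_db(iterations=600_000):
    # isolation_level=None: transactions are opened and closed explicitly below
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE recovery (id INTEGER PRIMARY KEY CHECK (id = 1),"
               " salt BLOB, digest BLOB, iterations INTEGER)")   # hypothetical schema
    return db, issue_code(db, iterations)

def redeem(db, presented):
    """Return the replacement code if `presented` is valid, else None."""
    db.execute("BEGIN IMMEDIATE")             # take the write lock before reading
    try:
        salt, digest, iterations = db.execute(
            "SELECT salt, digest, iterations FROM recovery WHERE id = 1").fetchone()
        if not hmac.compare_digest(kdf(presented, salt, iterations), digest):
            db.execute("ROLLBACK")
            return None
        # Consumption and rotation are one write: the old hash is overwritten,
        # so a replayed or concurrent submission of the old code cannot match.
        new_code = issue_code(db, iterations)
        # The admin password reset and session invalidation would be written
        # here, inside the same transaction, so all steps commit together.
        db.execute("COMMIT")
        return new_code
    except Exception:
        db.execute("ROLLBACK")
        raise
```

Because the check and the overwrite share one `BEGIN IMMEDIATE` transaction, two simultaneous submissions of the same code are serialised and only the first succeeds.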
User Activity Log
In multi-user mode, IsoFind records each account's activity in a dedicated log. Logged events include successful and failed logins and logouts, session locks, preference changes and log exports. Each account can consult the log of its own activity from the user menu; an administrator can consult the log for all accounts from the administration panel.
The user activity log is distinct from the analytical database audit trail described on the Securing the Software page. The two logging systems coexist and cover different scopes.
For deployments in sensitive environments requiring complete operator traceability, using multi-user mode jointly with the Advanced protection level (HMAC-SHA256 audit trail) allows precise identification of which account performed which operation on the analytical data, with timestamp and tamper-proof cryptographic chaining.