User Accounts & Security
Range Warden supports multiple user accounts with role-based access control. This guide covers account management, security settings, and authentication features.
User roles
Every user account is assigned one of three roles:
| Role | Access level |
|---|---|
| Admin | Full system access — settings, users, modules, audit logs, and everything below |
| Manager | Day-to-day operations — members, payments, reports, RSO scheduling |
| RSO | Range operations — check-in portal, RSO shifts, approval queue |
What each role can do
| Feature | Admin | Manager | RSO |
|---|---|---|---|
| Dashboard | ✓ | ✓ | ✓ |
| Member management | ✓ | ✓ | — |
| Check-in portal | ✓ | ✓ | ✓ |
| RSO shifts | ✓ | ✓ | ✓ |
| RSO scheduling | ✓ | ✓ | — |
| Approval queue | ✓ | ✓ | ✓ |
| Payments | ✓ | ✓ | — |
| Reports | ✓ | ✓ | — |
| Settings & configuration | ✓ | — | — |
| User management | ✓ | — | — |
| Module management | ✓ | — | — |
| Audit log | ✓ | — | — |
Managing user accounts
Required role: Admin
Navigate to Admin → People → Users.
Creating a user
- Click Add User.
- Fill in:
  - First Name and Last Name
  - Email — This is their login email (must be unique)
  - Password — Set a temporary password; the user should change it after first login
  - Role — Select Admin, Manager, or RSO
  - Linked Member — Optionally link to a member record (recommended for RSOs)
- Click Create.
The new user can now log in at your Range Warden URL.
Editing a user
Click the edit button next to any user to change their name, email, role, or linked member.
Disabling a user
To prevent a user from logging in without deleting their account:
- Click the disable button next to the user.
- The account is immediately locked — all active sessions are invalidated.
- Re-enable the account at any time by clicking the enable button.
Resetting a user’s password
If a user is locked out or has forgotten their password:
- Click Reset Password next to the user.
- A password reset email is sent to the user’s email address with a time-limited link.
Alternatively, the user can click Forgot Password on the login page to initiate a reset themselves.
Disabling a user’s 2FA
If a user loses access to their authenticator app and backup codes:
- Click Disable 2FA next to the user.
- Their two-factor authentication is removed.
- They’ll be prompted to set up 2FA again on their next login (admin and manager roles).
User settings (personal)
Every user can access their own settings by clicking their name in the top-right corner.
Changing your password
- Go to User Settings → Security.
- Enter your current password.
- Enter a new password.
Password requirements:
- Minimum 8 characters
- Must include uppercase and lowercase letters
- Must include at least one number
- Must include at least one special character
Setting a PIN
A PIN provides quick authentication for the kiosk RSO portal:
- Go to User Settings → Security.
- Set a numeric PIN.
- Click Save.
Your PIN can be used instead of a full password when logging into the RSO Portal on a kiosk tablet.
Two-factor authentication (2FA)
Range Warden supports TOTP-based two-factor authentication using standard authenticator apps.
Setting up 2FA
- Go to User Settings → Security → Two-Factor Authentication.
- Click Set Up 2FA.
- A QR code is displayed — scan it with your authenticator app:
  - Google Authenticator
  - Authy
  - Microsoft Authenticator
  - 1Password
  - Or any TOTP-compatible app
- Enter the 6-digit code from your authenticator app to verify.
- Save your backup codes — These are one-time codes you can use if you lose access to your authenticator app. Store them in a secure location.
2FA enforcement
Two-factor authentication is required for admin and manager accounts. If you haven’t set up 2FA, a banner will appear after login prompting you to enable it. You can continue using the system, but the prompt will persist until 2FA is configured.
Using 2FA to log in
- Enter your email and password on the login page.
- A 2FA challenge screen appears.
- Enter the 6-digit code from your authenticator app.
- You’re logged in.
Using backup codes
If you don’t have access to your authenticator app:
- On the 2FA challenge screen, click Use Backup Code.
- Enter one of your saved backup codes.
- You’re logged in. The used backup code is consumed and cannot be reused.
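The two second-factor checks described above, sketched as an added example (not Range Warden's own code): RFC 6238 TOTP verification for the 6-digit code, and one-time consumption of a backup code. The function names, the ±1 time-step drift tolerance, the replay guard via `last_step`, and storing backup codes as SHA-256 hashes are all assumptions of this sketch.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # the page specifies 6-digit codes


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) as a zero-padded 6-digit string."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret, code, now, last_step=-1, drift=1):
    """Return the matched time step, or None.

    Steps <= last_step are refused so an observed code cannot be replayed;
    the caller stores the returned step as the new last_step.
    """
    if not (len(code) == DIGITS and code.isascii() and code.isdigit()):
        return None
    current = now // STEP
    for step in range(max(0, current - drift), current + drift + 1):
        expected = totp(secret, step * STEP)
        # Constant-time comparison avoids leaking how many digits matched.
        if step > last_step and hmac.compare_digest(expected.encode(), code.encode()):
            return step
    return None


def hash_code(code: str) -> str:
    # Assumption: backup codes are random and long enough that a plain hash suffices.
    return hashlib.sha256(code.encode()).hexdigest()


def use_backup_code(stored_hashes: set, code: str) -> bool:
    """Consume a backup code: accepted once, then removed from the stored set."""
    digest = hash_code(code.strip())
    if digest in stored_hashes:
        stored_hashes.discard(digest)
        return True
    return False
```
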
Regenerating backup codes
If you’ve used most of your backup codes or think they may be compromised:
- Go to User Settings → Security → Two-Factor Authentication.
- Click Regenerate Backup Codes.
- Save the new codes. The old codes are invalidated.
Disabling 2FA
- Go to User Settings → Security → Two-Factor Authentication.
- Click Disable 2FA.
- Confirm with your password.
Admins can also disable 2FA for other users from the user management page.
Session management
Range Warden manages user sessions with the following security measures:
Idle timeout
Sessions automatically expire after a period of inactivity. The timeout duration is configurable by an admin in Admin → Range → Kiosk → Session Timeout.
Before the session expires, a 30-second countdown warning appears, giving you time to click “Stay Logged In” if you’re still active.
Multi-session limit
Each user can have a maximum of 5 active sessions at a time (e.g., on different devices or browsers). If a 6th session is created, the oldest session is automatically invalidated.
Silent refresh
When you reload the page or return to Range Warden after closing the browser, the system attempts a silent refresh. If your session is still valid, you’re automatically authenticated without re-entering your password.
Account lockout
To protect against brute-force password attacks:
- After 5 failed login attempts within 15 minutes, the account is temporarily locked.
- The lockout lasts 15 minutes.
- During lockout, no login attempts are accepted for that account.
- After 15 minutes, the account is automatically unlocked and the user can try again.
If a user is frequently locked out, an admin can reset their password from the user management page.
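The lockout rule above (5 failures within 15 minutes, 15-minute lock, automatic unlock) modelled as a sliding window, as an added example that is not Range Warden's own code. The class and method names are hypothetical, state is held in memory only, and clearing the failure count on a successful login is an assumption.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5            # failed attempts allowed inside the window (from the page)
WINDOW_SECONDS = 15 * 60    # failures are counted over 15 minutes (from the page)
LOCKOUT_SECONDS = 15 * 60   # lockout duration (from the page)


class LockoutTracker:
    """Per-account sliding-window lockout (hypothetical, in-memory only)."""

    def __init__(self):
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> unlock time in epoch seconds

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lockout elapsed: unlock automatically and start from a clean slate.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt at time `now`."""
        if self.is_locked(account, now):
            # Refused before the password is evaluated, so even a correct
            # password is not accepted while the lock is active.
            return "locked"
        if password_ok:
            self._failures.pop(account, None)  # assumption: success clears the count
            return "ok"
        window = self._failures[account]
        window.append(now)
        while window and window[0] <= now - WINDOW_SECONDS:
            window.popleft()  # drop failures older than the 15-minute window
        if len(window) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
        return "failed"
```
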
Audit log
Required role: Admin
Navigate to Admin → Audit Log.
The audit log is an immutable record of all significant actions in the system. Every entry includes:
- Timestamp — When the action occurred
- Action — What happened (e.g., `member_created`, `payment_voided`, `setting_updated`)
- User — Who performed the action
- Entity — What was affected (member, payment, user, etc.)
- Details — Before and after values where applicable
What’s logged
| Category | Events |
|---|---|
| Members | Created, updated, deleted, archived, restored |
| Check-ins | Check-in, check-out, kiosk check-in, kiosk checkout |
| Payments | Created, refunded, voided |
| Users | Created, updated, password reset |
| Settings | Updated (sensitive values are redacted in the log) |
| Import/Export | Member imports, member exports |
Filtering the audit log
Use the filters at the top of the page:
- Action type — Show only specific action types
- Date range — Narrow to a specific time period
Audit log security
- Audit logs cannot be deleted or modified by any user, including admins.
- Sensitive values (passwords, API keys) are automatically redacted in log entries.
- Export operations are themselves logged in the audit trail.