All use-cases

Flagship flow

User management — end to end

The full invite-to-active journey — happy path, every negative branch, and four-eyes approval.

The full invite-to-active journey on one trail.

Happy path runs down the centre; edge cases branch to the right — expired invites, weak or breached passwords, MFA recovery, admin rejection, lockout and password reset. Every email and in-app alert is marked.

Mail = email sent Bell = in-app alert Amber diamond = automatic check Teal diamond = a person decides
Admin sends invite link invite email out User opens invite Invite valid? not expired yes no Set password Strong & safe? strength + HIBP check yes no Onboarding wizard Set up MFA (TOTP) authenticator app MFA verified? yes no Submit for approval admin gets request email Admin reviews approval gate approve reject Approved result: email + in-app Account activated Welcome notification in-app + email Invite expired / invalid Blocked. Admin resends a fresh invite link (new email). Weak / breached password Rejected. User picks a new one and retries. MFA failed / lost device Recovery flow: backup codes or admin re-issues MFA. Admin rejects User notified, fixes the issue, and resubmits. resubmit LOGIN-TIME EDGE CASES Too many failed logins Account locked → unlock or reset to recover. Forgot password Reset-link email → set a new password (re-checked).
app/admin/users
Team onboarding — invite member screen recording
Quick invite links, breached-password (HIBP) checks, TOTP MFA with recovery, account lockout, and four-eyes admin approval — with email and in-app alerts on every state change.