Every user in the application has an entry in the person table that holds their details.
In the normal configuration, users self-register with the application (a process that verifies the user's email address) and authenticate using a password. The application supports password change and recovery via email. It is also possible to enable alternative web-based login mechanisms such as Shibboleth/UKAMF. These mechanisms are typically implemented in the Apache httpd front-end.
If all potential users are known to be able to use an external authenticator, it is also possible to configure the application to use only external web-based authentication.
Access to additional permissions within the application is granted by a set of roles stored in the role_table database table. Key roles include:
Admin: gives access to the internal administration forms. The first user to register with a new application instance is usually given this role automatically unless you disable the service.feature.bootstrap.admin feature.
Developer: gives access to additional very low-level (and dangerous) functions, such as setting additional configuration properties or modifying the database tables.
Both of the above are usually set as “toggleable-roles” which can be explicitly turned on and off during a user session.