Onboard an Operator

What this is: giving a new person their own login so they can use the system. When you'd do it: someone new joins and needs access. How long it takes: about two minutes, with the person and their security key next to you.

Who can do this: an Admin. These screens only show up if your own login has the Admin role. A normal Operator login won't see them — if the menu below isn't there, ask an admin to do this or to upgrade your access.

You'll do everything on the Directory website — the admin site you log in to. No command line, no technical steps. If you can fill in a web form, you can do this.

The shape of it

flowchart LR
    A["You open the<br/>Directory site"] --> B["Create the<br/>person's profile"]
    B --> C["They tap their<br/>security key"]
    C --> D["They log in —<br/>done"]

Three things happen: you make them a profile, they register their security key (the little USB/NFC key, or their phone), and then they can log in. That's it.

Before you start

• You're signed in to the Directory site as an admin.
• The new person is with you, and they have their security key (or phone) on them. They need to tap it themselves — you can't do this part for them.

Steps

1. Open the people list. In the top menu, click Principals. ("Principal" is just the system's word for a person or thing with a login.)

2. Start a new one. Click Create Principal (top right). A short form opens.

3. Fill in the form:

4. Display Name — their name, e.g. James Ward.
5. Unit — their team or unit, e.g. 1 Platoon, A Coy. Optional — skip it if you're not sure.

6. Role — leave it on Operator for a normal user. Only pick Admin if this person should also be able to manage other people. (Position Only is for someone who should appear on the map but not send messages.)

7. Save it. Click Create Principal. You'll land on the new person's page.

8. Register their security key. On that page, click Register FIDO Key. Give the key a name they'll recognise (e.g. James's YubiKey) — or just leave the default — then click Tap Security Key to Register. The person taps their key now. When you see "Key registered successfully", you're done.

9. They log in. The person can now log in on their own device using that same key. The first login quietly hands their device a batch of passes that keep it working for the next few weeks — nothing for you to do.

How to know it worked

• Their page shows a green active badge.
• Under FIDO Credentials, you can see the key you just registered.
• They can log in on their own device.

If something goes wrong

• The key tap failed or timed out. No harm done — just click Register FIDO Key again and retry. Make sure the key is plugged in (or the phone is unlocked and close).
• They registered the wrong key, or lost it. On their page, under FIDO Credentials, click Delete next to the old key, then register the right one. They keep the same profile — you don't start over.
• You picked the wrong role. Click Edit on their page and change it.

See also

• Operator training index
• Onboard a device — for a drone, sensor, or feed instead of a person
• Revoke a principal — when someone leaves
• Curious how identity works under the hood? See the security model.

---

Verified against directory@e8287cd on 2026-06-07 — screens: resources/views/domains/admin/principals/ (create, fido_register, show); logic: app/domains/admin/principals/principals_controller.ts.