#Profile Settings
| Role | Access Level |
|---|---|
| Client Admin | Edit own account profile details in Account, and manage available security/MFA lifecycle actions |
| Client Manager | Review managed profile and security facts, and manage available MFA lifecycle actions |
| Client Staff | Review managed profile and security facts, and manage available MFA lifecycle actions |
| Partner Admin | Edit own account profile details in Settings, and review required operations-managed MFA status |
| Partner User | Edit own account profile details in Settings, and review required operations-managed MFA status |
#Overview
Profile settings let you review the identity and security posture attached to your current portal session. Partner Admin and Partner User sessions use Settings Profile at /settings?section=profile to edit their own supported account profile fields by reusing the Account Profile form and /api/account/profile contract. Client Manager and Client Staff users use the same Settings Profile section for a managed read-only profile summary. Client Admin users use the Account shell at /account; legacy /settings?section=profile links redirect to /account?section=profile for that role.
Client Manager and Client Staff display name and email address remain managed identity fields in the Settings Profile panel. The portal does not store local-only Settings profile values and does not offer unaudited identity changes. If either value is wrong in Settings Profile, open Support in the signed-in portal and create an account ticket for a profile update request.
Client Admin and partner users can edit the implemented Account Profile fields that the backend exposes for self-service: first name, last name, mobile number, timezone, and portal language. Email address remains read-only in Account Profile. Verified email-change requests use the dedicated email-change flow when available. Security and MFA management for Client Admin users is in Account > Security. Partner MFA appears in Settings as a required, operations-managed, non-editable summary.
#Prerequisites
- You are signed in to the AiDial portal. See Signing In for instructions.
- Your current session belongs to an active tenant.
- Client Admin users need the
/accountshell for self-service profile edits. Partner Admin and Partner User sessions edit their own profile from/settings?section=profile. Client Manager and Client Staff users use/settings?section=profilefor the managed profile summary. - If MFA remediation is required, other protected portal areas remain blocked until the identity-provider setup or verification is completed and the portal security status is refreshed.
#Reviewing Your Profile
For Partner Admin and Partner User:
- Select Settings from the sidebar.
- Open the Profile section at
/settings?section=profile. - Review and edit the supported Account Profile fields: first name, last name, mobile number, timezone, and portal language.
- Review the read-only email address and email verification badge when one is available.
- Review the required operations-managed MFA summary. MFA is required for integration-secret changes, key rotation, signing-secret rotation, SCIM token rotation, and SSO/SCIM setup. Step-up on publish, rollback, and compliance remains pending the audit mirror.
For Client Manager and Client Staff:
- Select Settings from the sidebar.
- Open the Profile section at
/settings?section=profile. - Review the profile and security summary:
- Display name - the name from your authenticated session, or Unavailable when the session does not provide one
- Email address - the email from your authenticated session, or Unavailable when the session does not provide one
- Portal role - your current server-resolved portal role
- Allowed factors - MFA factors currently permitted by role, policy, and tenant state
- Enrolled factors - MFA factors currently reported for your account
- Security status - whether MFA is required, satisfied, pending, failed, optional, or unavailable
- Use Refresh security status after completing MFA setup or verification with the identity provider.
For Client Admin:
- Open Profile from the account menu, or go to
/account?section=profile. - Review and edit the supported Account Profile fields: first name, last name, mobile number, timezone, and portal language.
- Review the read-only email address and email verification badge when one is available.
- Use Account > Security at
/account?section=securityfor password, two-factor, recovery-code, and recent-activity security surfaces.
#Ownership Matrix
| Field or Action | Portal Behaviour | Source of Truth |
|---|---|---|
| Display name | Managed identity field for Client Manager and Client Staff. Partner and Client Admin display names are composed from self-service Account Profile fields after save. | Identity provider, organisation-admin process, or aidial_api account profile endpoint |
| Email address | Read-only in Account Profile; selectable for copying but not directly edited in the profile form. Verified email-change requests use the dedicated email-change flow when available. | Identity provider or account profile source |
| Client Admin, Partner Admin, and Partner User first name, last name, mobile, timezone, and language | Self-service Account Profile fields saved through the Account BFF with ETag concurrency checks. | aidial_api account profile endpoint |
| Portal role | Read-only security fact. The portal does not offer broad role changes from Profile. | Server-resolved tenant assignment |
| Allowed factors | Provider-backed read-only security fact. | Current MFA policy and identity-provider state |
| Enrolled factors and passkey metadata | Provider-backed security fact; passkey rows show reported device label and last-used time when available. | Identity provider lookup and session MFA state |
| Partner MFA status | Required, operations-managed, non-editable summary in Settings Profile. | Identity provider, portal security policy, and operations workflow |
| MFA lifecycle actions | Client-facing self-service only when the trusted identity-provider action is available for your account state. Partner Settings Profile does not expose MFA edit controls. | Identity provider and portal security policy |
| Password changes | Not a Profile form action. Use the identity-provider or administrator-supported recovery path. | Identity provider |
#MFA Actions
Settings Profile and Account Security show MFA actions only when the current session and account security state make them available. Partner Settings Profile shows the required operations-managed MFA summary instead of edit controls.
| Action | When It Appears | Behaviour |
|---|---|---|
| Open MFA setup | A trusted provider setup URL is available, or the portal can derive the standard trusted Zitadel setup URL for first-time mandatory-role remediation. | Opens the identity provider in a new tab. Complete setup there, then refresh the profile security status. |
| MFA setup unavailable / MFA management unavailable | The portal cannot verify a trusted provider action for the current state. | Refresh your security status after signing in again. If it remains unavailable, contact your administrator. |
| I stored my recovery codes | A new or re-enabled MFA recovery-code set needs acknowledgement. | Records that you stored the recovery codes. This action requires the current lifecycle marker. |
| I reviewed my recovery codes | This session used a recovery code and the portal shows a reminder. | Records that you reviewed or regenerated provider-issued recovery codes. This action requires the current lifecycle marker and does not store raw codes in the portal. |
| I generated a new recovery-code set | MFA is enrolled and a trusted provider setup URL is available. | Records that you generated a new recovery-code set with the provider. |
| Open provider MFA management to disable | The current role and account state allow MFA disable. | Opens the trusted provider management URL in a new tab after the portal records the launch. Roles with mandatory MFA do not receive this action. |
| Enrol SMS one-time code | sms_otp is present in your allowed factors. | Collects an Australian +61 mobile number, validates and rate-limits the request, forwards it once to Zitadel, and keeps only a masked tail in portal feedback and audit metadata. |
Other protected portal areas remain blocked while mandatory MFA is not compliant. Complete setup or verification with the provider, then return to the profile or security surface and refresh the security status.
If you lose access to your authenticator, use a provider-issued recovery code during sign-in. If you no longer have recovery codes, contact your organisation administrator or help@aidial.com.au. The Profile section can show reminders and trusted provider links, but it cannot bypass MFA, reveal one-time codes, or reset your authenticator directly.
#Field Reference
| Field Name | Description | Source and Behaviour |
|---|---|---|
| Display name | Name shown for the current signed-in user in Settings Profile | Managed by the identity provider or organisation-admin process for Client Manager and Client Staff. Partner and Client Admin display names update through the self-service Account Profile form. Blank or missing values are displayed as Unavailable where the managed summary is used. |
| First name | Account Profile field | Editable at /account?section=profile for Client Admin and at /settings?section=profile for Partner Admin and Partner User. Changes are saved through /api/account/profile with an If-Match ETag. |
| Last name | Account Profile field | Editable at /account?section=profile for Client Admin and at /settings?section=profile for Partner Admin and Partner User. Changes are saved through /api/account/profile with an If-Match ETag. |
| Mobile number | Account Profile field | Editable through the Account Profile form; backend validation is surfaced inline when the value is rejected. |
| Timezone | Account Profile field | Editable from the supported timezone list returned to the form. |
| Portal language | Account Profile field | Currently limited to English (Australia), en-AU. |
| Email address | Email shown for the current signed-in user | Identity-provider managed. Settings Profile shows blank or missing values as Unavailable. Account Profile renders email as read-only and shows an Email verified badge when reported. |
| Portal role | Server-resolved role for this session | Portal role is a read-only access assignment resolved server-side from the session context. Navigation visibility is not a security boundary. |
| Allowed factors | MFA factors recognised for this session | Derived from MFA state on the session, with supported labels for authenticator app, recovery code, email one-time code, SMS one-time code, and passkey or security key. |
| Enrolled factors | MFA factors reported for your account | Derived from session MFA state and provider lookup. Absence is not treated as editable profile data. |
| Policy | Whether MFA is required or optional for the current role/session | Derived from the session MFA snapshot. Client Admin is optional by role; any client role may still be required by an explicit tenant or user policy. |
| Enrollment | Current MFA enrolment state | Shows enrolled, not enrolled, or unknown. |
| Challenge state | Current MFA challenge state | Shows satisfied, required, failed, or unknown. |
| Passkey device label and last used | Metadata for enrolled passkey or security-key factors | Displayed only when WebAuthn is allowed or enrolled. Missing metadata is shown as not reported. |
| Lifecycle status last refreshed | Time the MFA lifecycle status was last refreshed | Displayed in your portal locale. |
#Access, Scope, and Runtime Behaviour
The browser uses your signed-in portal session. You do not need to enter or send an API key, and the browser must not send X-API-Key.
Profile details and MFA actions are scoped to the current signed-in user and active tenant. Browser calls go to portal route handlers such as /api/settings/profile, /api/settings/profile/mfa-lifecycle, /api/auth/mfa-sms-enrol, and /api/account/profile; those server-side routes inject the bearer token and call aidial_api. API routes enforce their own auth, CSRF, tenant checks, and route security headers because middleware does not protect /api/**.
Settings Profile reads MFA lifecycle state from aidial_api through /v1/portal-mfa-lifecycle. Account Profile reads and saves Client Admin, Partner Admin, and Partner User profile details through /v1/account/profile. The Account Profile save path requires an If-Match ETag, rejects unsupported fields before calling the API, and refreshes the trusted session context after a successful save.
MFA actions may be rate-limited and require a current trusted identity-provider state. If your tenant, session, or MFA state cannot be verified, the portal blocks the action and asks you to refresh or sign in again.
#Common Issues
| Issue | Resolution |
|---|---|
I am a Client Admin and /settings?section=profile opens Account instead | This is expected. The middleware redirects Client Admin legacy Settings Profile links to /account?section=profile. |
| I cannot edit my display name or email address in Settings Profile | Client Manager and Client Staff identity fields are managed; open Support in the signed-in portal and create an account ticket for a profile update request. Partner roles edit first and last name through Settings Profile, while email remains read-only and uses the verified email-change flow when available. |
| I am a Client Admin and Save profile is disabled | Save is only enabled after a supported field changes and the latest Account Profile load returned an ETag. Refresh the profile and try again if the page reports that it could not lock your profile. |
| My Account Profile save says the profile changed elsewhere | The portal reloaded the latest profile after an ETag conflict. Review your local edits, make another change if needed, then save again. |
| I cannot find a timezone field in Settings Profile | Timezone is not part of the managed Settings Profile summary. Client Admin users can edit their account timezone in /account?section=profile; Partner Admin and Partner User sessions can edit it in /settings?section=profile. Other roles use the project or browser timezone behaviour on other pages. |
| MFA setup is unavailable | Sign in again and refresh the security status. If no trusted provider action appears, use a provider-issued recovery code during sign-in where available, then contact your administrator or help@aidial.com.au if you remain locked out. |
| Other pages stay blocked after MFA setup | Return to the profile or security surface and refresh the security status so the portal can read the latest MFA state. |
| SMS one-time code enrolment is unavailable | SMS appears only when your role and tenant policy include sms_otp in allowed factors. It currently accepts Australian +61 mobile numbers and may be rate-limited. |
| Passkey metadata is missing | The provider may not report a device label or last-used time. The portal shows the factor status and marks missing metadata as not reported. |
| A recovery-code prompt stays visible | Confirm that you stored or reviewed your provider-issued recovery codes, then use the matching acknowledgement action. If the lifecycle changed elsewhere, refresh the profile summary. Do not paste recovery-code values into portal support requests. |
| Profile summary will not load | Retry the profile summary. If it still fails, your session, tenant status, or MFA lifecycle state may need administrator attention. |