#Profile Settings

11 min read
RoleAccess Level
Client AdminEdit own account profile details in Account, and manage available security/MFA lifecycle actions
Client ManagerReview managed profile and security facts, and manage available MFA lifecycle actions
Client StaffReview managed profile and security facts, and manage available MFA lifecycle actions
Partner AdminEdit own account profile details in Settings, and review required operations-managed MFA status
Partner UserEdit own account profile details in Settings, and review required operations-managed MFA status

#Overview

Profile settings let you review the identity and security posture attached to your current portal session. Partner Admin and Partner User sessions use Settings Profile at /settings?section=profile to edit their own supported account profile fields by reusing the Account Profile form and /api/account/profile contract. Client Manager and Client Staff users use the same Settings Profile section for a managed read-only profile summary. Client Admin users use the Account shell at /account; legacy /settings?section=profile links redirect to /account?section=profile for that role.

Client Manager and Client Staff display name and email address remain managed identity fields in the Settings Profile panel. The portal does not store local-only Settings profile values and does not offer unaudited identity changes. If either value is wrong in Settings Profile, open Support in the signed-in portal and create an account ticket for a profile update request.

Client Admin and partner users can edit the implemented Account Profile fields that the backend exposes for self-service: first name, last name, mobile number, timezone, and portal language. Email address remains read-only in Account Profile. Verified email-change requests use the dedicated email-change flow when available. Security and MFA management for Client Admin users is in Account > Security. Partner MFA appears in Settings as a required, operations-managed, non-editable summary.

#Prerequisites

  • You are signed in to the AiDial portal. See Signing In for instructions.
  • Your current session belongs to an active tenant.
  • Client Admin users need the /account shell for self-service profile edits. Partner Admin and Partner User sessions edit their own profile from /settings?section=profile. Client Manager and Client Staff users use /settings?section=profile for the managed profile summary.
  • If MFA remediation is required, other protected portal areas remain blocked until the identity-provider setup or verification is completed and the portal security status is refreshed.

#Reviewing Your Profile

For Partner Admin and Partner User:

  1. Select Settings from the sidebar.
  2. Open the Profile section at /settings?section=profile.
  3. Review and edit the supported Account Profile fields: first name, last name, mobile number, timezone, and portal language.
  4. Review the read-only email address and email verification badge when one is available.
  5. Review the required operations-managed MFA summary. MFA is required for integration-secret changes, key rotation, signing-secret rotation, SCIM token rotation, and SSO/SCIM setup. Step-up on publish, rollback, and compliance remains pending the audit mirror.

For Client Manager and Client Staff:

  1. Select Settings from the sidebar.
  2. Open the Profile section at /settings?section=profile.
  3. Review the profile and security summary:
  • Display name - the name from your authenticated session, or Unavailable when the session does not provide one
  • Email address - the email from your authenticated session, or Unavailable when the session does not provide one
  • Portal role - your current server-resolved portal role
  • Allowed factors - MFA factors currently permitted by role, policy, and tenant state
  • Enrolled factors - MFA factors currently reported for your account
  • Security status - whether MFA is required, satisfied, pending, failed, optional, or unavailable
  1. Use Refresh security status after completing MFA setup or verification with the identity provider.

For Client Admin:

  1. Open Profile from the account menu, or go to /account?section=profile.
  2. Review and edit the supported Account Profile fields: first name, last name, mobile number, timezone, and portal language.
  3. Review the read-only email address and email verification badge when one is available.
  4. Use Account > Security at /account?section=security for password, two-factor, recovery-code, and recent-activity security surfaces.

#Ownership Matrix

Field or ActionPortal BehaviourSource of Truth
Display nameManaged identity field for Client Manager and Client Staff. Partner and Client Admin display names are composed from self-service Account Profile fields after save.Identity provider, organisation-admin process, or aidial_api account profile endpoint
Email addressRead-only in Account Profile; selectable for copying but not directly edited in the profile form. Verified email-change requests use the dedicated email-change flow when available.Identity provider or account profile source
Client Admin, Partner Admin, and Partner User first name, last name, mobile, timezone, and languageSelf-service Account Profile fields saved through the Account BFF with ETag concurrency checks.aidial_api account profile endpoint
Portal roleRead-only security fact. The portal does not offer broad role changes from Profile.Server-resolved tenant assignment
Allowed factorsProvider-backed read-only security fact.Current MFA policy and identity-provider state
Enrolled factors and passkey metadataProvider-backed security fact; passkey rows show reported device label and last-used time when available.Identity provider lookup and session MFA state
Partner MFA statusRequired, operations-managed, non-editable summary in Settings Profile.Identity provider, portal security policy, and operations workflow
MFA lifecycle actionsClient-facing self-service only when the trusted identity-provider action is available for your account state. Partner Settings Profile does not expose MFA edit controls.Identity provider and portal security policy
Password changesNot a Profile form action. Use the identity-provider or administrator-supported recovery path.Identity provider

#MFA Actions

Settings Profile and Account Security show MFA actions only when the current session and account security state make them available. Partner Settings Profile shows the required operations-managed MFA summary instead of edit controls.

ActionWhen It AppearsBehaviour
Open MFA setupA trusted provider setup URL is available, or the portal can derive the standard trusted Zitadel setup URL for first-time mandatory-role remediation.Opens the identity provider in a new tab. Complete setup there, then refresh the profile security status.
MFA setup unavailable / MFA management unavailableThe portal cannot verify a trusted provider action for the current state.Refresh your security status after signing in again. If it remains unavailable, contact your administrator.
I stored my recovery codesA new or re-enabled MFA recovery-code set needs acknowledgement.Records that you stored the recovery codes. This action requires the current lifecycle marker.
I reviewed my recovery codesThis session used a recovery code and the portal shows a reminder.Records that you reviewed or regenerated provider-issued recovery codes. This action requires the current lifecycle marker and does not store raw codes in the portal.
I generated a new recovery-code setMFA is enrolled and a trusted provider setup URL is available.Records that you generated a new recovery-code set with the provider.
Open provider MFA management to disableThe current role and account state allow MFA disable.Opens the trusted provider management URL in a new tab after the portal records the launch. Roles with mandatory MFA do not receive this action.
Enrol SMS one-time codesms_otp is present in your allowed factors.Collects an Australian +61 mobile number, validates and rate-limits the request, forwards it once to Zitadel, and keeps only a masked tail in portal feedback and audit metadata.

Other protected portal areas remain blocked while mandatory MFA is not compliant. Complete setup or verification with the provider, then return to the profile or security surface and refresh the security status.

If you lose access to your authenticator, use a provider-issued recovery code during sign-in. If you no longer have recovery codes, contact your organisation administrator or help@aidial.com.au. The Profile section can show reminders and trusted provider links, but it cannot bypass MFA, reveal one-time codes, or reset your authenticator directly.

#Field Reference

Field NameDescriptionSource and Behaviour
Display nameName shown for the current signed-in user in Settings ProfileManaged by the identity provider or organisation-admin process for Client Manager and Client Staff. Partner and Client Admin display names update through the self-service Account Profile form. Blank or missing values are displayed as Unavailable where the managed summary is used.
First nameAccount Profile fieldEditable at /account?section=profile for Client Admin and at /settings?section=profile for Partner Admin and Partner User. Changes are saved through /api/account/profile with an If-Match ETag.
Last nameAccount Profile fieldEditable at /account?section=profile for Client Admin and at /settings?section=profile for Partner Admin and Partner User. Changes are saved through /api/account/profile with an If-Match ETag.
Mobile numberAccount Profile fieldEditable through the Account Profile form; backend validation is surfaced inline when the value is rejected.
TimezoneAccount Profile fieldEditable from the supported timezone list returned to the form.
Portal languageAccount Profile fieldCurrently limited to English (Australia), en-AU.
Email addressEmail shown for the current signed-in userIdentity-provider managed. Settings Profile shows blank or missing values as Unavailable. Account Profile renders email as read-only and shows an Email verified badge when reported.
Portal roleServer-resolved role for this sessionPortal role is a read-only access assignment resolved server-side from the session context. Navigation visibility is not a security boundary.
Allowed factorsMFA factors recognised for this sessionDerived from MFA state on the session, with supported labels for authenticator app, recovery code, email one-time code, SMS one-time code, and passkey or security key.
Enrolled factorsMFA factors reported for your accountDerived from session MFA state and provider lookup. Absence is not treated as editable profile data.
PolicyWhether MFA is required or optional for the current role/sessionDerived from the session MFA snapshot. Client Admin is optional by role; any client role may still be required by an explicit tenant or user policy.
EnrollmentCurrent MFA enrolment stateShows enrolled, not enrolled, or unknown.
Challenge stateCurrent MFA challenge stateShows satisfied, required, failed, or unknown.
Passkey device label and last usedMetadata for enrolled passkey or security-key factorsDisplayed only when WebAuthn is allowed or enrolled. Missing metadata is shown as not reported.
Lifecycle status last refreshedTime the MFA lifecycle status was last refreshedDisplayed in your portal locale.

#Access, Scope, and Runtime Behaviour

The browser uses your signed-in portal session. You do not need to enter or send an API key, and the browser must not send X-API-Key.

Profile details and MFA actions are scoped to the current signed-in user and active tenant. Browser calls go to portal route handlers such as /api/settings/profile, /api/settings/profile/mfa-lifecycle, /api/auth/mfa-sms-enrol, and /api/account/profile; those server-side routes inject the bearer token and call aidial_api. API routes enforce their own auth, CSRF, tenant checks, and route security headers because middleware does not protect /api/**.

Settings Profile reads MFA lifecycle state from aidial_api through /v1/portal-mfa-lifecycle. Account Profile reads and saves Client Admin, Partner Admin, and Partner User profile details through /v1/account/profile. The Account Profile save path requires an If-Match ETag, rejects unsupported fields before calling the API, and refreshes the trusted session context after a successful save.

MFA actions may be rate-limited and require a current trusted identity-provider state. If your tenant, session, or MFA state cannot be verified, the portal blocks the action and asks you to refresh or sign in again.

#Common Issues

IssueResolution
I am a Client Admin and /settings?section=profile opens Account insteadThis is expected. The middleware redirects Client Admin legacy Settings Profile links to /account?section=profile.
I cannot edit my display name or email address in Settings ProfileClient Manager and Client Staff identity fields are managed; open Support in the signed-in portal and create an account ticket for a profile update request. Partner roles edit first and last name through Settings Profile, while email remains read-only and uses the verified email-change flow when available.
I am a Client Admin and Save profile is disabledSave is only enabled after a supported field changes and the latest Account Profile load returned an ETag. Refresh the profile and try again if the page reports that it could not lock your profile.
My Account Profile save says the profile changed elsewhereThe portal reloaded the latest profile after an ETag conflict. Review your local edits, make another change if needed, then save again.
I cannot find a timezone field in Settings ProfileTimezone is not part of the managed Settings Profile summary. Client Admin users can edit their account timezone in /account?section=profile; Partner Admin and Partner User sessions can edit it in /settings?section=profile. Other roles use the project or browser timezone behaviour on other pages.
MFA setup is unavailableSign in again and refresh the security status. If no trusted provider action appears, use a provider-issued recovery code during sign-in where available, then contact your administrator or help@aidial.com.au if you remain locked out.
Other pages stay blocked after MFA setupReturn to the profile or security surface and refresh the security status so the portal can read the latest MFA state.
SMS one-time code enrolment is unavailableSMS appears only when your role and tenant policy include sms_otp in allowed factors. It currently accepts Australian +61 mobile numbers and may be rate-limited.
Passkey metadata is missingThe provider may not report a device label or last-used time. The portal shows the factor status and marks missing metadata as not reported.
A recovery-code prompt stays visibleConfirm that you stored or reviewed your provider-issued recovery codes, then use the matching acknowledgement action. If the lifecycle changed elsewhere, refresh the profile summary. Do not paste recovery-code values into portal support requests.
Profile summary will not loadRetry the profile summary. If it still fails, your session, tenant status, or MFA lifecycle state may need administrator attention.