# Profile Settings
| Role | Access Level |
|---|---|
| Client Admin | Edit own account profile details in Account, and manage available security/MFA lifecycle actions |
| Client Manager | Review managed profile and security facts, and manage available MFA lifecycle actions |
| Client Staff | Review managed profile and security facts, and manage available MFA lifecycle actions |
# Overview
Profile settings let you review the identity and security posture attached to your current portal session. Client Manager and Client Staff users use the Settings Profile section at /settings?section=profile. Client Admin users use the Account shell at /account; legacy /settings?section=profile links redirect to /account?section=profile for that role.
Display name and email address are managed identity fields in the Settings Profile panel. The portal does not store local-only Settings profile values and does not offer unaudited identity changes. If either value is wrong in Settings Profile, open Support in the signed-in portal and create an account ticket for a profile update request.
Client Admin users can edit the implemented Account Profile fields that the backend exposes for self-service: first name, last name, mobile number, timezone, and portal language. Email address remains read-only in Account Profile. Security and MFA management for Client Admin users is in Account > Security.
# Prerequisites
- You are signed in to the AiDial portal. See Signing In for instructions.
- Your current session belongs to an active tenant.
- Client Admin users need the /account shell for self-service profile edits. Client Manager and Client Staff users use /settings?section=profile.
- If MFA remediation is required, other protected portal areas remain blocked until the identity-provider setup or verification is completed and the portal security status is refreshed.
# Reviewing Your Profile
For Client Manager and Client Staff:
- Select Settings from the sidebar.
- Open the Profile section at /settings?section=profile.
- Review the profile and security summary:
  - Display name - the name from your authenticated session, or Unavailable when the session does not provide one
  - Email address - the email from your authenticated session, or Unavailable when the session does not provide one
  - Portal role - your current server-resolved portal role
  - Allowed factors - MFA factors currently permitted by role, policy, and tenant state
  - Enrolled factors - MFA factors currently reported for your account
  - Security status - whether MFA is required, satisfied, pending, failed, optional, or unavailable
- Use Refresh security status after completing MFA setup or verification with the identity provider.
For Client Admin:
- Open Profile from the account menu, or go to /account?section=profile.
- Review and edit the supported Account Profile fields: first name, last name, mobile number, timezone, and portal language.
- Review the read-only email address and email verification badge when one is available.
- Use Account > Security at /account?section=security for password, two-factor, recovery-code, and recent-activity security surfaces.
# Ownership Matrix
| Field or Action | Portal Behaviour | Source of Truth |
|---|---|---|
| Display name | Managed identity field. The portal shows the session value or Unavailable and directs you to open Support in the signed-in portal for a profile update request. | Identity provider or organisation-admin process |
| Email address | Managed identity field. The portal shows the session value or Unavailable and directs you to open Support in the signed-in portal for a profile update request. | Identity provider |
| Client Admin first name, last name, mobile, timezone, and language | Self-service Account Profile fields saved through the Account BFF with ETag concurrency checks. | aidial_api account profile endpoint |
| Client Admin email address | Read-only in Account Profile; selectable for copying but not editable in the portal. | Identity provider or account profile source |
| Portal role | Read-only security fact. The portal does not offer broad role changes from Profile. | Server-resolved tenant assignment |
| Allowed factors | Provider-backed read-only security fact. | Current MFA policy and identity-provider state |
| Enrolled factors and passkey metadata | Provider-backed security fact; passkey rows show reported device label and last-used time when available. | Identity provider lookup and session MFA state |
| MFA lifecycle actions | Self-service only when the trusted identity-provider action is available for your account state. | Identity provider and portal security policy |
| Password changes | Not a Profile form action. Use the identity-provider or administrator-supported recovery path. | Identity provider |
# MFA Actions
Settings Profile and Account Security show MFA actions only when the current session and account security state make them available.
| Action | When It Appears | Behaviour |
|---|---|---|
| Open MFA setup | A trusted provider setup URL is available, or the portal can derive the standard trusted Zitadel setup URL for first-time mandatory-role remediation. | Opens the identity provider in a new tab. Complete setup there, then refresh the profile security status. |
| MFA setup unavailable / MFA management unavailable | The portal cannot verify a trusted provider action for the current state. | Refresh your security status after signing in again. If it remains unavailable, contact your administrator. |
| I stored my recovery codes | A new or re-enabled MFA recovery-code set needs acknowledgement. | Records that you stored the recovery codes. This action requires the current lifecycle marker. |
| I reviewed my recovery codes | This session used a recovery code and the portal shows a reminder. | Records that you reviewed or regenerated provider-issued recovery codes. This action requires the current lifecycle marker and does not store raw codes in the portal. |
| I generated a new recovery-code set | MFA is enrolled and a trusted provider setup URL is available. | Records that you generated a new recovery-code set with the provider. |
| Open provider MFA management to disable | The current role and account state allow MFA disable. | Opens the trusted provider management URL in a new tab after the portal records the launch. Roles with mandatory MFA do not receive this action. |
| Enrol SMS one-time code | sms_otp is present in your allowed factors. | Collects an Australian +61 mobile number, validates and rate-limits the request, forwards it once to Zitadel, and keeps only a masked tail in portal feedback and audit metadata. |
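The SMS enrolment row above describes a pipeline: accept an Australian +61 mobile number, validate it, rate-limit the request, forward it once to the provider, and keep only a masked tail in feedback and audit metadata. The following is an added example of that pipeline in JavaScript; it is not the AiDial portal's own code. The E.164 normalisation rule, the fixed-window limiter and its limit, the three-digit masked tail, the `FakeProvider` stand-in for Zitadel, and the `sms_otp` check order are all assumptions of this example.

```javascript
// Normalise an Australian mobile number to E.164, or return null if it is not one.
// Accepts the domestic 04XX XXX XXX form and the +61 4XX XXX XXX form with optional
// spaces, hyphens or parentheses; landlines and foreign numbers are rejected.
function normaliseAuMobile(input) {
  const compact = String(input).replace(/[\s\-()]/g, '');
  const m = /^(?:\+61|0)(4\d{8})$/.exec(compact);
  return m ? `+61${m[1]}` : null;
}

// Masked tail for UI feedback and audit metadata: country code and last three digits only.
function maskMobile(e164) {
  return `+61${'*'.repeat(e164.length - 6)}${e164.slice(-3)}`;
}

// Fixed-window counter per user (assumed limiter design; limit and window are parameters).
class FixedWindowLimiter {
  constructor(limit, windowMs) { this.limit = limit; this.windowMs = windowMs; this.hits = new Map(); }
  allow(key, nowMs) {
    const entry = this.hits.get(key);
    if (!entry || nowMs - entry.start >= this.windowMs) {
      this.hits.set(key, { start: nowMs, count: 1 });
      return true;
    }
    if (entry.count >= this.limit) return false;
    entry.count += 1;
    return true;
  }
}

// Constructed stand-in for the identity provider's SMS enrolment call (not Zitadel's API).
class FakeProvider {
  constructor() { this.calls = []; }
  enrolSms(userId, e164) { this.calls.push({ userId, e164 }); return { ok: true }; }
}

// Route-handler logic: check the factor is allowed, validate, rate-limit, forward once,
// and record only the masked tail. The raw number never reaches feedback or audit.
function enrolSms(ctx, rawMobile, nowMs) {
  if (!ctx.allowedFactors.includes('sms_otp')) return { ok: false, reason: 'factor_not_allowed' };
  const e164 = normaliseAuMobile(rawMobile);
  if (!e164) return { ok: false, reason: 'invalid_au_mobile' };
  if (!ctx.limiter.allow(ctx.userId, nowMs)) return { ok: false, reason: 'rate_limited' };
  const masked = maskMobile(e164);
  const result = ctx.provider.enrolSms(ctx.userId, e164); // the single forward to the provider
  ctx.audit.push({
    event: 'mfa_sms_enrol',
    userId: ctx.userId,
    mobile: masked,
    outcome: result.ok ? 'forwarded' : 'provider_rejected',
    at: nowMs,
  });
  return result.ok ? { ok: true, mobile: masked } : { ok: false, reason: 'provider_rejected', mobile: masked };
}

// Constructed run: one user, at most two enrolment requests per 15-minute window.
function demoEnrol() {
  const ctx = {
    userId: 'user-1',
    allowedFactors: ['totp', 'sms_otp'],
    limiter: new FixedWindowLimiter(2, 15 * 60 * 1000),
    provider: new FakeProvider(),
    audit: [],
  };
  const t0 = 1700000000000;
  const results = [
    enrolSms(ctx, '0212 345 678', t0),           // landline: rejected before the limiter
    enrolSms(ctx, '0412 345 678', t0 + 1000),    // forwarded
    enrolSms(ctx, '+61 412-345-679', t0 + 2000), // forwarded
    enrolSms(ctx, '0412 345 680', t0 + 3000),    // third in window: rate_limited, not forwarded
  ];
  return { results, ctx };
}
```

Validation runs before the limiter here so that obviously malformed input does not consume the user's quota; the audit entries can be inspected after `demoEnrol()` to confirm that no full number was recorded.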
Other protected portal areas remain blocked while mandatory MFA is not compliant. Complete setup or verification with the provider, then return to the profile or security surface and refresh the security status.
If you lose access to your authenticator, use a provider-issued recovery code during sign-in. If you no longer have recovery codes, contact your organisation administrator or help@aidial.com.au. The Profile section can show reminders and trusted provider links, but it cannot bypass MFA, reveal one-time codes, or reset your authenticator directly.
# Field Reference
| Field Name | Description | Source and Behaviour |
|---|---|---|
| Display name | Name shown for the current signed-in user in Settings Profile | Managed by the identity provider or organisation-admin process. Blank or missing values are displayed as Unavailable. Use the profile update support request if it is wrong in Settings Profile. |
| First name | Client Admin Account Profile field | Editable at /account?section=profile. Changes are saved through /api/account/profile with an If-Match ETag. |
| Last name | Client Admin Account Profile field | Editable at /account?section=profile. Changes are saved through /api/account/profile with an If-Match ETag. |
| Mobile number | Client Admin Account Profile field | Editable at /account?section=profile; backend validation is surfaced inline when the value is rejected. |
| Timezone | Client Admin Account Profile field | Editable at /account?section=profile from the supported timezone list returned to the form. |
| Portal language | Client Admin Account Profile field | Currently limited to English (Australia), en-AU. |
| Email address | Email shown for the current signed-in user | Identity-provider managed. Settings Profile shows blank or missing values as Unavailable. Account Profile renders email as read-only and shows an Email verified badge when reported. |
| Portal role | Server-resolved role for this session | Portal role is a read-only access assignment resolved server-side from the session context. Navigation visibility is not a security boundary. |
| Allowed factors | MFA factors recognised for this session | Derived from MFA state on the session, with supported labels for authenticator app, recovery code, email one-time code, SMS one-time code, and passkey or security key. |
| Enrolled factors | MFA factors reported for your account | Derived from session MFA state and provider lookup. Absence is not treated as editable profile data. |
| Policy | Whether MFA is required or optional for the current role/session | Derived from the session MFA snapshot. Client Admin is optional by role; any client role may still be required by an explicit tenant or user policy. |
| Enrollment | Current MFA enrolment state | Shows enrolled, not enrolled, or unknown. |
| Challenge state | Current MFA challenge state | Shows satisfied, required, failed, or unknown. |
| Passkey device label and last used | Metadata for enrolled passkey or security-key factors | Displayed only when WebAuthn is allowed or enrolled. Missing metadata is shown as not reported. |
| Lifecycle status last refreshed | Time the MFA lifecycle status was last refreshed | Displayed in your portal locale. |
# Access, Scope, and Runtime Behaviour
The browser uses your signed-in portal session. You do not need to enter or send an API key, and the browser must not send X-API-Key.
Profile details and MFA actions are scoped to the current signed-in user and active tenant. Browser calls go to portal route handlers such as /api/settings/profile, /api/settings/profile/mfa-lifecycle, /api/auth/mfa-sms-enrol, and /api/account/profile; those server-side routes inject the bearer token and call aidial_api. API routes enforce their own auth, CSRF, tenant checks, and route security headers because middleware does not protect /api/**.
Settings Profile reads MFA lifecycle state from aidial_api through /v1/portal-mfa-lifecycle. Account Profile reads and saves Client Admin profile details through /v1/account/profile. The Account Profile save path requires an If-Match ETag, rejects unsupported fields before calling the API, and refreshes the trusted session context after a successful save.
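The Account Profile save path above has three properties worth seeing together: unsupported fields are rejected before the API is called, the save requires an If-Match ETag, and a conflict reloads the latest profile. The following is an added example in JavaScript of a BFF-style handler with those properties; it is not the AiDial portal's or aidial_api's code. The field names (`firstName`, `lastName`, `mobile`, `timezone`, `language`), the FNV-1a ETag, and the `FakeAccountApi` status codes (428 when If-Match is missing, 412 on a stale ETag) are assumptions of this example.

```javascript
// The five self-service fields the page names. Email is read-only and deliberately
// absent, so a patch that carries it is rejected before anything reaches the API.
const SUPPORTED_FIELDS = new Set(['firstName', 'lastName', 'mobile', 'timezone', 'language']);

// Strong ETag over the stored representation. FNV-1a 32-bit is used here only to keep
// the example dependency-free; a real service would use its own versioning or hash.
function etagFor(profile) {
  let h = 0x811c9dc5;
  for (const ch of JSON.stringify(profile)) {
    h ^= ch.charCodeAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return `"${h.toString(16).padStart(8, '0')}"`;
}

// Constructed in-memory stand-in for the /v1/account/profile endpoint (assumption).
class FakeAccountApi {
  constructor(profile) { this.profile = { ...profile }; }
  get() {
    return { status: 200, etag: etagFor(this.profile), body: { ...this.profile } };
  }
  save(ifMatch, patch) {
    if (!ifMatch) return { status: 428, body: { error: 'if_match_required' } };
    if (ifMatch !== etagFor(this.profile)) return { status: 412, body: { error: 'etag_mismatch' } };
    this.profile = { ...this.profile, ...patch };
    return { status: 200, etag: etagFor(this.profile), body: { ...this.profile } };
  }
}

// BFF save path: validate the patch locally, forward it with If-Match, and turn a 412
// into a reload of the latest profile so the form can be re-based on current data.
function saveProfile(api, ifMatch, patch) {
  const unsupported = Object.keys(patch).filter((k) => !SUPPORTED_FIELDS.has(k));
  if (unsupported.length > 0) {
    return { ok: false, reason: 'unsupported_fields', fields: unsupported }; // API never called
  }
  if (!ifMatch) {
    return { ok: false, reason: 'missing_if_match' };
  }
  const res = api.save(ifMatch, patch);
  if (res.status === 412) {
    const latest = api.get();
    return { ok: false, reason: 'changed_elsewhere', profile: latest.body, etag: latest.etag };
  }
  if (res.status !== 200) {
    return { ok: false, reason: 'api_error', status: res.status };
  }
  return { ok: true, profile: res.body, etag: res.etag };
}

// Constructed sample profile and a sequence that exercises all three outcomes.
function demoSave() {
  const api = new FakeAccountApi({
    firstName: 'Ada', lastName: 'Lovelace', mobile: '', timezone: 'Australia/Sydney',
    language: 'en-AU', email: 'ada@example.com',
  });
  const loaded = api.get();
  return [
    saveProfile(api, loaded.etag, { email: 'new@example.com' }), // rejected locally
    saveProfile(api, loaded.etag, { firstName: 'Augusta' }),     // succeeds, ETag rotates
    saveProfile(api, loaded.etag, { lastName: 'King' }),         // stale ETag: changed_elsewhere
  ];
}
```

The third call in `demoSave()` reuses the ETag from the original load after a successful save has already rotated it, which is the "profile changed elsewhere" situation described under Common Issues; the handler returns the fresh profile and ETag so the client can re-apply its edit.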
MFA actions may be rate-limited and require a current trusted identity-provider state. If your tenant, session, or MFA state cannot be verified, the portal blocks the action and asks you to refresh or sign in again.
# Common Issues
| Issue | Resolution |
|---|---|
| I am a Client Admin and /settings?section=profile opens Account instead | This is expected. The middleware redirects Client Admin legacy Settings Profile links to /account?section=profile. |
| I cannot edit my display name or email address in Settings Profile | These are managed identity fields in the Settings Profile panel. Open Support in the signed-in portal and create an account ticket for a profile update request, or contact your administrator if the identity provider has the wrong details. |
| I am a Client Admin and Save profile is disabled | Save is only enabled after a supported field changes and the latest Account Profile load returned an ETag. Refresh the profile and try again if the page reports that it could not lock your profile. |
| My Account Profile save says the profile changed elsewhere | The portal reloaded the latest profile after an ETag conflict. Review your local edits, make another change if needed, then save again. |
| I cannot find a timezone field in Settings Profile | Timezone is not part of the Settings Profile summary. Client Admin users can edit their account timezone in /account?section=profile; other roles use the project or browser timezone behaviour on other pages. |
| MFA setup is unavailable | Sign in again and refresh the security status. If no trusted provider action appears, use a provider-issued recovery code during sign-in where available, then contact your administrator or help@aidial.com.au if you remain locked out. |
| Other pages stay blocked after MFA setup | Return to the profile or security surface and refresh the security status so the portal can read the latest MFA state. |
| SMS one-time code enrolment is unavailable | SMS appears only when your role and tenant policy include sms_otp in allowed factors. It currently accepts Australian +61 mobile numbers and may be rate-limited. |
| Passkey metadata is missing | The provider may not report a device label or last-used time. The portal shows the factor status and marks missing metadata as not reported. |
| A recovery-code prompt stays visible | Confirm that you stored or reviewed your provider-issued recovery codes, then use the matching acknowledgement action. If the lifecycle changed elsewhere, refresh the profile summary. Do not paste recovery-code values into portal support requests. |
| Profile summary will not load | Retry the profile summary. If it still fails, your session, tenant status, or MFA lifecycle state may need administrator attention. |