src/content/docs/whp/admin/user-management.mdx

---
title: Users & delegated access
description: Create sub-users, delegate panel access, and manage SFTP/SSH users at the server level.
sidebar:
  order: 5
  badge:
    text: Draft
    variant: caution
---

import { Aside } from '@astrojs/starlight/components';
import SuperAdmin from '~/content/partials/super-admin-callout.mdx';
import Draft from '~/content/partials/draft-callout.mdx';
import SignIn from '~/content/partials/signing-in.mdx';
import Support from '~/content/partials/support-link.mdx';

<SuperAdmin />

<Draft />

WHP super admin lets you give other people scoped access to the server — your dev team, a contractor, or a junior admin — without sharing your own credentials.

## Three kinds of access

| Type                | What they can do                                                                 | Where they sign in                      |
| ------------------- | -------------------------------------------------------------------------------- | --------------------------------------- |
| **WHP sub-user**    | Sign in to WHP with their own credentials. You control which sections they see.  | Same `:8443` URL as you.                |
| **Delegated panel access** | A read-only or scoped-write view onto a specific site, for a contractor. | Same WHP, but scoped to that one site.  |
| **SFTP / SSH user** | File access (and optionally SSH) without WHP at all.                             | SFTP client / SSH terminal.             |

## Sign in to WHP

<SignIn />

## Create a WHP sub-user

<Aside type="tip">
  WHP sub-users are the right model when someone needs to manage parts of the server alongside you. Use **delegated access** instead if they only need one site, or **SFTP/SSH** if they only need files.
</Aside>

1. Open **Users → WHP Users → Add User** in the admin sidebar.
2. Set a username, a strong password, and an email (used for password reset and 2FA).
3. Choose a **role**: pick from the predefined roles (Admin, Site Manager, Read-only, etc.) or build a custom role with specific pages enabled.
4. (Optional) Enable **Require 2FA** so they have to set up an authenticator app on first login.
5. Save. Share the credentials with them out-of-band; don't email passwords.

## Delegated access for a single site

Use the customer-facing **Delegated Users** page (sidebar → **Delegated Users**, available on every account) when a contractor only needs to work on one site:

1. Open **Delegated Users → Add**.
2. Pick the site they should have access to.
3. Set their permission scope: view-only, manage-files, manage-DNS, etc.
4. Send them the panel URL. They sign in with their own credentials and see only that site.

This is the right path for, say, a freelance designer who needs to upload assets but shouldn't see your other sites or your DNS.

## SFTP / SSH users

Pure file access without WHP. Created from the admin **Users → SFTP/SSH** page:

1. Open **Users → SFTP/SSH → Add**.
2. Set the username, password (or paste their public SSH key), and which directories they have access to.
3. Pick whether to grant interactive SSH or restrict to SFTP only.
4. Save. They can now connect with their preferred SFTP/SSH client.

<Aside type="caution">
  Interactive SSH is powerful — anyone with it can run arbitrary commands inside the container or VM. Restrict to SFTP-only unless they specifically need a shell.
</Aside>

## Managing existing users

The user list shows last sign-in, role, and 2FA status. Common actions from each user's row:

- **Disable** — keeps the user but blocks sign-in.
- **Delete** — removes the user.
- **Force password reset** — invalidates their current password; they receive an email link.
- **Revoke sessions** — kicks them out of any active panel sessions immediately.

When someone leaves your team, **revoke sessions first** (so they're out *now*), then disable or delete the user.

## Troubleshooting

**Sub-user can sign in but the page they expect is missing.** Their role doesn't include that section. Edit the role and tick the right page.

**SFTP user can connect but uploads land in the wrong directory.** Check their **Home directory** in the SFTP/SSH user page — it determines what they see as `/`.

**A delegated user can't see DNS records.** Delegated access defaults to file-only. Edit their permissions to include DNS Management.

## Related

- [Server settings & services](/whp/admin/server-settings/)

## Still stuck?

<Support />
docs(admin): add WHP super-admin section (5 draft articles) Adds /whp/admin/ with: overview, server-settings, coraza-waf, site-monitoring, user-management. Articles are product-neutral (no VDS in titles or required framing) since super admin may be offered as a separate service later. They're marked Draft via: - 'Draft' sidebar badge on the group + each article - A draft callout partial at the top of every page noting WIP The super-admin-callout partial (renamed from vds-only-callout) mentions VDS as today's most common way to get super admin without locking the docs to that single product. 2026-05-17 18:04:01 -07:00			`---`
			`title: Users & delegated access`
			`description: Create sub-users, delegate panel access, and manage SFTP/SSH users at the server level.`
			`sidebar:`
			`order: 5`
			`badge:`
			`text: Draft`
			`variant: caution`
			`---`

			`import { Aside } from '@astrojs/starlight/components';`
			`import SuperAdmin from '~/content/partials/super-admin-callout.mdx';`
			`import Draft from '~/content/partials/draft-callout.mdx';`
			`import SignIn from '~/content/partials/signing-in.mdx';`
			`import Support from '~/content/partials/support-link.mdx';`

			`<SuperAdmin />`

			`<Draft />`

			`WHP super admin lets you give other people scoped access to the server — your dev team, a contractor, or a junior admin — without sharing your own credentials.`

			`## Three kinds of access`

			`\| Type \| What they can do \| Where they sign in \|`
			`\| ------------------- \| -------------------------------------------------------------------------------- \| --------------------------------------- \|`
			\| WHP sub-user \| Sign in to WHP with their own credentials. You control which sections they see. \| Same `:8443` URL as you. \|
			`\| Delegated panel access \| A read-only or scoped-write view onto a specific site, for a contractor. \| Same WHP, but scoped to that one site. \|`
			`\| SFTP / SSH user \| File access (and optionally SSH) without WHP at all. \| SFTP client / SSH terminal. \|`

			`## Sign in to WHP`

			`<SignIn />`

			`## Create a WHP sub-user`

			`<Aside type="tip">`
			`WHP sub-users are the right model when someone needs to manage parts of the server alongside you. Use delegated access instead if they only need one site, or SFTP/SSH if they only need files.`
			`</Aside>`

			`1. Open Users → WHP Users → Add User in the admin sidebar.`
			`2. Set a username, a strong password, and an email (used for password reset and 2FA).`
			`3. Choose a role: pick from the predefined roles (Admin, Site Manager, Read-only, etc.) or build a custom role with specific pages enabled.`
			`4. (Optional) Enable Require 2FA so they have to set up an authenticator app on first login.`
			`5. Save. Share the credentials with them out-of-band; don't email passwords.`

			`## Delegated access for a single site`

			`Use the customer-facing Delegated Users page (sidebar → Delegated Users, available on every account) when a contractor only needs to work on one site:`

			`1. Open Delegated Users → Add.`
			`2. Pick the site they should have access to.`
			`3. Set their permission scope: view-only, manage-files, manage-DNS, etc.`
			`4. Send them the panel URL. They sign in with their own credentials and see only that site.`

			`This is the right path for, say, a freelance designer who needs to upload assets but shouldn't see your other sites or your DNS.`

			`## SFTP / SSH users`

			`Pure file access without WHP. Created from the admin Users → SFTP/SSH page:`

			`1. Open Users → SFTP/SSH → Add.`
			`2. Set the username, password (or paste their public SSH key), and which directories they have access to.`
			`3. Pick whether to grant interactive SSH or restrict to SFTP only.`
			`4. Save. They can now connect with their preferred SFTP/SSH client.`

			`<Aside type="caution">`
			`Interactive SSH is powerful — anyone with it can run arbitrary commands inside the container or VM. Restrict to SFTP-only unless they specifically need a shell.`
			`</Aside>`

			`## Managing existing users`

			`The user list shows last sign-in, role, and 2FA status. Common actions from each user's row:`

			`- Disable — keeps the user but blocks sign-in.`
			`- Delete — removes the user.`
			`- Force password reset — invalidates their current password; they receive an email link.`
			`- Revoke sessions — kicks them out of any active panel sessions immediately.`

			`When someone leaves your team, revoke sessions first (so they're out now), then disable or delete the user.`

			`## Troubleshooting`

			`Sub-user can sign in but the page they expect is missing. Their role doesn't include that section. Edit the role and tick the right page.`

			SFTP user can connect but uploads land in the wrong directory. Check their Home directory in the SFTP/SSH user page — it determines what they see as `/`.

			`A delegated user can't see DNS records. Delegated access defaults to file-only. Edit their permissions to include DNS Management.`

			`## Related`

			`- [Server settings & services](/whp/admin/server-settings/)`

			`## Still stuck?`

			`<Support />`