Account Security

Account Lockout

To protect against unauthorized access, Primentra locks user accounts after 5 consecutive failed login attempts.

What happens when an account is locked:

• The account's IsActive status is set to inactive
• A lock message appears on the login screen: *"Account is locked after too many failed attempts. Contact your administrator."*
• The lockout is recorded in the audit log

How to unlock an account:

Only an administrator can reactivate a locked account:

1. Go to Settings → Access Management
2. Find the locked user
3. Set their Active status back to active
4. Save the changes

After reactivation, the failed attempt counter is reset and the user can sign in again.

Changing Your Password

Every user can change their own password at any time without administrator involvement.

How to change your password:

1. Click the gear icon (⚙) in the top-right corner
2. Under My Account, click Change Password
3. Enter your current password and your desired new password (minimum 8 characters)
4. Confirm the new password and click Update Password

A success message appears and the modal closes automatically.

Password requirements:

• Minimum 8 characters
• New password must differ from the current one

If you forgot your password:

Use the Forgot password? link on the login screen to request a reset email (valid 30 minutes). If you do not receive the email, check your spam folder or contact your administrator.

Account Recovery

If all administrator accounts are locked, forgotten, or inaccessible, there are two recovery methods.

Option 1: Force Setup Screen (easiest)

If you have access to the server's file system, you can trigger the "Create Administrator" setup screen — the same one shown during first-time installation.

1. Open the file mds-config.json in the Primentra installation folder
2. Find the forceSetupScreen setting and change it to true:

"forceSetupScreen": true

1. Open Primentra in your browser — the admin account creation screen appears
2. Create a new administrator account
3. The forceSetupScreen flag is automatically set back to false after the account is created

This method creates a brand new administrator account and assigns it to the Administrators role. It does not affect existing user accounts.

Option 2: CLI Password Reset

Use the built-in command-line recovery tool to reset an existing account's password.

Requirements:

• Direct access to the server (command prompt)
• The API server must be running and connected to the database

How to use it:

Open Command Prompt or PowerShell as Administrator, navigate to the Primentra installation folder, and run:

node scripts\recover-admin.mjs

What the tool does:

1. Lists all users — Shows every user account with their email, display name, active status, and administrator flag
2. Select a user — Enter the number of the account you want to recover
3. Reset password — Enter a new password (minimum 8 characters). The password is hashed and saved
4. Clear lockout — The account is reactivated (IsActive = 1) and the failed login counter is reset to 0
5. Grant admin access — Optionally assigns the user to an administrator role, so they can manage the system immediately after signing in

The tool connects directly to the database using the connection settings from the application's config file.

When to use these tools:

• The only administrator account was locked after too many failed login attempts
• A password was forgotten and no other admin can reset it
• You need to create a new administrator without access to the UI

Security notes:

• Both methods require direct server access — they cannot be triggered remotely through the browser
• This is intentional: if a remote reset were possible, it would create a security vulnerability
• The forceSetupScreen flag is automatically cleared after one use — the setup screen is never shown to end users
• Use these tools only in genuine lockout emergencies; for routine password changes, use the Users admin page