Skip to content

CLI user and group

Jump to bottom
Nicholas K. Dionysopoulos edited this page Jun 4, 2026 · 1 revision

CLI: User and Group Management

The user:* and group:* CLI commands let you manage accounts and access control entirely from the command line — no web interface required. This is invaluable for scripted deployments, headless installations, CI/CD pipelines, and bulk onboarding of client users.

user namespace

user:create

Creates a Super User account with full administrative access. This is the command to run first when setting up Panopticon in a headless or automated environment — it creates the initial administrator account regardless of whether a web interface is available. The panopticon.super permission is always granted; you cannot create a non-super user with this command (see user:add instead).

Run without options for an interactive prompt that validates password strength and email format as you type.

# Non-interactive — suitable for setup scripts and CI pipelines
php cli/panopticon.php user:create \
    --username admin \
    --password "MyStr0ngP@ss!" \
    --email admin@example.com \
    --name "Site Administrator"

# Overwrite an existing account — useful for resetting a forgotten admin password
php cli/panopticon.php user:create \
    --username admin \
    --password "NewP@ss2025!" \
    --email admin@example.com \
    --overwrite
Option Description
--username The login username
--password The account password (must pass strength check)
--email The email address
--name Display name (defaults to the username if omitted)
--overwrite Update the account if it already exists instead of erroring

Tip: Use --overwrite in idempotent provisioning scripts so the command succeeds whether or not the account already exists.

user:add

Creates a user with a specific, controlled set of permissions. Unlike user:create, this command does not automatically grant super admin — you choose exactly which permissions the account receives. Use it to create client users with read-only access, operators who can run updates but not change configuration, or any other restricted role.

# Read-only monitoring account — can see sites but cannot change anything
php cli/panopticon.php user:add \
    --username monitor \
    --password "V1ewOnly#Pass" \
    --email monitor@agency.com \
    --permission panopticon.view

# Operator — can view sites and trigger updates, but cannot edit configuration
php cli/panopticon.php user:add \
    --username operator \
    --password "0p3rator#Pass" \
    --email ops@agency.com \
    --permission panopticon.view \
    --permission panopticon.run

Available permissions

Permission What it grants
panopticon.super Full super admin access (equivalent to user:create)
panopticon.admin Can configure sites and Panopticon settings
panopticon.view Can view sites and their status
panopticon.run Can trigger updates, backups, and other tasks
panopticon.addown Can add and configure sites they own
panopticon.editown Can edit configuration of sites they own

Pass --permission multiple times to combine permissions. If you omit --permission entirely, the account is created with no permissions at all.

user:list

Lists all user accounts with their numeric IDs, usernames, display names, and email addresses. Run this first when you need the numeric ID for user:set, user:delete, or user:config:*.

# List all users
php cli/panopticon.php user:list

# Filter to accounts matching a search term
php cli/panopticon.php user:list --search alice

# Machine-readable JSON output for scripting
php cli/panopticon.php user:list --format json

user:set

Updates one or more properties of an existing user account. You must provide the numeric user ID (use user:list to find it). At least one update option is required; you can combine several in a single call.

# Change a user's email address
php cli/panopticon.php user:set 3 --email new@example.com

# Reset a user's password
php cli/panopticon.php user:set 3 --password "Br@ndNew2025!"

# Rename the account and update the display name at the same time
php cli/panopticon.php user:set 3 --username newname --name "New Display Name"
Option Description
--username New login username
--password New password
--email New email address
--name New display name

user:delete

Permanently deletes a user account by its numeric ID. There is no confirmation prompt, so take care when using this in scripts. Find the ID with user:list first.

php cli/panopticon.php user:delete 42

Warning: Deletion is immediate and irreversible. If you are scripting bulk user removal, double-check your ID list before running.

user:config:list

Lists all configuration parameters stored for a specific user — UI preferences, display settings, web push subscriptions, and so on. Useful for auditing user preferences or debugging unexpected UI behaviour for a specific account.

php cli/panopticon.php user:config:list 3
php cli/panopticon.php user:config:list 3 --format json

user:config:get

Retrieves the current value of a single user configuration parameter.

php cli/panopticon.php user:config:get 3 display.darkmode
php cli/panopticon.php user:config:get 3 display.base_font_size

user:config:set

Sets a user configuration parameter directly, without that user needing to log in. Handy for provisioning consistent UI defaults across accounts in a scripted setup, or for correcting a broken preference that is preventing a user from using the interface normally.

# Enable dark mode for user ID 3
php cli/panopticon.php user:config:set 3 display.darkmode 1

# Set a specific font size
php cli/panopticon.php user:config:set 3 display.base_font_size 14

group namespace

Groups let you control which users can see and operate which sites. A user assigned to a group inherits the privileges that group has on the sites associated with it. Managing groups from the CLI is particularly useful when scripting multi-tenant deployments where each client organisation gets its own group.

group:add

Creates a new group or updates an existing one. Run without options for an interactive prompt. When used with --overwrite, the existing group's privileges are replaced entirely with the ones specified in the current command.

# Create a client group with view-only access
php cli/panopticon.php group:add \
    --title "Acme Corp" \
    --privilege panopticon.view

# Create an operations group that can view and trigger updates
php cli/panopticon.php group:add \
    --title "DevOps Team" \
    --privilege panopticon.view \
    --privilege panopticon.run

# Update an existing group's privileges (replaces current privileges)
php cli/panopticon.php group:add \
    --title "Acme Corp" \
    --privilege panopticon.view \
    --privilege panopticon.run \
    --overwrite

Available privileges

Privilege What it grants on assigned sites
panopticon.view Can view the site and its status
panopticon.run Can trigger updates, backups, and scheduled tasks
panopticon.admin Can edit site configuration

Pass --privilege multiple times to assign more than one privilege to the group.

group:list

Lists all groups with their numeric IDs, titles, and assigned privileges. Use this to find the numeric ID you need when assigning a group to a site via site:add --groups, or when you need to reference a group in other commands.

php cli/panopticon.php group:list
php cli/panopticon.php group:list --search acme
php cli/panopticon.php group:list --format json

group:delete

Deletes a group by its numeric ID. Find the ID with group:list first. Deleting a group removes the access-control association between its member users and the sites assigned to that group — it does not delete users or sites.

php cli/panopticon.php group:delete 5

Common workflows

Scripted initial setup

When provisioning a fresh Panopticon installation non-interactively (e.g. in a Docker entrypoint or Ansible playbook), the typical sequence is:

# Create the initial super admin
php cli/panopticon.php user:create \
    --username admin \
    --password "${ADMIN_PASSWORD}" \
    --email "${ADMIN_EMAIL}" \
    --name "Administrator"

# Create a client group
php cli/panopticon.php group:add \
    --title "Acme Corp" \
    --privilege panopticon.view \
    --privilege panopticon.run

# Create a restricted user for that client
php cli/panopticon.php user:add \
    --username acme_ops \
    --password "${CLIENT_PASSWORD}" \
    --email "ops@acmecorp.example" \
    --permission panopticon.view \
    --permission panopticon.run

Auditing access

To review what accounts and groups exist:

php cli/panopticon.php user:list --format json > users.json
php cli/panopticon.php group:list --format json > groups.json

Resetting a locked-out admin password

If an admin has lost access and you have shell access to the server:

# Find the username
php cli/panopticon.php user:list --search admin

# Reset the password by overwriting the account
php cli/panopticon.php user:create \
    --username admin \
    --password "Temp#Pass9999!" \
    --email admin@example.com \
    --overwrite

Documentation Copyright ©2023–2025 Akeeba Ltd.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

You can also obtain a copy of the GNU Free Documentation License from the Free Software Foundation

Home

Getting Started

Installation

Using Panopticon

Administration

How it works

For Experts

Installation and updates

Customisation

CLI Reference

Reference

JSON API

AI integration

Translation

Miscellaneous

Clone this wiki locally