Skip to content

User Management

User Scenarios & Testing

User Story 1 - Admin Creates Organiser Accounts (Priority: P1)

Administrators need to create organiser accounts for conference organisers who will manage events and invite sponsors, enabling the hierarchical user structure of the platform.

Why this priority: Foundation of the platform's user hierarchy. Without organisers, no events can be managed and no sponsors can be invited. This is the essential first step in onboarding.

Independent Test: Can be fully tested by admin logging in, creating an organiser account with required details, and verifying the organiser receives an invitation email and can set up their account.

Acceptance Scenarios:

  1. Given an authenticated administrator, When they create a new organiser account with name, email, and initial details, Then the system creates the organiser account and sends an invitation email with a secure setup link
  2. Given an administrator creating an organiser, When they use an email address already in the system, Then the system prevents duplicate accounts and displays a clear error message
  3. Given an organiser invitation has been sent, When the organiser clicks the setup link within 7 days, Then they can set their password and complete their profile setup
  4. Given an organiser invitation link has expired (>7 days), When the organiser attempts to use it, Then the system rejects the link and provides instructions to request a new invitation
  5. Given an administrator viewing organisers, When they access the organiser list, Then they see all organisers with their status (invited, active, deactivated) and last activity date

User Story 2 - Organiser Creates Sponsor Accounts (Priority: P1)

Organisers need to create sponsor accounts and invite sponsors to participate in their events, managing the complete sponsor onboarding workflow.

Why this priority: Core workflow enabling sponsors to access the platform. Without this, sponsors cannot be invited to events or assigned to stands. Essential for platform functionality.

Independent Test: Can be fully tested by organiser logging in, creating a sponsor account, and verifying the sponsor receives invitation and can complete setup successfully.

Acceptance Scenarios:

  1. Given an authenticated organiser, When they create a new sponsor account with name, email, and company details, Then the system creates the sponsor account and sends an invitation email with a secure setup link
  2. Given an organiser creating a sponsor, When they provide required information (name, email, company), Then the system validates all fields before creating the account
  3. Given a sponsor invitation has been sent, When the sponsor clicks the setup link within 7 days, Then they can set their password and complete their profile
  4. Given an organiser viewing their sponsors, When they access the sponsor list, Then they see sponsors they created with their status and last activity
  5. Given an organiser needs to re-send an invitation, When they request to resend for a pending sponsor, Then the system generates a new secure link and sends a fresh invitation email

User Story 3 - User Profile Management (Priority: P1)

All users need to view and update their own profile information including personal details, contact information, and preferences to keep their account information current.

Why this priority: Essential for all user types to maintain accurate account information and preferences. Required for communication, identification, and personalization. Core self-service functionality.

Independent Test: Can be fully tested by any user logging in, accessing their profile, updating information, and verifying changes are saved and displayed correctly.

Acceptance Scenarios:

  1. Given an authenticated user, When they access their profile, Then they see their current information including name, email, job title, company, and profile picture
  2. Given a user editing their profile, When they update their name, job title, or contact details, Then the system saves the changes and displays a confirmation message
  3. Given a user wants to change their email address, When they update their email, Then the system sends a verification email to the new address and requires confirmation before updating
  4. Given a user uploading a profile picture, When they select an image file, Then the system validates file type and size, uploads the image, and displays it on their profile
  5. Given a user viewing their profile, When they see their role (admin, organiser, or sponsor), Then they understand their account type and access level

User Story 4 - User Account Status Management (Priority: P2)

Administrators and organisers need to activate, deactivate, and manage user account statuses to control access and maintain security across the platform.

Why this priority: Important for security and access control, but platform can function initially with all users active. Enhances administrative capabilities but not blocking for core functionality.

Independent Test: Can be fully tested by admin/organiser deactivating a user account, verifying that user cannot log in, then reactivating and verifying access is restored.

Acceptance Scenarios:

  1. Given an administrator viewing a user account, When they deactivate the account, Then the user's active sessions are invalidated and they cannot log in until reactivated
  2. Given an organiser managing their sponsors, When they deactivate a sponsor account, Then that sponsor loses access but their data and stand assignments are preserved
  3. Given an administrator reactivating a user, When the account status changes to active, Then the user receives a notification and can log in again with their existing credentials
  4. Given a deactivated user attempting to log in, When they submit their credentials, Then the system displays a clear message indicating their account is deactivated and provides contact information
  5. Given an administrator viewing user lists, When filtering by status, Then they can see all users or filter to active, deactivated, or pending invitation statuses

User Story 5 - Bulk User Operations (Priority: P2)

Organisers need to perform bulk operations like inviting multiple sponsors at once or importing user data from CSV to efficiently manage large numbers of users.

Why this priority: Valuable for efficiency and scalability, especially for large events, but platform can function with individual user creation. Enhances user experience but not essential for MVP.

Independent Test: Can be fully tested by organiser uploading a CSV with multiple sponsor records, verifying all valid records create accounts and send invitations, and invalid records are reported with clear errors.

Acceptance Scenarios:

  1. Given an organiser wants to invite multiple sponsors, When they upload a CSV file with sponsor details (name, email, company), Then the system validates all records and creates accounts for valid entries
  2. Given a bulk import contains errors, When the system processes the file, Then it reports all validation errors with row numbers and specific issues for correction
  3. Given an organiser performing bulk operations, When the process completes, Then they receive a summary showing successful creations, failures, and duplicate emails
  4. Given an organiser wants to resend invitations to multiple pending users, When they select users and bulk resend, Then all selected users receive fresh invitation emails with new secure links
  5. Given an administrator managing multiple events, When they export user data, Then they receive a CSV with all user information for their records or external processing

User Story 6 - User Activity Audit Trail (Priority: P3)

Administrators need to view detailed audit logs of user activities including logins, profile changes, and administrative actions for security monitoring and compliance.

Why this priority: Important for security and compliance but not needed for core platform functionality. Can be added after platform is stable and being used in production.

Independent Test: Can be fully tested by performing various user actions (login, profile update, user creation) and verifying all actions are logged with timestamps, user identifiers, and action details.

Acceptance Scenarios:

  1. Given an administrator accessing audit logs, When they view user activity, Then they see chronological log of all user actions with timestamps, action types, and affected entities
  2. Given an administrator investigating account security, When they view a specific user's audit trail, Then they see all login attempts, profile changes, and access patterns for that user
  3. Given an administrator monitoring the platform, When they filter audit logs by date range or action type, Then they can identify patterns or investigate specific incidents
  4. Given an administrator reviewing compliance records, When they export audit logs, Then they receive complete records suitable for compliance reporting and security audits

Edge Cases

  • Duplicate email addresses: System prevents creating multiple accounts with the same email address, displays clear error with resolution instructions
  • Expired invitations: Users with expired invitation links (>7 days) cannot complete setup and must request new invitation from their inviter
  • Orphaned sponsors: If a sponsor is created and the organiser who created them is deactivated, the sponsor account remains active for future assignment to events/stands
  • Email verification failure: If email verification for profile changes fails to deliver, user can request resend and system tracks verification attempts
  • Concurrent profile updates: If same user updates profile from multiple devices simultaneously, last write wins with timestamp tracking
  • Invitation link reuse: Used invitation links cannot be reused for security; system requires new invitation generation
  • Account deletion vs deactivation: Deactivation preserves all data and allows reactivation; deletion permanently removes user but keeps audit trail
  • Profile picture file limits: System enforces file size (max 5MB) and type restrictions (JPEG, PNG) for profile pictures with clear error messages
  • Bulk import duplicates: When importing multiple users via CSV, system skips duplicate emails and reports them in summary without failing entire import
  • Organiser viewing sponsor list: Organisers only see sponsors they created, not sponsors created by other organisers, ensuring data isolation

Requirements

Functional Requirements

User Account Creation (P1)

  • FR-001: Administrators MUST be able to create organiser accounts with required fields: name, email, job title, and company
  • FR-002: Organisers MUST be able to create sponsor accounts with required fields: name, email, job title, and company
  • FR-003: System MUST validate email addresses for correct format and prevent duplicate email addresses across all user types
  • FR-004: System MUST generate secure, unique invitation links for new users with 7-day expiration
  • FR-005: System MUST send invitation emails automatically upon account creation with secure setup links
  • FR-006: System MUST require email verification when users change their email address in profile settings

User Invitation System (P1)

  • FR-007: Invitation links MUST expire after 7 days for security
  • FR-008: Invitation links MUST be single-use and cannot be reused after account setup completion
  • FR-009: System MUST allow admins and organisers to resend invitations, generating new secure links when requested
  • FR-010: Users MUST be able to set their initial password through the invitation setup flow, subject to password complexity requirements (8+ characters, uppercase, lowercase, number)
  • FR-011: System MUST display clear error messages when invitation links are expired, invalid, or already used
  • FR-012: System MUST track invitation status: pending, accepted, expired for administrative visibility

User Profile Management (P1)

  • FR-013: Users MUST be able to view their complete profile information including personal details, contact information, and role
  • FR-014: Users MUST be able to update their own profile information including name, job title, phone number, and profile picture
  • FR-015: System MUST validate profile picture uploads for file type (JPEG, PNG), size (max 5MB), and dimensions
  • FR-016: Users MUST be able to view their role (admin, organiser, sponsor) in their profile
  • FR-017: System MUST send email notifications when critical profile changes occur (email address change, password change)
  • FR-018: System MUST maintain change history for profile updates for audit purposes

User Access Control (P1)

  • FR-019: System MUST implement role-based access control with three distinct roles: Administrator, Organiser, Sponsor
  • FR-020: Administrators MUST have full platform access including all user management functions
  • FR-021: Organisers MUST only be able to manage sponsor accounts they created
  • FR-022: System MUST enforce access controls at the API level, preventing unauthorized access regardless of UI manipulation
  • FR-023: Sponsors MUST have accounts ready for future assignment to events and stands (assignment handled in Event Management spec)

Account Status Management (P2)

  • FR-024: Administrators MUST be able to activate, deactivate, and reactivate user accounts
  • FR-025: Organisers MUST be able to deactivate and reactivate sponsor accounts they created
  • FR-026: System MUST immediately revoke all active sessions when a user account is deactivated
  • FR-027: Deactivated users MUST be prevented from logging in with clear status messaging
  • FR-028: System MUST preserve all user data when accounts are deactivated to allow reactivation
  • FR-029: System MUST notify users via email when their account status changes (deactivated, reactivated)

Bulk Operations (P2)

  • FR-030: Organisers MUST be able to import multiple sponsor accounts via CSV file upload
  • FR-031: System MUST validate CSV data for required fields, format correctness, and duplicate detection
  • FR-032: System MUST provide detailed error reporting for bulk import failures with row numbers and specific validation issues
  • FR-033: System MUST generate summary reports after bulk operations showing successful creations, failures, and skipped duplicates
  • FR-034: Organisers MUST be able to resend invitations to multiple users in bulk operation
  • FR-035: Administrators MUST be able to export user data to CSV format for reporting and backup purposes
  • FR-036: System MUST provide a downloadable CSV template with correct column headers and example data for bulk user import operations

Audit and Activity Tracking (P3)

  • FR-037: System MUST log all user account creation, modification, and deactivation events with timestamp and acting user
  • FR-038: System MUST log all authentication events including successful and failed login attempts
  • FR-039: Administrators MUST be able to view comprehensive audit logs filtered by date range, user, or action type
  • FR-040: System MUST retain audit logs for minimum 12 months for compliance and security investigation
  • FR-041: Audit logs MUST be exportable for external compliance reporting and security analysis

Non-Functional Requirements

  • NFR-001: User account creation operations MUST complete within 2 seconds excluding email delivery
  • NFR-002: Profile updates MUST save within 1 second with immediate UI feedback
  • NFR-003: User lists MUST load and display within 2 seconds for lists up to 1000 users
  • NFR-004: System MUST support 100 concurrent user management operations without performance degradation
  • NFR-005: Bulk import operations MUST process at least 100 records per second
  • NFR-006: Email invitations MUST be queued and delivered within 2 minutes of account creation
  • NFR-007: Profile picture uploads MUST complete within 5 seconds for files up to 5MB

Key Entities

  • User: Represents an individual with access to the platform. Attributes include name (first, last), email (unique), job title, company, phone number, profile picture URL, role (admin, organiser, sponsor), account status (pending, active, deactivated), invitation status, created date, last login date, created by (for organisers/sponsors). Relationships to created users (for admins/organisers) and audit trail. Note: Sponsor assignment to stands/events will be handled in Event Management specification.

  • Invitation: Represents a secure setup link sent to new users. Attributes include unique secure token, target user reference, inviting user reference, creation timestamp, expiration timestamp (7 days), status (pending, accepted, expired, revoked), email sent status. Relationship to user account and inviting user.

  • Profile: Represents user profile information and preferences. Attributes include user reference, personal details, contact information, profile picture, timezone preference, notification preferences, last updated timestamp, change history. Relationship to user account.

  • User Activity Log: Represents audit trail of user actions. Attributes include user reference, action type (create, update, delete, login, logout, deactivate), affected entity type and ID, timestamp, IP address, user agent, previous values (for updates), new values. Relationship to user account and affected entities.

  • Role: Represents user access level and permissions. Attributes include role type (admin, organiser, sponsor), permission set, description. Defines what actions users can perform and what data they can access.

Success Criteria

Measurable Outcomes

  • SC-001: Administrators can create organiser accounts and organisers can create sponsor accounts in under 30 seconds per account including email invitation delivery
  • SC-002: 95% of invited users successfully complete account setup within 7-day invitation period
  • SC-003: Users can update their profile information in under 1 minute with immediate confirmation feedback
  • SC-004: Bulk import operations process at least 100 sponsor accounts in under 2 minutes with complete error reporting
  • SC-005: System handles 500 total users (admins, organisers, sponsors) without performance degradation
  • SC-006: Zero unauthorized access incidents due to proper role-based access control enforcement
  • SC-007: Invitation email delivery success rate exceeds 99% with delivery within 2 minutes
  • SC-008: Users find their profile and update functions on first attempt without support assistance
  • SC-009: Account deactivation takes effect immediately with all active sessions revoked within 5 seconds
  • SC-010: Organiser can view accurate list of all sponsors they created with current status in under 2 seconds