Authentication & Access Management
Learn about login methods, user roles, and security best practices in WoPora.
WoPora provides secure authentication methods and granular role-based access control to protect your workforce data.
Login Methods
For Dashboard Users (Admin, Manager, Supervisor, Accounts)
Google OAuth (recommended)
- Single-click login with your Google account
- No password to manage
- Fast and mobile-friendly
- Automatic sign-out after a period of inactivity
Email & Password
- Traditional username/password login
- Secure password hashing
- Email recovery for forgotten passwords
- Password reset links expire after 48 hours
For Staff (Portal & Kiosk)
Google OAuth (recommended)
- Fast single-click sign-in
- Works on mobile, tablet, and kiosk
- Ideal for field staff who need quick access
- Staff access the portal at /staff
Email & Password
- Alternative if staff don't have Google accounts
- Same security as dashboard users
Kiosk PIN
- Short numeric code for shared kiosk devices
- Used in addition to account-based login
- Prevents unauthorized access on public devices
User Roles
WoPora implements granular permissions based on user roles:
Admin
- Access --- Full organisation scope
- Responsibilities --- Configuration, payroll, settings, user management
- Dashboard --- Full back-office including Settings, Payroll, Compliance
Manager
- Access --- Assigned locations (or all if unrestricted)
- Responsibilities --- Scheduling, timesheet approvals, labour cost analysis, staff oversight
- Dashboard --- Operational menus, analytics, user management
Supervisor
- Access --- Assigned locations; often narrower scope than managers
- Responsibilities --- Day-to-day roster execution, team oversight, attendance monitoring
- Dashboard --- Operational menus (scheduling, timesheet, unavailability)
Accounts
- Access --- Pay-oriented data where granted
- Responsibilities --- Review pay runs, export payroll data
- Dashboard --- Payroll menus (pay runs, exports), financial exports
Staff
- Access --- Own data only (timesheet, roster, leave)
- Responsibilities --- Enter hours, request leave, view roster
- Interface --- Staff Portal (/staff), not the admin dashboard
Granular Rights
Beyond roles, administrators can attach specific rights to users:
- Add/edit/delete staff
- View or export timesheets
- Manage locations
- Manage teams
Use these to apply the principle of least privilege --- grant only the permissions each person needs to do their job.
Location Scope
When a manager or supervisor views the dashboard:
- A location scope filter appears (e.g., "All", "Sydney", "Melbourne")
- They see only data for their assigned locations
- Admins see the entire organisation
- Staff see only their own information
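The role, granular-right and location-scope rules above can be read as one deny-by-default decision. The sketch below is an added example, not WoPora's code: the class names, the `*` marker for unrestricted scope, the `export_timesheets` right and the rule that payroll records stay with Admin and Accounts are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical model of the rules on this page; the names below are
# illustrative and are not WoPora's schema or API.
ALL = "*"  # assumed marker for a manager with unrestricted location scope
STAFF_KINDS = {"timesheet", "roster", "leave"}

@dataclass(frozen=True)
class User:
    id: str
    org: str
    role: str                           # Admin, Manager, Supervisor, Accounts, Staff
    locations: frozenset = frozenset()  # assigned locations
    rights: frozenset = frozenset()     # granular rights attached by an admin

@dataclass(frozen=True)
class Record:
    org: str
    location: str
    owner_id: str
    kind: str                           # timesheet, roster, leave, payrun

def can_view(user: User, rec: Record) -> bool:
    if user.org != rec.org:             # organisation boundary comes first
        return False
    if user.role == "Admin":
        return True
    if user.role == "Staff":            # own data only
        return rec.owner_id == user.id and rec.kind in STAFF_KINDS
    if user.role == "Accounts":         # pay-oriented data only
        return rec.kind == "payrun"
    if user.role in ("Manager", "Supervisor"):
        if rec.kind == "payrun":        # assumption: payroll stays with Admin/Accounts
            return False
        return ALL in user.locations or rec.location in user.locations
    return False                        # unknown role: deny by default

def can_export_timesheet(user: User, rec: Record) -> bool:
    # A granular right never widens scope: the record must be viewable first.
    if rec.kind != "timesheet" or not can_view(user, rec):
        return False
    return user.role == "Admin" or "export_timesheets" in user.rights
```

A manager with no assigned locations sees nothing under this model, which is the "empty numbers" symptom a wrong scope filter produces.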
Best Practices
For Administrators
User Management
- Invite users with only the role they need
- Attach rights sparingly (principle of least privilege)
- Offboard users immediately on departure --- don't wait for end of month
- Review dashboard users quarterly --- remove unused accounts
Security
- Rotate API keys used by integrations quarterly
- Review audit logs monthly for suspicious changes
- Decommission lost or retired kiosk devices promptly
- Monitor failed login attempts if available
Authentication
- Use Google OAuth --- reduces password management burden
- Encourage staff to use Google OAuth for portal access
- Communicate login method clearly (e.g., staff may not know about the /staff URL)
For Managers
Team Oversight
- Confirm your location scope is set to the site(s) you manage
- If numbers look "empty" or "wrong", check your scope filter first
For Staff
Kiosk Security
- Keep your PIN confidential --- never share with coworkers
- Don't leave the kiosk unattended while logged in
- Alert a supervisor if you forget your PIN or suspect someone else used it
Portal Access
- Use Google OAuth for quick, secure login
- Don't share your password with anyone
- Use a secure password if you choose email/password login
Biometric & Location
- Enable face verification if your organisation uses it (helps prevent buddy punches)
- Allow location services (GPS) when clocking in at site
Multi-Organisation Access
If you manage multiple organisations, WoPora tracks which ones you belong to:
- Sign in with your account
- You'll see a "Select Organisation" dropdown
- Choose the organisation you want to work in
- All data displayed is scoped to that organisation
Switch organisations using the dropdown in the dashboard header.
Audit Logging
WoPora logs all significant actions for compliance and security:
What Gets Logged
- User login (successful and failed attempts)
- Timesheet submissions and approvals
- Payroll changes and exports
- Role or permission changes
- Settings modifications
- All administrative actions
Who Can Access Logs
- Admins --- Full organisation audit logs (/dashboard/admin/audit-logs)
- Logs are timestamped and identify who made the change
- Logs are retained per your data retention policy
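For the monthly log review recommended under Best Practices, the added example below scans exported entries for three patterns drawn from the logged event types: repeated failed logins followed by a success, a grant of the Admin role, and a payroll export by a role other than Admin or Accounts. It is not WoPora's code; the entry fields, event names and sample data are constructed for illustration and do not reflect the product's actual log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries. Field and event names are assumptions for
# illustration; they are not WoPora's audit log schema.
SAMPLE_LOG = [
    {"ts": "2026-03-02T08:59:10", "actor": "mia@example.com", "event": "login_failed"},
    {"ts": "2026-03-02T08:59:40", "actor": "mia@example.com", "event": "login_failed"},
    {"ts": "2026-03-02T09:00:05", "actor": "mia@example.com", "event": "login_failed"},
    {"ts": "2026-03-02T09:00:30", "actor": "mia@example.com", "event": "login_ok"},
    {"ts": "2026-03-02T09:10:00", "actor": "tom@example.com", "event": "login_failed"},
    {"ts": "2026-03-02T09:10:20", "actor": "tom@example.com", "event": "login_ok"},
    {"ts": "2026-03-02T09:30:00", "actor": "admin@example.com", "event": "role_changed",
     "target": "tom@example.com", "new_role": "Admin"},
    {"ts": "2026-03-02T17:05:00", "actor": "pay@example.com", "event": "payroll_export",
     "actor_role": "Accounts"},
    {"ts": "2026-03-02T22:15:00", "actor": "sam@example.com", "event": "payroll_export",
     "actor_role": "Supervisor"},
]

def review(entries, max_failures=3, window=timedelta(minutes=10)):
    """Return (finding, account, timestamp) tuples in chronological order."""
    findings = []
    failures = defaultdict(list)  # account -> timestamps of recent failed logins
    for e in sorted(entries, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(e["ts"])
        actor = e["actor"]
        if e["event"] == "login_failed":
            failures[actor].append(ts)
        elif e["event"] == "login_ok":
            # A success right after a burst of failures suggests a guessed password.
            recent = [t for t in failures[actor] if ts - t <= window]
            if len(recent) >= max_failures:
                findings.append(("failed_then_success", actor, e["ts"]))
            failures[actor].clear()
        elif e["event"] == "role_changed" and e.get("new_role") == "Admin":
            findings.append(("admin_granted", e["target"], e["ts"]))
        elif e["event"] == "payroll_export" and e.get("actor_role") not in ("Admin", "Accounts"):
            findings.append(("unexpected_payroll_export", actor, e["ts"]))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```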
Password Recovery
If you forget your password:
- Click "Forgot password?" on the login page
- Enter your email address
- Check your email for a recovery link (expires in 48 hours)
- Click the link and set a new password
- New password takes effect immediately --- sign in with your new credentials
Coming Soon
The following authentication methods are in development:
- Outlook/Microsoft OAuth --- Enterprise SSO for Microsoft 365 organisations (Q4 2026)
- Apple Sign-In --- OAuth via Apple accounts (Q4 2026)
- SAML/Enterprise SSO --- Full-featured single sign-on for large deployments (Q4 2026+)
- Two-Factor Authentication (2FA) --- Additional security layer (Q4 2026+)
Need help with access issues?
If a user can't sign in or you need to reset permissions, contact your organisation's administrator or support team.