# Users and groups
## benutzer
> **Warning:** This page was automatically generated from the database schema dump and may be incomplete or incorrect.
Master-data table of enaio® user accounts. Holds login credentials (user name, password), profile reference, MFA configuration, external-ID mapping and status information.
### Columns
| Name | Type | Length | Description |
|---|---|---|---|
| [[db-benutzer-field-id]]`id` | `int` | — | User ID (primary key, internal). Often referenced from other tables as `user_id` — see [References from other tables](#references). |
| `supervisor` | `smallint` | — | Supervisor flag (`1` = supervisor with full rights). |
| [[db-benutzer-field-benutzer]]`benutzer` | `nvarchar` | 255 | User name (login ID). Often referenced from other tables as `anleger`, `archivar`, `modifyuser`, `osowner` or `lockuser` — see [References from other tables](#references). |
| `passwort` | `nvarchar` | 255 | Password (hashed). |
| `station` | `nvarchar` | 255 | Assigned station. |
| `logintime` | `int` | — | Time of the last login as a UNIX timestamp (seconds). `NULL` if the user has never logged in. |
| `server_id` | `int` | — | Home server of the user (`0` = no server assigned). Foreign key to [`server.id`](server_cluster_and_configuration.md#database.server). |
| `profil` | `int` | — | `benutzer.id` of the user serving as the **profile user** for this user (reference to [`benutzer.id`](users_and_groups.md#database.benutzer)). Special values: |
| `geaendert` | `int` | — | Modified marker. |
| `flags` | `int` | — | Status flags (bitmask). |
| `name` | `nvarchar` | 255 | Full name (display name). |
| `bemerkung` | `nvarchar` | 248 | Free-text remark. |
| `logincount` | `int` | — | Number of successful logins. |
| `locked` | `int` | — | Lock status of the account (boolean as integer). `0` = unlocked, `1` = locked. |
| `loginstation` | `nvarchar` | 255 | Last login station. |
| [[db-benutzer-field-osguid]]`osguid` | `nvarchar` | 32 | External GUID of the user. Often referenced from other tables as `osuserguid` — see [References from other tables](#references). |
| `osemail` | `nvarchar` | 248 | Email address. |
| `account_type` | `int` | — | Type of the user account: |
| `langid` | `int` | — | Preferred language of the user. Foreign key to [`oslanguages.langid`](dms_object_types_index_fields_and_structures.md#database.oslanguages). `NULL` if no language was selected — in that case the language marked as the active default in [oslanguages](dms_object_types_index_fields_and_structures.md#database.oslanguages) (`active = 2`) applies. |
| `validfrom` | `nvarchar` | 32 | Start of validity of the user account. Date-time format `YYYY/MM/DD HH:MM:SS` (e.g. `2026/05/24 15:36:07`) as text. |
| `validto` | `nvarchar` | 32 | End of validity of the user account. Date-time format `YYYY/MM/DD HH:MM:SS` (e.g. `2026/05/24 15:36:07`) as text. |
| `osdeptguid` | `nvarchar` | 32 | GUID of the assigned department. |
| `pwd_changed` | `int` | — | Timestamp of last password change (UNIX time). |
| `never_expire` | `int` | — | Flag: password does not expire. |
| `changepwd` | `int` | — | Flag: user must change password on next login. |
| `mfauthflag` | `smallint` | — | MFA activation flag. |
| `mfauthsecret` | `nvarchar` | 255 | MFA secret (TOTP seed or similar). |
| `loginname` | `nvarchar` | 255 | Login name (may differ from `benutzer`, e.g. AD login). |
| `externid` | `nvarchar` | 255 | External ID (for SSO / identity-provider mapping). |
### Related tables
* [gruppen](users_and_groups.md#database.gruppen) — the groups users belong to.
* [bgrel](users_and_groups.md#database.bgrel) — user/group mapping (`bgrel.benutzer_id` → `benutzer.id`, `bgrel.osuserguid` → `benutzer.osguid`).
### References from other tables
The user table is referenced across the entire schema — under varying column names and via three different keys. The following conventions occur frequently:
| Key | Typical column names | Examples |
|---|---|---|
| [`benutzer.id`](#db-benutzer-field-id) (`int`) | `user_id`, `benutzer_id`, `anleger_id`, `empfaenger_id`, `lockuser` | [`doclock.user_id`](locks_and_links.md#database.doclock), [`annotations.user_id`](annotations.md#database.annotations), [`bgrel.benutzer_id`](users_and_groups.md#database.bgrel), [`mappe.anleger_id` / `mappe.empfaenger_id`](portfolios_and_document_assignments.md#database.mappe) |
| [`benutzer.osguid`](#db-benutzer-field-osguid) (`nvarchar(32)`) | `osuserguid`, `osowner` | [`bgrel.osuserguid`](users_and_groups.md#database.bgrel), `objectX.osowner` / `stammX.osowner` / `registerX.osowner` (see [Document objects](hierarchical_object_types.md#database.object)). The principal value (`value`) in the `objectXr`/`stammXr`/`registerXr` rights tables can also be a user GUID. |
| [`benutzer.benutzer`](#db-benutzer-field-benutzer) (`nvarchar(255)`, login name) | `anleger`, `archivar`, `modifyuser`, `osowner`, `lockuser` | `objectX.anleger`, `objectX.archivar`, `objectX.modifyuser` (see [Document objects](hierarchical_object_types.md#database.object)); [`mappe.anleger` / `mappe.empfaenger`](portfolios_and_document_assignments.md#database.mappe); [`annotations` via `user_id`](annotations.md#database.annotations) |
> **Note:** The columns `osowner` and `lockuser` appear under both the GUID and the login-name references because they can take on either meaning in different tables or display contexts. The decisive criterion is the column length: `nvarchar(32)` for GUIDs, `nvarchar(255)` for login names, `int` for IDs.
### Usage by Server-API jobs
* [MNG engine (mng)](../mng.md) — manages user accounts.
* [mng.CreateUser](../mng.md#mng.CreateUser), [mng.DeleteUser](../mng.md#mng.DeleteUser), [mng.GetUserList](../mng.md#mng.GetUserList).
* [krn.SessionLogin](../krn.md#krn.SessionLogin) — checks credentials against this table.
## gruppen
> **Warning:** This page was automatically generated from the database schema dump and may be incomplete or incorrect.
Master-data table of enaio® user groups. Groups carry permissions and are linked to users via [bgrel](users_and_groups.md#database.bgrel).
### Columns
| Name | Type | Length | Description |
|---|---|---|---|
| [[db-gruppen-field-id]]`id` | `int` | — | Group ID (primary key, internal). Often referenced from other tables as `gruppen_id` (e.g. [`bgrel.gruppen_id`](users_and_groups.md#database.bgrel), [`ann_groups.gruppen_id`](annotations.md#database.ann_groups)). |
| `name` | `nvarchar` | 255 | Group name. |
| `profil` | `int` | — | ID of the assigned profile. |
| [[db-gruppen-field-osguid]]`osguid` | `nvarchar` | 32 | External GUID of the group. Often referenced from other tables as `osgroupguid` (e.g. [`bgrel.osgroupguid`](users_and_groups.md#database.bgrel)) and used as the principal value in the `objectXr`/`stammXr`/`registerXr` rights tables (`value` column) for group-based permissions. |
| `description` | `nvarchar` | 255 | Description of the group. |
| `osdeptguid` | `nvarchar` | 32 | GUID of the assigned department. |
### Related tables
* [benutzer](users_and_groups.md#database.benutzer) — the users who can belong to a group.
* [bgrel](users_and_groups.md#database.bgrel) — user/group mapping (`bgrel.gruppen_id` → `gruppen.id`, `bgrel.osgroupguid` → `gruppen.osguid`).
* [ann_groups](annotations.md#database.ann_groups) — assignment of annotations to groups (`ann_groups.gruppen_id` → `gruppen.id`).
* [objekte](dms_object_types_index_fields_and_structures.md#database.objekte) — rights clauses per group and object type (`objekte.gruppen_id` → `gruppen.id`).
### Usage by Server-API jobs
* [mng.CreateGroup](../mng.md#mng.CreateGroup), [mng.DeleteGroup](../mng.md#mng.DeleteGroup), [mng.GetGroupList](../mng.md#mng.GetGroupList).
## bgrel
> **Warning:** This page was automatically generated from the database schema dump and may be incomplete or incorrect.
Mapping table between users and groups. One row per membership.
### Columns
| Name | Type | Length | Description |
|---|---|---|---|
| `benutzer_id` | `int` | — | User ID. Foreign key to [`benutzer.id`](users_and_groups.md#database.benutzer). |
| `gruppen_id` | `int` | — | Group ID. Foreign key to [`gruppen.id`](users_and_groups.md#database.gruppen). |
| `osuserguid` | `nvarchar` | 32 | GUID of the user (denormalised). Corresponds to [`benutzer.osguid`](users_and_groups.md#database.benutzer). |
| `osgroupguid` | `nvarchar` | 32 | GUID of the group (denormalised). Corresponds to [`gruppen.osguid`](users_and_groups.md#database.gruppen). |
| `new` | `int` | — | New marker (internal synchronisation). |
### Usage by Server-API jobs
* [mng.AddUserGroupAsc](../mng.md#mng.AddUserGroupAsc), [mng.RemoveUserGroupAsc](../mng.md#mng.RemoveUserGroupAsc) — write/delete entries in this table.
* [mng.GetUserGroups](../mng.md#mng.GetUserGroups), [mng.GetGroupMembers](../mng.md#mng.GetGroupMembers) — read from this table.