Currently ecflow use a white list file functionality, to control who has access to the server. (see ecFlow White list file).
In a closed system, this provides reasonable security, however, ecFlow is an open-source product and it would be possible for a malicious person to pose as another user to gain access to the server.
Hence version 5.0.0 now optionally also provides password access to the server. (Previously this was available as build option).
For more details see: Black list file (experimental)
User commands
In ecflow 4.X.X user command(i.e. suspend,resume, etc) recorded the user name(UID). Hence it was easy to see who was issuing the commands. i.e. In the log file and node log in the GUI.
This has now been beefed up to also record the machine/hostname from where the user command was issued.