User Management Best Practices

Follow these best practices to streamline user management and permission assignment for Embedded Partners.

Implementing the right strategy allows you to maintain a scalable and seamless user experience while efficiently managing access control. Proper user management is essential for keeping operations smooth and ensuring the right people have access to the right data at the right time.

Define and prioritize key user requirements

Identify the specific user management and permission requirements that align with your team's and business's technical capabilities and security needs. This process ensures that you select the most effective method based on the operational priorities of your team. Choose between the following approaches:

  • API: This approach is recommended when you need real-time updates and have the technical expertise to manage APIs.
  • Security file: This approach is recommended if ease of implementation and simplicity are more important than real-time updates.

The following table summarizes and compares the approaches:

| Criteria | API | Security File |
|---|---|---|
| Applicability | Applies to more technically proficient teams | Applies to less technically adept operations teams |
| Implementation effort | Higher effort due to technical barriers | Less effort to implement |
| Real-time updates | Updates are registered instantly | Data refreshes (typically daily) |
| Technical requirements | Requires API knowledge and integration | Requires email as a data attribute |
| Flexibility | More flexible with instant updates | Less flexible with delayed updates |
| Ease of use for operations team | Requires technical involvement | Easier for less technical teams |
| Research and Development (R&D) involvement | Requires R&D for future updates | Minimal |
| Support for failures and deviations | Potentially higher complexity in support | More stable with regular data refreshes |

Discuss the user management approach early in the implementation, after initial data discoveries and onboarding. This is part of the scope definition process as it will determine what work needs to be done during the initial implementation and ongoing maintenance. By clearly defining and prioritizing your needs, you can avoid unnecessary complexity and ensure a scalable solution.

Optimize the user creation process based on technical capacity

Select a method for user creation that matches your technical proficiency. For teams with technical expertise, API-driven user management offers flexibility and real-time updates, albeit with a higher setup effort. For less technical teams, auto-provisioning with a security file allows user creation through automated processes that don’t require deep technical skills.

  • API: This method provides instant updates and is highly flexible but requires API integration and technical know-how, making it more suitable for advanced teams.
  • Security file: Users are automatically created when user data is received. This method is simple to implement and requires minimal technical resources but depends on data refresh cycles.

Evaluate the need for real-time updates

Ensure your user management strategy accounts for real-time operations and expected updates. APIs enable instant permission assignment, making them ideal for environments where users frequently change roles or where updates are mission-critical. By contrast, security file-based systems depend on data refreshes, making them less ideal for time-sensitive scenarios but easier for day-to-day operations.

  • API: Changes are applied instantly, ensuring real-time management of users and permissions. This makes the API approach preferable in fast-paced environments where immediate updates are necessary.
  • Security file: Updates are applied during scheduled data refreshes, typically once a day. While this approach minimizes complexity, it can introduce delays in reflecting new users or permissions.

Incorporate flexibility based on workflow needs

Consider the flexibility and ongoing maintenance requirements of each approach. Security file solutions offer a more stable process with fewer technical hurdles, while APIs provide the flexibility to make on-the-fly updates but require greater maintenance and R&D involvement.

  • API: Greater flexibility for creating, updating, and managing users, but requires ongoing R&D support and technical expertise.
  • Security file: Ideal for teams that need a stable, low-maintenance solution for managing users, but updates are limited to data refresh intervals.

Collaborate closely with your Operations and R&D teams

Work closely with your Operations and R&D teams to ensure the user management strategy aligns with your long-term goals. Engage in discussions to assess how each approach will impact future updates and ongoing management, particularly if technical resources are limited. Regular collaboration can help you identify potential pitfalls and ensure that your chosen method is sustainable in the long run.

  • API: Requires more technical input from R&D, especially for creating custom workflows for user management and ensuring seamless integration with your system.
  • Security file: Easier for Operations teams to manage with minimal R&D involvement, but future updates and changes will depend on data refreshes.

Ensure long-term sustainability

Evaluate the long-term sustainability of the user management approach. If real-time updates are critical, an API-based approach will offer the flexibility needed for dynamic environments, though it comes with higher resource demands. If stability and ease of use are more important, the security file approach will provide a simpler, more reliable path, but with limited flexibility.

Choosing the right user management strategy affects the overall efficiency of the system. For partners that do not use APIs, updates can be delayed, as they depend on daily data refreshes to register changes. For those needing immediate changes to user roles and permissions, APIs allow for faster updates but require technical investment. By selecting the approach that best matches your team's capabilities and requirements, you can optimize both implementation and ongoing user management.

For more information about the APIs, see Users API and Permissions API.

User Management Automation

System administrators have several options for managing users, including individual management through the UI, or automated processes for simplified, scaled management. User management can be automated via:

  • the Users API
  • Security Files and Auto Provisioning

Before you begin, the following must be true:

  1. The user should have an understanding of the User Management workflow within the Visier platform.
  2. The user creation process assumes that permissions have been created beforehand. To learn how to assign permissions and for best practices, see Permission Management.

Users API

The Users API is the preferred method for automating user management due to its ability to facilitate secure, scalable, and customizable applications for user data and permissions. For more information, see Users API. Before automating using the API, we recommend that partners:

  • Maintain a centralized list of active users and their permissions to serve as the definitive reference point for API interactions. Partners control the frequency of these API calls.
  • Use event-based triggers to ensure that Visier's user permissions are always synchronized with the latest information.

To validate the integration, you can retrieve a list of Visier users and their information, then compare it against your internal system's records. Advantages of validation include:

  • Real-time management that enables quick and efficient administration of user accounts, data, and access permissions.
  • Historical tracking and auditing, with the ability to retrieve a list of users and permissions at any given point in time, allowing accurate tracking and auditing of user activity within the system.
  • Streamlined permission changes that eliminate the need for a full data load to modify a user's permissions.
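The validation step described above, comparing the retrieved Visier users against your internal records, can be run as a drift report. This is an added example, not Visier's code: it starts from two lists that have already been fetched, and the field names `email`, `active` and `permissions` are assumptions, not the Users API response schema.

```python
# Constructed sample data; the field names "email", "active" and "permissions"
# are assumptions for this example, not the Users API response schema.
SYSTEM_OF_RECORD = [
    {"email": "Ana@example.com", "active": True, "permissions": ["ADMIN"]},
    {"email": "ben@example.com", "active": True, "permissions": ["MANAGER"]},
    {"email": "cy@example.com", "active": False, "permissions": ["MANAGER"]},
    {"email": "dee@example.com", "active": True, "permissions": ["MANAGER"]},
]
VISIER_USERS = [
    {"email": "ana@example.com", "permissions": ["ADMIN"]},
    {"email": "ben@example.com", "permissions": ["MANAGER", "ADMIN"]},
    {"email": "cy@example.com", "permissions": ["MANAGER"]},
    {"email": "eve@example.com", "permissions": ["ADMIN"]},
]

def _index(users):
    """Map lower-cased email -> permission set, rejecting duplicate emails."""
    out = {}
    for user in users:
        email = user["email"].strip().lower()
        if email in out:
            raise ValueError(f"duplicate user record: {email}")
        out[email] = set(user["permissions"])
    return out

def reconcile(system_of_record, visier_users):
    """Return drift between the reference list and the retrieved Visier users."""
    expected = _index(u for u in system_of_record if u["active"])
    actual = _index(visier_users)
    report = {
        # Accounts that exist in Visier but have no active reference record.
        "orphaned": sorted(actual.keys() - expected.keys()),
        # Active users that were never created in Visier.
        "missing": sorted(expected.keys() - actual.keys()),
        "excess": {},    # permissions held in Visier but not granted upstream
        "lacking": {},   # permissions granted upstream but absent in Visier
    }
    for email in sorted(expected.keys() & actual.keys()):
        if extra := actual[email] - expected[email]:
            report["excess"][email] = sorted(extra)
        if short := expected[email] - actual[email]:
            report["lacking"][email] = sorted(short)
    return report
```

The `orphaned` and `excess` entries are the ones to review first, since they represent access that the reference list no longer grants.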

Security Files & Auto Provisioning

User creation is handled through auto provisioning, and data access is determined by attributes sent in a security file. Before a user first logs into the app, their security status is sent to Visier. These values are included in security files on a per-analytic tenant basis and used to determine the user group to which the user belongs.

The user group then assigns one to many permissions to the user, controlling their access to data and content. For more information, see Set Up Dynamic Security Using Security Files.

Note: Security Files can be sent to Visier and loaded just like any other data file. Visier takes the most recent security file value to determine what user group a user is assigned to.

Auto provisioning

Visier supports auto-provisioning users by matching the email address provided in the SAML assertion to the records present in Visier. Auto-provisioning allows the creation of new users at the moment they access Visier, provided that their email has a valid domain for their solution. For more information, see Auto Provisioning.

You can enable auto provisioning after SSO is enabled and disable it at any time. Visier expects 2 SAML assertions to be sent during user auto-provisioning:

  1. An assertion that creates a user in the Visier database. Visier then redirects the session frame to an IdP URL specified in the Tenant single sign-on room.
  2. An assertion that logs the user in.

Visier posts a USER_AUTOPROVISION_SUCCESS message to your application window any time a user is auto-provisioned.

Note: If the IdP URL is configured correctly, you should not have to take any action upon receiving this message.

Visier posts a USER_AUTOPROVISION_FAILED message to your application window any time a user fails to auto-provision. After the account is created, Visier checks the assigned user groups to determine what data they can access. If the user is not assigned a User Group, then they will not have access to the data.

In this example, employee 1234 is assigned to the Admin User Group, and employee 5678 is assigned to the Manager User Group.

| TenantCode | EffectiveDate | ExtractionDate | EmployeeID | Attribute | Value |
|---|---|---|---|---|---|
| WFF~abc~123 | 2023-01-01 | 2023-01-10 | 1234 | ACCESS PERMISSION | ADMIN |
| WFF~abc~123 | 2023-01-01 | 2023-01-10 | 5678 | ACCESS PERMISSION | MANAGER |

The security file and attribute value file must have a 1:1 relationship with the employee. Rather than sending an employee with two rows in the security file, send one value and use the application to assign multiple permissions to a given user group.

When you send a user with a value of ADMIN in the security file and a job is triggered (resulting in a successful data version), the user will appear in user groups. To access:

  1. In a project, on the navigation, click Security > User Groups.
  2. Check that the username in the application matches the value of the Email Address attribute in the employee file, as the username is determined upon creation.

Actions

Although users do not have to be created in advance, the following prerequisites need to be satisfied before a user’s first login:

  1. The security file must be sent and loaded before the user’s first login. Failure to do so will result in denied access to analytics.
  2. Users need to be granted access to Visier in your IdP so that the SAML assertion contains the correct user information and tenant code.

Add a User (Auto Provisioning)

Enable auto provisioning to automatically create user accounts for new users who access the solution from your SSO portal.

Assign a User Group

To add a user to a User Group, simply send a record in a new security file with valid security values and effective dates.

Remove a User Group

To remove a user's access, send a value of “NO ACCESS” for the user inside the security file. Alternatively, if this is an exit event for that employee, taking away that employee's customer SSO access achieves the same result. An example of correct file formatting is below:

| TenantCode | EffectiveDate | ExtractionDate | EmployeeID | Attribute | Value |
|---|---|---|---|---|---|
| WFF~abc~123 | 2023-01-01 | 2023-01-10 | 1234 | ACCESS PERMISSION | NO ACCESS |
| WFF~abc~123 | 2023-01-01 | 2023-01-10 | 5678 | ACCESS PERMISSION | NO ACCESS |

Update a User Group

To move a user from one user group to another, send an updated record for that user with a new security value and effective date.
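The security file rules above (one value per employee, the most recent value decides the user group, and NO ACCESS removes access) can be checked before a file is sent. This is an added example, not Visier's loader: the comma-delimited layout is an assumption, as is reading "most recent" as the latest EffectiveDate with ExtractionDate as the tie-breaker.

```python
import csv
import io
from collections import defaultdict
from datetime import date

COLUMNS = ["TenantCode", "EffectiveDate", "ExtractionDate",
           "EmployeeID", "Attribute", "Value"]

# Constructed sample (comma-delimited is an assumption): 1234 moves from ADMIN
# to MANAGER, 5678 is removed, 9012 has two values for the same dates.
SAMPLE = """TenantCode,EffectiveDate,ExtractionDate,EmployeeID,Attribute,Value
WFF~abc~123,2023-01-01,2023-01-10,1234,ACCESS PERMISSION,ADMIN
WFF~abc~123,2023-01-01,2023-01-10,5678,ACCESS PERMISSION,MANAGER
WFF~abc~123,2023-02-01,2023-02-02,1234,ACCESS PERMISSION,MANAGER
WFF~abc~123,2023-03-01,2023-03-02,5678,ACCESS PERMISSION,NO ACCESS
WFF~abc~123,2023-03-01,2023-03-02,9012,ACCESS PERMISSION,ADMIN
WFF~abc~123,2023-03-01,2023-03-02,9012,ACCESS PERMISSION,MANAGER
"""

def review_security_rows(text):
    """Return (effective, problems): newest value per employee plus findings."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != COLUMNS:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    history = defaultdict(list)  # (tenant, employee) -> [(stamp, value)]
    problems = []
    for line_no, row in enumerate(reader, start=2):
        value = (row["Value"] or "").strip()
        try:
            stamp = (date.fromisoformat(row["EffectiveDate"]),
                     date.fromisoformat(row["ExtractionDate"]))
        except (TypeError, ValueError):
            problems.append(f"line {line_no}: unparseable date")
            continue
        if not value:
            problems.append(f"line {line_no}: empty value")
            continue
        history[(row["TenantCode"], row["EmployeeID"])].append((stamp, value))
    effective = {}
    for (tenant, employee), entries in history.items():
        newest = max(stamp for stamp, _ in entries)
        # Assumption: "most recent" means latest EffectiveDate, then ExtractionDate.
        values = sorted({value for stamp, value in entries if stamp == newest})
        if len(values) > 1:
            # Violates the one-value-per-employee rule: report, assign nothing.
            problems.append(f"{employee}: conflicting values {values}")
            continue
        effective[(tenant, employee)] = values[0]
    return effective, problems
```

An employee with conflicting rows is left out of the result rather than given either group, so the conflict has to be resolved in the source data before the file goes out.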

Validation

You can validate your data by retrieving a list of users and their details from Visier and comparing the result with your system of record. This approach creates users through auto provisioning, eliminating the need to create them in advance and requiring less development work. A chart comparing API management and security files with auto provisioning is below:

| Action | API Approach | Security File Approach |
|---|---|---|
| User Creation | Handled via API | Handled via auto-provisioning |
| Security Assignment | Permission assigned via API | User Group dynamically assigned via security file |
| Validation | Handled via API | Handled via API |