This article describes the various options for controlling who can access your AtomSphere account.
The primary method for managing user access to your account is through User Management. Here you create new users and assign roles to control access to various functionality within the application.
To configure User Management, go to Account menu > Setup > User Management.
For more information see Understanding User Management and Custom Roles.
Boomi Support Access
By default, accounts permit access by the Dell Boomi support team. Access to your account can be helpful or necessary when working with support to troubleshoot errors and review configuration.
Access is controlled by selecting the role that will be applied to support personnel accessing your account. By default this is the Administrator role, but you can choose any standard or custom role available in your account. For example, you could select a "read only" role that allows support personnel to "look but not touch" setup within your account. To disable support access entirely, select "--No Access--".
To configure support access, go to Account menu > Setup > Account Information > Support Access Role.
Single Sign On
Requires the Advanced User Security feature.
You can enable Single Sign On (SSO) for your AtomSphere account to use an external identity provider to authenticate users. Users must still be configured within AtomSphere's User Management because AtomSphere performs the authorization (what they are allowed to do once in AtomSphere). However, upon login, users are first authenticated against an external identity provider of your choosing before accessing AtomSphere.
To enable and configure Single Sign On for your account, go to Account Menu > Setup > SSO Options.
Using SSO can be a convenience to end users who may be accessing AtomSphere from a company portal or another application because they do not have to manually log into AtomSphere and remember AtomSphere credentials. SSO also benefits organization administrators by allowing them to manage users' access to AtomSphere from their central identity provider. For example, if an employee leaves the company, their access can be terminated from the central identity provider instead of having to remember to remove them from AtomSphere explicitly.
Once SSO is enabled, all users except those with the Administrator role will not be able to log into AtomSphere directly.
Administrators will continue to log into AtomSphere directly.
User roles and authorization are still managed within AtomSphere.
AtomSphere SSO uses SAML 2.0.
There are special considerations for users with access to multiple accounts.
See How to Use Single Sign-on for more considerations.
SSO is often used to automate the user login process. With that in mind, you can leverage the AtomSphere platform API to programmatically provision and de-provision users.
See Single Sign-On with SAML Authentication for more information.
Account Groups and Child Accounts
Requires the Account Groups feature, typically enabled for partner and parent-child account hierarchies.
Partners with child AtomSphere accounts will additionally use Account Groups to manage user access to child accounts. The Account Groups feature is only enabled in the parent account. You can define any number of Account Groups that represent logical groupings of child accounts. Users are added to an Account Group which grants them access to the child accounts within that group.
It may be helpful to think of it like this: User Management controls access to the parent account. Account Groups control access to all the child accounts.
Account Group users are separate from User Management users. Account Group users do not have to exist as User Management users.
To add the same user as both a User Management and Account Group user, simply use the same user ID/email.
Roles are assigned per user per Account Group. This means two users in the same group can have different roles, or the same user can have different roles in different groups.
As a best practice to facilitate user administration, manage access for your partner users to all child accounts through Account Groups in the parent account. Do not add partner users directly to the individual child accounts through each child account's User Management. However, if end customers require access to their individual child account, it is best to manage those customer users through the child account's User Management.
See Account Groups for more information.