This article targets BRYTER admins. You need to have admin rights to see the features documented here.
For each environment, you separately manage your end user accounts. You can manage which end users have an account in the client environment and you can assign end users to groups to enable authors to more efficiently define access rights to their applications. End users can authenticate via username and password or through different identity providers.
Authentication management
To manage how end users authenticate to your client environment, go to the admin console’s Environments section and select the Configure button next to your client environment’s name. Then, scroll down to Authentication management.
By default, the authentication type Username and password is activated with the toggle Visible at login. While this authentication type is activated, you can add end users manually in the END USERS tab (see below). If you disable the authentication type, you cannot add end users manually, and existing end users will not be able to log in with a password anymore.
You can also add identity providers (see below). This enables end users to automatically get access via single sign-on (SSO), using their Microsoft account, their Okta account, or similar.
Make sure at least one authentication type is activated so that end users can authenticate. The authentication types can be combined; all activated authentication types are then displayed to the end user at login.
End user login
To log in to the client environment properly, end users need to open a resource in the client environment. This could be the environment’s portal, a published application or a module end user interface. Make sure to share a link to one of the environment’s resources with them.
❗ To avoid unintended behavior, you should not manage end users at the tenant level if you also manage them in a client environment. By default, all end users managed at tenant level will have access to the content of all client environments, if not restricted by the use of application roles.
Authentication with username and password
You can enable end users to authenticate with username and password. If you do so, you need to add end users to a client environment manually. To speed things up, you can also import multiple end users from a table (which can be generated with Microsoft Excel). You can assign end users to groups so that authors can assign end user access rights to their application more efficiently.
To add end users to a client environment:
1. Open the Environments section.
2. Locate the respective client environment and select Configure.
3. Several tabs will now be displayed. Open the second tab END USERS.
4. Use the jump mark end users or scroll down to select New user.
5. On the New user modal, enter their first name, last name, and email address. The email address will also be used as the username.
6. Now you can either
   - set a temporary password and share the login credentials, including the temporary password, with the end users (they will have to set a new password when they log in with the temporary password for the first time), or
   - leave the field blank and they will immediately receive an invitation link by email.
   You can also enter a temporary password to send the invitation link from the end user overview at a later time. Invitation links in emails are valid for 3 days – the link then expires and a new link must be sent.
7. Select Create user.
❗ Note that the end user will only be created in this client environment. They only have access to the content of this client environment. They cannot log in as authors and create new applications.
If you disable the authentication type Username and password, you will not be able to send invitations.
You can import multiple end users into a client environment at once. To do so:
1. Open the Environments section.
2. Locate the respective client environment and select Configure.
3. Open the second tab END USERS.
4. Use the jump mark end users or scroll down to the end user list.
5. Select CSV template to download it.
6. Add to this file all the end users you want to import. You can use Microsoft Excel for this. For the upload to work, each entry must be filled in for each end user. Save your amended file in a .csv format.
7. Select Import users and upload the filled .csv file.
The following happens after a successful import:
- Users are automatically created with an ACTIVE state.
- No invitation link will be sent to end users as part of this bulk upload; you need to share the login credentials (including the temporary password) with the end users or send an invitation link.
- Users are required to change their password when they connect for the first time.
❗ Note that the end user will only be created in this client environment. They only have access to the content of this client environment. They cannot log in as authors and create new applications.
After creation, you can also edit an end user’s data. To do so:
1. Open the Environments section.
2. Locate the respective client environment and click on Configure.
3. Open the second tab END USERS.
4. Use the jump mark end users or scroll down to the end user list.
5. Locate the respective end user and select Edit.
6. Change one or more entries and select Save changes.
❗ Note that updating the email address does not automatically send an invitation link to the end user; it only means that they can no longer log in with the old email address. You should send a new invitation link or otherwise inform the end user to log in with the updated email address.
Once you have created end user accounts in a client environment, you can create groups and assign end users as group members within this client environment. This is useful if you want to enable authors to restrict access to applications or application components to a specific group of end users. As an example, you can assign members of your client’s legal department to the group Legal department, and then an application’s author can assign access to specific application components to all members of the Legal department group. Learn more here.
To create groups and assign end users to them:
1. Open the Environments section.
2. Locate the respective client environment and click on Configure.
3. Open the second tab END USERS.
4. Select New group.
5. Enter a group name and select Create group.
6. On the Manage members modal, enter the email address of the end user who should become a group member.
   ❗ Note that end users must already exist in your end user list on that particular client environment before they can be added to the group.
7. Select Add member.
8. Repeat steps 6 and 7 until you have added all group members. Then select Done.
You can also add or remove group members by selecting Manage members in the group list.
Authentication with Single Sign-on
By default, authentication is set to Username and password. However, you can add one or many identity providers. An identity provider enables your client’s end users to access BRYTER resources with the default authentication they are using at the client company, e.g., their Microsoft account or their Okta account (single sign-on).
To add an identity provider:
1. Open the Environments section.
2. Locate the respective client environment and select Configure.
3. Stay on the first tab GENERAL.
4. Scroll down to the Authentication management section. Select New identity provider.
5. Enter a display name and select Create identity provider.
6. The new identity provider is displayed. You can complete its details by selecting Edit. Editing your identity provider is very similar to configuring SSO at tenant level, so you can use the documentation here. If you have no knowledge of this process, please contact your technical administrator for assistance.
Once you have set up login via identity provider, your end users will be provisioned automatically once they log in with the identity provider for the first time.
Their data, such as first name, last name and email address, will be taken over from the identity provider and will be updated automatically each time they log in via their identity provider.
You can configure within your identity provider which users should have access to the BRYTER platform. Please refer to your identity provider’s manual to understand how you can grant or restrict access.
You can also delete an identity provider. If you delete it, end users will no longer be able to log in via this deleted identity provider. However, if the authentication type Username and password is activated, end users can still click the Forgot password button on the login form, set a password and regain access.
To delete an identity provider,
- Select the Edit button of your identity provider in the list on the GENERAL tab of your client environment’s configuration.
- Scroll down and select Delete.
- Select Confirm.
To create a user group and assign end users to it, you can proceed as described here.
Additionally, once a group is created, you can configure the groups claim in your identity provider to enable automatic group assignments whenever an end user logs in.