Multi-accounts
Since April 2023, users and managers can have access to multiple accounts with the same user and credentials, without re-authentication.
This functionality has been designed, developed and tested in accordance with our cybersecurity rules to ensure the independence and hermeticity of each account.
Principles of the multi-accounts feature
- A user's role and permissions will be exactly the same on all accounts to which they have access.
For example, a manager has the manager role on all accounts, and a user with read-only access on sources and the datapusher role has read-only access on sources and the datapusher role on all accounts. For the moment it is not possible to have the manager role on one account and the user role on another. This could be an evolution of the product.
- Access to multiple accounts is only possible in the same environment.
For example, a user on Opinum SaaS can have access to multiple accounts in this environment, but cannot use the same user to access accounts in the On prem environment. User databases are dedicated to each environment; this rule will remain by architectural design.
Request access
The first request for access to a second account must be made through the Opinum support portal: https://help.opinum.com/tickets.
Once a manager of an account has access to a second account, he can give access to this second account to the users of the first account, according to the security rules described on this page.
Security rules
Independence of accounts
Even if users have access to multiple accounts, each account remains independent and hermetic. That is to say that nothing can be shared between accounts (data, Master Data, external services connections, reports, triggers, webhooks, etc.).
Important
The Master Data file stays unique for one account. Even if a user has access to several accounts, permissions can only be given through a different Master Data file, account by account.
Users management
A manager can manage users and give access to another account according to these rules:
- A manager can only give access to an account to which he already has access.
- A manager can only modify rights of users who have access to the same accounts as him, or have fewer accounts than him.
- A manager cannot modify a user who has access to at least one account to which the manager does not have access.
- To impersonate a user, a manager must be connected to the same account as this user.
Tip
Learn more about Impersonate.
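The user-management rules above, modelled as authorization checks. This is an added example, not Opinum's code: the `Principal` type, its fields and the account ids are assumptions made for illustration, and the impersonation rule is read here as "the manager's active session is on an account the user can access". It shows that "fewer accounts" has to be tested as a subset, not by counting accounts.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:                      # hypothetical model, not an Opinum type
    name: str
    accounts: frozenset               # ids of the accounts this principal can access
    is_manager: bool = False
    current_account: str = ""         # account of the active session (assumed field)


def can_grant(manager, account):
    """A manager can only give access to an account he already has."""
    return manager.is_manager and account in manager.accounts


def can_modify(manager, user):
    """Same accounts or fewer: every account of the user must also be one of
    the manager's. A single account outside that set blocks the change."""
    return manager.is_manager and user.accounts <= manager.accounts


def blocking_accounts(manager, user):
    """Accounts that make the user off-limits to this manager (useful in audit logs)."""
    return sorted(user.accounts - manager.accounts)


def can_impersonate(manager, user):
    """Assumed reading: the manager's session account is one the user can access."""
    return (manager.is_manager
            and manager.current_account in manager.accounts
            and manager.current_account in user.accounts)


# Constructed sample data: account ids "A", "B", "C" are placeholders.
MANAGER = Principal("manager", frozenset({"A", "B"}), True, "A")
SAME = Principal("same", frozenset({"A", "B"}))
FEWER = Principal("fewer", frozenset({"A"}))
OUTSIDE = Principal("outside", frozenset({"C"}))        # fewer by count, not a subset
MORE = Principal("more", frozenset({"A", "B", "C"}))

if __name__ == "__main__":
    for u in (SAME, FEWER, OUTSIDE, MORE):
        print(u.name, "modify:", can_modify(MANAGER, u),
              "blocked by:", blocking_accounts(MANAGER, u),
              "impersonate:", can_impersonate(MANAGER, u))
```

The `OUTSIDE` user has fewer accounts than the manager by count, yet the check refuses the change because account "C" is not one of the manager's.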
Connection to accounts
Users who have access to multiple accounts can switch from one account to another without having to re-authenticate.
When a user is authenticated on an account, the user still remains 'available' on other accounts. Thus, for example, it is now possible to share a dashboard with someone who is currently logged in to another account.
Navigation to an account in the UI
All users who have access to multiple accounts can see a new drop-down in the header. A user changing account does not have to re-authenticate; no login page is displayed.
The user is logged in to the account to which they were previously logged in.
Navigation to an account via API
When connecting, the user can specify the account to connect to, to avoid being connected by default to the last tenant to which they connected.
An "acr_values" parameter has been added to the authentication request. In this parameter the user will be able to add the value of the accountID of the account on which he wants to connect. In return the bearer token will be contextualised in the requested account.
The user can use several bearer tokens in parallel and thus be connected to several tenants in parallel.
Because the "acr_values" parameter is part of the authentication request, it is available to all users who have access to the API.
Give access to a new account to a user
To give access to a new account to a user, the manager must first connect to the account, then go to the Users page in the settings menu. Find the user in the list and click on it; the User page opens.
In the User page, click on the Accounts tab and click on the Add account button. A panel opens with the list of accounts the manager has access to. Select the account and click on the Save button. Then give the user access to sites and sources as usual. The permissions of the user will be the same on all accounts.
Tip
Learn more about users management.