...
There are two possible cases. As an admin you can invite external users, or external users can sign up themselves. In both cases, the Force Verify User setting should be enabled.
Case 1 - Org admin invites an external user
...
with delayed activation
| Info |
|---|
This method ensures that invited users at no point in time have access to the User Panel or AMPI. However, an email must be sent to the new user manually to inform about account creation and password. |
To perform the following steps access to both the Org panel and Admin panel is required.
...
In the Org panel - Invite the user
As an organization admin, go to the Org panel - Users
Select Invite User
Fill in the name and e-mail accordingly
Keep Deactivate Activate User enabled
Disable User Panel Access
Save
At this moment the external new user will receive an automatic e-mail to reset their password.
| Note |
|---|
Revoke AMPI access In most organizations new users will automatically be granted access to AMPI. Therefore, the newly invited external user will also have access to AMPI unless you revoke it immediately following the steps below. You can look up what AMPI default access group is configured for your organization at Home › B3_Organization › Organizations › <YOUR ORGANIZATION> |
| Info |
|---|
In case the checkbox Activate User is deselected when inviting the user, the automatic email to set the password is not sent. Thus the new user is not informed automatically about the new account. To set a password the external service user would have to manually reset the password via “Forgot password”. Most likely, this would have to be communicated separately to the external user. |
In the Admin panel - Revoke AMPI access
...
As an admin panel user, go to Home › Authentication and Authorization › Users
Find and open the user details of the external user you just invited
In the section USER ACCESS GROUPS, remove the access group(s) AMPI User (and AMPI Expert if assigned) by selecting the checkbox DELETE?
And clicking SAVE at the bottom of the screen
As a result of this action, the external user does not have access to AMPI. In fact, the new user now does not have access to any panel, so Service Panel access needs to be granted in the next step.
...
account will be created, but no automatic email is sent to the new user to inform about the account creation. This will give us time to revoke default permissions that may have been provided.
In the Admin panel - Revoke permissions
By default, most organizations will provide both AMPI and User Panel access to newly created users. In this section, we are going to revoke those default permissions for Service users
To revoke permissions…
As an admin, go to the Admin panel
Navigate to Authentication and Authorization › Users
Find and open the user details of the external user you just invited
Under Permissions enabled the Active checkbox to activate the account
To remove the User Panel access go to the USER ACCESS GROUPS section
Select the DELETE? checkbox for any AMPI and/or User Panel permission
Confirm your changes by clicking Save and continue editing at the bottom of the page.
The permissions of the new user are set up correctly now. But the new user cannot log into the platform, yet, because the new account is still missing a password.
This can be solved in two ways
(Preferred) Inform the new user to use the Forgot password? functionality to set a password
...
Or set an initial password for the user manually in the admin panel
Open the Change password form for the newly created user
Enter a secure password and memorize/store it temporarily.
Share the password with the new user via a secure channel and ask the user to change their password upon first login.
E.g. use Bitwarden Send for transmitting the password.
The external Service user can now log into the platform.
Case 2 - Org admin invites an external user with instant activation
| Info |
|---|
This method requires no manual interaction with external service users as they are informed about account creation manually. However, there is a small time window between account creation and revoking of permission where the new user could potentially access User Panel and AMPI. |
To perform the following steps access to both the Org panel and Admin panel is required.
...
In the Org panel - Invite the user
As an organization admin, go to the Org panel - Users
Select Invite User
Fill in the name and e-mail accordingly
Keep Activate User enabled
Save
At this moment the external user will receive an automatic e-mail to reset their password and be able to log into the platform.
In the Admin panel - Revoke permissions
You should revoke UP and AMPI permissions directly after sending the invitation to keep the time window of logging into the platform with additional permissions minimal.
To revoke permissions you can follow the same steps outlined in Case 1 under “In the Admin panel - Revoke permissions”.
To complete the setup for the external service user, Service Panel access needs to be granted. See below
Case 3 - External user signs up
Actions performed by a new external user
...
An external user signs up on the platform
The external user receives an automatic email to set a password
The external user sets a password and needs to wait for activation of the account through an admin
Only after step 3, the user appears in the user list in the org panel and the admin panel.
...
To perform the following steps access to both the Org panel and Admin panel is required.
In the Admin panel - Revoke permissions
To revoke permissions you can follow the same steps outlined in Case 1 under “In the Admin panel - Revoke permissions”
...
In the Org panel - Verify user
As an Org admin verify the new user to grant platform access
The new external user can now log into the platform and does not have access to AMPI or the User Panel.
In fact, the new user now does not have access to any panel, so Service Panel access needs to be granted in the next step.
Providing Service Panel access to new external users
...