Deep Dive: User Management and Security

Introduction

Effective user management and robust security practices are essential for maintaining control, compliance, and data integrity within Zudello. This guide provides an in-depth look at managing users across Organisations and Teams, configuring granular access controls, integrating with identity providers like Microsoft Entra ID, managing delegation, and implementing security best practices.

Organisation vs. Team Settings

User management in Zudello operates at two levels:

  1. Organisation Level: Managed via Organisation Settings (accessible to Organisation Admins). This is where core user identities, user groups, and global settings are managed.
    • Users: Create/Deactivate user accounts, manage basic profile info (name, email), set Organisation Admin status, manage SSO linking.
    • User Groups: Create and manage Access, Visibility, and Approval groups. Assign Access Permissions to Access Groups.
    • Group Membership: Assign users to specific User Groups within the context of a Team. This links the Organisation-level groups to Team-level access.
    • SSO & User Provisioning: Configure connections to identity providers like Microsoft Entra ID.
  2. Team Level: Managed via Settings within a specific Team (accessible based on Team-level permissions). This is where Team-specific configurations and data access rules are applied.
    • Team Profile: Manage Team name, default currency, etc.
    • Data Permissions: Define rules that filter data visibility (All, Own, Related, Specific). These rules are then linked to Organisation-level Visibility Groups.
    • User Defaults: Configure default coding (Location, Subsidiary) for users within that specific Team.
    • Delegation: Users manage their own delegations per Team via their Profile settings. Admins can manage delegations for others via Organisation Settings > Users > Edit User > Delegation tab.

Understanding this distinction is key: User identity and group definitions are central (Organisation), but the application of permissions and data access often happens within the context of a specific Team.

Managing Users and Team Memberships

  • Creating Users:
    • Manual: Org Admins create users via Organisation Settings > Users > New User. First Name, Last Name and Email are required. The user receives an invitation to set a password (unless SSO is enforced).
    • User Provisioning (SCIM): Users are automatically created/updated based on membership in a configured group within an identity provider like Microsoft Entra ID. See Microsoft Entra ID User Provisioning.
  • Assigning to Teams: A user must be added as a member of a Team to access it. This is done via Organisation Settings > Users > Edit User > Teams tab OR Organisation Settings > Teams > Edit Team > Users tab.
  • Assigning User Groups (Granting Permissions): To grant a user permissions within a Team, assign them to the relevant User Groups for that Team via Organisation Settings > Group Membership. Select the Team, then the User, then assign the appropriate Access and Visibility groups. See User Groups.
  • Deactivating Users:
    • Manual: Org Admins set user status to Inactive via Organisation Settings > Users.
    • User Provisioning: Removing a user from the configured Entra ID group typically deactivates their Team membership automatically.
    • Deactivated users cannot log in, but their historical activity (audit logs, approvals) is retained.

User Groups and Permissions Interaction (Recap)

As detailed in the Permissions Framework Deep Dive:

  1. Access Permissions (what actions a user can perform, e.g., #UPDATE) are assigned to Access Groups at the Organisation level.
  2. Data Permissions (what data a user can see, e.g., "Own Invoices") are defined at the Team level and linked to Visibility Groups at the Organisation level.
  3. Users are assigned to Access and Visibility groups within a specific Team via Group Membership.
  4. A user needs both the necessary Access Permission (from their Access Groups) and the necessary Data Permission (from their Visibility Groups) to interact with a specific record within that Team.

Configuring Data Permissions for Complex Scenarios

Data Permissions offer flexibility beyond simple "All" or "Own".

  • Scenario: Manager Access to Direct Reports' Documents
    • Model: Transaction
    • Field: submitted_by.manager (requires the manager field to be populated on User profiles, for example via the Manager relationship synced from Entra ID)
    • Operator: Own
    • Result: Users in the associated Visibility Group can see transactions submitted by users who list them as their manager.
  • Scenario: Departmental Access (Related)
    • Goal: Allow users to see Suppliers associated with their Department's transactions.
    • Rule 1 (Transactions): Model: Transaction, Field: Department, Operator: Own (or Specific for fixed Dept).
    • Rule 2 (Suppliers): Model: Supplier, Field: transactions.Department, Operator: Related, Related Rule: [Select Rule 1].
    • Result: Users can see Suppliers who have transactions coded to the Department(s) they have access to via Rule 1.
  • Scenario: Project-Based Access
    • Goal: Allow users to see POs and Invoices related to Projects they own.
    • Rule 1 (Projects): Model: Project, Field: owner (or assignees), Operator: Own.
    • Rule 2 (Transactions): Model: Transaction, Field: Project, Operator: Related, Related Rule: [Select Rule 1].
    • Result: Users can see transactions coded to Projects they own/are assigned to.

See Data Permissions Explained.
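The following is an added example, not Zudello's own code, that traces the three scenarios above (and the Access + Data Permission rule from the recap) through a small evaluator. Rules are modelled as Model / Field / Operator / Related Rule; the way Own, Specific and Related are resolved, the user-attribute matching for Own on non-user fields (e.g. Department), and the OR-ing of several rules for one model are assumptions drawn from the page's wording, not the product's implementation. All users, transactions, suppliers and projects are constructed sample data.

```python
"""Toy evaluator for Zudello-style Data Permission rules (added example, not product code).
Rule semantics are an assumption based on the page's description."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Rule:
    name: str
    model: str
    field: str                       # dotted path into the record, e.g. "submitted_by.manager"
    operator: str                    # "All" | "Own" | "Specific" | "Related"
    user_attr: str = "id"            # Own: which attribute of the current user the field must match (assumed)
    values: tuple = ()               # Specific: allowed field values
    related_rule: str | None = None  # Related: rule applied to the linked record(s)


def get_path(record: dict, path: str) -> Any:
    """Walk a dotted path through nested dicts; a missing key yields None."""
    cur: Any = record
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def visible(rule: Rule, record: dict, user: dict, rules: dict[str, Rule], depth: int = 0) -> bool:
    """Does `record` pass `rule` for `user`? Related rules recurse into the linked record(s)."""
    if depth > 8:                    # guard against a mis-configured cycle of Related rules
        raise RecursionError(f"rule chain too deep at {rule.name}")
    if rule.operator == "All":
        return True
    value = get_path(record, rule.field)
    if rule.operator == "Own":
        mine = user.get(rule.user_attr)
        return mine is not None and (value == mine or (isinstance(value, list) and mine in value))
    if rule.operator == "Specific":
        return value in rule.values
    if rule.operator == "Related":
        parent = rules[rule.related_rule]
        # "transactions.Department" with parent field "Department" -> follow the "transactions" link
        link = rule.field
        suffix = "." + parent.field
        if link.endswith(suffix):
            link = link[: -len(suffix)]
        linked = get_path(record, link)
        if linked is None:
            return False
        linked_records = linked if isinstance(linked, list) else [linked]
        return any(visible(parent, r, user, rules, depth + 1) for r in linked_records)
    raise ValueError(f"unknown operator {rule.operator!r}")


def can_act(user: dict, action: str, model: str, record: dict,
            access_perms: dict[str, set[str]], visibility_rules: list[str],
            rules: dict[str, Rule]) -> bool:
    """Both halves are required: an Access Permission for the model AND a passing Data Permission."""
    if action not in access_perms.get(model, set()):
        return False
    applicable = [rules[n] for n in visibility_rules if rules[n].model == model]
    return any(visible(r, record, user, rules) for r in applicable)   # rules for one model OR together (assumed)


# --- constructed sample data (not from the page) ---
ALICE = {"id": "alice", "manager": "carol", "department": "Finance"}
CAROL = {"id": "carol", "manager": None, "department": "Finance"}
BOB = {"id": "bob", "manager": "carol", "department": "Sales"}
P1 = {"id": "P1", "owner": "bob"}
T1 = {"id": "T1", "submitted_by": ALICE, "Department": "Finance", "Project": P1}
T2 = {"id": "T2", "submitted_by": BOB, "Department": "Sales", "Project": None}
S1 = {"id": "S1", "transactions": [T1]}
S2 = {"id": "S2", "transactions": [T2]}

RULES = {r.name: r for r in [
    Rule("mgr_tx", "Transaction", "submitted_by.manager", "Own"),                         # manager scenario
    Rule("dept_tx", "Transaction", "Department", "Own", user_attr="department"),         # departmental rule 1
    Rule("dept_sup", "Supplier", "transactions.Department", "Related", related_rule="dept_tx"),  # rule 2
    Rule("my_projects", "Project", "owner", "Own"),                                      # project rule 1
    Rule("proj_tx", "Transaction", "Project", "Related", related_rule="my_projects"),    # project rule 2
]}
ACCESS = {"Transaction": {"#READ", "#UPDATE"}, "Supplier": {"#READ"}}   # an Access Group's permissions

if __name__ == "__main__":
    print("carol sees T1 as manager:", visible(RULES["mgr_tx"], T1, CAROL, RULES))
    print("alice sees S1 via Finance transactions:", visible(RULES["dept_sup"], S1, ALICE, RULES))
    print("alice may #UPDATE S1:", can_act(ALICE, "#UPDATE", "Supplier", S1, ACCESS, ["dept_sup"], RULES))
```

Note the last call: alice can see supplier S1 through the Related rule, but the Access Group only grants #READ on Supplier, so #UPDATE is refused. That is the "both halves" rule from the recap, and it is the check to run when a user reports that they can see a record but cannot edit it.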

SSO and User Provisioning (Microsoft Entra ID)

Integrating with an Identity Provider (IdP) like Microsoft Entra ID streamlines user management and enhances security.

  • Single Sign-On (SSO):
    • Allows users to log in to Zudello using their existing Microsoft credentials.
    • Configuration involves registering Zudello as an application in Entra ID and configuring the connection details in Zudello (Org Settings > SSO & User Provisioning).
    • Improves user experience (fewer passwords) and security (leverages Microsoft's authentication policies).
    • See Configure Entra ID Provisioning.
  • User Provisioning (SCIM):
    • Automates the creation, update, and deactivation of users and team memberships in Zudello based on group membership in Entra ID.
    • Requires configuring SCIM provisioning in Entra ID and linking an Entra ID group to Zudello Teams in the Zudello SSO settings.
    • Reduces administrative overhead and ensures access is automatically granted/revoked based on Entra ID group changes.
    • Can sync basic user details (Name, Email) and Manager relationship.
    • See Microsoft Entra ID User Provisioning.

Managing Delegation

Delegation allows users to temporarily assign their approval tasks (and potentially duties) to another user.

  • User Configuration: Users configure their own delegations via Profile > Delegation on a per-team basis. They select the delegate, set start/end dates, and choose options.
  • Admin Configuration: Org Admins can configure delegations for other users via Organisation Settings > Users > Edit User > Delegation tab.
  • Key Options:
    • Delegate: The user receiving the delegated tasks.
    • From/Until Dates: Defines the active period.
    • Delegate existing approval requests: If ON, any requests pending when the delegation starts are also reassigned.
    • Delegate Duties: If ON, the delegate temporarily inherits the delegator's User Group memberships (and thus their Access/Data Permissions) for the specific team while the delegation is active. This is necessary when the delegate would not normally have the visibility or permissions required to action the delegated tasks, but it is also a time-boxed privilege grant: the delegate holds everything the delegator holds in that team, so keep the From/Until window as short as practical and include active delegations in access reviews.
  • How it Works: When an approval step is assigned, the system checks whether the assigned user has an active delegation for that team. If so, the approval is automatically reassigned to the delegate. If "Delegate Duties" is ON, the delegate's permissions are temporarily elevated for that team for the duration of the delegation.

See Delegate Approvals Overview, Delegation Not Working Correctly.
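The following is an added example, not Zudello's own code, that simulates the routing described under "How it Works": a new approval step is redirected while a delegation is active, already-pending requests move only when "Delegate existing approval requests" is ON, and the delegate's effective User Groups are widened only while "Delegate Duties" is ON. The inclusive date window, the team-scoping check and the single-hop behaviour (a delegate's own delegation is not followed) are assumptions; team names, users and approval IDs are constructed.

```python
"""Simulation of delegation routing and the two delegation options (added example, not product code)."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Delegation:
    delegator: str
    delegate: str
    team: str
    start: date                       # "From" date
    until: date                       # "Until" date, treated as inclusive (assumed)
    delegate_existing: bool = False   # "Delegate existing approval requests"
    delegate_duties: bool = False     # "Delegate Duties"

    def active(self, team: str, day: date) -> bool:
        return self.team == team and self.start <= day <= self.until


@dataclass
class Approval:
    id: str
    team: str
    assignee: str
    status: str = "pending"
    history: list[str] = field(default_factory=list)


def active_delegation(delegations: list[Delegation], user: str, team: str, day: date) -> Delegation | None:
    """First active delegation where `user` is the delegator for this team, else None.
    Only one hop is followed: the delegate's own delegations are not chained (assumed)."""
    for d in delegations:
        if d.delegator == user and d.active(team, day):
            return d
    return None


def route_new_approval(approval: Approval, delegations: list[Delegation], day: date) -> Approval:
    """Called when an approval step is assigned: reassign if the assignee is delegating in this team."""
    d = active_delegation(delegations, approval.assignee, approval.team, day)
    if d is not None:
        approval.history.append(f"{approval.assignee}->{d.delegate} on {day} (delegation)")
        approval.assignee = d.delegate
    return approval


def apply_delegation_start(delegation: Delegation, approvals: list[Approval], day: date) -> list[str]:
    """Run when a delegation becomes active. Requests already pending with the delegator move
    only if 'Delegate existing approval requests' is ON. Returns the IDs that were moved."""
    moved: list[str] = []
    if not (delegation.delegate_existing and delegation.active(delegation.team, day)):
        return moved
    for a in approvals:
        if a.status == "pending" and a.team == delegation.team and a.assignee == delegation.delegator:
            a.history.append(f"{a.assignee}->{delegation.delegate} on {day} (existing request)")
            a.assignee = delegation.delegate
            moved.append(a.id)
    return moved


def effective_groups(user: str, team: str, memberships: dict, delegations: list[Delegation], day: date) -> set[str]:
    """User Group memberships of `user` in `team`, plus the delegator's groups while a
    'Delegate Duties' delegation to this user is active. This is the privilege grant an
    access review should surface: outside the window the extra groups disappear."""
    groups = set(memberships.get((user, team), set()))
    for d in delegations:
        if d.delegate == user and d.delegate_duties and d.active(team, day):
            groups |= set(memberships.get((d.delegator, team), set()))
    return groups


# --- constructed sample data (not from the page) ---
TEAM = "AU-Finance"
MEMBERSHIPS = {
    ("alice", TEAM): {"AP Approvers", "Finance Visibility"},
    ("bob", TEAM): {"Requesters"},
}
DELEGATIONS = [
    Delegation("alice", "bob", TEAM, date(2024, 7, 1), date(2024, 7, 14),
               delegate_existing=True, delegate_duties=True),
]


def run_scenario() -> dict:
    """Walk one delegation window: a request pending before it, one raised during it, one after it."""
    pending_before = Approval("INV-100", TEAM, "alice")                      # raised 30 Jun, still pending
    moved = apply_delegation_start(DELEGATIONS[0], [pending_before], date(2024, 7, 1))
    during = route_new_approval(Approval("INV-101", TEAM, "alice"), DELEGATIONS, date(2024, 7, 10))
    after = route_new_approval(Approval("INV-102", TEAM, "alice"), DELEGATIONS, date(2024, 7, 15))
    other_team = route_new_approval(Approval("INV-103", "NZ-Finance", "alice"), DELEGATIONS, date(2024, 7, 10))
    return {
        "moved_existing": moved,
        "during": during.assignee,
        "after": after.assignee,
        "other_team": other_team.assignee,
        "bob_groups_during": effective_groups("bob", TEAM, MEMBERSHIPS, DELEGATIONS, date(2024, 7, 10)),
        "bob_groups_after": effective_groups("bob", TEAM, MEMBERSHIPS, DELEGATIONS, date(2024, 7, 15)),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The scenario shows the two things that most often explain "delegation not working" reports: a request raised in a different team is untouched because delegations are per team, and a request raised the day after the Until date goes back to the delegator. It also makes the Delegate Duties effect concrete: bob holds alice's "AP Approvers" and "Finance Visibility" groups on 10 July and only "Requesters" on 15 July.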

Security Best Practices

  • Principle of Least Privilege: Assign users only the permissions and data access absolutely necessary for their role. Avoid overly broad access.
  • Use User Groups: Manage permissions via roles/groups, not individual users.
  • Strong Passwords & MFA: Enforce strong password policies and Multi-Factor Authentication (ideally via SSO integration).
  • Regular Audits: Periodically review user access, group memberships, and permissions. Remove inactive users promptly.
  • SSO/User Provisioning: Implement SSO and SCIM provisioning for centralized identity management and automated access control.
  • Data Permissions: Utilize Data Permissions to restrict visibility to sensitive information based on role or responsibility.
  • Secure API Keys: Protect API keys used for integrations. Use dedicated keys with limited permissions where possible.
  • Monitor Audit Logs: Regularly review audit logs for suspicious activity related to user management or permission changes.

See User Security Best Practices.

Audit Trails

Zudello logs various user management and security-related events:

  • User Creation/Updates/Deactivation: Logged in Organisation audit trails.
  • User Group Creation/Updates/Deletion: Logged in Organisation audit trails.
  • Permission Changes: Changes to permissions within User Groups are logged.
  • Group Membership Changes: Adding/removing users from groups within teams is logged.
  • Login Events: Successful and failed login attempts are logged (accessible via backend/Zitadel).
  • Delegation Changes: Setting/modifying delegations is logged.
  • Impersonation Sessions: Staff impersonation sessions are logged internally.

Accessing these logs typically requires Organisation Admin privileges or specific audit permissions. Reviewing these logs periodically is crucial for security monitoring and compliance.

By leveraging Zudello's comprehensive user management features and adhering to security best practices, organisations can ensure secure, compliant, and efficient access control.