In addition to defining users on Invantive Cloud, it is also possible to give implementation and support consultants temporary access to an Invantive Cloud environment.
In the past, consultants often worked with Invantive Cloud using a separate e-mail address per customer, or followed a complex procedure to change from customer to customer with the same login code. This made it difficult to work smoothly for multiple customers. Besides being impractical, it was also expensive: every change between environments involved time from consultant, customer and support.
With delegation on Invantive Cloud, these disadvantages disappear, while risk-mitigating security measures are enforced by automating the process.
Delegation
Each environment is permanently linked to an organization and contains for example databases, users and applications. Within the multiple tenant (“multi-tenant”) architecture, each environment is shielded from other environments.
With the new delegation feature, it is possible to grant third parties temporary access to your own environment. These third parties then log on to Invantive Cloud with their own account, but can switch to environments to which they have been granted rights through delegation.
In this topic you will learn how delegation works on Invantive Cloud.
Workflow
The workflow for delegation consists of the following steps:
- The consultant creates an account on Invantive Cloud through Signup.
- Most consultants use a free consultancy subscription for this.
- The organization has already set up an environment through a subscription.
Delegation
Delegation is granted based on email addresses in the “New Delegation” screen, available through the “Licensing” group from the left-side menu:
The “Delegations” screen is only accessible by superusers of an organization.
The third party must register or have already registered on Invantive Cloud under this email address. When the delegation is registered, an invitation to subscribe is also sent to the specified email address.
A delegation has a standard duration of one week. After the delegation period ends, the third party can no longer switch to the organization. However, the third party can then switch to other organizations for which a delegation has been issued and back to their own organization. The duration of a delegation can be varied.
The maximum duration of delegation is twelve months from the date of entry. Delegation to service accounts is not possible; delegation can only be made to personal accounts.
Changing Organization
A user who has received delegation will see a drop-down list at the top of the screen:
In this case, the user is a member of their own organization (the so-called “real party”), Invantive BV. This can be recognized by the small building icon without the arrow. In addition, the user has been given access to “The company being helped”.
By choosing an organization other than the user’s own, the user works as if a member of the other organization, for as long as the user does not switch again and the delegation has not expired. The active party is called the “effective party”.
Frequently switching between organizations can be confusing and lead to usage errors. Therefore, a clear bar is always shown at the top of the screen when another organization is used via delegation:
Immediately after switching, a notification is also shown that a different organization has been chosen, as visible in the green block in the image above. The new organization becomes effective immediately, both through Invantive Cloud and through Invantive Bridge Online and Invantive App Online.
All superusers of the effective organization receive an email whenever a user switches to and from the organization by delegation.
Access to Data
A user who is granted access to an organization via delegation also has access to the organization’s data that is stored encrypted, just like a regular user of the organization. This includes tokens needed to open an environment, but also data from caches.
Subscription Fees
Third party usage via delegation is charged to the effective organization as if it were activity by a regular user.
Power BI Service and Other Services
It is not recommended to build automatic processing that uses a consultancy account based on delegation. At a minimum, error messages can occur because the consultant no longer has the delegation active; in a worst-case scenario, a data breach can occur between two customers of a consultant.
Therefore, never use a consultant’s account to have Power BI reports refreshed, for example. Preferably use a service account for refreshing. A service account has few rights in the screens, but works fine for updating reports.