Accounts and account users
An account isolates all the apps, tenants, and service access keys of an organization under the same umbrella. Also, the account is the billing point for usage of SBS.
Creating accounts
To create an account:
- Having signed in to the console, select New Account from the dropdown list in the top-right corner.
- Enter an account name (for example, “Production”), and then click Add.
Once you have created the account, you can proceed to create your organization’s apps, tenants and security keys for accessing SBS services. Alternatively, you may add other trusted users to your organization’s account and let them perform the required configuration.
You can create multiple accounts if necessary. This could be useful, for example, if you would like to maintain separate data (such as apps, tenants, and service access keys) for development and production. Multiple accounts could also be useful if your organization has several subsidiaries for which you would like to keep billing and data separate.
Switching accounts
You can switch between accounts by selecting the relevant account name from the dropdown list in the top-right corner of the page.
Account users
An SBS account may be managed by multiple users.
Whenever you create a new account, the email with which you logged in becomes the root user for the account. As an account’s root user, you can add several other users to the account. These could be people in your organization that are entitled to view or create SBS data, including sensitive data such as service access keys.
When adding new user accounts, the root user determines the permissions that the new accounts will have. For example, you can add a user account that will only be able to view and query existing data, without any rights to modify it. The permissions of non-root account users may be subsequently updated or their account removed completely.
Account user permissions (scope)
For any account user that you add to the SBS Console, you can define the GUI actions that should be available to the user, as well as the data that should be visible to the user. This is achieved by setting a parameter called scope. You can set the scope when adding a new account user, or when updating an existing one. An account user’s scope has the following characteristics:
- A null or empty scope means the user is granted access to all queries and mutations available in the GraphQL tab of the SBS Console, and implicitly to all the user interface actions available in the SBS Console. Note that all the user interface actions available in the SBS Console are exposed by the Account API.
- If set, the scope must be a string composed of at least one token that takes the form account-api:query:{query-name} or account-api:mutation:{mutation-name}. For example, the scope account-api:query:tenants allows the user to run the tenants query but denies running any other queries or mutations.
- The asterisk character (*) denotes access to all queries (or mutations, as applicable). For example, the scope account-api:query:* means that the user has access to all queries of the Account API. Likewise, the scope account-api:mutation:* means that the user has access to all mutations.
- If the scope contains multiple tokens, they must be separated by (i) a space character, if you are using the GraphQL interface, or (ii) a new line, if you are using the WebUI interface. Examples follow in the instructions below.
- The broadest scope is account-api:query:* account-api:mutation:* and it means that the user has access to all queries and mutations of the Account API. This is equivalent to not setting the scope at all (see bullet one above).
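The scope rules above can be checked offline before a scope string is assigned to a user. The following Python sketch is an added example, not SBS code: it models the rules exactly as this page states them, and the function names and the assumption that operation names are GraphQL identifiers are introduced here for illustration.

```python
import re

# Token grammar as described on this page: account-api:query:{name} or
# account-api:mutation:{name}, where {name} may be the wildcard "*".
# Assumption: operation names are GraphQL identifiers.
TOKEN_RE = re.compile(r"account-api:(query|mutation):(\*|[_A-Za-z][_0-9A-Za-z]*)")


def parse_scope(scope):
    """Return None for an unset scope (full access), else a set of (kind, name)."""
    if scope is None or not scope.strip():
        return None  # null or empty scope: every query and mutation is allowed
    grants = set()
    # str.split() handles both separators: spaces (GraphQL) and new lines (WebUI).
    for token in scope.split():
        match = TOKEN_RE.fullmatch(token)
        if match is None:
            raise ValueError(f"malformed scope token: {token!r}")
        grants.add((match.group(1), match.group(2)))
    return grants


def is_allowed(scope, kind, name):
    """Would this scope permit running the given query or mutation?"""
    grants = parse_scope(scope)
    if grants is None:
        return True
    return (kind, name) in grants or (kind, "*") in grants


def is_full_access(scope):
    """True when the scope is equivalent to the broadest scope."""
    grants = parse_scope(scope)
    return grants is None or {("query", "*"), ("mutation", "*")} <= grants


if __name__ == "__main__":
    read_only = "account-api:query:*"
    print(is_allowed(read_only, "query", "tenants"))          # read access
    print(is_allowed(read_only, "mutation", "createTenant"))  # write access
    print(is_full_access(""))  # an empty scope is the broadest grant
```

Running the check before saving a scope catches the two easy mistakes: a mistyped token, and a field left empty in the belief that empty means no access.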
Add account users
Important
- Currently, only persons with Google or Microsoft email accounts can be added as SBS account users.
- Before adding an account user to the SBS console, first ask the user to sign in to the SBS console once with their Google or Microsoft email account.
After the user has signed in to the SBS console, you can proceed to actually adding them as users of a specific SBS account, as follows:
- Sign in to the SBS Console.
- From the accounts list in the top-right corner of the page, select the account to which you would like to add the user.
- Click the WebUI tab.
- Click Account Users in the navigation menu on the left-hand side.
- Click New Account User. A dialog box pops up.
- Enter the user’s email address. Be aware that this must be either a Google or Microsoft email address and the respective person must have logged into the SBS Console at least once.
- Under Scope, enter the extent of permissions (scope) that should be available to the newly created user. For details, see Scope editor. Note that, if you leave the scope empty, the user will be granted full access to the Account API (and implicitly to all the actions available in the SBS Console).
- Click Add.
If you prefer to add account users through GraphQL, take the following steps:
- Sign in to the SBS Console.
- From the accounts list in the top-right corner of the page, select the account to which you would like to add the user.
- Click the GraphQL tab.
- Enter the following mutation:
mutation addAccountUser($input:AddAccountUserInput) {
  addAccountUser(input:$input) {
    email
    scope
  }
}
In the Variables section, make sure to replace the example email below with the actual email of the person you want to add:
{
  "input": {
    "email": "SOME_GOOGLE_EMAIL",
    "scope": "account-api:query:*"
  }
}
In the mutation above, the scope parameter is set to account-api:query:*, which means that the account user will have permissions only to query data but not modify it. You can subsequently modify the user’s permissions to be as broad or as fine-grained as required, as further described under Update permissions.
View account users
You can view the account users linked to a particular SBS account as follows:
- If you haven’t done that already, sign in to the SBS Console.
- From the accounts list in the top-right corner of the page, select the account of interest.
- Click the WebUI tab.
- Click Account Users in the navigation menu on the left-hand side.
If you prefer to use GraphQL, run the following query in the GraphQL tab:
query accountUsers {
  accountUsers {
    id
    name
    email
    picture
    provider
    scope
    isRoot
    createdAt
  }
}
To run this query, you must either be logged into a root user account, or be an account user with permissions to run this query.
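Because an unset scope grants full access, the output of this query is worth reviewing for non-root users who hold more than they need. The Python sketch below is an added example, not part of the SBS documentation: the response is constructed sample data in the standard GraphQL response shape, trimmed to the fields the check uses, and the function name is hypothetical.

```python
import json

# Constructed sample: a response to the accountUsers query shown above,
# trimmed to the fields the audit needs. All values are made up.
SAMPLE_RESPONSE = """
{"data": {"accountUsers": [
  {"id": "u1", "email": "root@example.com", "scope": null, "isRoot": true},
  {"id": "u2", "email": "ops@example.com", "scope": "", "isRoot": false},
  {"id": "u3", "email": "dev@example.com",
   "scope": "account-api:query:* account-api:mutation:*", "isRoot": false},
  {"id": "u4", "email": "audit@example.com",
   "scope": "account-api:query:*", "isRoot": false},
  {"id": "u5", "email": "tenants@example.com",
   "scope": "account-api:query:* account-api:mutation:createTenant", "isRoot": false}
]}}
"""


def audit_account_users(response_text):
    """Return (email, finding) pairs for non-root users with broad write access."""
    users = json.loads(response_text)["data"]["accountUsers"]
    findings = []
    for user in users:
        if user.get("isRoot"):
            continue  # root permissions cannot be overwritten, so nothing to fix
        tokens = (user.get("scope") or "").split()
        if not tokens:
            findings.append((user["email"], "scope unset: full Account API access"))
        elif "account-api:mutation:*" in tokens:
            findings.append((user["email"], "wildcard grants every mutation"))
    return findings


if __name__ == "__main__":
    for email, finding in audit_account_users(SAMPLE_RESPONSE):
        print(f"{email}: {finding}")
```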
Update permissions
You can update the permissions (scope) of an existing account user as follows:
- If you haven’t done that already, sign in to the SBS Console.
- From the accounts list in the top-right corner of the page, select the account of interest.
- Click the WebUI tab.
- Click Account Users in the navigation menu on the left-hand side.
- Click the account user whose permissions you would like to change.
- Click the Edit button next to Scope. A dialog box opens.
- In the Scope field, enter the extent of permissions (scope) that should be available to the account user. For details, see Scope editor. Note that, if you leave the scope empty, the user will be granted full access to the Account API (and implicitly to all the actions available in the SBS Console).
If you prefer to use GraphQL, run the updateAccountUser mutation from the GraphQL tab. Essentially, this mutation takes as input the ID of the account user to be updated and a scope parameter.
The code listing below is an example of updating the user permissions so that they can run any query of the Account API but only the createTenant and updateTenant mutations.
mutation updateAccountUser($id:ID!, $input:UpdateAccountUserInput!) {
  updateAccountUser(id:$id, input:$input) {
    id
    email
    scope
  }
}
In the Variables section, make sure to replace the ID of the account user as required:
{
  "id": "YOUR_ACCOUNT_USER_ID",
  "input": {
    "scope": "account-api:query:* account-api:mutation:createTenant account-api:mutation:updateTenant"
  }
}
Notes
- An account user may have access to multiple accounts. Updating the account user’s permissions takes effect only for the account currently selected from the Accounts list in the top-right corner of the page.
- The permissions of a root account user cannot be overwritten.
Remove account users
You can delete account users as follows:
- If you haven’t done that already, sign in to the SBS Console.
- From the accounts list in the top-right corner of the page, select the account of interest.
- Click the WebUI tab.
- Click Account Users in the navigation menu on the left-hand side.
- Click Delete next to the account user you would like to delete, and confirm your action when prompted.
If you prefer to delete account users through GraphQL, run:
mutation removeAccountUser($id:ID!) {
  removeAccountUser(id:$id) {
    id
    email
    scope
  }
}
In the Variables section, make sure to replace the ID of the account user as required:
{
  "id": "YOUR_ACCOUNT_USER_ID"
}
Notes
- An account user may have access to multiple accounts. Removing the account user takes effect only for the account currently selected from the Accounts list in the top-right corner of the page.
- The root account user cannot be removed.