SBS accounts and account users

An SBS account isolates all the apps, tenants, and service access keys of an organization under the same umbrella. Also, it is the billing point for usage of SBS.

Each time you sign in to the SBS Console, you are prompted to choose the SBS account that you would like to work with. This is your current working account and its name and ID are displayed at all times in the top application bar, for example:

Current SBS Account

If you are the first user to set up SBS for your organization, you must create an SBS account before you can start creating your organization’s apps, tenants and access keys. You can later invite other users in your organization to this account.

Creating SBS accounts

To create an SBS account:

Sign in to the SBS Console. The account selection page is loaded.
Click Create SBS Account and fill in all the mandatory fields (underlined in orange color).

You can update the account information later, from the Account Settings page (accessible from the navigation menu on the left-hand side).

You may create multiple accounts if necessary. This could be useful, for example, if you would like to maintain separate data (such as apps, tenants, and service access keys) for development and production. Multiple accounts could also be useful if your organization has several subsidiaries for which you would like to keep billing and data separately.

Switching accounts

As an SBS Console user, you may have access to multiple SBS accounts. These could be accounts created by you or by someone else in your organization.

When you are signed into the SBS Console, you can work with only one SBS account at a time. If you have access to multiple SBS accounts, you can switch between them as follows:

Click the user profile icon in the top-right corner of the page.
Click Switch Account.
Click the account that which you would like to switch to (the first column of the grid).

Switch accounts

Account users

An SBS account may be managed by multiple users.

Whenever you create a new account, the identity with which you are signed in becomes the root user for the account. As an account’s root user, you can invite several other users to the account. These could be people in your organization that are entitled to view or create SBS data, including sensitive data such as service access keys.

When inviting other users to the SBS account, the root user determines the permissions that the new users will have. For example, you can invite users that will only be able to view and query existing data, without any rights to modify it. The permissions of non-root account users may be subsequently updated or their account removed completely.

Invite account users

You can invite other users (for example, people in your organization) to view or manage the current SBS account. This works as follows:

First, you define the permissions of the new account user and send an invitation email.
The invited user accepts the invitation from their inbox by clicking a link.
The link redirects the user to the SBS Console, where the user can sign in (or sign up if they haven’t used the SBS Console before).
After signing in or signing up, the invited user is able to view and work with the SBS Account where they have been invited.

To invite an user to the current SBS Account:

Sign in to the SBS Console.
If necessary, switch to the account where you would like to add the user. Remember that the current SBS account (name and ID) is displayed at all times in the top application bar.
Click Account Users in the navigation menu on the left-hand side.
Click Invite Account User. A dialog box pops up.
Enter the user’s email address.
Optionally, enter a text for the invitation message.
Under Scope, enter the extent of permissions (scope) that should be available to the newly created user. For example, to grant the user read-only rights to the SBS account, choose account-api:query:*. For details, see Scope editor.
Click Send invitation.

The user’s invitation is now displayed in the list of accounts with an “Invitation pending” status. This status signifies that the user must first accept the invitation from their email inbox before they get access to the SBS account.

Account invitation pending

If necessary, you can remove pending invitations by clicking Remove . If you do this, the user will no longer be able to fulfill the invitation sent by email and thus will not get access to the SBS account.

GraphQL

To invite account users through GraphQL, take the following steps:

Sign in to the SBS Console.
If necessary, switch to the account where you would like to add the user. Remember that the current SBS account (name and ID) is displayed at all times in the top application bar.
Switch to the GraphQL interface.
Run the following mutation:

mutation inviteAccountUser($input:InviteAccountUserInput!) {
  inviteAccountUser(input:$input) {
        id
        provider
        email
        scope
  }
}

In the Variables section, make sure to replace the example email below with the actual email of the person you want to add:

{
  "input": {
    "email": "THE_INVITED_EMAIL",
    "scope": "account-api:query:*"
  }
}

In the mutation above, the scope parameter is set to account-api:query:*, which means that the invited user will have permissions only to query the SBS account data but not modify it. You can subsequently modify the user’s permissions to be as broad or as fine-grained as required, as further described under Update permissions.

To query pending account user invitations, run the accountUserInvitations query. To remove a pending invitation, run the removeAccountUserInvitation mutation.

View account users

You can view the account users linked to a particular SBS account as follows:

If you haven’t done that already, sign in to the SBS Console and switch to the account of interest.
Click Account Users in the navigation menu on the left-hand side.

A user may have access to multiple SBS accounts. The list includes only account users linked to the account that you are currently working with (the one displayed in the application bar)

GraphQL

If you prefer to use GraphQL, run the following query in the GraphQL tab:

query accountUsers {
  accountUsers {
    id
    name
    email
    picture
    provider
    scope
    isRoot
    createdAt
  }
}

To run this query, you must either be logged into a root user account, or be an account user with permissions to run this query.

Update permissions

You can update the permissions (scope) of an existing account user as follows:

Sign in to the SBS Console.
Switch to the account of interest.
Click Account Users in the navigation menu on the left-hand side.
Click the account user whose permissions you would like to change.
Click the Edit button next to Scope. A dialog box opens.
In the Scope field, enter the extent of permissions (scope) that should be available to the newly created user. For details, see Scope editor. Note that, if you leave the scope empty, the user will be granted full access to the Account API (and implicitly to all the actions available in the SBS Console).

Notes

A user may have access to multiple SBS accounts. Updating the account user’s permissions takes effect only for the account that you are currently working with (the one displayed in the application bar)
The permissions of a root account user cannot be overwritten.

GraphQL

If you prefer to use GraphQL, run the updateAccountUser mutation from the GraphQL tab. Essentially, this mutation takes as input the ID of the account user to be updated and a scope parameter.

The code listing below is an example of updating the user permissions so that they can run any query of the Account API but only the createTenant and updateTenant mutations.

mutation updateAccountUser($id:ID!, $input:UpdateAccountUserInput!) {
  updateAccountUser(id:$id, input:$input) {
    id   
    email   
    scope
  }
}

In the Variables section, make sure to replace the ID of the account user as required:

{
  "id": "YOUR_ACCOUNT_USER_ID",
  "input": {
    "scope": "account-api:query:* account-api:mutation:createTenant account-api:mutation:updateTenant"
  }
}

Remove account users

You can delete account users as follows:

Sign in to the SBS Console.
Switch to the account of interest.
Click Account Users in the navigation menu on the left-hand side.
Click Delete next to the account user you would like to delete, and confirm your action when prompted.

Notes

A user may have access to multiple SBS accounts. Removing the user takes effect only for the account that you are currently working with (the one displayed in the application bar).
The root account user cannot be removed.

GraphQL

If you prefer to delete account users through GraphQL, run:

mutation removeAccountUser($id:ID!) {
  removeAccountUser(id:$id) {
    id   
    email   
    scope
  }
}

In the Variables section, make sure to replace the ID of the account user as required:

{
  "id": "YOUR_ACCOUNT_USER_ID"
}

Web UI and GraphQL interfaces Restrict access to services

SBS accounts and account users

Creating SBS accounts

Switching accounts

Account users

Invite account users

GraphQL

View account users

GraphQL

Update permissions

GraphQL

Remove account users

GraphQL

Read more