Enterprise Administration
- Enterprise Administration: The Enterprise Administration feature enables the Account Administrators in an organization to manage users, groups and accounts for their lines of business. Account administrators can manage users and multiple accounts from a centralized location. This includes organizing multiple accounts into sub-accounts, control sharing abilities between users and accounts, and configure self-service branding capabilities across all accounts. This feature leverages the following items:
- Roles and Permissions — When a user is added to an account, the Account Administrator assigns them a role with an associated set of permissions that determine the actions available to the user. Roles make it easy to manage the access rights of a large number of users without having to change permission options on an account-by-account basis. The following default roles are available within every account (each with its associated set of permissions): Administrator, Manager and Sender. These default roles are not customizable, and they cannot be deleted. Account Administrators can nonetheless: (1) create customized roles, assigning a customized set of permissions to each one; (2) make a customized role available within specified accounts or sub-accounts.
- Sub-accounts — The sub-accounts feature enables an organization to create child accounts within the organization's master account. For example, an organization might want to create child accounts on the basis of its departments, geographical locations, or lines of business. Accounts can be created on three levels (parent > child > grandchild), enabling an organization to manage many account types under its master account.
- Branding: Account Administrators can re-brand parts of the Signer Experience for signers such as logos and color schemes.
Please contact our Support Team to configure Enterprise Administration for your accounts. The configuration options include: (1) activating roles and permissions for specific accounts; (2) activating the sub-accounts feature; (3) converting an existing account into a sub-account under an existing master account.
The rest of this page discusses:
Changing Accounts
To change the account that you're working within:
- Click the Accounts icon on the Navigation Bar.
- Select the account or sub-account to which you'd like to switch.
Sub-Account Features
The following table lists some of the sub-account features that can be configured via Enterprise Administration. This list is currently incomplete, but it will gradually be made complete.
| Feature | Description |
|---|---|
| Specify a language for each sub-account |
Enables a OneSpan Sign BackOffice administrator to specify a different language for each sub-account. This feature works as follows:
|
| Account owners can create sub-accounts | Enables account owners to use the API to create and edit sub-accounts one level beneath their account. This includes the ability to specify each sub-account’s language. |
| Add the same user to multiple sub-accounts | Note: If a Manager adds an existing user in one sub-account to another sub-account, the Manager must have the User Management permission in both sub-accounts. |
| Specify a different API and Callback for each sub-account |
This feature is subject to the following limitations:
|
| Add new roles and permissions at each account level |
Note that :
|
| Authorize SSO |
Authorizes senders to assign SSO (Single Sign-On) authentication to users in sub-accounts. The following rules apply when SSO is used via Enterprise Administration:
The following examples create a user in various circumstances. Example 1: New User – Not a Sub-account – Existing Process Enter Account UID: gPCmnJDcogYF Example 2: New User – Sub-account – Single Role – Single Account account ZABLAmXNEcI6 [[email protected]] role member type Regular Example 3: New User – Sub-account – Multiple Roles – Multiple Accounts subaccounts - { "userType":"Regular", "phone":"5149147978", "subaccounts": [ {"accountUid":"VXungYOf8tM8", "roles":["member"]}, {"accountUid":"n5RHIbdfkpIP", "roles":["manager"]}] } |
| Authorize the Print Driver | Authorizes users in sub-accounts to install the OneSpan Sign Print Driver on their machines. |
| Authorize CMK - External (HYOK) |
Authorizes an account's data to be encrypted with an External CMK that is used only for that account (CMK = Customer Master Key). This key is stored in the customer's Amazon account (HYOK = Hold Your Own Key). A Private CMK can be enabled only at the root level from OneSpan Sign BackOffice, and applies to all subsequent sub-accounts. To say more about a specific customer's request for a Private CMK, we would need to know its exact use case. |
| Integration/API support |
Various API calls are supported for sub-accounts. To view them, click the down arrows in the Roles and SubAccounts rows on the following page: https://community.onespan.com/products/onespan-sign/sandbox#/ |
| Customize inherited account settings |
By working with our Support Team, you can customize the settings that sub-accounts will inherit from a parent account. Note: As the next table records, the Time Zone setting cannot be inherited by sub-accounts. |
Sub-Account Limitations
Sub-accounts are subject to the following limitations:
| Limitation | Description |
|---|---|
| Production Accounts | Once a sub-account has been enabled in Production, it cannot be disabled. |
| OneSpan Sign Connectors | Sub-accounts are not supported for OneSpan Sign connectors. |
| Client Apps | An integrated customer using Client Apps cannot use sub-accounts. Sub-accounts do not work with Client Apps. |
| Consolidated Reports | Downloading a single consolidated report for all sub-accounts is not supported. |
| Account Owners | If sub-accounts are enabled, the concept of an Account Owner no longer applies. Instead, the former Account Owner becomes the Admin of the root account, with permission to manage the sub-accounts' users. |
| Deleting a user from a sub-account deletes them from an entire sub-account tree | If a user belongs to multiple sub-accounts in a sub-account tree, deleting the user from one sub-account will delete them from the entire tree. The user will no longer appear in any of that tree's sub-accounts. |
| Inherited root account settings |
Sub-accounts do not inherit the following root account setting:
|
| Merging enabled sub-accounts with other sub-accounts | The system does not support merging an account with enabled sub-accounts into an account without enabled sub-accounts. It can only convert an account without enabled sub-accounts into a sub-account of a different root account/account tree. |
| Moving users | The system does not support moving users from one sub-account to a sub-account of a different tree. |