Last modified: 2023-01-28

Enterprise Administration

  • Enterprise Administration: The Enterprise Administration feature enables the Account Administrators in an organization to manage users, groups and accounts for their lines of business. Account administrators can manage users and multiple accounts from a centralized location. This includes organizing multiple accounts into sub-accounts, control sharing abilities between users and accounts, and configure self-service branding capabilities across all accounts. This feature leverages the following items:
    • Roles and Permissions — When a user is added to an account, the Account Administrator assigns them a role with an associated set of permissions that determine the actions available to the user. Roles make it easy to manage the access rights of a large number of users without having to change permission options on an account-by-account basis. The following default roles are available within every account (each with its associated set of permissions): Administrator, Manager and Sender. These default roles are not customizable, and they cannot be deleted. Account Administrators can nonetheless: (1) create customized roles, assigning a customized set of permissions to each one; (2) make a customized role available within specified accounts or sub-accounts.
    • Sub-accounts — The sub-accounts feature enables an organization to create child accounts within the organization's master account. For example, an organization might want to create child accounts on the basis of its departments, geographical locations, or lines of business. Accounts can be created on three levels (parent > child > grandchild), enabling an organization to manage many account types under its master account.
    • Branding: Account Administrators can re-brand parts of the Signer Experience for signers such as logos and color schemes.
    • Please contact our Support Team to configure Enterprise Administration for your accounts. The configuration options include: (1) activating roles and permissions for specific accounts; (2) activating the sub-accounts feature; (3) converting an existing account into a sub-account under an existing master account.

The rest of this page discusses:

Changing Accounts

To change the account that you're working within:

  1. Click the Accounts icon on the Navigation Bar.
  1. Select the account or sub-account to which you'd like to switch.

Sub-Account Features

The following table lists some of the sub-account features that can be configured via Enterprise Administration. This list is currently incomplete, but it will gradually be made complete.

Feature Description
Specify a language for each sub-account

Enables a OneSpan Sign BackOffice administrator to specify a different language for each sub-account.

This feature works as follows:

  • The User Experience for senders appears in the sub-account’s specified language;

  • A sub-account’s invitation emails are sent in its specified language;

  • If a user moves to another sub-account that has a different specified language, the user's displayed language won’t change;

  • A user’s manual selection of a language overrides the language specified for a sub-account;

  • When a signer manually selects a language within a transaction, that selection applies only within the transaction;

  • The language of a signer who has a sender account cannot be changed. Their language is locked to the one they’re currently using.

Account owners can create sub-accounts Enables account owners to use the API to create and edit sub-accounts one level beneath their account. This includes the ability to specify each sub-account’s language.
Add the same user to multiple sub-accounts Note: If a Manager adds an existing user in one sub-account to another sub-account, the Manager must have the User Management permission in both sub-accounts.
Specify a different API and Callback for each sub-account

This feature is subject to the following limitations:

  • Enabling a user from a sub-account to access the transactions from a different user in a lower sub-account requires the permission Manage users' transactions, templates, layouts (API);

  • If a sub-account doesn’t have specified Callback settings, by default it inherits the Callback settings from its parent account. This default behavior can be disabled only in OneSpan Sign BackOffice.

Add new roles and permissions at each account level

Note that :

  • Roles that apply to all sub-accounts must be created in the top-level account, and are marked with an “Earth” icon;.

  • Roles created in a specific sub-account can be used only within that sub-account;.

  • A user may be granted both types of roles — ones created in the top-level account, and ones created in specific sub-accounts.

Authorize SSO

Authorizes senders to assign SSO (Single Sign-On) authentication to users in sub-accounts.

The following rules apply when SSO is used via Enterprise Administration:

  • When a user is being created for a sub-account, all settings must be configured using Keycloak.

  • A user can be added to any account under one tree, but cannot be added to two different trees.

  • After a user is added to one account, they cannot be added to another account.

  • When a user type is being created via SSO, it can be assigned to multiple sub-accounts in a sub-account tree. After that initial assignment, a user type cannot be assigned to any other account under its sub-account tree.

  • When a sender assigns SSO to a user, they must identify a valid/existing role for the user.

The following examples create a user in various circumstances.

Example 1: New User – Not a Sub-account – Existing Process

Enter Account UID: gPCmnJDcogYF

Example 2: New User – Sub-account – Single Role – Single Account

account ZABLAmXNEcI6 [[email protected]]

role member

type Regular

Example 3: New User – Sub-account – Multiple Roles – Multiple Accounts

subaccounts - { "userType":"Regular", "phone":"5149147978", "subaccounts": [

{"accountUid":"VXungYOf8tM8", "roles":["member"]},

{"accountUid":"n5RHIbdfkpIP", "roles":["manager"]}] }

Authorize the Print Driver Authorizes users in sub-accounts to install the OneSpan Sign Print Driver on their machines.
Authorize CMK - External (HYOK)

Authorizes an account's data to be encrypted with an External CMK that is used only for that account (CMK = Customer Master Key). This key is stored in the customer's Amazon account (HYOK = Hold Your Own Key).

A Private CMK can be enabled only at the root level from OneSpan Sign BackOffice, and applies to all subsequent sub-accounts. To say more about a specific customer's request for a Private CMK, we would need to know its exact use case.

Integration/API support

Various API calls are supported for sub-accounts. To view them, click the down arrows in the Roles and SubAccounts rows on the following page:

Customize inherited account settings

By working with our Support Team, you can customize the settings that sub-accounts will inherit from a parent account. Note: As the next table records, the Time Zone setting cannot be inherited by sub-accounts.

Sub-Account Limitations

Sub-accounts are subject to the following limitations:

Limitation Description
Production Accounts Once a sub-account has been enabled in Production, it cannot be disabled.
OneSpan Sign Connectors Sub-accounts are not supported for OneSpan Sign connectors.
Client Apps An integrated customer using Client Apps cannot use sub-accounts. Sub-accounts do not work with Client Apps.
Consolidated Reports Downloading a single consolidated report for all sub-accounts is not supported.
Account Owners If sub-accounts are enabled, the concept of an Account Owner no longer applies. Instead, the former Account Owner becomes the Admin of the root account, with permission to manage the sub-accounts' users.
Deleting a user from a sub-account deletes them from an entire sub-account tree If a user belongs to multiple sub-accounts in a sub-account tree, deleting the user from one sub-account will delete them from the entire tree. The user will no longer appear in any of that tree's sub-accounts.
Inherited root account settings

Sub-accounts do not inherit the following root account setting:

  • Time Zone

Merging enabled sub-accounts with other sub-accounts The system does not support merging an account with enabled sub-accounts into an account without enabled sub-accounts. It can only convert an account without enabled sub-accounts into a sub-account of a different root account/account tree.
Moving users The system does not support moving users from one sub-account to a sub-account of a different tree.
Was this information helpful?