IAM Module

The ACE IAM module allows management of users and their roles in your ACE tenant.

Concepts

Tenants

A tenant is your environment. All resources created by you or by users within your tenant are stored within the scope of your tenant and cannot be accessed by users from other tenants. Each tenant has a readable name, which is used to log in to your ACE environment. By request, this name can be changed. Each tenant also has a system name, which cannot be changed. Calls to other ACE modules require this system name to determine the resources that are scoped to your tenant.

Users

The default ACE user has a username in the form of an email address, a userID and a password. This is the bare-bones instance of a user. When an admin is certain the email address of the user is correct, it can be marked as verified. By default, a user has no roles and thus cannot perform any actions on ACE. If you are offboarding a user or in case of emergency, a user account can be disabled. The user will be logged out of ACE immediately and will not be able to log back in until the account is enabled again.

Roles

ACE roles are predefined and are not customizable. Multiple roles can be assigned to users. All modules within ACE require users to have a specific role. Each role has a description of what a user can do with this role in your tenant. For example, the userAdmin role allows users to create, update and delete users, while the userViewer role only allows users to retrieve information on users.

Multi-factor authentication

Currently, ACE supports multi-factor authentication via phone number. We strongly recommend that users enable MFA. In order to enable MFA, a user must have a valid phone number on which they can receive their second-factor notification. Once MFA for a user is enabled, the user is automatically logged out of ACE and must reauthenticate with their second factor.

Google log-in

Each ACE tenant comes pre-configured with a Google log-in provider. This allows users with a Google account to authenticate to their ACE tenant. ACE IAM matches accounts based on email address. This means that in order for a user to log in with their Google account to their ACE account, their email address must match.

Guides

In order to create, edit or delete users, the UserAdmin role is required in ACE. The UserViewer role allows users to view all users within your ACE tenant.

Creating a new user

  • In your ACE environment, use the left menu to go to Users.
  • Click CREATE USER in the top left.
  • Fill out the form with the correct information. Note: If you want users to be able to use their Google login, make sure the email address matches.
  • Make sure to enter a valid phone number. This can be used for MFA to increase account security.
  • Create a strong password for the user. We enforce at least 6 characters.
  • Roles cannot be assigned when creating a new user.
  • Click SUBMIT to create the user.

Assigning roles to a user

  • In your ACE environment, use the left menu to go to Users.
  • Find the user you want to edit in the list and click EDIT.
  • In the form, select any role you wish to assign to the user.
  • Click SUBMIT to save any changes.

It might take some time for these changes to take effect. To speed up the process, a user can log out and back in.

Enabling Multi Factor Authentication for a user

In order to enable Multi Factor Authentication for a user, the user must have a valid phone number set up. Enabling MFA will fail if the phone number is not set up.

  • In your ACE environment, use the left menu to go to Users.
  • Find the user you want to edit in the list and click EDIT.
  • Toggle Multi factor authentication to the right.

Multi Factor Authentication for the user is enabled immediately. There is no need to submit the form.

Disabling a user

A disabled user is not able to authenticate to ACE. This can be useful when a user is being offboarded from your ACE tenant, when suspicious activity has occurred, or when you are onboarding a large number of users and want to gradually enable them.

  • In your ACE environment, use the left menu to go to Users.
  • Find the user you want to edit in the list and click EDIT or CREATE USER.
  • Toggle Disable to the right.
  • Click SUBMIT to save any changes.