Marigold ID Administration Guide
Overview
There are two types of client admin roles in Marigold ID (CID):
- Organization Admin: Admin of an organization who can manage access to all the business units (BU)
- Business Unit Admin (BU Admin): Admin of one or more business units
The users with these admin permissions are provided access to the Marigold ID Administration workspace.
User Group for Non-SSO Organization
User Group was introduced in Marigold ID to support more robust relationships between users and permissions, allowing the admin to quickly grant application access to new users.
1. Create a User Group and Define Group Application Access in Marigold ID
Pre-requisite: The User Group Feature must be enabled by your Marigold representative to utilize this functionality.
Create a User Group
1. Go to Marigold ID Administration (only available for Org and BU admins), then User Groups. This page lists all user groups created for your organization.
2. Click “New Group” and the modal below will be displayed.
3. Fill in a Group Name and click “Save Group”.
Note: Please leave the “IDP Identified” field empty.
4. The newly created user group will be listed on the listing page. Click on the user group created above to define the user group access.
5. Click “Add Business Units” and select the desired business unit for the user group.
6. Then, select the application to assign to the user group and click “Add Business Units” to save.
7. Optional Step:
a) To add Organization Admin access, toggle on “Assign organization admin to group users”.
b) To add BU Admin access, toggle on “Assign BU admin” at the BU listing table.
Note: Upon completion of the above steps, any users added to this user group will be granted access to the selected application as defined above.
Other Settings
User Group List Management:
- By default, all organizations are set to “Assign User Group upon first login”.
- An Org admin can update it to “Always Sync User Group upon login”.
Note: The setting above applies to organizations that use SSO. Please disregard this if your organization is not using SSO.
- Assign User Group upon First Login: User groups will be assigned to SSO users whose organizations have enabled the user group feature, based on customGroups, during their first login (user creation).
- Always Sync User Group upon Login: User groups will be synchronized for SSO users whose organizations have enabled the user group feature, based on customGroups, during each SSO login.
2. Add Users to User Group
On the User Group List, select a user group and click “Options > Add Users”.
Select user(s) to add to the user group, then click “Add Users”.
3. View Users in a User Group
To view users in a user group, on the user group list, click a user group (for example, “Campaign Admin” as shown below).
When the user group is opened, click Users to see the user list.
4. Other Settings
4.1 Delete a User Group
To delete a user group, on the User Group Listing page, select the user groups to delete, then click “Options > Delete Group”.
Note: When a user group is deleted, all users and access associated with that user group will be removed.
4.2 Delete a user from a User Group
To delete a user from a user group, go to the user group (see section 3), and select the users to be removed from the group, then click “Options > Remove From Group”.
5. Product Specific User Group Mapping
Engage+ and Loyalty support user group mapping from Marigold ID, enabling admins to quickly set up new users with a set of Engage+ and Loyalty permissions.
5.1 Engage+
When a user group is created in Marigold ID for an organization and its business units and is assigned the Engage+ application, the user group can then be mapped to an Engage+ access group.
To add user group mapping in Engage+, please follow the steps below.
See the example and steps to map a Marigold ID user group to an Engage+ access group.
Pre-condition: A user group is created in Marigold ID and the user group is assigned to a BU with Engage+ Application in Marigold ID.
Scenario: A user group called “engage-plus-ny5-admin” was created with the following settings. We want to map this user group to the “Administrator User Group” in Engage+ so that users can be granted administrator access in Engage+.
In Engage+, go to “Account Security”, and click “Marigold ID Group Mapping” to open the Group Mapping modal.
Select the Marigold ID user group, then an Engage+ Access Group.
Click “ + ” to add, and Save to save the mapping.
Note: If there are multiple user groups created in Marigold ID, they can be mapped following the steps above, on the same modal.
When the configurations above are saved in the modal, a user added from Marigold ID and assigned to this user group through the Marigold ID app will automatically be granted administrator access in Engage+ in the BU.
Please see the User Group Sync Preference below to learn how the role sync works.
Sync only during new user creation:
5.2 Loyalty
The configuration and steps will be updated and published soon.
User Group and SSO Custom Group Mapping for Azure
SSO Custom Groups Mapping to User Group
SSO Custom Group is a feature that enables a client to assign groups to users from their own IDP/Portal and then relay these groups to Marigold ID. In Marigold ID, the matching group is used for the equivalent assignment to grant certain accesses based on the configuration.
[Client’s IDP] Configuring Custom Group in Azure IDP
1. Navigate to Azure Groups and click create group.
2. Criteria for Group name creation
- Lower case.
- Replace spaces with dashes (“-”).
- For example, the group name should be "org-admin".
Assign user to the group created above
3. Assign group created to the Enterprise Application
4. Create the Custom Group claim
Claims Required (on top of existing group)
- firstName → user.givenname
- lastName → user.surname
- email → user.mail
- Unique User Identifier → user.userprincipalname
- customGroups (group claims)
Claims Requirements
1. Please remove the namespace for the claims.
CustomGroups Claims Requirements
- “Group associated”: select Groups assigned to the application
- “Source attribute”: select Cloud-only group display names
- “Name” should be customGroups
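The claim and group-name requirements above can be checked against an assertion captured from a test login before the integration goes live. This is an added example, not part of the Marigold guide or Marigold's code; it assumes the SSO integration is SAML 2.0 and that the Unique User Identifier arrives as the NameID, and the sample assertion is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("firstName", "lastName", "email", "customGroups")

# Constructed sample: the email claim still carries a namespace and one group
# name breaks the naming criteria. Not a real assertion, and unsigned.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alex@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alex</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"><saml:AttributeValue>alex@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="customGroups">
      <saml:AttributeValue>org-admin</saml:AttributeValue>
      <saml:AttributeValue>Campaign Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text):
    """Return a list of findings; an empty list means the claims match the guide."""
    # Configuration check only: run it on assertions from your own test tenant.
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = values
    findings = []
    for want in REQUIRED:
        if want in attrs:
            continue
        # A claim whose namespace was not removed shows up as "<namespace>/<name>".
        namespaced = [n for n in attrs if n.lower().endswith("/" + want.lower())]
        if namespaced:
            findings.append(f"{want}: namespace not removed ({namespaced[0]})")
        else:
            findings.append(f"{want}: claim missing")
    for group in attrs.get("customGroups", []):
        if group != group.lower() or " " in group:
            findings.append(f"customGroups: '{group}' must be lower case with dashes")
    if root.find(".//saml:NameID", NS) is None:
        findings.append("NameID (Unique User Identifier) missing")
    return findings

if __name__ == "__main__":
    for finding in check_assertion(SAMPLE):
        print(finding)
```

A group name that fails the check will not match the Marigold ID group name, because the guide requires the two to be identical.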
[Marigold ID] Configuring Custom Group according to Client IDP in Marigold ID
Pre-requisite:
- The User Group Feature must be enabled by your Marigold representative to utilize this functionality.
- When the feature is enabled, an Organization Admin will be able to perform the steps below in setting up user groups and defining user group mapping between Marigold ID and other products.
Create a User Group
1. Go to Marigold ID Administration (only available for Org and BU admins), then User Groups. This page lists all user groups created for your organization.
2. Click “New Group” and the modal below will be displayed.
3. Fill in a Group Name and click “Save Group”.
Note:
- The MID Group Name must match the group name in your IdP.
- Please leave the “IDP Identified” field empty.
4. The newly created user group will be listed on the listing page. Click on the user group created above to define the user group access.
5. Click “Add Business Units” and select the desired business unit for the user group.
6. Then, select the application to assign to the user group and click “Add Business Units” to save.
7. Optional Step:
a) To add Organization Admin access, toggle on “Assign organization admin to group users”.
b) To add BU Admin access, toggle on “Assign BU admin” at the BU listing table.
Note: Upon completion of the above steps, any users added to this user group will be granted access to the selected application as defined above.
Other Setting: User Group List Management
Assign User Group upon First Login: User groups will be assigned to SSO users whose organizations have enabled the user group feature, based on customGroups, during their first login (user creation).
Always Sync User Group upon Login: User groups will be synchronized for SSO users whose organizations have enabled the user group feature, based on customGroups, during each SSO login.
The default setting is "Assign User Group upon first login." However, we recommend setting it to "Always Sync User Group upon login" to ensure user access is always updated in Marigold ID each time they log in.
Product Specific User Group Mapping
Engage+ and Loyalty support user group mapping from Marigold ID, enabling admins to quickly set up new users with a set of Engage+ and Loyalty permissions.
Engage+
When a user group is created in Marigold ID for an organization, and its business unit is assigned the Engage+ application, the user group can then be mapped to an Engage+ access group.
See the example and steps to map a Marigold ID user group to an Engage+ access group.
Pre-condition: A user group is created in Marigold ID and the user group is assigned to a BU with Engage+ Application in Marigold ID.
Scenario: A user group called “engage-plus-ny5-admin” was created with the following settings. We want to map this user group to the “Administrator User Group” in Engage+ so that users can be granted administrator access in Engage+.
In Engage+, go to “Account Security”, and click “Marigold ID Group Mapping” to open the Group Mapping modal.
Select the Marigold ID user group, then an Engage+ Access Group.
Click “ + ” to add, and Save to save the mapping.
Note: If there are multiple user groups created in Marigold ID, they can be mapped following the steps above, on the same modal.
When the configurations above are saved in the modal, a user added from Marigold ID and assigned to this user group through the Marigold ID app will automatically be granted administrator access in Engage+ in the BU.
Please see the User Group Sync Preference below to learn how the role sync works.
Sync only during new user creation:
- Marigold ID user groups assigned to new users (invited from Marigold ID) will be synced to Engage+ when the users switch applications from Marigold ID to Engage+.
- Existing users' Marigold ID group(s) will not be synced.
Sync every time the user switches application to Engage+:
- This is the default setting.
- Marigold ID user groups assigned to new and existing users will be synced to Engage+ every time the users switch applications from Marigold ID to Engage+.
- The group sync for existing users will not overwrite their existing access in Engage+; however, any new access groups added will be appended.
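Because the sync appends and never overwrites, moving a user to a different Marigold ID group does not take away the Engage+ access they already hold. The model below is an added example, not Marigold code: it follows the two sync preferences as this guide describes them and lists the Engage+ access groups that no current Marigold ID group maps to, so they can be reviewed. The function names, "engage-plus-ny5-viewer" and "Read Only User Group" are hypothetical.

```python
NEW_ONLY = "Sync only during new user creation"
EVERY_SWITCH = "Sync every time the user switches application to Engage+"

# Constructed mapping. The first pair is the scenario from this guide; the
# second pair uses hypothetical names.
MAPPING = {
    "engage-plus-ny5-admin": "Administrator User Group",
    "engage-plus-ny5-viewer": "Read Only User Group",
}

def sync_on_switch(preference, is_new_user, mid_groups, engage_access, mapping=MAPPING):
    """Return the user's Engage+ access groups after switching from Marigold ID."""
    if preference == NEW_ONLY and not is_new_user:
        return set(engage_access)              # existing users are not synced
    mapped = {mapping[g] for g in mid_groups if g in mapping}
    return set(engage_access) | mapped         # appended, never overwritten

def unbacked_access(mid_groups, engage_access, mapping=MAPPING):
    """Engage+ access groups that no current Marigold ID group maps to."""
    backed = {mapping[g] for g in mid_groups if g in mapping}
    return set(engage_access) - backed

def demo():
    # A new user in the admin group switches to Engage+ for the first time.
    access = sync_on_switch(EVERY_SWITCH, True, {"engage-plus-ny5-admin"}, set())
    # Later the user is moved to the viewer group in Marigold ID and switches again.
    now = {"engage-plus-ny5-viewer"}
    access = sync_on_switch(EVERY_SWITCH, False, now, access)
    return access, unbacked_access(now, access)

if __name__ == "__main__":
    access, review = demo()
    print("Engage+ access:", sorted(access))
    print("Review in Engage+:", sorted(review))
```

Access flagged this way may also have been granted directly in Engage+, so treat the result as a review list rather than a removal list.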
Loyalty
The configuration and steps will be updated and published soon.
Switching to Marigold ID Administration Workspace
Users with admin permissions can access the Marigold Administration workspace directly or by clicking on the System Administration option available in the drop-down box from the user icon at the right side of the User Workspace.