Account
Manage user, organization & RBAC in Suger Console.
Signup & Login
- Suger uses Auth0 as the authentication & authorization provider. Both Sign in and Sign up share the same entry https://console.suger.io/login.
- Suger supports SSO with Google, Microsoft and Okta (available upon request).
Organization
- All Suger resources are organized & managed under an organization. Each user must belong to at least one organization.
- When you sign up for Suger for the first time, you will be prompted to create a new organization. However, please note that your organization will require approval from Suger in order to become active. To initiate the approval process for your newly created organization, please get in touch with Suger Support.
- The user who creates the organization has the ADMIN role by default. This role is allowed to add new users, edit user roles or delete users. There are 3 predefined standard roles: ADMIN, EDITOR & VIEWER. Their permission scope is defined below:

| User Role | RBAC Permissions |
| --- | --- |
| ADMIN | Full access, including management of users, organizations, API Client & Webhook. |
| EDITOR | Full access, but excluding the access to management of users, organizations, API Client & Webhook. |
| VIEWER | Can only access Suger services with read access, no permission to create/edit/delete any resources. |

Tip:
- The email domain of the organization inherits from the user who created it.
- For security purposes, only users who have the same email domain as the organization can be added to that organization.
Custom Role with Granular Permissions
Custom roles offer precise control over permissions, allowing you to go beyond the limitations of predefined standard roles, which may be overly broad. This flexibility enables assigning specific permissions at a more granular level.
Create Custom Role
- Navigate to the settings page of your organization.
- Locate the Roles section under the Organization & Users tab.
- Click the Add Custom Role button.
- Fill in the name and description fields.
- Set permissions according to your specific requirements.
Assign Custom Role to User
Once custom roles are created, you can apply them during the creation or modification of a user.
- Visit the settings page of your organization.
- Find the Users section under the Organization & Users tab.
- Add a new user by clicking the Add User button or edit an existing user by clicking the edit button in each user row.
- Set the role field in the Add User / Edit User dialog to the desired custom role.
Edit Custom Role
- Visit the settings page of your organization.
- Locate the Roles section under the Organization & Users tab.
- Click the edit button in each custom role row.
- Modify the name, description, and permissions as needed.
Use Okta as Identity Provider
Suger supports Okta as an identity provider. You can use Okta to manage users and their access to Suger.
Create an OpenID Connect app integration
Follow these steps to create an OpenID Connect (OIDC) app integration. This app serves as the Okta SSO provider for Suger.
- In your Okta Admin Console, go to Applications -> Applications. Click Create App Integration.
- Select OIDC as the Sign-in method, and Web application as the Application type.
- Set the following parameters, then click Save:
  - App integration name: Suger
  - Sign-in redirect URIs: Contact Suger support (support@suger.io) for the redirect URI.
  - Sign-out redirect URIs: https://console.suger.io/login
  - Trusted Origins: https://console.suger.io
- Open the App. Go to General -> General Settings -> Edit, then click Save:
  - Login initiated by: Either Okta or App
  - Application visibility: Display application icon to users
  - Login flow: Redirect to app to initiate login (OIDC Compliant)
  - Initiate login URI: https://console.suger.io/login/okta
- Send the Client ID and Client Secret that Okta generated to Suger support.
Create an SCIM app integration
SCIM (System for Cross-domain Identity Management) is a set of application-level protocols to securely manage and communicate user data across multiple domains. You can create a SCIM integration in Okta to manage users' access and roles in Suger.
- Ask Suger support for the SCIM endpoint URL and Bearer token.
- Follow the steps in this Doc to create a SCIM integration app.
- Create a custom attribute for Okta user:
  - Data type: string
  - Display name: Suger Role
  - Variable name: sugerRole
  - Attribute members: The role values should be ADMIN, EDITOR, VIEWER for the standard roles. You can also add your custom roles (role names are case sensitive).
- Create a custom attribute for SCIM app user:
  - Data type: string
  - Display name: Suger Role
  - Variable name: sugerRole
  - External name: roles.^[type=='SUGER_ROLE'].value
  - External namespace: urn:ietf:params:scim:schemas:core:2.0:User
- Configure field mapping from Okta user to SCIM app user.
- Verify the Suger Role Attribute Mapping: Set a Suger Role for an Okta user. Open the SCIM app, go to the Provisioning tab, scroll down to the Suger Role field and click the "edit" icon. The field should be present.
Manage Users Access
Set the user's Suger Role in the Okta user profile. When the role is updated, it will be synced to Suger in real time.
- To grant a user access to Suger, you must assign them to both the OIDC app and the SCIM app via the end-user dashboard.
- To revoke access, remove the user assignments from both apps.
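
An added example, not Suger's or Okta's code: a pre-provisioning check over SCIM User resources shaped the way the sugerRole mapping and the organization email-domain rule above imply. It assumes userName carries the user's email address and reads roles.^[type=='SUGER_ROLE'].value as "the first roles entry whose type is SUGER_ROLE"; the function names and sample users are constructed for illustration.

```python
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
STANDARD_ROLES = {"ADMIN", "EDITOR", "VIEWER"}

def suger_role(user):
    """Value of the first roles[] entry with type == 'SUGER_ROLE' (assumed
    reading of the external name roles.^[type=='SUGER_ROLE'].value)."""
    for entry in user.get("roles", []):
        if entry.get("type") == "SUGER_ROLE":
            return entry.get("value")
    return None

def check_user(user, org_domain, custom_roles=frozenset()):
    """Return a list of findings for one SCIM User resource; empty means OK."""
    findings = []
    if CORE_USER not in user.get("schemas", []):
        findings.append("missing core User schema")
    role = suger_role(user)
    if role is None:
        findings.append("no SUGER_ROLE entry in roles")
    elif role not in STANDARD_ROLES | set(custom_roles):
        # Exact comparison on purpose: role names are case sensitive.
        findings.append(f"unknown role {role!r}")
    # Assumption: userName is the email address used for the domain rule.
    domain = user.get("userName", "").rpartition("@")[2].lower()
    if domain != org_domain.lower():
        findings.append(f"email domain {domain!r} does not match organization")
    return findings

def audit(users, org_domain, custom_roles=frozenset()):
    """Map userName -> findings for every user with at least one finding."""
    report = {}
    for user in users:
        findings = check_user(user, org_domain, custom_roles)
        if findings:
            report[user.get("userName", "<no userName>")] = findings
    return report

# Constructed sample resources (not captured traffic).
SAMPLE_USERS = [
    {"schemas": [CORE_USER], "userName": "alice@example.com",
     "roles": [{"type": "SUGER_ROLE", "value": "EDITOR"}]},
    {"schemas": [CORE_USER], "userName": "bob@example.com",
     "roles": [{"type": "SUGER_ROLE", "value": "admin"}]},
    {"schemas": [CORE_USER], "userName": "carol@contractor.example",
     "roles": [{"type": "OTHER", "value": "VIEWER"}]},
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_USERS, "example.com"), indent=2))
```

Running the check against an export of the Okta users assigned to the SCIM app, before assignment, surfaces lower-cased role values and out-of-domain accounts that would otherwise only show up as failed or unexpected provisioning.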