Imagine giving your clients the ability to view specific components in Lifecycle Insights without making them internal contacts. Client users can be configured as external users so they are not displayed as internal contacts within Our Contacts in Recommendations and Our Attendees in the Business Reviews. Both of these list contacts that are found in User Manager (or in other words - contacts that can log into LCI).
Step 1: Setting Up Security Groups for External Users
To start, you'll need to create a new security group to limit external users’ access to their specific company. This step ensures that these users have restricted permissions, protecting your internal settings and data.
-
Navigate to Account Settings: In the Lifecycle Insights platform, go to the main navigation menu, and under Administration, select Account Settings. Click the Security Groups tile.
-
Create a Security Group: You can copy an existing security group or click the Add New button to create a fresh one. This flexibility allows you to set up new groups quickly or build on existing configurations.
-
Name Your Security Group: Assign a descriptive name to your new or copied security group. This name should indicate the group’s purpose, such as the specific client or type of access being granted.
-
Configure Security Settings:
-
Access Restrictions: Make sure that Notifications, Onboarding, Edit Tenant Default Dashboard, Data Sync Manager, and Can Edit Security Group Dashboards are unchecked. These permissions should not be granted to external users.
-
Impersonation Setting: Set the impersonation option to "No, Do NOT Allow members of this group to impersonate." This prevents external users from accessing other profiles, enhancing security.
-
Access Restrictions: Make sure that Notifications, Onboarding, Edit Tenant Default Dashboard, Data Sync Manager, and Can Edit Security Group Dashboards are unchecked. These permissions should not be granted to external users.
-
Assign Companies: Use the drop-down selector to select the appropriate company for this security group. This step ensures that the external users are linked only to their respective companies, preventing access to other areas.
-
Define Access Permissions: In the impersonations table, you can specify which areas external users can access or view. Permissions can be set as read-only or read/write based on the needs of the client.
Once your security group is set up, you can easily replicate its settings for other companies by copying the group, simplifying the configuration process for multiple clients.
Recommended Restrictions for External Users:
-
- Administration: No access should be granted to account or site settings, as these impact global settings across your organization.
- Integrations: Prevent external users from accessing or modifying integration settings, as this could disrupt data connections.
- Data Manager: External users should not have permission to add data to the system, preserving data integrity.
- Help/Support: External users should contact your organization directly for support, as they will not be able to access internal help resources.
Step 2: Adding and Managing External Users
Once the security group is set up, you can add external users to it. External users won’t appear in Our Contacts in Recommendations or Our Attendees in Business Reviews, ensuring that your internal contacts list remains accurate. Additionally, external users are restricted from viewing Business Review Standards or any listed Scores derived from these standards, and the help widget is disabled for them.
Adding External Users:
- At the top of the User Manager screen, click on Add User Access > Add New External User.
- In the Add External User pop-up modal, enter the user’s details.
- First Name, Last Name, and Email.
- Select the appropriate Security Group for this user to manage their access levels.
- For accounts utilizing Single Sign-On (SSO), Force SSO can be applied to external users. Learn more about the SSO enforcement here.
- Click Click to Add and Send User Invitation Email. Once created, the user will appear in the User Manager list.
- You can also view the user’s MFA (Multi-Factor Authentication) status here. Find more details on enabling MFA.
Step 3: Securing External User Accounts with Single Sign-On (SSO)
You can enhance security by linking Google or Microsoft accounts for Single Sign-On (SSO) access, offering convenience and advanced protection.
Forced SSO, applied on a per-user basis for external users, disables login/password and MFA options, requiring them to sign in exclusively using their Google or Microsoft account via Single Sign-On (SSO).
Setting Up SSO Enforcement for External Users
Step 1: Access User Manager
- Navigate to the vCIO menu and select Account Settings under the Administration section.
- Open User Manager by clicking on the corresponding tile.
- View the list of external users, which includes a Force SSO column displaying the SSO status for each user.
Step 2: Add and Enforce Forced SSO on a Per-User Basis
To enable or modify SSO enforcement for existing external users:
- Filter the user list in User Manager to display external users only.
- Select the external user you want to edit and click on their name.
- In the Edit External User window:
- Select the Force SSO box to enforce SSO for the selected external user.
- Click Save to apply the changes.
SSO sign-in enforcement for External Users: External users attempting to sign in with a username and password will see an error message informing them that SSO login is required. This ensures that external users can only access Lifecycle Insights via the secure SSO option.
Modifying an Existing External User
To edit an external user's details, click on the external user’s name in the User Manager list. These settings are essential for keeping your platform secure and functional for external clients.
- Update any necessary information and click Save.
- To delete an external user, click Delete.