****************************************************************************************************

** Please consult the One Model team before enabling this new Feature **

****************************************************************************************************

One Model has a sophisticated and flexible role based security framework and added a lot of automation to enable customers to leverage this to drive the adoption of data driven decision making in a secure, scalable way.

We previously delivered a capability to automatically assign user roles as part of the Single-Sign-On process and this guide walks through how you can do something similar, but do it via a simpler .csv based file upload mechanism.

Quick overview of how it works

  1. Customers can upload a .csv file that contains all of the details needed to create or modify users in One Model. This can include all users, or just a sub-set of users.

  2. Within the .csv file customer defined roles can be included for users. Examples of roles could be Executive, HRBP, LineManager etc. Customer admins manage the mapping of their company defined roles to One Model Application Access and Data Access Roles in the One Model Company admin page.

  3. When the user logs into One Model, the application automatically assigns the associated Application Access Roles and Data Access Roles for that user based on their company defined role mapping in the previously uploaded .csv file.

Step By Step Guide

Configure your company instance to enable user file uploads

  1. To enable the user file upload capability, go to the Company Admin page and navigate to the “User Upload Options” section.

    NB: enabling this new feature will override other setting you may have previously setup for automatically assigning a default role for users created via SSO, so the SSO based role creation will no longer apply deferring to this new file based process.

  2. Select the key identifier for users logging into One Model for your company, i.e. Email Address or PersonID. This will enable the appropriate link for the uploaded user data to the rest of your company configuration in One Model.
    NB: for Customers using SSO, this setting should be the same option set in the "SAML 2 Integration" settings for "NameID Type". This is usually "Email" in both cases.

  3. To link your company defined roles included in the user upload file to One Model roles, the roles need to be mapped. You can use the table in this section to create these mappings. To configure the mapping between Customer Roles and One Model roles click the ‘Create New’ link or the ‘Edit’ link to modify an existing mapping. Then enter the name of the Customer Role that will be included in the upload file and check the One Model Application Access and Data Access Roles to be associated with this Company defined role. Some notes on this:

  • A user can have multiple Company Roles in the upload file

  • A Company Role can have multiple Application Access Roles and Multiple Data Access Roles.

  • If a user is assigned a company role that is not defined in the mapping table that role will be populated in the table awaiting mapping, but the user will not have any One Model permissions until that mapping has been performed.

Enabling the User Uploads Feature for a Role

  1. Given the high level of impact this capability can have for user access to the One Model platform, uploading users is controlled via an Application Access Role permission. To enable this for a user you will need to check the option for “CanUploadBulkUserFile” in the relevant Application Access Role.

  2. With this permission enabled, the User Uploads page can be accessed from a link that will become available within the User management page per the screenshot below.

Definition of the .csv file format

1. We have included an option to download a .csv file template on the User Uploads page that has an example of the expected file format.

Below is an example of this file in Windows Notepad:

2. The names and order of the column headings needs to match the specification format exactly, i.e. First Name,Last Name,Email,PersonId,Allow Sso SignIn,Allow Local Sign In,Auto Assign Roles On Login,Roles

3. The first row of the file must include the column headers in the same order as the example file.

4. The data rows in the file need to be comma separated.

5. The last column of data needs to be defined in “quotes” to allow for cases where you want to assign multiple roles per user. Do not use quotes for anything else in the data or header row.

6. The following fields are case sensitive:

  • First Name

  • Last Name

  • Email

  • Roles

7. Each user should only have one row within the file.

8. Email address and PersonID cannot have duplicate entries across any rows of the file.

9. Values in the .csv file map to the User screen as follows:

NB: The field currently called “Use Sso Assigned Roles” applies to either the SSO based automated role assignment, OR the File Upload Role Assignment. This will be renamed in the future to be more generic, but today we are leveraging the same switch. It is also important to note that a company can use only one approach to automated role assignment, either SSO, or File Upload and not a combination of the two.

Uploading the .csv file

  1. On the User Uploads screen, press the Upload button and browse for and select your .csv file.

  2. On upload we will perform some initial file validation according to the requirements listed in the previous section.

  3. Once successfully uploaded you will see a new row appear in the table with the file name and the status of “Uploaded”.

  4. The next step is to Verify the file by pressing the Verify button on the right side of the screen.

  5. The verification step will check the uploaded file against the users already stored within One Model and you will be able to see in the table how many new users will be created, or existing users will be modified by the uploaded file. You can click each of these numbers and download a .csv file to check the details to cross check the changes before they are processed. If there are errors detected these will be viewable in the error column with an error reason.

  6. At this stage you could make changes to your .csv file and upload a new version and go through the verify step again.

  7. Once you are happy with your verified file you can then process the upload by pressing the Process button on the right of the screen.

  8. Depending on how many users are to be processed this step may take some time. The status on the page will continue to display as “Processing” even if you leave the page, or logout and log back in the status will be maintained. This will also be the case if another user enters the page, they will be able to see if someone else has already started processing an upload. While the processing is running, you will be able to see new users appearing in the Users screen and you can check how far you are through the upload process by using the “Export Users and Roles” option.

  9. Once the upload processing is complete you might also like to review the role mapping table in the Company Admin page in case there are new Company Roles within the file that require mapping to One Model roles.

  10. It is important to note that while users are created immediately as a part of this process their roles are assigned dynamically at the time that they next login to One Model.

Did this answer your question?