Unified user management


Welcome note

Unified login is in the process of being applied to all users throughout September 2025.

Access the pre-existing documentation here: Administration.

Intro

Unified user management is a key component of integrating all Bloomreach products (including Engagement, Discovery, and Clarity) under one common platform. The main goal of Unified user management is consolidating the management of users and their access rights across all Bloomreach products and regions. In the long term, Bloomreach aims to provide a unified infrastructure and single point of management for users, especially large, multi-geo, and multi-brand organizations.

Unified user management serves as the single source of truth for the user lifecycle (CRUD operations - Create, Read, Update, Delete) and role assignments. Power users gain centralized visibility and control over who has access to what resources, effectively simplifying workflows and access management. The system supports managing users individually or in bulk, utilizing user groups, and assigning permissions with defined scopes. While management is centralized, user information like email, name, and phone number for Multi-Factor Authentication is intended to be kept region-specific to comply with legal requirements.

Terminology

  • Admin Panel: The user interface for managing Administration roles and permissions.
  • Auth0: The external authentication and user identity provider currently used by Discovery. While the goal is to use one authentication, Auth0 remains involved (especially during the upgrade transition and for the existing users linked to Discovery organizations).
  • Cloud Organization/Organization: A global resource representing a single Bloomreach client or company within the unified platform. It can contain multiple Workspaces in different regions. One Cloud organization can have one or more Workspaces. User management aspects like user exports, invites, user groups, and identity domains are intended to be managed at the Cloud Organization level.
  • Workspace: A container within the Cloud Organization that holds a unique subset of client data and is tied to a single geographic/regulatory region. Multiple Engagement Projects and Discovery Accounts can be linked to a single Workspace. Access control features like IP filtering and MFA are intended to be managed at the Workspace level.
  • Account: Accounts are typically used to isolate a client's business units from one another. A Bloomreach customer can have one or more accounts under a single workspace. This concept exists in both Discovery and Engagement; the only change is in the organization structure and hierarchy.
    • Access control within the new structure involves assigning Users, User Groups, Roles, and Custom Roles to Accounts. Admins can assign access at the Account level. Engagement Admins can Create, Edit, or Delete Accounts (Engagement Admins are Bloomreach personnel, not Account Admin roles). However, Discovery Admins cannot Create, Edit, or Delete an Account (this can only be done by Bloomreach).
  • Environment: Accounts contain Environments. Every Discovery Account always has at least one Environment for staging purposes and may have an additional Environment for production purposes. Other types, like "dev", are also mentioned.
    • Admins cannot Create, Edit, or Delete an Environment (only Bloomreach can). Access control allows Admins to Assign Users, User Groups, Roles, and Custom Roles to an Environment. This is an existing concept in Discovery only (the equivalent feature in Engagement is Project Type Categorizer).
  • Project: This is an existing concept in Engagement only. Projects in Bloomreach Engagement are used to differentiate between businesses. Each project has its own project token (ID) that is used when setting event tracking on the website or in mobile apps. Projects are independent of one another; each one has different customers and events, their own independent analyses, or campaigns. An example would be a company having multiple projects for different countries under the same account. Each project has separate access management.
  • Site and Site groups: This is a Discovery-only feature. Within the Discovery structure, a Site can be a standalone entity or parented by a Site Group. Admins can assign Users, User Groups, Roles, and Custom Roles to a Site. A Site contains one or more catalogs associated with it. A Site group defines a group of sites under an Account.
  • User: Represents an abstract concept of a user identity within the Unified platform or application. Users are linked to resources and can be managed individually or in bulk.
  • Roles and Permissions: Roles define a set of permissions. They are assignable to users and user groups, and can have a defined scope. This is managed by both Bloomreach and its Clients. Permissions are the specific actions users are allowed to perform. These backend permissions are grouped and are implicitly part of roles. This cannot be managed by Bloomreach or its Clients.
  • User Groups: Allows for managing users in bulk and assigning permissions to the entire group. Changes to user group membership automatically update permissions.
  • Role Assignment: The process of linking users or user groups to roles.
  • Scope: The level at which a role or permission applies, such as an Account, a Project, a group of projects, or potentially custom scopes defined by groups/tags/labels.
  • Custom Permission Scope: The ability to use groups, tags, or labels to virtually connect projects specifically for the purpose of access management.
  • Identity Domain: Related to the regional login service setup, defining authentication options (SSO, passwords) for users.
  • Single Sign-On (SSO): An authentication method supported across platforms, allowing users to log in once to access multiple applications.
  • Multi-Factor Authentication (MFA): An additional security measure supported for user access.
  • Audit Log: A system to track user management actions and other functionalities.
  • Regional Data Storage: The principle that user information (like email, name, phone for MFA) should be kept regionally to comply with legal requirements, even though management is centralized.
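To make the relationship between Scope, Roles, User Groups and Role Assignment concrete, here is an added illustrative model (example code, not Bloomreach's own implementation or API). It assumes, for illustration only, that scopes form a tree from Cloud Organization down through Workspace, Account and Project, that a role assigned at a scope applies to that scope and everything beneath it, and that a user's effective permissions are the union of their direct assignments and those of every user group they belong to, so that changing group membership changes permissions immediately, as the User Groups entry describes. The role catalogue, user names and organization paths are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Role -> permission set. Constructed for this example; not Bloomreach's real catalogue.
ROLE_PERMISSIONS = {
    "viewer": frozenset({"campaign.read", "analysis.read"}),
    "editor": frozenset({"campaign.read", "campaign.write", "analysis.read"}),
    "account_admin": frozenset({"campaign.read", "campaign.write", "analysis.read", "user.assign"}),
}

# Sample dates used by the demo: one inside and one after the temporary user's expiry.
SAMPLE_DAY = date(2025, 9, 15)
DAY_AFTER_EXPIRY = date(2025, 10, 1)


@dataclass(frozen=True)
class Scope:
    """A node in the resource tree, named by its path from the Cloud Organization down,
    e.g. ("acme", "eu-workspace", "retail-account", "prod-project"). Assumed structure."""
    path: tuple

    def contains(self, other: "Scope") -> bool:
        # A scope covers itself and every descendant: prefix match on the path.
        return other.path[: len(self.path)] == self.path


@dataclass(frozen=True)
class Assignment:
    role: str
    scope: Scope
    expires: Optional[date] = None  # set for temporary users with an expiration date

    def active_on(self, day: date) -> bool:
        return self.expires is None or day <= self.expires


class Directory:
    """In-memory stand-in for the user directory: users, groups, assignments, blocked users."""

    def __init__(self) -> None:
        self.user_assignments = defaultdict(list)   # user  -> [Assignment]
        self.group_assignments = defaultdict(list)  # group -> [Assignment]
        self.group_members = defaultdict(set)       # group -> {user}
        self.blocked = set()

    def assign_user(self, user, role, scope, expires=None):
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        self.user_assignments[user].append(Assignment(role, scope, expires))

    def assign_group(self, group, role, scope, expires=None):
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        self.group_assignments[group].append(Assignment(role, scope, expires))

    def add_member(self, group, user):
        self.group_members[group].add(user)

    def remove_member(self, group, user):
        self.group_members[group].discard(user)

    def block(self, user):
        self.blocked.add(user)

    def unblock(self, user):
        self.blocked.discard(user)

    def assignments_for(self, user):
        """Direct assignments plus those inherited from every group the user belongs to."""
        yield from self.user_assignments.get(user, [])
        for group, members in self.group_members.items():
            if user in members:
                yield from self.group_assignments.get(group, [])

    def effective_permissions(self, user, target: Scope, day: date) -> frozenset:
        """Union of permissions from active assignments whose scope covers `target`.
        A blocked user gets nothing regardless of assignments."""
        if user in self.blocked:
            return frozenset()
        perms = set()
        for a in self.assignments_for(user):
            if a.active_on(day) and a.scope.contains(target):
                perms |= ROLE_PERMISSIONS[a.role]
        return frozenset(perms)


def build_demo() -> Directory:
    """Constructed sample organization: a group-scoped editor role on a workspace,
    a direct viewer role on an account, and a temporary account admin."""
    d = Directory()
    eu_ws = Scope(("acme", "eu-workspace"))
    retail = Scope(("acme", "eu-workspace", "retail-account"))
    d.assign_group("eu-editors", "editor", eu_ws)
    d.add_member("eu-editors", "alice@example.com")
    d.assign_user("alice@example.com", "viewer", retail)
    d.assign_user("bob@example.com", "account_admin", retail, expires=date(2025, 9, 30))
    return d


if __name__ == "__main__":
    d = build_demo()
    prod = Scope(("acme", "eu-workspace", "retail-account", "prod-project"))
    print(sorted(d.effective_permissions("alice@example.com", prod, SAMPLE_DAY)))
```

Because permissions are resolved at query time from group membership, removing a user from "eu-editors" drops the editor permissions on every project under the EU workspace at once, while the directly assigned viewer role on the retail account stays; a scope in another workspace yields nothing, an expired temporary assignment is ignored, and a blocked user resolves to no permissions until unblocked.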

Organizational structure and hierarchy diagram

Common Admin Panel actions

Here are tutorials for popular actions available from the Admin Panel.

How to add a new user

  1. Log in and navigate to Admin Panel > Users > Add users, and follow the dialog instructions. Then select the Application to which you want to add the user:

  2. For each user in any application, you need to fill in email and permissions including the application, scope (workspace/project in case of Engagement,

Admin Panel flow

  1. Add the user email and select Admin Panel as the application:
  2. As part of the scope, select the relevant user roles you want to attach to this user. The user roles are automatically filtered based on the Organization permissions you have.
  3. Select an expiration date if you want a temporary user for a fixed time. Review the details, then click Add user.

User management

Log in and navigate to Admin Panel > Users. Here you can see all the users depending on the permissions assigned to you by the organization. In this screen, you can view all users, filter and find users, and perform operations (Edit, Block, Delete, Export).

Other common operations

  • Block/unblock user: This option immediately blocks the user from accessing the organization, or restores access for a blocked user.
  • Terminate user session: This will end the active user session and force the log-out immediately.
  • Enforce password reset: This will force the user to set a new password in the next login session.
  • Mark as external user: This will exempt the user from organization-level security measures, such as SSO authentication, and allow them to log in independently. This action cannot be undone.
  • Add permission: This is similar to the "Add User > Add Permission" step of adding a new user, in which additional permissions are added to an existing user.
  • Resend invitation: This will resend an invitation and expire any previous pending invitations.
  • Remove permissions: Removes all permissions for the user in the current scope. This will not delete the user from the organization.
  • Delete user: This will permanently remove and revoke any access to all Bloomreach services. This is available only for Organization administrators.

On the left side of the screen, users can perform find operations based on multiple filter options. The status of the user is indicated by the corresponding icon:

The Multi-Factor Authentication status icon represents three values:

How to export users

In the top right corner of the user list screen, click on the three dots to see the Export Users option, then follow the dialog to export the user list.

How to set a Custom role

Unified user management supports Engagement. Read more here: Custom role.


Note

The functionality is the same; however, the navigation is different.

  1. Navigate to Organization > Administration > Users > Roles
  2. In the top right corner, click "+Create custom role"
  3. Select "+Add inherited role"