Unified user management overview

Welcome note

Unified login is in the process of being applied to all users throughout September 2025.

Access the pre-existing documentation here: Administration.

Managing users across separate systems creates fragmented visibility, duplicate work, and compliance challenges. Unified user management consolidates all user administration into a single interface—giving you complete control over who has access to what across all Bloomreach products and regions.

This system serves as the single source of truth for user lifecycle management and role assignments. You can manage users individually or in bulk, while user information remains region-specific for legal compliance.

Terminology

Understanding these terms helps you navigate the unified administration structure and make informed decisions about user access.

Organizational structure

Administration

The user interface for managing administration roles and permissions across all products.

Auth0

The external authentication provider currently used by Discovery. Auth0 remains involved during the upgrade transition and for existing users linked to Discovery organizations.

Cloud organization

Your company's top-level container representing your entire Bloomreach relationship. One cloud organization can contain multiple workspaces in different regions. User management aspects like user exports, invites, user groups, and identity domains are managed at this level.

Workspace

A container within your cloud organization tied to a single geographic/regulatory region. Multiple Engagement projects and Discovery accounts can link to a single workspace. Access control features like IP filtering and MFA are managed at the workspace level.

Account

A container used to segment business units. A Bloomreach customer can have multiple accounts under a single workspace. This concept exists in both Discovery and Engagement.

  • Admins can assign users, user groups, roles, and custom roles to accounts
  • Engagement admins (Bloomreach personnel) can create, edit, or delete accounts
  • Discovery admins can't create, edit, or delete accounts (only Bloomreach can)

Environment (Discovery only)

A container within accounts. Every Discovery account has at least one environment for staging and may have additional environments for production or development.

  • Admins can't create, edit, or delete environments (only Bloomreach can)
  • Admins can assign users, user groups, roles, and custom roles to environments
  • The Engagement equivalent is Project Type Categorizer

Project (Engagement only)

Used to differentiate between businesses. Each project has its own project token (ID) for event tracking. Projects are independent—each has different customers, events, analyses, and campaigns. Each project has separate access management.

Site and site groups (Discovery only)

A site can be standalone or parented by a site group. Admins can assign users, user groups, roles, and custom roles to sites. A site contains one or more catalogs. A site group defines a group of sites under an account.

Access control

User

An individual identity within the unified platform. Users are linked to resources and can be managed individually or in bulk.

Roles and permissions

Roles define a set of permissions assignable to users and user groups with a defined scope. Roles are managed by both Bloomreach and clients. Permissions are the specific actions users can perform; they are grouped within roles and cannot be managed separately.

User groups

User groups allow managing users in bulk and assigning permissions to entire groups. Changes to user group membership automatically update permissions.

Role assignment

The process of linking users or user groups to roles.

Scope

The level at which a role or permission applies: an account, a project, a group of projects, or custom scopes defined by groups/tags/labels.

Custom permission scope

The ability to use groups, tags, or labels to virtually connect projects specifically for access management purposes.

Regional data storage

User information (email, name, phone number for multi-factor authentication) is stored regionally to comply with legal requirements, even though management is centralized.

Security and authentication

Single sign-on (SSO)

An authentication method that allows users to log in once to access multiple applications across the platform.

Multi-factor authentication (MFA)

An additional security measure that requires users to provide two or more verification factors to gain access.

Identity domain

Defines authentication options (SSO, passwords) for users, managed at the regional login service level.

Audit log

A system that tracks user management actions and other activities for compliance and security monitoring.

Organizational structure

Here's an example of how the organizational hierarchy works:

Cloud Organization
├── Billing & Contract Info & Users
├── Workspace - EU
│   ├── Engagement
│   │   ├── Project 1
│   │   └── Project 2
│   ├── Data hub
│   │   └── Project
│   └── Discovery
│       ├── Account-Env 1
│       └── Account-Env 2
└── Workspace - US
    ├── Engagement
    │   ├── Project 1
    │   └── Project 2
    ├── Discovery
    │   ├── Account-Env 1
    │   └── Account-Env 2
    └── Data hub
        └── Project

Understanding the hierarchy

Each level serves a specific purpose in organizing your Bloomreach relationship and controlling access.

Cloud organization level

Your entire Bloomreach relationship lives here. This is where you manage organization-wide settings like user exports, invitations, and user groups.

Workspace level

Workspaces separate your data by region (EU, US, etc.) for compliance. Each workspace can contain Engagement projects, Discovery accounts, and Data hub projects. Security settings like IP filtering apply at this level.

Account level

Within each product area, accounts help you organize by business unit, brand, or use case. This is where most day-to-day user access management happens.

Project/environment/site level

The most granular level where actual work happens—individual Engagement projects, Discovery environments and sites, or Data hub projects.

Next steps

Ready to start managing users? See Unified user management: Common tasks for step-by-step instructions on:

  • Adding new users
  • Managing user access
  • Exporting user lists
  • Creating custom roles