Adding, Revoking, & Auto-Provisioning Access

Within your Transcend instance, you can manually add new users from within the platform. To do this:

  1. Navigate to the Administration page > Users tab in your desired Transcend instance

  2. Click the "+" button (located next to the search box on the right side)

  3. In the Add User modal, provide the details in the form, including:

    • email

      Important: If you plan to utilize SSO in the future, please ensure the email address used during this step is the same email address associated with their SSO account

    • whether an email notification should be sent upon account creation
    • user's full name
    • determination of whether they will be an administrator for the instance
    • any team(s) the user may be part of; and
    • any additional scopes (not already covered by their assigned team(s)) the user should have
  4. When finished, click the "Add User" button at the bottom of the modal. A "Successfully added!" confirmation message should be displayed below the button, and you may now close the modal.

  5. Confirm the new user is listed in the Users table.

If you need to revoke access of a user in your Transcend instance, you can click the trash icon next to the selected user on the Administration → Users tab. If you are using Single Sign On, the easiest way to revoke access is to deactivate the user within your single sign on provider. This will prevent the user from having the ability to log in to Transcend.

If you have a need to programmatically remove a user from Transcend, you can leverage the EU Hosting GraphQL API or US Hosting GraphQL API with the following mutation:

mutation {
  removeUser(input: { email: "INSERT_EMAIL@transcend.io" }) {
    clientMutationId
  }
}

As a CURL, this would be the following for EU hosting (default hosting option):

curl 'https://api.transcend.io/graphql' -H 'Authentication: Bearer INSERT_API_KEY' -H 'Content-Type: application/json' -H 'Accept: application/json' --data-binary '{"query":"mutation {\n  removeUser(input: { email: \"INSERT_EMAIL@transcend.io\" }) {\n    clientMutationId\n  }\n}\n"}'

or the following for US hosting option:

curl 'https://api.us.transcend.io/graphql' -H 'Authentication: Bearer INSERT_API_KEY' -H 'Content-Type: application/json' -H 'Accept: application/json' --data-binary '{"query":"mutation {\n  removeUser(input: { email: \"INSERT_EMAIL@transcend.io\" }) {\n    clientMutationId\n  }\n}\n"}'

in the commands above, please replace:

  • INSERT_API_KEY: a Transcend API key with the scope Manage Access Controls
  • INSERT_EMAIL@transcend.io: the email address of the user to remove

In addition to the above sections that walk through some more manual methods of adding / removing access, Transcend also offers the ability to auto-provision your users.

When one of your employees logs into Transcend for the first time using their SSO login, if you expose some certain attributes to Transcend, the employee will be assigned to the Transcend team when their account is created, thus giving them a specific set of scopes by default.

You can enable the following SSO attribute mappings

AttributeTranscend Mapping
Employee Details.Titletitle
Employee Details.Departmentdepartment

In addition to mapping SSO attributes to a "Team" on Transcend, you can map SSO groups (AKA Okta Groups) to do the same. For organizations that already have groups set up, this is often the preferred method. For those without groups, attribute mapping is the preferred mapping. You must configure user access to the group within your SSO provider, and then map the group name to the Transcend team as shown in the image below. (Below, we are mapping the SSO group named "Engineering" to a Transcend team named "Developers").

You can make changes to the mapping between your SSO provider and Transcend Teams on the Teams → tab under Administration.

Map SSO Group to Transcend Team.

When a user is just in time provisioned and their SSO attributes do not map them to a team, the default behavior is that the user will have no scopes applied to them. If you want to set a default set of scopes for newly provisioned users, you can set a "Default Team" under Administration → Single Sign On. This team will be assigned to users that have no other teams provisioned to them. The newly created user will inherit the scopes of that team.

SSO Default Team.

In some situations, it makes sense to have multiple Transcend accounts for different business units within a larger organization. For example, there may be some parent company operating over multiple child companies with independent brands and data sharing practices.

It is possible to configure a single SSO group that does just-in-time provisioning across multiple Transcend instances. This is done by:

  1. Follow the instructions in the section above to map an SSO group or department to a team in the parent Transcend instance where your SSO settings were configured.
  2. For each Transcend instance that you want to provision access to, switch into that Transcend instance and select the team created in (1) as the "Linked Team from Parent Account"
Parent Team Linking