Account management capabilities
This page explains how you can manage customer identities.
Account management empowers your support team to provide guided help for customers in every aspect of their accounts in a no-code or low-code fashion.
Customer support can quickly resolve issues related to
- personal information (Account attributes)
- authentication (Authenticators)
- identity verification (Identity verification)
Activity logs provide insights into various account events to diagnose setbacks customers ran into. Consent logs help you see on an account basis where you stand with fulfilling compliance requirements.
Customer support can also manage group memberships that control which contents an account has access to.
Account listing
Your support team can start assisting customers in the Account management menu in the Admin Console.
Available accounts will be listed by identity stores. You can switch between identity stores using the drop-down on the left. Once you're in the right identity store, you can find accounts by specific parameters by opening Search on the left.
Account management page
Account search
Your support team can track down accounts by various parameters in an instant using account search. They can also pin search fields to the top of the tab to keep the most frequently used fields close to hand.
You can learn more about search options here.
Account quick actions
Some actions can be accessed on the main tab before taking a deeper dive into account management. Quick actions appear in the list header when one or more accounts are selected.
Account quick actions: Delete, Add to group, Remove from group, Enable, Disable
| Icon | Action |
|---|---|
| Delete | Deletes the selected account(s) from the identity store.  Irreversible action. |
| Add to group | Adds the selected account(s) to a group of choice. Available groups will be listed in a new dialog box. |
| Remove from group | Removes the selected account(s) from a specified group. Available groups will be listed in a new dialog box. |
| Enable | Enables the selected account(s). The account holder can log in and access their data. |
| Disable | Disables the selected account(s). The account holder can't log in to their account and access their data but their identity will continue to be stored. |
Account statuses
Account labels allow you to take a quick glance at the status of an account.
Account statuses: Enabled, Disabled, Verified email, Unverified email, External identity
| Label | Description |
|---|---|
| Enabled | When an account is enabled, the customers can log in and edit the personal information they have access to. |
| Disabled | When an account is disabled, the customer can't log into the account. |
| Verified email | When an email is verified, it can be used for multi-factor authentication and sending notifications to the customer. |
| Unverified email | When an email is not verified yet, it could mean that there was an activation email or invitation sent to the customer that wasn't completed yet. |
| External identity | The customer has registered with an enterprise or social identity. |
Verified email
Verified account email
An email is verified if the registration flow has been successfully completed—including, for example, identity verification—and the account has an authenticator enrolled at the end—either password or MFA. If there is no activation step, then the email gets a verified status in this case.
Account activation If account activation applies, the activation link sent to the provided email address must be confirmed to verify the email address.
Account access
Once you've identified the account you want to edit, click anywhere on the account to jump to the selected identity's profile.
The profile of the account will open.
Account overview panel
Usually, when something's out of sight, it's out of mind. That's why essential customer information and account actions are brought to the fore on account profiles. The information that immediately identifies the account will always be in sight while browsing tabs.
Account overview panel
| Action | Description |
|---|---|
| Download account information | Customer service can download every information related to the account in HTML or JSON formats. |
| Disable/Enable account | Customer service can change the status of the account to disabled or enabled. When an account is disabled, the customer can't log into the account. |
| Delete sessions | Customer service can delete active sessions. When a customer returns to their usual browser, they will be required to re-authenticate. |
| Delete account | Customer service can delete the account from the identity store. Irreversible action. |
Account attributes
Customer service can make changes to an account's basic profile information here.
Attributes can be configured on an identity store basis. Every attribute is available here that's made visible in the Admin Console. Every attribute can be modified where editing in the Admin Console was allowed.
Notification available
Customers can be notified about this type of update. You can check the Customer notifications section for more information about which branding and notification policies can be applied in different scenarios.
Account event logs
While troubleshooting problems for a customer, your service desk can pull up every event log related to the account in the Activity tab:
Account activity logs
For more information, see our detailed description of account event logs.
Groups
Group memberships of an account can be managed here. Every group that the account is a member of is listed.
The account can be added to any group available in the identity store. The account can also be removed from any group.
Removing group memberships will block access for the customer to applications where group restrictions apply.
Roles
The Roles tab contains every role currently assigned to the account.
Multiple roles
An account can take on more than just one type of role.
Cross-organizational permissions
Roles are not restricted to specific organizations: you can grant the same permission to multiple organizations.
Also, an account can have role-based access to any of the organizations living in the identity store. Organizational membership is not required to have permission to a specific organization, only role-pair assignments count.
You can assign a new role with the + Assign role button. A role assignment dialog will open where you can specify the organization and the role you want to assign to the user:
Roles assignment dialog
Authenticators
When customers turn to your service desk in their final effort to recover their accounts, your customer support team is equipped with just the right tools to resolve authentication issues. Customers could be facing a variety of challenges, including a forgotten password, identity verification failure, lost authentication devices, or account lockout from too many login attempts.
Notification available
Customers can be notified about authenticator updates. You can check the Customer notifications section for more information about which branding and notification policies can be applied in different scenarios.
Send password reset email
Customer service can initiate a password reset for an account. The password reset notification will provide the customer with a secure link to self-service reset their password.
Password change
When left with no other option, service desk personnel can opt to change a customer's password directly from the Admin Console.
Add new authentication methods
You can provide customers with secondary authentication methods from the Admin Console. Customer service can also add a new email address or phone number to a customer's account:
Add new authenticator example: new phone number
Delete an authentication method
If customers lose their mobile devices or can't log in to their email accounts, customer service can help with just a few clicks by removing those methods.
Current sessions
Customer service can manage the active sessions that a customer is still logged into across devices.
Available information
- browser type
- geographic location and
- IP address from where the session originated
Sessions can be terminated manually here. In the event of session termination, any access from that browser will cease. If a customer uses that same browser again, they will be required to re-authenticate.
Identity verification
Customer service can manually verify a customer's identity in case the user can't get through the identity verification flow, but your team has ample proof to establish trust in the identity.
- You can start by clicking '+ Manually verify identity'.
A popup opens where you can select an identity verification policy. A policy has to be selected to apply a verification method to the account.
- You can select the identity verification policy that contains the verification method(s) you want to apply to the account.
Revoke verification
Identity verification can also be revoked in case the identity carries a risk. You can revoke a verificaiton by clicking on the icon with the red outline at each entry.
Consents
Here, your team can access the consent history of the account. You can get access to this data from account information download files to satisfy data requests according to your regulatory and privacy standards.
The consent log contains
- the list of consents customers have agreed to,
- the time of the agreement,
- and the time of opt-out for outdated consent versions or manually revoked consents.
Customer notifications
Customer service can notify customers about the changes made to their account, whether it's an update to profile information or enrollment of new authenticators. In every case, a client needs to be selected to send the notification.
Customer notification dialog
Changes take immediate effect.
This guide indicates which support actions notifications are available for.
About clients
Clients provide customer journeys: customers get access to their accounts through them. The policy configurations you apply to applications and/or organizations are implemented by clients. However, configurations apply conditionally to clients: the experience customers will ultimately see on their screens not only depends on what's assigned to the application but on the type of account as well using that client.
Scenario #1 If the customer is part of an organization, then only clients that belong to organizational applications, in general, can be selected. In this case, the customer experience (in this case, branding and notifications) of the client is determined by the organization that the account is part of.
Scenario #2 If the customer is not part of an organization, then only clients that belong to non-organizational applications will be listed. In this case, the branding and the notification policy of the application will apply to the notification.
Updated 20 days ago