Roles and access for agency users
Roles and access for agency users
While registering, agencies provide details for an administrator, general users, and if purchasing public cloud services (SaaS), three types of approvers. To manage access and identity, agencies select from three types of login authentication.
Required roles and authenticating access
Your agency needs to decide before registering who will be the general users and who will be your agency administrator. If you want to purchase public cloud services (SaaS) through Marketplace you will also have to decide who will be your three approvers.
You also need to decide what type of login authentication you will use, and whether or not to link your Marketplace account to your agency's identity management system.
Roles
There are five types of roles that your agency needs to consider and assign when you are joining Marketplace.
Agency administrator
The agency administrator (of which there can be more than one) has the following functions:
- create users and assign roles
- assign SAML/LDAP protocols
- import users
- list and manage agency transactions
- manage payments, if your agency is purchasing online services via Marketplace.
Note that a specialist billing and payment administrator role will be added to Marketplace in the near future. Their functions will be then be removed from the main agency administrator role.
General users
There is no limit to the number of general users you agency can have on Marketplace.
General users on Marketplace can:
- authenticate their own login
- browse suppliers' offerings
- compare suppliers' offerings
- request services and products from suppliers
- review requests
- manage their own subscriptions to services that purchased online through Marketplace.
Approvers
All agencies buying public cloud services (SaaS) will need the following three approvers.
If you have more than one of each type of approver, they are each allocated a primary, secondary or tertiary role. The secondary and tertiary approvers will only be called upon if the previous approver has not approved (or declined) a request for approval within 24 hours of notification.
Security approvers
Security approvers are the first of three approver roles for your agency on Marketplace. You must have at least one security approver, and you can have up to three.
Security approvers can:
- review requests
- review related security artefacts
- approve or decline requests
- edit (or overwrite) the agency's unique reference fields (such as PO number) for allocation and reconciliation purposes.
Business approvers
Business approvers are the second of the three approver roles for your agency on Marketplace. You must have at least one business approver, and you can have up to three.
Business approvers can:
- review requests
- approve or decline requests
- edit (or overwrite) the agency unique reference fields (such as PO number) for allocation and reconciliation purposes.
Finance approvers
Finance approvers are the third type of approver role. If your agency wants to subscribe online to cloud services through Marketplace, you will need finance approvers. If your agency will not be buying services online, you will not need finance approvers.
Agencies buying subscription services must have at least one finance approver, and can have up to three. The finance approver can:
- review requests
- approve or reject requests, and if approved, provides the authorisation for Marketplace to direct debit the agency when purchasing services online
- edit (or overwrite) the agency unique reference fields (such as PO number) for allocation and reconciliation purposes.
Identity and access management
There are currently three types of authentication available through the Marketplace portal. Your agency must decide on one method during registration.
If your agency uses Microsoft Azure Active Directory, you can authenticate at login by setting up:
- SAML protocols, or
- LDAP protocols.
Otherwise, you will need to use the Marketplace email authentication facility.
Contact the Marketplace team for technical guidance to support your chosen method of authentication. The configuration of this facility may require help from the Marketplace team while we are building up our knowledge of active directories
Marketplace does not yet cater for collecting a user's organisational group within their agency, such as division, business unit, or project team. This will be possible in future.