Having Service Providers on one side and Customers on the other implies two classes of Users: one class representing the Service Provider, the other class representing Customers.
These classes of Users will have different Roles indicating their type of business. A Role contains a set of Permissions and links these Permissions to one or more Users on one hand, and to one or more Customers on the other hand. Customers are therefore the smallest entity that Permissions can be assigned to. In addition, there are Permissions that are not based on a certain Customer but are assigned to all Customers in an Avantra environment, like the Permission to define a Monitoring Parameter Set.
Permissions are inherited automatically in case a Customer hierarchy is defined. Permissions assigned to the Root Customer are inherited by all Customers.
In addition to being linked directly to Users, Roles can also be linked to Groups of Users. In other words, Avantra uses a role-based access control scheme.
If you do not want to assign a User to a Customer using Roles, you can assign the User directly. In this case, Permissions are assigned by means of a Permission Set. A Permission Set is essentially a Role that implicitly contains the Customer the User is directly assigned to. Permission Sets allow the Service Provider to delegate User Management to their Customers.
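The access model described above can be sketched as a small resolver, which is useful when reviewing who ends up with which Permission on which Customer. This is an added illustration, not Avantra code or its API: all class, function and Permission names are hypothetical, the sample data is constructed, and attaching the Customer-independent Permissions to a Role is an assumption of the sketch.

```python
from dataclasses import dataclass

# Constructed sample hierarchy: child Customer -> parent Customer.
PARENT = {"ACME": "Root", "ACME-EU": "ACME", "Globex": "Root"}

@dataclass(frozen=True)
class Role:
    permissions: frozenset                       # Customer-based Permissions
    customers: frozenset = frozenset()           # Customers the Role is linked to
    global_permissions: frozenset = frozenset()  # apply to all Customers

@dataclass(frozen=True)
class User:
    roles: tuple = ()            # Roles linked directly to the User
    groups: tuple = ()           # names of Groups the User belongs to
    customer: str = ""           # direct Customer assignment, if any
    permission_sets: tuple = ()  # frozensets of Permissions

def lineage(customer):
    """The Customer itself followed by its ancestors up to the root."""
    chain = []
    while customer is not None:
        chain.append(customer)
        customer = PARENT.get(customer)
    return chain

def effective_permissions(user, customer, group_roles):
    """Permissions `user` holds on `customer`, including inherited ones."""
    scope = set(lineage(customer))
    roles = list(user.roles)
    for group in user.groups:
        roles += group_roles.get(group, ())
    # A Permission Set acts as a Role scoped to the User's own Customer.
    if user.customer:
        roles += [Role(ps, frozenset({user.customer})) for ps in user.permission_sets]
    granted = set()
    for role in roles:
        granted |= role.global_permissions
        if role.customers & scope:  # linked to this Customer or an ancestor
            granted |= role.permissions
    return granted

# Constructed sample Roles, Group and Users.
OPERATOR = Role(frozenset({"view_systems"}), frozenset({"Root"}))
ACME_ADMIN = Role(frozenset({"edit_systems"}), frozenset({"ACME"}),
                  frozenset({"define_monitoring_parameter_set"}))
GROUP_ROLES = {"acme-admins": (ACME_ADMIN,)}
alice = User(roles=(OPERATOR,), groups=("acme-admins",))
bob = User(customer="Globex", permission_sets=(frozenset({"manage_users"}),))
```

Running the resolver over every User and Customer pair gives a flat view of effective access, which makes unintended grants through the Root Customer or through Group membership easy to spot.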
User Authentication is based on User IDs and passwords, and a Password Policy can be enforced. This policy may define a minimum password length, an expiration period, a minimum number of special characters and so on.