Contents

User management with Identity

The good news is there is no change to the way you maintain employees/users once Identity is enabled in T&A, this article just covers some things which may be helpful to know.

Unique email address

Any employee/user that needs to login to the web/mobile app must have a unique email address, so that they can be synced to an Identity SSO account.

New email field on User record

For Users, there is a new field called Email for SSO on the user screen in the web and windows app.

Sync to Identity SSO account

Once an email is updated on a new/existing employee or user there is a background process that will sync the record in T&A to an Identity SSO account, the SSO Account Status will indicate if the sync was successful and the employee/use is able to login.

Don't worry if SSO accounts already exist in Identity because you onboarded Identity in other OneAdvanced product first. T&A will check if the email exists and link to an existing SSO account if one is there for the same email, otherwise a new SSO account is created.

Audit/History

Changes to the employee Email address and User Email for SSO fields are included in the systems standard Audit and History functions.

Access to windows apps.

Supervisors who need to access the windows app will still require a T&A password, they can use an existing password or set a new password for new user records.

Deleting an employee/user

Deleting employee/user will not impact their SSO account, as T&A may not be the only OneAdvanced product using the SSO account. However, you can manage SSO accounts via the Identity Service platform application, should you wish to deactivate the account.

Adding/removing Leave Date

Adding a Leave Date will not impact their SSO account, as T&A may not be the only OneAdvanced product using the SSO account. However, you can manage SSO accounts via the Identity Service platform application, should you wish to deactivate the account.

The employee will still be prevented from accessing the T&A application after the leave date.

If the Leave Date is removed then the employee will be able to access T&A, as long as no changes have been made to their SSO account that would prevent this.

SSO Account Status

In the web app there is a new flag on the Employee Details and Maintain Users screens called SSO Account Status, this will indicate whether the sync between T&A and Identity is pending, successful or failed. The sync can take a few minutes but you do not have have to wait for it to complete as it is a background process you can just continue to use the system.

  • Pending indicates that this record has not yet been processed by the sync process and the user/employee is not able to login yet.
  • Success indicates that the user/employee T&A record has been successfully linked to an SSO account using their email address and they can login to the web app.
  • Failure indicates that the process was not able to sync the T&A record to an SSO account and therefore the user/employee is not able to login. You can click the SSO Account Status field to view the reason the record failed in order to try and correct any data, so that the sync can be attempted again.

Linked user and employee accounts

Once Identity is enabled an employee and user can only be linked once, as they must share the same email address.

As long as a linked employee has a unique email address, the Email for SSO field will be automatically updated by the sync process and both employee and user will be synced to the same SSO Identity account. This means on upgrade the new Email for SSO field on the User record only needs to be populated where the sync cannot identify a unique email.

Switching between an employee and linked supervisor user will be much quicker and easier with Identity enabled, as you will be taken directly to the dashboard view, and will no longer be required to login again.

Was this article useful?

OneAdvanced Identity guidance

OneAdvanced Identity FAQs

Contact