A user account gives an employee in intelliHR access to the intelliHR platform (i.e. allows them to sign in and view their dashboard, and conduct business as usual activities). A person can exist in intelliHR without a user account being assigned to them, however they won’t be able to sign into the platform.
User accounts can be created and managed via intelliHR’s public API.
This article covers:
- What is a User Account in intelliHR?
- Creating a User
- User Synchronisation
- Updating a User
- Key Considerations
- FAQs
What is a User Account in intelliHR?
A user account gives an employee in intelliHR access to the intelliHR platform (i.e. allows them to sign in and view their dashboard, and conduct business as usual activities). A person can exist in intelliHR without a user account being assigned to them, however they won’t be able to sign into the platform.
User accounts also provide the basis for permissions management in intelliHR. Permission Groups allow system administrators to delegate different levels of access in intelliHR to users. A user account usually has a permission groups assigned to them and can be managed by the intelliHR API.
User management refers to the process of creating and updating user accounts within intelliHR. This can be done using our public API to allow for programmatic access to the user management functionality.
User management via the API involves making HTTP requests to the users endpoint. Using users endpoint, you can Create, Find and Update user accounts in intelliHR.
Creating a User
The "create a user" endpoint is an API endpoint that allows a client application to create a new user account within intelliHR. This endpoint is used to register new users and implemented as an HTTP POST request.
The person
object included in this request identifies which person in intelliHR, the user account should be assigned to. While you can include all of the filtering fields in this example, this is not mandatory. It is recommended that you use one unique identified (ID or primaryEmailAddress).
The permissionGroups
object asserts what permissions the user account should be created with. You can adjust different permission groups in your tenant Permission settings. The permissionGroups
ID, can be found in the URL of the relevant permission group.
Settings > Permissions > Edit
Alternatively, you can List All Permission Groups by making a HTTP GET request to the /permission-groups
endpoint.
To create a user account, perform a POST request.
"url": https://api.intellihr.io/v1/users
"method": 'POST'
"headers": {
"Content-Type": 'application/json',
"Accept": 'application/json',
"Authorization": `Bearer ${apikey}`,
"Tenant": tenantname
}
{
"isEnabled": true,
"username": "BruceWayne",
"person": { "id": "8a5f3ea6-ea6b-4425-8a87-3c256bb7b6f9",
"name": "Bruce Wayne",
"primaryEmailAddress": "bruce.wayne@example.com",
"employeeNumber": "00001",
"autoIncrementIntellihrId": "1000"
},
"permissionGroups": [
"fd652f39-db15-4a12-8c71-a48358ee9709"
]
}
User Synchronisation
Many of our customers need to keep their user accounts synchronised between intelliHR and their other systems (i.e. Active Directory, Identity Management Provider). Synchronising intelliHR with your AD / IdP can help streamline the process of granting employees access to the resources they need to do their jobs. Keeping your users accounts in sync ensures that your employees have appropriate level of access to the resources they need.
Accessing Active Users
In order to keep user accounts in sync with intelliHR, you first need to know which users are active. There are two ways you can access active users via the intelliHR API.
List All Users
The "list all users" endpoint allows a client application to retrieve a list of all user accounts within intelliHR. This endpoint is typically used to retrieve a complete list of all users, along with their associated information.
To use the "list all users" endpoint, the client application would make an HTTP GET request to the endpoint URL.
"url": https://api.intellihr.io/v1/users
"method": 'GET'
"headers": {
"Content-Type": 'application/json',
"Accept": 'application/json',
"Authorization": `Bearer ${apikey}`,
"Tenant": tenantname
}
Keep in mind, like all list all endpoints we support, you'll need to account for pagination.
Updating a User
The "PATCH a User by ID" endpoint allows a client application to update an existing user account within intelliHR. This endpoint is typically used to enable or disable existing user accounts.
"url": https://api.intellihr.io/v1/users/{id}
"method": 'PATCH'
"headers": {
"Content-Type": 'application/json',
"Accept": 'application/json',
"Authorization": `Bearer ${apikey}`,
"Tenant": tenantname
}
{
"isEnabled": true,
"username": "BruceWayne"
}
Key Considerations
Timing
Creating a user account via the API will provide that user access to intelliHR so you may want to consider when to automate this activity. Some businesses will want users to login and use intelliHR before their first day of employment, others may wait until a work email is provisioned, others may wait until the user’s first day of employment.
Where an Active Directory handles centralised identity management, this system will usually dictate when a user is created in intelliHR. Keep in mind that when the POST to create a user account is performed, the new user will receive a welcome email.
Standardisation
The username field is the human-friendly username a person will use to access intelliHR - you may want to consider a standardised approach, for example, firstname.lastname or the user’s work email address or some other value that employee will recognise and be expecting to use.
Single Sign On
If you’re building from an Identity Management platform (or similar active-directory service) to intelliHR and intend to have users log in via single sign-on, it’s important to consider which field will be used to match users to your Active Directory / IdM.
When someone attempts to log into intelliHR from a SAML authentication flow, we check the incoming claim attribute NameID and create a session for a matching user account with the following rules. If a match cannot be found the next rule will be evaluated:
- If there is an intelliHR user account with an SSO ID configured that matches the incoming NameID
- If there is an intelliHR user account with a Primary Email Address that matches the incoming NameID
- If there is an intelliHR user account with the Username that matches the incoming NameID
- If there is an intelliHR user account with the Employee Number that matches the incoming NameID
If we cannot find a match for any of these four values, we throw an error for the user.
Once an SSO configuration is enabled, the login page will change allowing users to get redirected back to your identity provider (SP-initiated sign-on) rather than providing the normal username/password login form.
💡 intelliHR doesn’t currently allow SSO ID to set via the API as this is the
‘fallback’ field for SSO matching and must be asserted by a system administrator
from within intelliHR.
It’s important to review your set up to ensure that your automation is asserting the right value for your chosen field above to allow users to be matched for authentication.
Security
Because permissions within intelliHR dictate who and what a user can see, it’s important to carefully review automated permission assignment.
As a general rule, we suggest only automatically assigning the default staff member
permission group where possible and encouraging system administrators to log in to intelliHR to provide elevated permissions manually. This ensures a clear audit trail of who is provisioning elevated permissions and at what time.
Permission checking in platform is performed just-in-time, so if you do need to update a user's permissions in a hurry, this will be reflected in the platform the next time they perform an action in intelliHR.
FAQ's
?Why aren’t all the permissions I see in intelliHR available via the API ?
Some permissions, like system administrator, are not available via the API as they provide complete system access.
?Why can user accounts be enabled and disabled, but not deleted ?
Enabling and disabling user accounts alters access for the user but retains the historical data for the employee. This also allows users to be reactivated later if they rejoin the business.
Users can be manually deleted via the intelliHR platform by an administrator if necessary.
?What’s the use-case for creating a disabled user account ?
Sometimes you’ll want to create a user account and populate it with a work email before you’re ready for the user to log in - this can be useful when users should only be provided access on their first day of employment, or when a user may be provided access to intelliHR after some other system action has been completed.
Tip: For information on creating and managing user accounts via the intelliHR API, contact your friendly intelliHR Integration Team! You can reach them at integrations@intellihr.com