This article provides an overview of Zuora OneID, including the key features and concepts, such as organization, tenant, user, user role, and user group.
This feature is in the Early Adopter phase. We are actively soliciting feedback from a small set of early adopters before releasing it to all customers. To join this early adopter program, submit a request at Zuora Global Support and sign the EA agreement form with the Zuora OneID option selected to enable the feature.
Zuora OneID, hosted on one.zuora.com, is a centralized user and role management module that helps you manage user account provisioning across Zuora tenants in your organization.
Zuora OneID provides simplicity and flexibility in user and role management. In OneID, you use user roles to manage and customize the permissions for each permission group in your Zuora tenants. You can combine user roles across the permission groups as a user group, and assign these combined user roles to users instead of separate roles for each permission group.
After you add a user to a user group, this user obtains all permissions and gains access to the corresponding Zuora tenants. Then, this user can use OneID as a single entry point to access each Zuora tenant with one click.
For more information about how to get started, see Get started with OneID.
- Unified and simplified user management experience: Organization administrators can centrally manage user access to different Zuora tenants. It only takes a few clicks to define user roles for a tenant and add the user roles to user groups as needed.
- Single access point to all tenants: Users can access different Zuora tenants from a single entry point with a single credential, reducing password fatigue caused by the need to manage multiple credentials.
- Improved extensibility: It enables manual auditing and merging data from identity providers (IdPs) to meet regulatory requirements.
- Strong security: It enhances the security in user management by preventing the situation of assigning users higher permission than they need due to manual user provision.
Organization and tenants
An organization refers to a company contracted with Zuora. A tenant refers to a Zuora tenant in any environment or type. Typically, an organization owns multiple tenants for different purposes, such as development, testing, and production.
A OneID user refers to a user account in OneID. A user represents a person with a specific identity (for example, administrator, developer, operator, and so on) in your organization.
There are two user types in OneID: Organization Admin and Standard User.
Organization admins have access to the OneID Admin Console, where they can create or edit users, user roles, and user groups for your organization. In addition, organization admins can perform any actions that standard users can do, such as link tenant users, and access Zuora tenants with OneID.
The capabilities of an organization admin are as follows:
Standard users use OneID as a single entry point to access Zuora tenants.
The capabilities of a standard user are as follows:
Distinguish OneID users from tenant users
Tenant users refer to users created in Zuora tenants. Similar to OneID users, a tenant user represents a specific identity in your Zuora tenant.
To access a Zuora tenant with OneID, you need to link a tenant user in that tenant to your OneID user. Then, you can access the tenant on your OneID portal.
The following table shows examples of common identities in OneID and your Zuora tenants, and the relationships between these identities.
|Employee||Responsibility||Identity (user type) in OneID||Identity in Zuora tenants|
|Employee A||Running your organization||Organization admin||Administrator|
|Employee B||Managing user accounts in OneID||Organization admin||N/A|
|Employee C||Managing user accounts in your Zuora tenants||Standard user||Administrator|
|Employee D||Managing transaction data in your Zuora tenants||Standard user||Operator|
|Employee E||Developing transaction system for your organization||Standard user||Developer|
In this example, the only task for employee B is managing user accounts in OneID; this employee does not need to log in to your Zuora tenants. So the identity of this employee in OneID is organization admin, and there is no corresponding tenant user in your Zuora tenants.
However, employee C, who manages tenant user accounts, is a standard user in OneID, and an administrator in your Zuorate tenants.
For more information, see Access Zuora tenants with OneID and Link tenant users to OneID.
OneID user roles
A OneID user role represents a user identity with permissions for Zuora products in a specific Zuora tenant.
A OneID user role consists of a group of tenant user roles in a Zuora tenant. This group of tenant user roles defines permissions for Zuora products such as Zuora Platform, Billing, Payments, Finance, Commerce, Reporting, and Insight. You can customize user roles in OneID to meet your business needs.
The following table shows three examples of OneID user roles and subordinate tenant user roles in a specific Zuora tenant:
- User Role A: an administrator user role of this Zuora tenant
- User Role B: a standard user role of this Zuora tenant
- User Role C: a customized user role of this Zuora tenant
|Zuora product||User Role A||User Role B||User Role C|
|Zuora Platform||Administrator||Standard User||Customized Platform User|
|Billing||Zuora Billing Standard User||Zuora Billing Standard User||Zuora Billing Standard User|
|Payments||Zuora Payments Standard User||Zuora Payments Standard User||Zuora Payments Standard User|
|Finance||Zuora Finance Administrator||Zuora Finance Standard User||Zuora Finance Administrator|
|Commerce||Zuora Commerce Admin User||Zuora Commerce Standard User||Zuora Commerce Standard User|
|Reporting||Zuora Reporting Administrator||Zuora Reporting Standard User||Zuora Reporting Standard User|
|Insight||Zuora Insights Administrator||Zuora Insights Standard User||Zuora Insights Standard User|
For more information, see Manage user roles in OneID.
Distinguish OneID user roles from tenant user roles
Tenant user roles are user roles created in a Zuora tenant. A tenant user role defines permission for a specific Zuora product. In contrast, a OneID user role contains a set of tenant user roles, which includes permissions for all Zuora products in that tenant.
In the above example, User Roles A, B, and C are of OneID. Zuora Billing Standard User, Zuora Payments Standard User, and Zuora Commerce Admin User are tenant user roles.
For more information about tenant user roles and permissions in Zuora tenants, see User roles.
OneID user groups
A OneID user group contains a group of Zuora tenants and the corresponding OneID user roles.
You can add a user to one or multiple user groups. The first group a user is added to has the highest priority by default. The administrator can adjust the priority manually.
If a specific tenant is defined in multiple groups which contain the same user, the user inherits user roles and permissions from the highest-priority group.
If a specific tenant is not defined in the highest-priority group, but defined in a user group with a lower priority, the user inherits user roles and permissions from the lower-priority group.
The following table shows two examples of user groups and subordinate user roles:
|OneID user group||OneID user role||User group priority|
|Group 1: Billing Manager||
|Group 2: Billing User||
In this example, if a user is added to both Group 1 and Group 2 (Group 1 has a higher priority), this user gets the following user roles:
- Billing Manager Role for Prod Tenant
Because both groups contain a user role for Prod Tenant, the user inherits this user role from a higher-priority group (Group 1).
- Billing User Role for SBX Tenant
Because only Group 2 contains a user role for SBX Tenant, the user inherits this user role from a lower-priority user group (Group 2).
For more information, see Manage user groups in OneID.