Tenant administration

This guide provides guidance and recommendations on how to set up Spark user groups, users, and API keys.

• This content mainly relates to the pages Manage users and Authorization - API keys.

• Please read our Get started in 5 minutes page before using this guide.

Relevant Spark terminology

• First check if your tenant has been set up as a Private tenant. This is denoted in the User menu.

  • In a Shared tenant, all users have access to all folders and services within a tenant.

  • In a Private tenant, users have restricted access to folders and services:

• After an Excel file has been uploaded to Spark and the logic is converted to code, it is referred to as a service.

• Folders are used to organize multiple services together.

• User permissions can be applied to the folder level.

Add customized user groups

An organization may contain different teams who should have separate access to services in Spark. Some examples could include:

• Finance team and marketing team manage calculation and logic.

• American and Canadian branches of an organization.

• A research team working on a sensitive project.

• An audit team that needs only read permissions.

If your tenant has been set up as a Private tenant, separate user groups can be created to separate access different groups of users.

1. Follow the steps in Add user groups to create the relevant user groups representative of the organization. Custom user groups must begin with user:. Examples could include: user:audit, user:canada, user:finance.

Add tenant administrators

You will likely need to have multiple tenant administrators who can also manage Active services, Authorization - API keys, User groups, andUsers.

1. Follow the steps in Add users and create an account for the other tenant administrators.

   • These accounts should be created with membership in user:pf and tenant-admin user groups.

   • If this is a Private tenant, it is recommended that all tenant-admins are also added to the supervisor:pf user group. This enables tenant-admins to see all the folders within your tenant. This is not enabled by default.

Add supervisor users

There may be a need for intermediate-level users who don't have tenant administrator privileges but can manage all folders on a tenant. In this case, supervisor users can be created. This could for example be where an IT team is responsible for account administration and a team leader needs to be able to manage different folders in Spark.

1. Follow the steps in Add users and create an account for supervisors.

   • These accounts should be created with membership in user:pf and supervisor:pf user groups.

Add additional users

1. Follow the steps in Add users and create an accounts for Spark users.

   • All users must be members of user:pf to login to Spark.

   • If this is a Private tenant, users can also be assigned to the user groups added earlier.

2. Tell teams about this user guide and Coherent Academy!

Add folders with specific permissions

1. If user groups have been created in the previous step, it may help to initialize working folders for the organization with different permissions.

2. Follow the steps in Add a new folder to create additional folders.

3. Follow the steps in Set permissions on folders via API to add the customized team groups and the appropriate permissions.

   • For example, this could be a Finance projections folder with permissions assigned to user:finance users.

   • Only add user:pf to a folder in a Private tenant if all users should be able to access this folder.

Add API keys for calling Spark APIs

API Keys can be used to integrate with the Execute API and other management APIs in Permissions - Features permissions.

• In Spark, you must create an API key group first.

• API key groups can contain multiple API key instances.

  • A key instance would correspond to an API key that is used for authentication.

  • Multiple key instances are useful for managing key rotation, where the to-be-deactivated, expiring key and the next API key have an overlap for continuity.

• An API key group represents the combined access rights of multiple user groups.

Follow the steps in Add API key groups to create the first API key group.

1. If this is a Shared tenant, we recommend making the initial API key one that can access all Spark services. Do so by assigning the user group user:pf to the API key group.

2. If this is a Private tenant, then assign the appropriate user groups created earlier.