Organization Settings

Each tenant's data and user accounts are segmented into one or more organizations on the Tetra Data Platform (TDP). User accounts within each organization are configured with specific roles and policies. Users can also be assigned specific data access rules to limit what data within an organization each user can see.

Organization administrators can configure the following actions at the organization level on the Organization Settings page:

Organization administrators can also create and manage organizations by using the Manage Organizations page.

🚧

IMPORTANT

Data can't be shared across organizations. Each organization's data is only accessible to user accounts within that organization.

Organization Attributes

All TDP organizations have the following attributes:

View and Manage Your Organization Membership

Your user account's organization (for example, TetraScience) displays at the top left of the TDP user interface under ORGANIZATION. If you belong to more than one organization, you can select the organization name to open a search dialog that allows you to search for and switch to the other organizations that you belong to by entering either their orgslug or name.

To view and manage your membership in one or more organizations, see Manage Your Account.

Access Organization Settings

To view your organization's current settings, do the following:

🚧

IMPORTANT

To configure organization settings, you must sign in to the TDP as an Administrator user.

  1. Sign in to the TDP as a user with an Administrator role.
  2. In the left navigation menu, choose Administration. Then, choose Organization Settings. The Organization Settings page appears.

Organization Settings page

📘

NOTE

The organization's name, compliance settings, and slug display at the top of the page. Login Users and Service Users are listed in separate tabs, which include information about their roles, statuses, and JSON Web Tokens (JWTs).

Rename an Organization

To rename an existing organization, do the following:

  1. Open the Organization Settings page as a user with an Administrator role.
  2. On the Settings tab, in the ORGANIZATION NAME section, select the Edit button. A Rename Organization dialog appears.
  3. For ORGANIZATION NAME, enter the organization's new name.
  4. Choose Rename.

Configure Default Search Settings for an Organization

To configure default Search settings for your organization, do the following:

  1. Open the Organization Settings page as a user with an Administrator role.
  2. On the Settings tab, in the SEARCH section, select the Edit button. An Edit Search dialog appears.
  3. Select default search settings for your organization. For more information, see Filter Options for Search.
  4. Choose Next. A DEFAULT SEARCH COLUMNS pane appears. This pane lets you rename the columns in your default search results or adjust their width, if desired. You can either use and edit any of the default, recommended search columns provided, or select the Use Custom Columns toggle to create your own search result columns, which also provide the ability to hide specific columns.
  5. Choose Finish.

📘

NOTE

When you use recommended columns, the system automatically generates columns based on the filters you're using. Columns are automatically added or removed when the filters change. You can adjust the order and width of the columns, but you cannot add or remove columns. When you use custom columns, you must manually add or remove columns, and the columns remain unchanged when filters change. You can specify the text of each column heading as well as modify the columns' order and widths.

Configure Compliance Settings for an Organization

🚧

IMPORTANT

Make sure that you deactivate the Audit Trail for development environments only. If you deactivate the Audit Trail for production environments, you may not be able to satisfy GxP quality guidelines and regulations.

To activate or deactivate Audit Trail settings for an organization, or to require users to enter a reason for changes to your organization's Audit Trail, do the following:

  1. Open the Organization Settings page as a user with an Administrator role.
  2. On the Settings tab, in the AUDIT TRAIL section, select the Edit button. An Edit Audit Trail Settings dialog appears.
  3. Configure the following settings:
  4. Choose Save.

For more information, see Compliance Settings.

📘

NOTE

The Audit Trail feature is activated for each organization by default. Requiring a Change Reason for Audit Trail changes is an optional setting that requires a GxP license through TetraScience, and isn't activated by default.

Configure Data Access Rules for an Organization

To provide more control over who has access to specific data sets within a TDP organization, organization administrators can define metadata-driven Data Access Rules through Access Groups. By activating Data Access Rules, organization admins can then configure data access permissions for multiple users through Access Groups based on specific file attributes.

Activate Data Access Rules for an Organization

🚧

IMPORTANT

Data access remains open to all TDP users within an organization until an organization administrator configures Access Groups for that organization. After access groups are activated for an organization, all users within that organization must be assigned to an access group; otherwise, they won’t have access to the TDP.

To activate Data Access Rules for an organization, do the following:

  1. Open the Organization Settings page as a user with an Administrator role.
  2. On the Settings tab, in the DATA ACCESS RULES section, select the Edit button. The Edit Data Access Rules Settings dialog appears.
  3. Move the Data Access Rules toggle to the right. Then, choose Save.
  4. Configure Access Groups by following the instructions in Create Access Groups.

Create Access Groups

To create an Access Group and configure Data Access Rules for its members, do the following:

Step 1: Create an Access Group and Configure Its Data Access Rules

  1. Open the Organization Settings page as a user with an Administrator role.
  2. Choose the Access Groups tab. The Access Groups tab appears.
    Access Groups tab
  3. Choose Add Access Group. The Add Access Group dialog appears and displays a Properties section.
    Add Access Group dialog Properties section
  4. For ACCESS GROUP NAME, enter a name for the access group.
  5. For ACCESS GROUP DESCRIPTION, enter a brief description of the access group.
  6. (Optional) To have the new access group activated immediately after it's created, move the ENABLE ACCESS GROUP toggle to the right.
  7. Choose Next. The Data Access Rules section appears.
    Add Access Groups dialog Data Access Rules section
  8. Configure DATA ACCESS RULES for the access group by doing the following:
    • In the AND field, either select the Boolean operator that you want to apply to the data access rule (AND or OR), or choose ALL to grant the access group access to all of the organization's data.

      🚧

      IMPORTANT

      It's recommended that organization administrators do the following:

      • First create an Access Group for your own Administrator account that includes the ALL access rule. This ensures that you aren't locked out of any of your organization's data after Data Access Rules are activated.
      • Add all service tokens that your organization's Agents, Connectors, or applications use to either an access group that includes the ALL access rule or other groups so that they continue to have access to data.
    • In the Select a filter type field, select an attribute filter type for the rule. Two additional fields appear to the right of the filter type.
    • In the is field, select if you want the rule to match the filter value (is), or if you want the rule to exclude group users from viewing files that include the filter value (is not).
    • In the blank field that appears to the right, select a value for the filter.
  9. (Optional) To add more data access rules, select the plus (+) icon. Then, configure the new rule(s) by repeating step 8.
  10. Choose Finish.

Step 2: Add Users to the Access Group

  1. Open the Organization Settings page as a user with an Administrator role.
  2. Choose the Access Groups tab. The Access Groups tab appears and displays the new access group that you created.
  3. Select the new access group. Then, select the Users tab.
  4. Choose Add Users. A list of all of the login users within the organization appears.
  5. Select the check box next to the login users that you want to add to the access group.
  6. Choose Save.
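A pre-activation check for the lockout warning above, added here as an example (it is not TetraScience code and calls no TDP API): it models access groups with the AND / OR / ALL operators and is / is not filters, then lists accounts that would lose access once Data Access Rules are activated. The account names, attribute names, and evaluation semantics (a disabled group grants nothing; membership in several groups grants the union of their access) are assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    filter_type: str       # file attribute the rule tests (hypothetical names below)
    value: str
    negate: bool = False   # False models "is", True models "is not"


@dataclass
class AccessGroup:
    name: str
    operator: str                                # "AND", "OR" or "ALL"
    rules: list = field(default_factory=list)
    members: set = field(default_factory=set)
    enabled: bool = True                         # models the ENABLE ACCESS GROUP toggle


def rule_matches(rule, attrs):
    hit = attrs.get(rule.filter_type) == rule.value
    return not hit if rule.negate else hit


def group_allows(group, attrs):
    if not group.enabled:
        return False
    if group.operator == "ALL":
        return True
    results = [rule_matches(r, attrs) for r in group.rules]
    if not results:
        return False       # a group with no rules grants nothing (fail closed)
    return all(results) if group.operator == "AND" else any(results)


def can_view(account, attrs, groups):
    return any(account in g.members and group_allows(g, attrs) for g in groups)


def locked_out(accounts, groups):
    """Accounts that belong to no enabled access group."""
    covered = set()
    for g in groups:
        if g.enabled:
            covered |= g.members
    return sorted(set(accounts) - covered)


def admins_without_all(admins, groups):
    """Administrators not covered by an enabled group that uses the ALL rule."""
    covered = set()
    for g in groups:
        if g.enabled and g.operator == "ALL":
            covered |= g.members
    return sorted(set(admins) - covered)


# Constructed sample data: login users plus one service user.
ACCOUNTS = ["alice@example.com", "bob@example.com", "carol@example.com", "svc-agent"]
ADMINS = ["alice@example.com"]
GROUPS = [
    AccessGroup("org-admins", "ALL", members={"alice@example.com"}),
    AccessGroup("oncology", "AND",
                rules=[Rule("project", "oncology"), Rule("status", "draft", negate=True)],
                members={"bob@example.com"}),
    AccessGroup("assay-dev", "OR", rules=[Rule("project", "assay-dev")],
                members={"carol@example.com"}, enabled=False),
]

if __name__ == "__main__":
    print("would lose access:", locked_out(ACCOUNTS, GROUPS))
    print("admins without ALL:", admins_without_all(ADMINS, GROUPS))
```

In the sample, the service user and the member of the disabled group are reported, which is the case the recommendation about service tokens is meant to prevent.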

Edit an Access Group

To edit an Access Group and configure Data Access Rules for its members, do the following:

  1. Open the Organization Settings page as a user with an Administrator role.
  2. Choose the Access Groups tab. Then, in the ACCESS GROUPS section, select the access group that you want to edit.
  3. In the ACTIONS section, choose Edit Access Group. The Edit Access Group dialog appears.
  4. Edit the access group's name and description. Then, choose Next.
  5. Edit the access group's data access rules. For instructions, see step 8 in Create Access Groups.
  6. Choose Finish.

📘

NOTE

Non-admin users can view the Data Access Rules for the Access Groups they belong to under My Account in the TDP user interface.

Delete an Access Group

To delete an Access Group, do the following:

  1. Open the Organization Settings page as a user with an Administrator role.
  2. Choose the Access Groups tab. Then, in the ACCESS GROUPS section, select the access group that you want to delete.
  3. In the ACTIONS section, choose Delete Access Group. A dialog appears that asks you to confirm that you want to delete the access group.
  4. Choose OK.

Create Custom Roles

By assigning TDP users and groups custom roles that have specific Policies attached to them, you can grant granular permissions based on common user personas and the Functionality access each requires.

To create a custom role, do the following:

  1. Open the Organization Settings page as a user with an Administrator role.
  2. Choose the Roles tab. The Roles tab appears.
    Roles tab
  3. Choose Add Role. The Add Role dialog appears and displays a Properties section.
    Add Role dialog
  4. For Role Name, enter a name for the role.
  5. (For tenants with single sign-on configured) For SSO Identity Groups, enter your identity provider groups that you want to assign the custom role to. The SSO Identity Groups field doesn't appear in the dialog if your tenant doesn't have SSO configured. To set up multiple IdPs with custom roles, see Add Multiple IdPs with Custom Roles to the TDP in the TetraConnect Hub. To request access, see Access the TetraConnect Hub.

    📘

    NOTE

    Any user logging in through SSO that belongs to the mapped IdP group will automatically be assigned the custom role you create during their next login. Keep in mind that TDP users authenticated through SSO are managed through your identity provider (IdP), not the TDP. If you're using SSO for authentication, you must manage users through your IdP directly.

  6. For Role Description, enter a brief description of the role.
  7. Choose Next. The Policies section appears.
    Add Role Policies section
  8. From the left Policies list, choose one or more policies to assign to the role. Permissions for each platform Functionality display in the right table. For a complete list of policies and their permissions, see Policies.
  9. Choose Finish.

To assign a custom role to a user, see Edit a user role.

Manage User Accounts

🚧

IMPORTANT

If your tenant uses SSO for authentication, keep in mind the following when managing TDP user accounts:

  • TDP users authenticated through SSO are managed through your identity provider (IdP), not the TDP. If you're using SSO for authentication, you must manage users through your IdP directly.
  • If you remove users from your IdP, those users are not removed from the Login Users tab on the Organization Settings page. Deleted IdP users will still appear on the Login Users tab; however, they don't have access to the TDP after you delete them from your IdP.

Organization administrators can manage User accounts through the following actions on the Organization Settings page in the Login Users tab:

Login Users tab

Filter User Accounts

To filter the list of user accounts on the Organization Settings page, you can do any of the following:

  • To search for a specific user, enter their username in the USER column search box.
  • To display users by their role type, select the role type that you want to filter by from the USER ROLE column drop-down list.
  • To display only active or only inactive users on the list, choose either Active or Disabled from the USER STATUS column drop-down list.
  • To display users by their personal JSON Web Token (JWT) status, select the token status that you want to filter by from the TOKEN STATUS column drop-down list.
  • To display users by the date that their personal JWT was created, select the date that you want to filter by from the TOKEN CREATED column drop-down list.
  • To display users by the date their personal JWT expired, select the date that you want to filter by from the TOKEN EXPIRY column drop-down list.

Add a New User

To create a new user within an organization, do the following:

  1. Open the Organization Settings page as a user with an Administrator role.
  2. On the Login Users tab, choose Add Login User. The Create Login User dialog appears.
  3. Add the first name, last name, email, and password for the new user. Then, assign an organization role to the user.
  4. Choose Create.

📘

NOTE

As an Administrator, you can allow users to be members of multiple organizations with different permissions. You can also customize access to the TDP for sensitive projects and teams specific to your company. When a user first logs in to the TDP, the user defaults to the organization with the highest level of access. If multiple organizations exist with the same level of access, then their access defaults to one of the listed organizations, based on alphabetical order.

Edit a User Role

To edit a login user's organizational role, do the following:

  1. Open the Organization Settings page as a user with an Administrator role.
  2. Select the Login Users tab. A list of all of the current organization's login users appears.
  3. Locate the user that you want to edit. Then, on the right of that user's row, select the hamburger menu icon. A menu appears.
  4. Choose Edit User. The Edit Login User dialog appears.
  5. Select an organizational role for the user.
  6. Choose Save.

Deactivate or Delete a User Account

📘

NOTE

You can deactivate a user's account for a particular organization. If the same user has access to multiple organizations, then their access to those other organizations isn't deactivated.

To deactivate or delete a login user's account, do the following:

  1. Open the Organization Settings page as a user with an Administrator role.

  2. Select the Login Users tab. A list of all of the current organization's login users appears.

  3. Locate the user that you want to deactivate or delete. Then, on the right of that user's row, select the hamburger menu icon.

  4. To deactivate the user's account, choose Disable User.

    -or-

    To delete the user's account, choose Delete User.

  5. A warning message appears that asks you to confirm the action. To confirm the action, choose OK.

🚧

IMPORTANT

If you delete a user's account, you can't reactivate it. Instead, you must create a new user account for the user to reactivate them.

Activate a Deactivated User Account

To activate a deactivated login user's account, do the following:

  1. Open the Organization Settings page as a user with an Administrator role.
  2. Select the Login Users tab. A list of all of the current organization's login users appears.
  3. Locate the user that you want to reactivate. Then, on the right of that user's row, select the hamburger menu icon. A menu appears.
  4. Select Enable User.

Reset User Account Passwords

To request that a login user resets their account password, do the following:

  1. Open the Organization Settings page as a user with an Administrator role.
  2. Select the Login Users tab. A list of all of the current organization's login users appears.
  3. Locate the user whose password you want to reset. Then, on the right of that user's row, select the hamburger menu icon. A menu appears.
  4. Choose Reset password. A warning message appears that asks you to confirm that you want to send the user an email to reset their TDP password.
  5. Choose OK.

Log Out an Active User

To force an active user to log out, do the following:

  1. Open the Organization Settings page as a user with an Administrator role.
  2. Select the Login Users tab. A list of all of the current organization's login users appears.
  3. Locate the user that you want to force to log out. Then, on the right of that user's row, select the hamburger menu icon. A menu appears.
  4. Choose Log Out User. A dialog appears asking you to confirm that you want to force the selected login user to log out.
  5. Choose OK.

Manage SQL Access for Login Users

To view and manage SQL credentials for login users, do the following:

  1. Open the Organization Settings page as a user with an Administrator role.
  2. Select the Login Users tab. A list of all of the current organization's login users appears.
  3. To view the current status of each login user's SQL credentials, review the SQL CREDENTIALS column. Yes indicates that the user has valid SQL credentials. No indicates that the user doesn't have SQL credentials.
  4. To remove a login user's SQL credentials, do the following:
    • Select the hamburger menu icon in the far right of the user's row. A menu appears.
    • Select Revoke SQL Access Creds.

Manage Service Users

Organization administrators can manage Service User accounts (service accounts for applications integrated with the TDP) through the following actions on the Organization Settings page:

Service Users tab

Service Users Tab Fields

The following table describes the fields in the Service Users tab.

| Field | Description |
| --- | --- |
| Add Service User | Create a service user |
| Hamburger menu | Edit User, Disable User, Rotate SQL Access Creds, Revoke SQL Access Creds, Generate Token, Delete User |
| USER | Lists the user name (includes a search field) |
| USER ROLE | Filters the list of users to display on the page: Administrator, Member, or Read Only. Note: Select All (default) to show all user accounts. |
| USER STATUS | Filters the list of users to display on the page: Active or Disabled. Select All (default) to show all user accounts. |
| SQL CREDENTIALS | Shows if the user has valid SQL credentials (Yes) or not (No). |
| TOKEN | Displays the token generated for the service user (you can copy the token to your clipboard) |
| TOKEN STATUS | Filters the list of users to display on the page: Active, Disabled, Expired, or No Token user accounts. Note: Select All (default) to show all user accounts. |
| TOKEN CREATED | Shows when the token was created |
| TOKEN EXPIRY | Shows the expiration date for the token, if there is one (has a date filter) |

Add a Service User

To add a new service user, do the following:

  1. Open the Organization Settings page as a user with an Administrator role.
  2. Select the Service Users tab. A list of all of the current organization's service users appears.
  3. Choose Add Service User. The Add Service User dialog appears.
  4. For NAME, enter a name for the service user.
  5. For ORGANIZATIONAL ROLE, choose a role for the service user.
  6. For TOKEN EXPIRES, enter the amount of time in days that the service user's access token automatically expires. You can choose any expiration period between 1 and 720 days. An expiration date is required for all access tokens.
  7. Choose Add.

Edit a Service User Role

To edit an existing service user role, do the following:

  1. Open the Organization Settings page as a user with an Administrator role.
  2. Select the Service Users tab. A list of all of the current organization's service users appears.
  3. Locate the service user that you want to edit. Then, on the right of that service user's row, select the hamburger menu icon. A menu appears.
  4. Choose Edit User. The Edit Service User dialog appears.
  5. Select an organizational role for the service user.
  6. Choose Edit. Then, edit the service user's role.

Deactivate or Delete a Service User

To deactivate or delete a service user account, do the following:

  1. Open the Organization Settings page as a user with an Administrator role.

  2. Select the Service Users tab. A list of all of the current organization's service users appears.

  3. Locate the service user that you want to deactivate or delete. Then, on the right of that user's row, select the hamburger menu icon. A menu appears.

  4. To deactivate the service user's account, choose Disable User.

    -or-

    To delete the service user's account, choose Delete User.

Activate a Service User

To activate a service user account, do the following:

  1. Open the Organization Settings page as a user with an Administrator role.
  2. Select the Service Users tab. A list of all of the current organization's service users appears.
  3. Locate the service user that you want to activate. Then, on the right of that service user's row, select the hamburger menu icon. A menu appears.
  4. Select Enable User.

Generate a JWT for a Service User

📘

NOTE

You can generate a JWT for a service account, regardless of your TDP user role.

To generate a JSON Web Token (JWT) for a service user account, do the following:

  1. Open the Organization Settings page as a user with an Administrator role.
  2. Select the Service Users tab. A list of all of the current organization's service users appears.
  3. Locate the service user that you want to generate a JWT for. Then, on the right of that service user's row, select the hamburger menu icon. A menu appears.
  4. Choose Generate Token. The Generate New Token dialog appears.
  5. In the TOKEN EXPIRES field, enter the number of days that you want the token to be valid for (1 to 720 days).
  6. Choose Generate token.
  7. Choose Copy Token to copy the token to your clipboard.
  8. Choose OK.

Manage Service User SQL Access

To manage a service user's SQL credentials, do the following:

  1. Open the Organization Settings page as a user with an Administrator role.
  2. Select the Service Users tab. A list of all of the current organization's service users appears.
  3. Locate the service user that you want to manage SQL access for. Then, on the right of that service user's row, select the hamburger menu icon. A menu appears.
  4. Do one of the following:
    • To create SQL credentials for a login user that doesn't have existing SQL credentials, select Generate SQL Access Creds.
    • To rotate a user's SQL credentials, select Rotate SQL Access Creds.
    • To remove a user's SQL credentials, select Revoke SQL Access Creds.

🚧

IMPORTANT

For security reasons, the OAuth 2.0 authentication method introduced in TDP v4.0.0 enforces the following restrictions:

  • Non-expiring Service User tokens are no longer allowed. All access tokens must have an expiration date.
  • Users can copy an access token only when it's first generated. They can no longer copy it from the TDP user interface afterward.
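Because a service user token can be copied only once and always expires, it helps to inventory the tokens held in your own secret store. The following added example (not TetraScience code) decodes a JWT payload locally and flags tokens that have no expiry, are expired or close to expiry, or exceed the 720-day limit stated on this page. It assumes the tokens carry the standard `iat` and `exp` claims from RFC 7519; the sample tokens are constructed and unsigned.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

MAX_LIFETIME_DAYS = 720  # upper bound for TOKEN EXPIRES stated on this page


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Return the payload claims. The signature is NOT verified: this is for
    inventory of tokens you already hold, never for authentication decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def audit_token(token, now, warn_days=30):
    """Return a list of findings for one token (an empty list means none)."""
    claims = jwt_claims(token)
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None:
        return ["no-expiry"]
    findings = []
    expires = datetime.fromtimestamp(exp, tz=timezone.utc)
    if expires <= now:
        findings.append("expired")
    elif expires - now <= timedelta(days=warn_days):
        findings.append("expiring-soon")
    if iat is not None:
        lifetime = expires - datetime.fromtimestamp(iat, tz=timezone.utc)
        if lifetime > timedelta(days=MAX_LIFETIME_DAYS):
            findings.append("lifetime-over-policy")
    return findings


def make_sample(claims):
    """Build a constructed, unsigned token for the demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed"


def ts(dt):
    return int(dt.timestamp())


NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for repeatable output
SAMPLES = {  # constructed service user names and tokens
    "svc-healthy": make_sample({"iat": ts(NOW - timedelta(days=10)),
                                "exp": ts(NOW + timedelta(days=80))}),
    "svc-rotate-me": make_sample({"iat": ts(NOW - timedelta(days=85)),
                                  "exp": ts(NOW + timedelta(days=5))}),
    "svc-expired": make_sample({"iat": ts(NOW - timedelta(days=91)),
                                "exp": ts(NOW - timedelta(days=1))}),
    "svc-too-long": make_sample({"iat": ts(NOW - timedelta(days=1)),
                                 "exp": ts(NOW + timedelta(days=999))}),
    "svc-legacy": make_sample({"iat": ts(NOW - timedelta(days=400))}),
}


def audit_all(tokens, now):
    return {name: audit_token(tok, now) for name, tok in tokens.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES, NOW).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```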

Create Organization-Level Announcements

📘

NOTE

If you create an ANNOUNCEMENT at the organization level, the message is cascaded to all users across that organization. Announcements are shown one time for each user login.

To create an announcement for all users in your tenant, across all of your organizations, see Create Tenant-Level Announcements.

To create an announcement to display to all users in an organization when they log in, do the following:

  1. Open the Organization Settings page.
  2. In the ANNOUNCEMENT tile, choose Edit. An Edit Announcement dialog appears.
  3. In the Markdown section, enter your message using standard Markdown syntax. A preview of the display message appears in the Preview section.
  4. Choose Save.

Turn Off Organization-Level Announcements

To turn off an organization-level announcement after it's created, do the following:

  1. Open the Organization Settings page.
  2. In the ANNOUNCEMENT tile, choose Edit. An Edit Announcement dialog appears.
  3. In the Markdown section, delete the existing message.
  4. Choose Save. The Announcement tile on the Organization Settings page displays a Disabled button and says No announcement.