Introduction

The Organizations page of the Management Console provides the ability to define and manage who can participate in integration projects. Jitterbit Harmony supports the ability for a user to have multiple roles in multiple organizations.

Once your Jitterbit organization is created, only Administrators will be able to access it until they follow the instructions below to add each member to your organization and define their permissions with roles.

TIP: After you set up members and roles for your organization, you will also need to grant those roles access to your environment. For more information, see Environments.

To access the Organizations page, log in to the Jitterbit Harmony Portal, then click the orange hamburger menu in the top left:

From the menu, hover over Management Console and select Organizations:

NOTE: Make sure you are accessing the desired organization. In the top navigation bar, use the dropdown that appears between your name and Help to switch between organizations.

Managing Organizations

Administrators for each organization manage the information, preferences, and policies that apply across the entire organization.

View Organizations

The top section of the Organizations page contains a table that shows all the organizations that you have access to:

Initially you will have access to two organizations:

  • Company Organization: Identified in the table by the name of your company, this is the organization that will be used to create and manage your company's integration projects.
  • Data Loader Organization: Identified in the table by your email address, this organization will be used if you are loading data into Salesforce via the Salesforce Bulk API.

Additional organizations will be available to select only if you have been given access by an Administrator within that organization.

  • Example 1: You are consulting as an integration specialist for multiple companies. Each of the organizations could give you access to assist in their integrations.
  • Example 2: The corporate structure of your company includes divisions that are separate legal entities. In that case you could be an employee of one entity and working on integrations within multiple divisions. An Administrator for each division could give you access to their separate organization to assist with the division's integration projects.

Only the organization that is currently selected in the top navigation bar of the Harmony Portal will appear enabled for editing. This is to help prevent Administrators of multiple orgs from unintentionally editing or adding members to the wrong org.

If you have Administrator permissions for other orgs, use the dropdown that appears between your name and Help to switch between organizations and enable that organization for editing. The table will be refreshed to switch to the selected org:

Any other organizations of which you are a member but do not have Administrator permissions will always show as disabled, as there is nothing you have permission to change.

You can also sort the table by clicking on any of the column headers.

Edit Organizations

On the far right of each row of the organizations table are the available Actions for Admins:

Choose Edit Organization to update basic information about your organization (name, address, time zone):

Choose Edit Organization Policies to enable/disable or specify the following settings. Each configurable field or action is explained below.

Settings that do not apply to organizations using SSO are noted. Members who are on the Bypass SSO list will be subject to the org policies for any other non-SSO-enabled orgs of which they are a member.

  • Password Require special character(s): Require at least one special character per Harmony password for each registered user within the organization. This setting does not apply to SSO orgs.
  • User password expires in: Require the organization's registered users to change passwords every X number of days. This setting does not apply to SSO orgs.
  • Disable user accounts in: Disable any account registering no activity within X number of days. This setting applies to both Harmony and SSO orgs.
  • Password history: Require users with forgotten password to identify the last X number of used passwords. This setting does not apply to SSO orgs.
  • Two-Factor Authentication (TFA): Require two-factor authentication (TFA). All of the organization's members will be required to enter a verification code sent by Jitterbit (in addition to their username and password) when they sign in. They will be required to reverify their devices every X number of days. This setting does not apply to SSO orgs.
  • TFA on each login: Require two-factor authentication on every login as opposed to every X number of days. This setting does not apply to SSO orgs.
  • Enable remote Agent configuration: Enable remote agent configuration (via the Management Console from the Agents > Agent Groups page).
  • Member's domains: Restrict access to the following domains. Separate multiple domains using commas or semicolons.
  • Enable SSO: Enable SSO for all members of the org, except for those included under Bypass SSO. More information about SSO options is provided under Enable SSO.

    NOTE: Configuring and enabling SSO is a two-step process:

    1. Configure SSO: First, select SAML 2.0 or OAuth 2.0 to open a new screen to configure SSO. Click Save within this popout to save the configuration but not yet enable SSO. 
    2. Enable SSO: Next, make sure the appropriate configuration for SAML 2.0 or OAuth 2.0 is selected and click Save within the Edit Organization Policies screen to enable SSO using your configured settings.
  • Bypass SSO: Bypass the SSO settings for users added within the popout screen. The Bypass SSO list applies only when SSO is enabled; however, you can still manage your Bypass SSO list when SSO is disabled, for example to prepare for enabling SSO. More information about exempting users from SSO is provided under Bypass SSO.

    NOTE: When you make changes to the Bypass SSO list and click Save within this popout, the changes will be saved regardless of whether you Save or Cancel out of the Edit Organization Policies screen.
  • Enable Whitelist IP Range: Require the user to log in only from the specified IP range (note, this applies to all client systems, websites, and Studio).
  • Save/Cancel: Choose Save to save any changes to the organization policies, or Cancel to close without saving. The Save button will be disabled unless changes have been made, with the exception of the Bypass SSO list (see note above).

Enable SSO

Under Edit Organization Policies, the Enable SSO option presents a dropdown with three selections:

  • None: This option is enabled by default, meaning organizations are configured to use Harmony credentials by default.
  • SAML 2.0: Choose SAML 2.0 if you want to configure SSO using SAML 2.0. Jitterbit currently supports SAML 2.0 for Salesforce and Okta. In addition, you may configure SSO with another SAML 2.0 Identity Provider by exploring the proper configuration on your own.
  • OAuth 2.0: Choose OAuth 2.0 if you want to configure SSO using OAuth 2.0. Jitterbit currently supports OAuth 2.0 for Autodesk and Google.

To configure SSO, under the Enable SSO dropdown select either the SAML 2.0 or OAuth 2.0 option to open the Edit Organization SSO Provider Info screen. If you already have SAML 2.0 or OAuth 2.0 selected, you can also click the Edit button to the right to return to the configuration screen. More information is provided below for SAML 2.0 and OAuth 2.0 configuration. Once you have configured and tested your configuration, click Save within this popout to save the configuration but not yet enable SSO. 

After SSO is configured, to enable SSO using your configured settings, under the Enable SSO dropdown make sure the appropriate configuration for SAML 2.0 or OAuth 2.0 is selected. Then click Save within the Edit Organization Policies screen. The newly configured SSO settings will take effect upon next login.

After SSO is enabled, if you then want to disable SSO, under the Enable SSO dropdown change the selection to None. In this case, users who already have Harmony credentials will again be able to use them for this organization. Users without Harmony credentials (that is, those whose only org was the SSO org) will not be able to access the org.

SAML 2.0

The Edit Organization SSO Provider Info screen for SAML provides the following configurable fields or actions. An example is provided below, followed by an explanation of each item.

  • Identity Provider Metadata: This field should contain the XML metadata obtained directly from the Identity Provider (that is, Salesforce or Okta).

    TIP: To generate the appropriate Identity Provider XML metadata file, see Configuring SSO with Salesforce or Configuring SSO with Okta.
  • Harmony Client: Jitterbit supports SSO for two Harmony clients (Service Providers). The two clients are provided by default in the configuration and cannot be edited.

    1. WMC: This selection applies to the Harmony Portal (including Cloud Studio, API Manager, Citizen Integrator, Management Console).

      NOTE: Although the user interface refers to WMC, the former name for the Management Console, when you select WMC as the Harmony client, this configuration applies to all of the web-based products accessible via the Harmony Portal, including Cloud Studio, API Manager, Citizen Integrator, and Management Console.
    2. Studio: This selection applies to Design Studio versions 8.24 and later.

    WARNING: Both WMC and Studio must be configured for SSO when SSO is enabled. If either client is configured improperly, you will not be able to test the configuration successfully or save the SSO settings.
  • ACS URL: This field is the URL associated with the Harmony client. It is provided by default in the configuration depending on the Harmony client and cannot be edited.
  • Service Provider Metadata: This field should contain the XML metadata from the Service Provider. You will need to create the metadata manually, replacing information specific to the Identity Provider.

    TIP: To manually construct the appropriate Service Provider XML metadata file, see Configuring SSO with Salesforce or Configuring SSO with Okta.
  • Test Configuration: After you have configured all of the above fields, you must test the end-to-end connections to make sure they are working. Upon clicking this link, a new browser screen will open, displaying the native login interface for the Identity Provider. Enter/verify your credentials for the Identity Provider as normal, and accept prompts to allow access to the Jitterbit client.
    • If SSO is configured properly, you will be redirected to the Management Console with a message indicating success.
    • If SSO is not configured properly, you will be redirected to the Management Console with an error message providing more information about the specific error.

      CAUTION: Be careful about how many times you test configuration within a given timeframe. Continuous unsuccessful test attempts may lock out your Identity Provider account.
  • Save/Cancel: Save will be disabled until Test Configuration is performed successfully for all Harmony clients. Choose Save to save the configured SSO settings, or Cancel to close without saving. Once you have configured and saved a SAML 2.0 configuration, the newly configured SSO policies will take effect upon next login.

OAuth 2.0

The Edit Organization SSO Provider Info screen for OAuth provides the following configurable fields or actions. An example is provided below, followed by explanation of each item.

  • OAuth Provider: Use the dropdown to select your OAuth Identity Provider. Currently, Jitterbit supports OAuth for Autodesk and Google.

  • Harmony Client: Jitterbit supports SSO for two Harmony clients (Service Providers). The two clients are provided by default in the configuration and cannot be edited.

    1. WMC: This selection applies to the Harmony Portal (including Cloud Studio, API Manager, Citizen Integrator, Management Console).

      NOTE: Although the user interface refers to WMC, the former name for the Management Console, when you select WMC as the Harmony client, this configuration applies to all of the web-based products accessible via the Harmony Portal, including the Cloud Studio, API Manager, Citizen Integrator, and Management Console.
    2. Studio: This selection applies to Design Studio versions 8.24 and later.
    WARNING: Both WMC and Studio must be configured for SSO when SSO is enabled. If either client is configured improperly, you will not be able to test the configuration successfully or save the SSO settings.
  • Redirect URL: This field is the URL associated with the Harmony client. It is provided by default in the configuration depending on the Harmony client and cannot be edited.
  • Client Id: This field should contain the Client Id obtained from the Identity Provider following the instructions for Google or Autodesk.

  • Client Secret: This field should contain the Client Secret obtained from the Identity Provider following the instructions for Google or Autodesk.
  • Test Configuration: After you have configured all of the above fields, you must test the end-to-end connections to make sure they are working. Upon clicking this link, a new browser screen will open, displaying the native login interface for the Identity Provider. Enter/verify your credentials for the Identity Provider as normal, and accept prompts to allow access to the Jitterbit client.
    • If SSO is configured properly, you will be redirected to the Management Console with a message indicating success.
    • If SSO is not configured properly, you will be redirected to the Management Console with an error message providing more information about the specific error.

      CAUTION: Be careful about how many times you test configuration within a given timeframe. Continuous unsuccessful test attempts may lock out your identity provider account.
  • Save/Cancel: Save will be disabled until Test Configuration is performed successfully for all Harmony clients. Choose Save to save the configured SSO settings, or Cancel to close without saving. Once you have configured and saved an OAuth 2.0 configuration, the newly configured SSO policies will take effect upon next login.

Bypass SSO

Under Edit Organization Policies, the Bypass SSO option allows you to bypass SSO settings for specific users who are members of organizations that have SSO enabled. Instead, these users will authenticate with their Harmony credentials.

TIP: The Bypass SSO list applies only when SSO is enabled; however, you can still manage your Bypass SSO list when SSO is disabled, for example to prepare for enabling SSO.

In cases where members of your org are members of other enterprise organizations as well, you are required to add users to the Bypass SSO list or remove them as a member of the organization before SSO can be enabled. If they are added to the Bypass SSO list, these users will be subject to the org policies for any other non-SSO-enabled orgs of which they are a member. For example:

  • Mary is an org Admin for Bird Feathers Inc. and has SSO for Salesforce enabled on her org. She wants to invite Garrett, a member of another org, Birds & Bugs, which doesn't have SSO enabled. Mary needs to add Garrett to the Bypass SSO list for Bird Feathers Inc. before she can add him under the Members tab, since Garrett is already a member of another enterprise organization. Garrett will receive an invitation to use his existing Harmony credentials to access Mary's org. Garrett's password policies will be controlled by Birds & Bugs only.
  • Chris is a contractor for Bird Feathers Inc. and does not have a Salesforce account. Mary wants to invite Chris to her SSO-enabled org, but wants him to use Harmony credentials. Mary needs to add Chris to the Bypass SSO list before she can add him under the Members tab. Chris will then receive an invitation to register with Harmony credentials.

After adding new users to the Bypass SSO list, you must add them as a member under the Members tab for your org if they are not already listed.

NOTE: If using SSO, a Harmony user can be a member of only one SSO-enabled org using SSO credentials, OR, a Harmony user can be a member of multiple bypassed SSO orgs and multiple non-SSO orgs using Harmony credentials. See Use SSO or Harmony Credentials for more information.

Click the popout icon to open the Bypass SSO User Info screen.

  • Email: Enter the email address of the user you would like to exempt from SSO. This may be an email associated with an existing Harmony user or new Harmony user who has not yet been invited. 

    CAUTION: Do not add users belonging to another SSO-enabled organization. You will not be able to add these to your org under the Members tab.
  • +Add User: Click this link to add the email address to the Bypass SSO list, and open an additional row where you can enter another email.
  • Action: After you have added a user, actions you can take for that user are located to the right of the email. Choose Delete to remove the row from the list.

    WARNING: Deleting a user from the Bypass SSO list will also remove the user as a member of your organization. If you want this person to have access using SSO, you will need to re-add the user as a member of your organization after removing them from the Bypass SSO list.

  • Save/Cancel: Choose Save to save the Bypass SSO list, or Cancel to close without saving. 

    TIP: If you have added users, don't forget to invite them to your org under the Members tab (see Manage SSO Org Members).
    NOTE: When you make changes to the Bypass SSO list and click Save within this popout, the changes will be saved regardless of whether you Save or Cancel out of the Edit Organization Policies screen.

Managing Roles and Permissions

Administrators define the permissions across an organization's integration projects by assigning roles with specified permissions. Each role contains a set of permissions that specify what actions are available to all users that are members of the role. 

View Roles and Permissions

The bottom section of the Organizations page contains two tabs: Roles and Members. Select the Roles tab to display the list of existing roles.

Jitterbit provides the organization with two roles by default: Administrator and User. The Administrator role cannot be deleted and requires at least one person to be a member. 

View the Permissions column for the permissions assigned to each role. There are three permission levels available:

  • Admin: This permission level grants privileges that provide access to all features and functions available in the Management Console as well as access to all assets belonging to the organization. Those with Admin permissions can also create customized roles, manage the membership of those roles, and set up the access control privileges for each role within each environment.
  • Read: This permission level is the default level, which provides the least amount of privileges and allows access to the organization.

  • Agent Install: This permission level grants elevated privileges, but for agent installation purposes only. Roles with the Agent Install permission must also be assigned Write access within the environment for this permission to work (see Grant Role Access to the Environment under Environments). This type of permission may be useful if you want certain members to install the agent, but do not want those individuals to have administrative privileges or be able to view, modify, or run operations outside of the specific environment to which they have been granted Write access. Note that after the agent has been successfully installed, it will continue to function and be able to be upgraded going forward even if the role or particular user with Agent Install permissions is removed or disabled. 

  • API Consumer: This permission level grants privileges that provide access to the public facing developer Portal in API Manager. A user assigned a role with only the ApiConsumer permission is restricted to only accessing the API Manager Portal, accessing the API documentation, and executing the APIs. 

    NOTE: External API App developers will need to be members of a role which is assigned the ApiConsumer permission.  Follow the steps in the next section to Add the role and assign the ApiConsumer permission, providing developers access to the APIs available within the Portal, access to view API Logs, and view Analytics. In addition, the role needs to be assigned View Logs and Read permissions in the environment hosting the public facing developer Portal. See the steps in the Environments page to assign the role to the environment and assign the View Logs and Read permissions. 

Add, Edit, or Remove Roles

TIP: After you have created a new role, you will also need to provide the role with access to a specific environment. Here you can further limit the role's access levels per environment. Instructions for this are provided on the Environments page.
  • Add: Click the button, then type in a name for your new role and click Save. The new role will automatically appear as a new row under roles. The new role will have Read permissions by default.
  • Edit: In the Permission column, use the dropdown to edit the permissions for new or existing roles.

  • Remove, Deactivate/Activate, or Rename: In the Action column, use the dropdown to remove, deactivate/activate, or rename a role. The option Activate Role will appear only if the role is currently set to inactive; likewise, Deactivate Role will appear only if the role is active.

Add or Remove Members

Members must be assigned to roles in order to be assigned the role permissions. While you can manage all members from the Members tab, there are also some member management activities you can perform from within the Roles tab. For a full explanation of members refer to the next section.

  • Add Member to Role: On the role row, click the Action dropdown and choose Add Member to add a member directly to a role. In the popup, enter the email address of the member and click Save. The member will also be automatically updated in the Members tab. See additional information under the Managing Members section below.

  • Remove/Deactivate Members from a Role: On the role row, click the arrow to the left of the role to view the members of the role:

    The individual members of the role are now expanded, with an additional set of actions that have become available on each member row. On the member row, you can remove or deactivate the individual member directly.

    WARNING: If the member is assigned to only one role, the member will be removed from the role, AND the member will be removed from the organization. If the member is assigned to more than one role, the member will be removed from the selected role, but will remain a member in any other roles they are assigned to.
    TIP: It is recommended to have more than one member assigned to the Administrator role in case the original Administrator is no longer available. If you are unable to access an account with Administrator permissions, see Getting Support.

Managing Members

The members tab shows all members within your organization, their assigned roles, and current status. Those with an Administrator role can add new users as members and assign the previously defined roles within this tab.

View All Members and Roles

The bottom section of the Organizations page contains two tabs: Roles and Members. Select the Members tab to display the list of existing members. You can expand each member to view the roles associated with each member.

Add or Remove Members from Roles

Members of an organization must be assigned to one or more predefined roles. That is, when a new member is created, they must be assigned to a role; it is not possible to have a member without any roles. To remove a member from the organization, remove them from all roles. See Managing Roles and Permissions for more information about predefined roles.

  • Add New Member to Role: Click the button to add a member to your organization. In the popup, enter an email address and specify the predefined role, then click Save. The next actions will depend on whether a user is new or already registered with Harmony, if your organization has SSO enabled, whether a user already has an SSO-enabled org, and whether a user is on a Bypass SSO list.

    NOTE: For organizations that have SSO enabled, take note when adding members:

    • Email addresses must match the usernames of your SSO Identity Provider. If a member's SSO username is not in email format or does not match the email you've provided under your org's Members list, this user will not be able to log in to Harmony with SSO. This is required for authentication purposes.
    • A Harmony user can be a member of only one SSO-enabled org using SSO credentials, OR, a Harmony user can be a member of multiple bypassed SSO orgs and multiple non-SSO orgs using Harmony credentials. See Use SSO or Harmony Credentials for more information.
    • New Harmony Users: Users that are not yet registered in Harmony will receive an email with further instructions and a link to log in to Jitterbit depending on SSO settings:
      • If the org has SSO enabled, and the user being invited is not on the Bypass SSO list, the user will be able to authenticate with SSO and access the organization. 
      • If the org does not have SSO enabled or the user has already been added to the Bypass SSO list, the user will need to access the link and complete registration with Jitterbit prior to accessing the organization with Harmony credentials.

    • Existing Harmony Users: Users that are already registered in Harmony as members of another organization can be added as follows and will receive an email with further instructions depending on SSO settings:
      • If the org has SSO enabled, and the user is not on the Bypass SSO list for that org, and the user is not a member of any other enterprise organization, the user will be able to authenticate with SSO and access the organization.

      • If the org has SSO enabled, and the user is already added to the Bypass SSO list for that org, then the user will be able to access the organization using their Harmony credentials.

      • If the org does not have SSO enabled, then the user will be able to access the organization using their Harmony credentials.
    TIP: The Invitation Status of new members with Harmony credentials is set to "Pending" until Jitterbit registration is completed. Members using SSO are already activated users.
    • Add Existing Member to Role: On the member row, click the Action dropdown to add a role.
    • Remove/Deactivate Members from a Role: On the member row, click the icon to the left of the member to view the assigned roles.
      The roles are now expanded, with an additional set of actions that have become available on each role row. Here you can remove or deactivate the role.

      WARNING: You must remove the member from each role in order to remove the member from the organization.
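
The membership rules stated under Bypass SSO and in the SSO note above can be checked against a member list before SSO is enabled. The following is an added example, not Jitterbit code: the Member fields, the function name and the sample addresses are hypothetical, and the inputs are assumed to be lists an Administrator has assembled by hand from the Members tab, the Bypass SSO list and the Identity Provider.

```python
from dataclasses import dataclass


@dataclass
class Member:
    email: str
    other_enterprise_org: bool = False  # also a member of another enterprise org
    other_sso_org: bool = False         # ...and that org has SSO enabled


def sso_preflight(members, bypass_emails, idp_usernames):
    """Map each problem account to the rules on this page that it violates."""
    bypass = {e.strip().lower() for e in bypass_emails}
    idp = {u.strip().lower() for u in idp_usernames}
    findings = {}
    for m in members:
        email = m.email.strip().lower()
        issues = []
        if email in bypass:
            # Bypassed users sign in with Harmony credentials, so the IdP
            # username check does not apply to them.
            if m.other_sso_org:
                issues.append("on Bypass SSO list but belongs to another SSO-enabled org")
        else:
            if m.other_enterprise_org:
                issues.append("member of another enterprise org: add to "
                              "Bypass SSO or remove before enabling SSO")
            if email not in idp:
                local = email.split("@")[0]
                if local in idp:
                    issues.append(f"IdP username {local!r} is not in email format")
                else:
                    issues.append("email does not match any IdP username")
        if issues:
            findings[email] = issues
    # Bypass entries still need a row under the Members tab.
    member_emails = {m.email.strip().lower() for m in members}
    for email in sorted(bypass - member_emails):
        findings[email] = ["on Bypass SSO list but not added under the Members tab"]
    return findings


# Constructed sample using the names from the Bypass SSO examples; the
# addresses and the extra member "sam" are invented for illustration.
SAMPLE_MEMBERS = [
    Member("mary@birdfeathers.example"),
    Member("Garrett@birdsandbugs.example", other_enterprise_org=True),
    Member("sam@birdfeathers.example"),
]
SAMPLE_BYPASS = ["chris@contractor.example"]
SAMPLE_IDP_USERNAMES = ["mary@birdfeathers.example", "sam"]

if __name__ == "__main__":
    report = sso_preflight(SAMPLE_MEMBERS, SAMPLE_BYPASS, SAMPLE_IDP_USERNAMES)
    for email, issues in report.items():
        for issue in issues:
            print(f"{email}: {issue}")
```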

Last updated:  May 22, 2019