Managing Access and Users

m3ter supports two types of user for your Organization:

  • Users. Represent the people you’ll grant access to your Organization.

  • Service Users. Intended to represent automated processes that you want to grant direct API access to your Organization. You'll want to set up Service Users for integrations of your 3rd-party systems with the m3ter service.

Using Permission Policies, you can then control what Users and Service Users can do when they have gained access. See Creating and Managing Permission Policies.

You can also make a request to grant m3ter Support access to your Organization for a specified period.

This topic explains how to manage the people and processes you grant access to your Organization in m3ter:

Important: Mixed Permission Policies - deny permissions take precedence! Care is needed if you set up a User's access with more than one Permission Policy applied to the User. For example, you might assign the Administrator Permission Policy directly to a User at the level of their individual permissions. But if you then add them to a User Group to which a more restrictive Permission Policy has been applied - say one that denies all members of the group access to any Meters - then the more restrictive permissions imposed by the User Group Meter Access Denied policy takes precedence over the more permissive Administrator policy.

Managing Users and Adding Permission Policies

You can view Users and modify their access to your Organization.

Viewing Users

To view Users:

1. Select Settings>Access. The Access page opens with the Users tab selected. Any existing Users in your Organization are listed. A User Details panel is shown on the right of the page.

2. Select a User if you want to view their details. The User details panel is populated for the selected User.

Tip: Users Missing? When you open the Users page, you should see all the Users you asked m3ter to set up for your Organization. If any are missing, please contact m3ter Support.

Adding Permission Policies to Users

Two types of Permission Policy are available for controlling User access to your Organization:

  • Managed. System generated Permission Policies. Two Managed Permission Policies are currently available to assign to your Users, Service Users, or User Groups:

    • Administrator. Read and write permissions. Can submit API calls.

    • ReadOnly. Read permissions only. Cannot submit API calls.

    • Note: You cannot edit Managed Permission Policies.

  • Custom. Permission Policies you create for your own Organization:

    • You can use the m3ter Permission framework to create and configure Custom Permission Policies to impose precise levels of access on individual Users and User Groups.

Warning: Working with Permission Policies? Before creating Custom Permission Policies to control Users access to your Organization, we recommend that you review the following topic in this section on Understanding, Creating, and Managing Permission Policies.

To add and manage Permission Policies for a User:

1. On the Settings>Access>Users tab, select the User you want to assign a Permission Policy to. The page adjusts to show the details panel for the selected User. Any Permission Policies assigned to the Service User are listed.

2. If you want to add a Permission Policy to the User, select Edit permissions. The page adjusts to show any Permission Policies assigned to the User.

3. Select Add Permission Policy. The page adjusts.

4. In the Add Permission Policy drop-down list, select the Permission Policy and select the Add Permission Policy. The selected Permission Policy is added to the User and is now shown in the Permission Policies list for the User.

5. From the Permission Policies list for a User, you can delete a Permission Policy assigned to the User.

Creating and Configuring Service Users

Service Users represent the automated process you want to grant access to your Organization. When you create a Service User you can:

  • Add Permission Policies to the Service User to control what they can do when they gain access to your Organization.

  • Generate Access Keys for the Service User, which you can use to perform service authentication with the m3ter service. When you have authenticated the Service User, you can then can obtain a Bearer Token for use in API calls made to the service by the Service User. For more details, see Service Authentication.

Creating Service Users

To create and edit Service Users:

1. Select Settings>Access. The Access page opens with the Users tab selected.

2. Select the Service Users tab. Existing Service Users in your Organization are listed.

3. Select Create Service User. The Create page opens.

4. Enter a Name for the new Service User.

5. If you want to generate an access key for the new Service User, leave the Generate access key switch enabled, which is the default setting.

  • Note that you can create the new Service User without generating an access key - simply disable the switch - and you can edit and generate an access key later. See the section below.

6. If you want to assign Permission Policies to the new Service User, use the Permission Policies drop-down list to select them - the list will contain both the Managed and any Custom Permission Policies that exist in your Organization.

  • Note that you can create the new Service User without assigning any Permission Policies - simple leave the Permission Policies drop-down empty - and you can edit and assign them later. See the section below.

7. Select Create Service User. The new Service User is created and a Generate Access Key popup appears, which shows:

  • Organization ID

  • Access Key ID

  • API Secret

You can copy each of these string values directly to your clipboard.

Important! When you generate an access key for a Service User, you need to keep a record of the Api Secret before you close the popup, because this will only be shown once.

8. On the Generate Access Key popup, select Close. You are returned to the details page for the new Service User:

In this example, we've generated an access key and assigned a Permission Policy to the new Service User when creating it.

Adding Permission Policies to Service Users

Two Managed Permission Policies are currently available to assign to your Service Users:

  • Administrator. Read and write permissions. Can submit API calls.

  • ReadOnly. Read permissions only. Cannot submit API calls.

You cannot edit Managed Permission Policies.

You can also assign any Custom Permission Policies you've created to Service Users.

Warning: Working with Permission Policies? Before creating Custom Permission Policies to control Users access to your Organization, we recommend that you review the following topic in this section on Understanding, Creating, and Managing Permission Policies.

To add and manage Permission Policies for a Service User:

1. On the Settings>Access>Service Users tab, select the NAME text of the Service User. The details page for the Service User opens. Any Permission Policies assigned to the Service User are listed in the Permission Policies panel.

2. Select Add Permission Policy. The page adjusts.

3. Using the Add Permission Policy drop-down, select the Permission Policy you want to assign from the drop-down list.

4. Select Add Permission Policy. You are returned to the details page where the selected Permission Policy is now listed in the Permission Policies panel.

5. If you want additional Permission Policies to the Service User, repeat steps 2 to 4.

Important! You must add the Administrator Permission Policy to a Service User to allow the user to make API calls to the service.

6. If you want to delete a Permission Policy from a Service User, select the Delete button. You are asked to confirm the delete action.

Generating Access Keys for Service Users

You can generate access keys for Service Users at any time.

To add and manage Access Keys for Service Users:

1. On the Settings>Access>Service Users tab, select the NAME text of the Service User. The details page for the Service User opens. Any access keys generated for the Service User are listed in the Access Keys panel.

2. Select Generate Access Key. A Generate Access Key popup appears, which shows:

  • Organization ID

  • Access Key ID

  • API Secret

You can copy each of these string values directly to your clipboard.

Important! When you generate an access key for a Service User, you need to keep a record of the Api Secret before you close the popup, because this will only be shown once.

3. On the Generate Access Key popup, select Close. You are returned to the details page where the access key is listed as ACTIVE on the Access Keys panel.

You can now use the Access Key id and Api Secret to authenticate the Service User to m3ter using the Basic Authentication method and obtain a Bearer Token for making subsequent API calls. See Service Authentication.

4. If you want to generate additional access keys, you can repeat steps 2 to 3. If you generate additional keys, you should take care to mark the old ones as Inactive - those for which you cannot remember or find the Api Secret or those no longer required due to rotation.

Tip: Rotating Access Keys? Note that you can only create up to two Access Keys at a time - if you want to maintain continual rotation of your Service User Access Keys, after creating two you must first inactivate and remove one to create a new one.

Managing Service Users

To manage Service Users:

1. Select Settings>Access. The Access page opens with the Users tab selected.

2. Select the Service Users tab. The page adjusts and list the Service Users in your Organization.

3. If you want to edit a Service User, select the Edit icon:

The Edit page opens.

4. Make your editing changes and select Update Service User.

5. If you want to delete a Service User, select the Delete icon:

A confirmation dialog appears.

6. Select Yes to continue and delete the Service User.

Creating and Managing User Groups

You can create User Groups and add Permission Policies to them. User Groups are very useful for controlling access to your Organization when you want to set up a number of people with the same Permission Policies to control their access. For example, you might have a Billing Operations team and you want to restrict the access of all members of this team to performing certain billing operations when working in your Organization. You can then:

  • Create a Permission Policy which allows the required range of Billing resource access.

  • Create a new Billing User Group and add this Permission Policy to it.

  • Add each team member to the Billing User Group.

  • Refrain from assigning any Permission Policies at the level of each individual team member.

To create a User Group:

1. Select Settings>Access. The Access page opens with the Users tab selected.

2. Select the User Groups tab.

3. Select Create User Group. The Create page opens.

4. Enter a Name for the new User Group.

5. Select Create User Group. You are returned to the User Groups tab where the new User Group is listed.

6. If you want to change the name of the User Group, select Edit, make your changes, and select Update User Group.

To add Permission Policies to a User Group:

1. Select Settings>Access. The Access page opens with the Users tab selected.

2. Select the User Groups tab. Select the hotlink NAME text of the User Group you want to add Permission Policies to. The User Group details page opens.

3. On the Permission Policies panel, select Add Permission Policy. The page adjusts.

4. Use the Add Permission Policy drop-down to select the policy you want to add.

5. Select the Add Permission Policy button.

6. You are returned to the User Group details page where you'll see a message confirming that the policy has been successfully applied to the User Group and it will be listed on the Permission Policies panel.

7. If you want to add another Permission Policy to the User Group, repeat steps 3. to 6.

To add Users to a User Group:

1. Select Settings>Access. The Access page opens with the Users tab selected.

2. Select the User you want to add to a User Group.

3. In the User details panel on the right, select Edit user access.

4. The User details page opens.

5. On the User Groups panel, select Add to User Group. The page adjusts.

6. Use the Add to User Group drop-down to select the User Group you want to add the user to and then select the Add to User Group button. You are returned to the User details page and the User Group to which you've added the User to is listed on the User Groups panel.

Making Request to Grant m3ter Support Access

You can make a request to grant m3ter Support time-bound access to your Organization. You'll likely want to do this to allow Support to respond to a request you've made to them for help in resolving an issue encountered in your Organization.

Note: Support Terms? When you grant m3ter Support access to your Organization, their activity in your Organization will be conducted fully in accordance with our Support Terms.

To make a request to grant m3ter Support access to Organization:

1. Select Settings>Access. The Access page opens with the Users tab selected.

2. Select the Support Access tab. On the Support Access Request panel, you can enter a date for when you want access to your Organization by m3ter Support to end.

3. Under Support access end date, use the calendar pop-up to select the access end date.

4. On the Permission Policies panel, select Add Permission Policy. The pages adjusts allowing you to select the level of access.

5. Use the drop-down list to select the Permission Policy you want to assign to m3ter Support and select Add Permission Policy. You are returned to the Support Access tab and the Permission Policies panel now shows the Permission for Support access.

6. Select Grant support access. You should receive a message to confirm Support access has been granted up to the selected end date. The page adjusts and shows Support access as ACTIVE with the Support access end date:

In this example:

  • Support access will end at midnight on March 4th, 2023.

  • Support has been granted Administrator access until that point in time.

7. If you want update the Support access you've granted - maybe because the issue you made a request to Support about has now been resolved and you want to close-off access, you can:

  • Reset the Support access end date to tomorrow's date and select Update support access to end access as soon as possible. Note that when you grant Support access, it must be for at least the remainder of the current day.

  • Under Permission Policies, delete any Permission Policies you've added for the access.

Viewing Permission Policies

To view Permissions Policies in your Organization:

1. Select Settings>Access. The Users page opens.

2. Select the Permission Policies tab. Any existing Managed or Custom Permission Policies are listed.

Next: Understanding, Creating, and Managing Permission Policies