Managing Access and Users
m3ter supports two types of user for your Organization:
Users. Represent the people you’ll grant access to your Organization.
Service Users. Intended to represent automated processes that you want to grant direct API access to your Organization. You'll want to set up Service Users for integrations of your 3rd-party systems with the m3ter platform.
Using Permission Policies, you can then control what Users and Service Users can do when they have gained access. See Understanding, Creating, and Managing Permission Policies.
From the Console Access page, you can:
View the details of Users, deactivate and reactivate them, and manage their access permissions.
Create User Groups and add Permission Policies to them. User Group are very useful for controlling access to your Organization when you want to set up a group of people and apply the same Permission Policies to them.
Invite Users to join your Organization and assign Permission Policies to control their access once they have joined. Invites can be made to either existing m3ter Users or people who are not yet registered with the platform.
Make a request to grant m3ter Support access to your Organization for a specified period.
This topic explains how to manage the people and processes you grant access to your Organization in m3ter:
Create Service Users, configure them to add Permission Policies, and generate Access Keys
Create and Manage User Groups to add Permission Policies to them and assign Users to User Groups
Important!
Mixed Permission Policies - deny permissions take precedence: Care is needed if you set up a User's access with more than one Permission Policy applied to the User. For example, you might assign the Administrator Permission Policy directly to a User at the level of their individual permissions. But if you then add them to a User Group to which a more restrictive Permission Policy has been applied - say one that denies all members of the group access to any Meters - then the more restrictive permissions imposed by the User Group Meter Access Denied policy takes precedence over the more permissive Administrator policy.
Mixed Statement in a Permission Policy - denial takes precedence: If you create a Permissions Policy with multiple statements and two of more of the constituent statements conflict with respect to access to a resource for the given action, denial takes precedence - see Effects and Evaluation Logic for more details.
Managing Users and Adding Permission Policies
You can view Users, deactivate and reactivate them, and modify their access to your Organization.
Viewing User Details
To view Users:
1. Select Settings>Access. The Access page opens with the Users tab selected. Any existing Users in your Organization are listed.
2. Select a User. The User panel is populated for the selected User.
Tip: Users Missing? When you open the Users page, you should see all the Users you asked m3ter to set up for your Organization and any who you've invited and have accepted your invitation. If any are missing, please contact m3ter Support.
3. To view a User's details, select their NAME hotlink text. The User Details page opens:
From the User Details panel, you can manage the User's details:
Status:
Read-off the User's Status - whether ACTIVE or INACTIVE.
Deactivate or Reactivate the User. See below: Deactivating and Reactivating Users.
Permission Policies:
Remove a Policy from the User.
Add a Permission Policy to the User. See below: Adding Permission Policies to Users.
Audit data:
Read-off when the User was Created and Last modified.
Other details:
Read-off the date when the User's access to your Organization will end.
Check the User's email address.
4. Scroll down the page. From the User Group panel, you can add the User to User Groups you've set up for your Organization. See below: Creating and Managing User Groups.
Deactivating and Reactivating Users
To deactivate and reactivate Users:
1. Select Settings>Access. The Access page opens with the Users tab selected. Any existing Users in your Organization are listed.
2. Select the NAME text of the User you want to deactivate or reactivate. The User Details page opens and you can read-off the current Status of the User - either ACTIVE or INACTIVE:
If ACTIVE, a red Deactivate User button shows, which you can use to deactivate the User.
If INACTIVE, a green Activate User button shows, which you can use to reactivate the User.
3. Use these Deactivate/Reactivate buttons appropriately to control the status of the User.
Adding Permission Policies to Users
Two types of Permission Policy are available for controlling User access to your Organization:
Managed. System generated Permission Policies. Two Managed Permission Policies are currently available to assign to your Users, Service Users, or User Groups:
Administrator. Read and write permissions. Can submit API calls.
ReadOnly. Read permissions only. Cannot submit API calls.
Note: You cannot edit Managed Permission Policies.
Custom. Permission Policies you create for your own Organization:
You can use the m3ter Permissions framework to create and configure Custom Permission Policies to impose precise levels of access on individual Users and User Groups.
Warning: Working with Permission Policies? Before creating Custom Permission Policies to control Users access to your Organization, we recommend that you review the Understanding, Creating, and Managing Permission Policies topic in this section.
To add and manage Permission Policies for a User:
1. Select Settings>Access. The Access page opens with the Users tab selected. Any existing Users in your Organization are listed.
2. Select the NAME text of the User whose Permission Policies you want to manage. The User Details page opens.
3. If you want add a Policy to the User, under Permission Policies, select Add Permission Policy. The Users page opens.
4. In the Add Permission Policy drop-down list, select the Permission Policy and select the Add Permission Policy. You are returned to the User Details page and the selected Permission Policy shows in the Permission Policies list for the User.
5. If you want to remove a Permission Policy for a User, select Delete:
A confirmation pop-up appears.
6. Select Yes to confirm the Permission Policy deletion.
Creating and Configuring Service Users
Service Users represent the automated process you want to grant access to your Organization. When you create a Service User you can:
Add Permission Policies to the Service User to control what they can do when they gain access to your Organization.
Generate Access Keys for the Service User, which you can use to perform service authentication with the m3ter platform. When you have authenticated the Service User, you can then can obtain a Bearer Token for use in API calls made to the platform by the Service User. For more details, see Service Authentication.
Creating Service Users
To create a Service User:
1. Select Settings>Access. The Access page opens with the Users tab selected.
2. Select the Service Users tab. Existing Service Users in your Organization are listed.
3. Select Create Service User. The Create page opens.
4. Enter a Name for the new Service User.
5. If you want to generate an access key for the new Service User, leave the Generate access key switch enabled, which is the default setting.
Note that you can create the new Service User without generating an access key - simply disable the switch - and you can edit and generate an access key later. See the section below.
6. If you want to assign Permission Policies to the new Service User, use the Permission Policies drop-down list to select them - the list will contain both the Managed and any Custom Permission Policies that exist in your Organization.
Note that you can create the new Service User without assigning any Permission Policies - simple leave the Permission Policies drop-down empty - and you can edit and assign them later. See the section below.
7. Select Create Service User. The new Service User is created and a Generate Access Key popup appears, which shows:
Organization ID
Access Key ID
API Secret
You can copy each of these string values directly to your clipboard.
Important! When you generate an access key for a Service User, you need to keep a record of the Api Secret before you close the popup, because this will only be shown once.
8. On the Generate Access Key popup, select Close. You are returned to the Service User Details page for the new Service User:
In this example, we've generated an access key and assigned a Permission Policy to the new Service User when creating it.
Adding Permission Policies to Service Users
Two Managed Permission Policies are currently available to assign to your Service Users:
Administrator. Read and write permissions. Can submit API calls.
ReadOnly. Read permissions only. Cannot submit API calls.
You cannot edit Managed Permission Policies.
You can also assign any Custom Permission Policies you've created to Service Users.
Warning: Working with Permission Policies? Before creating Custom Permission Policies to control Users access to your Organization, we recommend that you review the following topic in this section on Understanding, Creating, and Managing Permission Policies.
To add and manage Permission Policies for a Service User:
1. On the Settings>Access>Service Users tab, select the NAME text of the Service User. The details page for the Service User opens. Any Permission Policies assigned to the Service User are listed in the Permission Policies panel.
2. Select Add Permission Policy. The page adjusts.
3. Using the Add Permission Policy drop-down, select the Permission Policy you want to assign from the drop-down list.
4. Select Add Permission Policy. You are returned to the details page where the selected Permission Policy is now listed in the Permission Policies panel.
5. If you want add another Permission Policy to the Service User, repeat steps 2 to 4.
Important! You must add the Administrator Permission Policy to a Service User to allow the user to make API calls to the platform.
6. If you want to delete a Permission Policy from a Service User, select the Delete button. You are asked to confirm the delete action.
Generating Access Keys for Service Users
You can generate access keys for Service Users at any time.
To add and manage Access Keys for Service Users:
1. On the Settings>Access>Service Users tab, select the NAME text of the Service User. The details page for the Service User opens. Any access keys generated for the Service User are listed in the Access Keys panel.
2. Select Generate Access Key. A Generate Access Key popup appears, which shows:
Organization ID
Access Key ID
API Secret
You can copy each of these string values directly to your clipboard.
Important! When you generate an access key for a Service User, you need to keep a record of the Api Secret before you close the popup, because this will only be shown once.
3. On the Generate Access Key popup, select Close. You are returned to the details page where the access key is listed as ACTIVE on the Access Keys panel.
You can now use the Access Key id and Api Secret to authenticate the Service User to m3ter using the Basic Authentication method and obtain a Bearer Token for making subsequent API calls. See Service Authentication.
4. If you want to generate additional access keys, you can repeat steps 2 to 3. If you generate additional keys, you should take care to mark the old ones as Inactive - those for which you cannot remember or find the Api Secret or those no longer required due to rotation.
Tip: Rotating Access Keys? Note that you can only create up to two Access Keys at a time - if you want to maintain continual rotation of your Service User Access Keys, after creating two you must first inactivate and remove one to create a new one.
Managing Service Users
To manage Service Users:
1. Select Settings>Access. The Access page opens with the Users tab selected.
2. Select the Service Users tab. The page adjusts and list the Service Users in your Organization.
3. If you want to edit a Service User, select the Edit icon:
The Edit page opens.
4. Make your editing changes and select Update Service User.
5. If you want to delete a Service User, select the Delete icon:
A confirmation dialog appears.
6. Select Yes to continue and delete the Service User.
Creating and Managing User Groups
You can create User Groups and add Permission Policies to them. User Groups are very useful for controlling access to your Organization when you want to set up a number of people with the same Permission Policies assigned to them. For example, you might have a Billing Operations team and you want to restrict the access of all members of this team to performing certain billing operations when working in your Organization. You can then:
Create a Permission Policy which allows the required range of Billing resource access.
Create a new Billing User Group and add this Permission Policy to it.
Add each team member to the Billing User Group.
Do not assign any Permission Policies to any Billing Operations team member.
Creating User Groups and Adding Permission Policies
To create a User Group and add Permission Policies to the Group:
1. Select Settings>Access. The Access page opens with the Users tab selected.
2. Select the User Groups tab.
3. Select Create User Group. The Create page opens.
4. Enter a Name for the new User Group.
5. Use the Permission Policies drop-down list to select the Policies you want to apply to the Group:
6. Select Create User Group. The User Group Details page for the new User Group opens and the Permissions Policies panel lists the Policies you've applied to the Group:
You can manage the Permission Policies for the User Group from here:
Select Add Permission Policy to add another Permission Policy to the User Group.
Use the Delete icon to remove the Permission Policy from the User Group:
7. To return to the User Groups tab from the details page, select User Groups in the breadcrumb at top-left. From there, you can manage your User Groups:
Select the NAME hotlink text to open the details page for a User Group and manage the Permission Policies applied to the Group.
Select Edit to update:
Select Delete to remove:
Adding Users to User Groups
To add Users to a User Group:
1. Select Settings>Access. The Access page opens with the Users tab selected.
2. Select the NAME hotlink text of the User you want to add to a User Group. The User Details page opens.
3. On the User Groups panel, select Add to User Group. The Users page opens.
4. Use the Add to User Group drop-down to select the User Group you want to add the user to.
5. Select the Add to User Group button. You are returned to the User Details page and the User Group you've added the User to is listed on the User Groups panel.
Inviting Users to your Organization
From the Access page, you can invite users to join your Organization. The invitee will receive an e-mail invite and will then be able to access your Organization with the permission level you've assigned to them.
Important - User Invite Permission Required! You can issue an invite to a user to join your Organization only if you have the required permissions. The invite user permission can be conferred either with the Administrator Managed Permission Policy or a Custom Permission Policy that includes a config:create action for the orgUserInvitation resource.
If you attempt to invite a User to your Organization but you don't have the required permissions, you'll receive an error.
To invite a User to join your Organization:
1. Select Settings>Access. The Access page opens with the Users tab selected.
2. Select the Invitations tab. Any invitations previously issued for your Organization are listed.
3. Select Invite User. The Create invitation page opens.
4. Enter the details of the User you want to invite to your Organization:
The name and contact details you need to enter for the invite differ:
If the invited User is already a m3ter user and holds a m3ter account, the First name, Last name, and Contact number are optional.
If the invited User is not already a m3ter user and does not hold a m3ter account, the First name, Last name, and Contact number are required.
5. If you want to make the invited User's access to your Organization time-bound, use the pop-up calendar to enter the date you want their access to cease in the Access end date field.
6. If you want to make the invitation time-bound, use the pop-up calendar for the Invite expiry date to enter the date you want the invitation to expire. Note that by default the invitation expiry date will be set at 30 days in the future.
7. Use the Permission Policies drop-down selection list to select the Permission you want to assign to the invited User. Note that when the User has joined your Organization, you'll be able to edit the Permission Policies assigned to them.
8. Select Invite User. The Invitations Details page opens for the invited User and the User will receive an e-mail inviting them to join your Organization:
If the User is already a m3ter User and has a m3ter account, they can click a link and use their credentials to log into your Organization.
If the User is not already a m3ter User and does not already have a m3ter account, they will be invited to create a m3ter account before logging into your Organization.
9. On the Access>Invitations tab, your Invitations are listed:
EMAIL ADDRESS. The invited User's email address.
ACCESS END DATE. The date you set for the invited User's access to your Organization to end.
EXPIRY DATE. The date on which the invite expires - after that date the invited User will no longer be able to accept the invite. By default, any invite is valid for 30 days from the date you sent the invite.
ACCEPTED. Whether or not the invitation has been accepted.
10. When an invited User has joined your Organization, they appear in the Users tab on the Access page:
If you entered an ACCESS END DATE for the invited User's access, this will be shown.
Their STATUS is shown as ACTIVE.
See above: Managing Users and Adding Permission Policies.
11. At any time, you can open the Access>Invitations tab and select the NAME hotlink text of an invited User to open the Invitation Details page for the User.
Tracking User Activity in your Organization
You can track User activity for the main configuration entities created for your Organization - many of the details pages, such as the Meter details pages, carry audit information on which User:
Initially created the entity.
Most recently modified the entity.
This audit data also allows you to click a hotlink text to open the details page for the logged User:
Tip: User Activity is also shown on Account Specific Details Pages! Which User created and which User last modified is also tracked in the Console on the details pages for some Account specific entities - Account Plans, Prepayments, Balances, and Contracts on an Account.
Granting m3ter Support Access
You can grant m3ter Support time-bound access to your Organization. You'll likely want to do this to allow Support to respond to a request you've made to them for help in resolving an issue encountered in your Organization.
Note: Support Terms? When you grant m3ter Support access to your Organization, their activity in your Organization will be conducted fully in accordance with our Support Terms.
To grant m3ter Support access to Organization:
1. Select Settings>Access. The Access page opens with the Users tab selected.
2. Select the Support Access tab.
3. On the Support Access Details panel, select Grant support access. The page adjusts.
4. For Support access end date, use the calendar pop-up to select the date on which you want support access to end.
5. Use the Permission Policies drop-down list to select the Permission Policies you want to apply for support users when they access your Organization.
By default, the Administrator managed Permission Policy is selected.
6. Select Update Support Access. You are returned to the Support Access tab and the Support Access Details panel and Permission Policies panel now shows the updated Support access:
In this example:
Support access will end at midnight on August 30th, 2023.
Support has been granted Administrator access until that point in time.
7. If you want update the Support access you've granted - maybe because the issue you made a request to Support about has now been resolved and you want to close-off access, you can:
Reset the Support access end date to tomorrow's date and select Update support access to end access as soon as possible. Note that when you grant Support access, it must be for at least the remainder of the current day.
Under Permission Policies, delete any Permission Policies you've added for the access.
Viewing Permission Policies
To view Permissions Policies in your Organization:
1. Select Settings>Access. The Users page opens.
2. Select the Permission Policies tab. Any existing Managed or Custom Permission Policies are listed.
Next: Data Explorer
Additional Support
Login to the Support portal for additional help and to send questions to our Support team.