User management

The User manager app in Hub is used to manage users, security roles, permissions and authentication setup.


Hydra provides authorization and authentication services used in apps and other services including permissions and feature toggles to ensure they work within the security model. Hydra does not control how a permission is used in an individual app or service. If you need to know the permissions required to use an app or the purpose of a permission, contact the team responsible for that app or view the application's entry in applications.json.


A user represents an account that can perform actions within an application. Typically, users are humans, but they can also represent an external app interacting with platform APIs.

  • Users can be assigned a security role which contains permissions that determine what the user has access to.
  • Users can also be assigned to locations.
  • A user can only belong to one entity, usually a company, but users could also belong to Suppliers, Carriers, Partners or Master Entities.


Entities are the building blocks of Platform/Hub. They are representations of the organizations that interact in the retail ecosystem and lifecycle.

This includes:

  • iQmetrix customers (retailers or companies)
  • entities that support retail activities (suppliers, carriers, manufacturers)
  • entities that enhance and provide value to iQmetrix and our customers (partners, master entities)

The entities that currently exist in Platform/Hub are Company, Supplier, Carrier, Manufacturer, Partner and Master Entity.


A company is the representation of our core customer in Platform/Hub, typically a retailer.

  • Users (employees) can be associated with it.
  • Companies can have a hierarchical structure with locations (stores).
    • A Company Tree is a representation of how a Company is structured. The Root (top-most) Company Tree Node always represents the Company that owns the tree.
    • The Entity Store contains several APIs for dealing specifically with Companies and their structure.

Manufacturers, Suppliers and Carriers#

Manufacturers, Suppliers and Carriers are primarily used to categorize products.

  • Suppliers, Partners, Carriers and Master Entity can also have users associated with them.

Master entity#

A Master Entity can be a company, supplier, manufacturer, or any organization that has an established relationship with one or many company sub-entities.

  • Is used to group companies that are somehow associated and share some part of their operations (reporting, product lists, etc).
  • Their purpose is to allow manufacturers, vendors, or any type of content provider to reflect how their content is displayed in a retailer’s location.

Security Roles#

Security roles are a set of permissions.

  • Any entity that can have users can have security roles, including iQmetrix.
  • A security role is added to a user at a specific node in the company tree. This will give that user permission of that feature at the specified location, group or division in the company tree.


Permissions determine what the user has access to.

  • Users never get permissions directly. Only security roles get permissions.
  • It's up to the individual services and applications to ask if the user has a permission for the appropriate entity.
  • Permissions can be checked in the context of an entity: "Does user X have Permission Y for Entity Z?". If you are verifying the user's context in another way, then consider using a user permission check without the entity.
  • Request new permissions
  • Changing an existing permission

Permission Types#

For all of iQ's permission types please refer to Hydra's How Do Permissions Work?

Restricted Permissions#

Restricted Permissions are permissions that only certain clients should have access to. For example: Cova permissions only make sense to Cova customers, and suppliers don't really need to access GL services.

  • Restricted permissions are made available to clients by iQ Administrators on a per-entity, per-permission basis
  • If a restricted permission makes sense for an entity, an iQ Administrator must turn on the restricted permission for that entity
  • Turning the permission on will make it visible and assignable for iQ Administrators and client users with the Edit Security Role permission
  • If the restricted permission is off, only iQ Admins will see the permission, but they won't be able to assign it
  • When a restricted permission is toggled off in the Restricted Permissions app, all related security roles and users will have that permission revoked
  • Instructions on Managing Restricted Permissions

Creating a test user#

As an iQ user, go to "Users" menu item in Hub and select "Users" (INT, RC and PROD). Search for your test company and select "Create New User". You will not receive an email with the temporary password in DEV or INT. You can go to Mail Trap to retrieve it, but it is simpler to set the password by selecting "Reset Password" under "Tools".


Core5Daily is a test company that is updated with the latest data each night. That makes it ideal to test changes quickly and it is free for anyone to assign test users to.

Create and assign a Security role#

As an iQ user, go to "Users" menu item in Hub and select "Security Roles" (INT, RC and PROD). Search for your test company and select "Create New Security Role". You will have to name it, and then you can configure it as you want. Now you can search for your user, given they belong to the same company, and assign them this role.

Feature Toggles#

Feature toggles are collections of product features, and sub features, that product teams can enable, disable, or trial (configure) for a company. Feature toggles allow iQ teams to offer opt-in for clients on feature releases. When used consistently, feature toggles can even be used as the source of truth for iQ billable features.

  • Can be set in Hub under Entities - Companies - select a company - Applications & Features
  • Can be used to determine if a company has access to certain functionality.
  • Should not be called explicitly every time you need to check the status of a toggle for a company.
    • Since feature toggles do not change often, it is recommended that downstream apps listen to messages and cache changes locally or take action immediately.
  • Feature Toggle endpoints provide information about Features being used by entities as well as updating the feature toggles for entities.
  • Features endpoints are generic and not related to any specific entity.


Further reading#

Last updated on by aslaug sollilja