Overview
Once the customers are mapped out as organizations, the next step is to start mapping out their employees to the corresponding organization users in the Tesouro platform.Create an organization user
To create an organization user, callPOST /identity/v1/users. The request must be authorized using a partner-level access token.
By default the user is created in your own organization. To create the user in a descendant organization instead, set that organization’s ID in the optional X-Organization-ID request header. You must have visibility into the target organization.
status to INVITED sends the user an invitation email with a one-time link to complete sign-in. Setting it to ACTIVE provisions the user immediately; use this when your platform handles authentication and the user will arrive with a valid JWT.
List all organization users
To get information about all the organization users managed by the organization, callGET /identity/v1/users.
Retrieve an organization user
To get information about a specific organization user, callGET /identity/v1/users/{userId}.
Edit an organization user
To edit an existing organization user, callPATCH /identity/v1/users/{userId}.
Disable or enable an organization user
Organization users are not deleted. To revoke a user’s access, callPOST /identity/v1/users/{userId}/disable. To restore access, call POST /identity/v1/users/{userId}/enable.
Get an organization user token
To make API calls on behalf of an organization user, exchange the user’s JWT for a Tesouro access token using OAuth 2.0 Token Exchange (RFC 8693):subject_token must be a JWT from your OIDC provider with the user’s stable identifier in the sub claim and their email in the email claim.
The successful response contains the access token for the specified organization user:
Authorization: Bearer TOKEN request header to make API calls on that user’s behalf.
Get the authenticated user info
The authenticated organization user can check all its own information by callingGET /identity/v1/users/me. The request must be authorized using an organization user level-access token:
role and the effective permissions granted by that role.
Roles and permissions
For an introduction to the role model, system roles, and custom role management, see the Roles guide.