User management
Mosaic provides a hosted solution for managing your users and their profiles. Users are organized by tenant, meaning user information is shared with all apps in a tenant.
User identity
In Mosaic, user identities are centralized across all applications within a tenant. This not only reduces your data management costs, it allows providing more personalized customer experiences. This goes beyond personalizing a welcome screen. For example, a tenant that provides health and fitness services can make training suggestions in their fitness app based on user purchases in their retail app.
Although user identities are managed on the tenant level, app-specific user information can be added to the user's profile. For example, this can be used to associate a Mosaic user with the user's app identity (external_account_id). In addition, any social accounts used to login are automatically linked to the Mosaic user through their profile.
A user identity is created when a user logs in to an app for the first time (if you allow authentication flows to create new users) or an administrator creates a new user via the API or UI. Every Mosaic user has a unique identifier (user_id), which is automatically generated when the user is created. Depending on your integration use case, you can leverage the following attributes as user identifiers when managing and authenticating users with Mosaic:
| Identifier | Description |
|---|---|
username |
The user name for password authentication. |
email |
The primary email address of the user that can be used for authentication. |
phone_number |
The primary phone number of the user that can be used for authentication. |
external_user_id |
The attribute set outside Mosaic, it corresponds to ID in your system or external IDP. |
user_id |
The ID is generated by Mosaic and returned upon user creation. |
User profile
The user profile contains general information about the user, such as their name, email, phone number, and birthday. Additionally, when a user authenticates with a social network (Google, Apple, etc.), the profile stores their social account details. Some profile details, such as a phone number or email, are verifiable (i.e., can be validated by Mosaic as belonging to the user), while other data (e.g., address, language) doesn't require verification.
The general information is shared with all apps in the tenant. The tenant-level data can be enriched to include the user's identifier within your system (external_user_id), and custom data for this user (custom_data). In addition, the user profile contains app-specific data. This is data collected in the context of a specific application, and includes the user's app identity (external_account_id) and any custom data (custom_app_data) you want to store for your users. If the user grants access to a third-party client, the consent will appear along with the other app information.
Note
Tenant-level custom user data is limited to 500 KB per user, and 500 KB per app for app-specific custom user data.
The user profile can be updated and accessed from the Admin Portal, using Identity Orchestration journeys, or APIs. In addition, some basic profile information is included in the ID token returned upon successful authentication (see Identity data).
App users
Although user identity is shared across all apps in your tenant, users don’t necessarily have access to all apps. Users can only access apps that they are assigned to. When creating a new user, you’ll need to specify which applications they can access. New or existing users are automatically assigned to the application they’re logging in to (if you allow authentication flows to create new users). You can also add or remove applications for existing users from the Admin Portal or using dedicated APIs.
User status
In the user lifecycle, there are several statuses a user might have. The user status indicates whether the user has logged in to an app. When a user is created by an administrator, but has not yet authenticated to an assigned app, their status is set as Pending. After the user logs in, their status is set as Active. If the user is temporary (for example, a project-based employee) or this known to be frauster, an administrator can suspend such user. Suspended users cannot log in to any apps in your tenant. If needed, suspended user can be re-activated, and they will restore their previous status (Pending or Active). When a user is deleted, the user's activity events remain in the audit logs.
User groups
You can create groups and add users to the groups you created. This enables controlling which users have access to specific application features using group membership. Like users, groups exist on the tenant level. To create and manage groups, see the relevant APIs.
User devices
You can if there are devices registered for the user and linked to their user record. See device management for details.
User management
Users can be managed by administrators either in the Admin Portal, or via APIs, or using Identity Orchestration journeys. When using the APIs or journeys, you can only manage the users for the specific application identified by the client ID and secret used to authorize the API or journey call. If a Management Application is used, you can manage users across all applications of the tenant. User management includes the ability to create and delete users, update their profiles, assign users to groups and apps, and update their status.
To streamline user lifecycle management across Mosaic and third-party apps, consider using Users SCIM APIs.
Note
After users are deleted, their actions are retained and can be viewed in the audit logs.