Ushur Accounts Authentication and Authorization

Introduction

Ushur is an AI-powered platform that combines process automation and conversational interfaces to automate enterprise workflows. This is enabled with a state-of-the-art linguistics engine, together with a drag-and-drop builder that enables conversational workflow and integration hooks into an enterprise’s systems of record.

This document helps users of the product to understand the product offerings related to account management, authentication, and authorization.

Ushur Workflow Builder

Ushur workflow builder is a state-of-the-art web application that enables enterprises to author end-to-end intelligent and automated conversational journeys with their end-users. Enterprises can create accounts for their users and provide them with relevant access to manage these workflows. The below sections highlight the possibilities and recommendations.

Account Management

Enterprises can use the account management capabilities of the Ushur platform to control access. Enterprises can create as many accounts as their business needs and associate roles and responsibilities to those accounts. When creating an account, enterprises have the option to choose if the account needs to be mapped to an SSO user that they manage with their own identity provider, otherwise the account will have the ability to access the platform with the defined username and a password that can be set by the account holder.

Our recommendation is for enterprises to create accounts with the SSO option so that they can manage access to the Ushur platform through the Enterprise Single Sign-On system. This ensures access is controlled from one single platform when employees join or leave the company.

Authentication

Accounts can be authenticated based on the type selected at the type of creation. Accounts can be authenticated using an enterprise-wide single sign-on provider that is configured, or via a username and password check that’s managed internally within the Ushur platform. Both are secure, however, the SSO option enables enterprises to keep access control within their systems and takes away the problem of their users having to remember an additional username and password. The SSO option also offers other advantages in managing users who have left the organization where access can be turned off in only one place. The users have the convenience of having to remember and maintain only one password – their corporate password – as opposed to multiple passwords.

Ushur simplifies the process of integrating into any of the leading identity providers such as Microsoft Azure and Google. Currently, Ushur supports integration with Google and Microsoft Azure.

Implementation guides are published regularly on the Ushur Service Desk Portal such as the Azure SSO Implementation Guide.

Authorization

Enterprise Account

An Enterprise Account is the highest-level account created when a customer is onboarded to Ushur. This is the account under which all the user accounts and their Ushur workflows are created and administered. For example:
[email protected] or [email protected].

Please note, that ushurdummy.me is a fictitious domain used for creating these top-level Enterprise accounts. The user accounts will be created with their company-provided email addresses such as [email protected]

The Ushur Support team will create these Enterprise accounts. It is not recommended to log in using the Enterprise account credentials except to create the very first admin user, which will be used to create all the other users in the account.

Adding a New User Account

1. Log in to the builder, and click User Admin in the main dashboard.

   

2. In the Add New User screen, ensure to specify the email address, the initial password, and the user’s full name in the Nick Name field.

3. Click Add User to complete the user account creation. For more information, refer to Add New User.

Activate the user

You must activate the new user account. The activation/deactivation feature is useful to enable or disable access without having to re-create the account.
After activation, the user will receive a welcome email inviting the user to log in to their builder account. The Invite Sent status color will change from orange to green to indicate the Active state.

The User authorization within the builder is managed via roles and their associated privileges. Enterprises can create different roles to ensure their users are provided with specific or limited access. During a user log-in, the builder UI applies for these roles and displays only those options and features that are enabled for that user. The platform provides sample roles with different levels of access. Enterprises can choose to use these roles use them as a template, and customize to define refined roles for each access level.
The default roles and privileges are listed below:

To know more about the role-based access control settings, refer to Role-Based Access Control Settings.

Note

All the above roles do not have access to account-level configuration and settings. Contact your Customer Success Manager for specific access.

Create a Custom Role

To create a custom role, select the starting role and click Clone. Update the individual privileges in the specify a custom role name. For example: HappyIns-Admin.

Assigning a Role to a User

1. Locate the user account to be updated and click Privileges.

   

2. Select the role to be assigned to the user and click Save.

   

3. The new role assignment will be displayed in the user account:

   

Invisible App

Ushur’s Invisible App is a secure two-way communication platform designed for conversations between enterprises and their customers. However, it is prudent for every workflow to identify and ascertain that the conversation is indeed happening with the intended customer. This is critical when the workflow involves collecting sensitive information such as PII or Social Security numbers etc.

Authenticate in Workflow

Enterprises can always use modules like the fetch or webhook to build checks into the workflows based on user inputs or just the email or phone number the workflows are initiated. With these modules, a workflow can be made to query and match against enterprises' system of records to verify if there is a match and the workflow is initiated by a customer they can identify.

Multi-factor Authentication (MFA)

Ushur platform also can enable multi-factor authentication at an engagement level. This will protect every engagement and enforce that an end-user must provide a six-digit code that is generated every time the Invisible App link is accessed. The feature is enabled at the workflow level.

1. Within the workflow, click Settings.

   

2. Navigate to the Invisible App section, select Enable MFA, and click Save and Preview.

   

3. When Ushur is launched and the Invisible App link is clicked, the customer is prompted to enter the one-time code sent to their mobile phone.

   2FA Input Field on the Invisible App	2FA Code

4. In addition to the MFA capability provided by Ushur, Enterprises can implement their multi-factor authentication. For example, a prompt for driver’s license ID, or the last 4 digits of their Social Security Number, etc. can be configured too.

5. The Open Responsemodule is used to capture the user input. In the module properties, click Invisible App Properties to view the options.

   

6. Check Type Password. When the Ushur workflow is triggered, any text typed in the input field will now be masked with asterisks.