User Authentication

Authentication answers the fundamental question: "Who are you?"

It's the process of verifying identity and managing user accounts in your ADOC platform. Think of it as the front door to your data observability system - it controls who can walk through that door.

Why Authentication Matters

Security Foundation

Authentication is your first line of defense. Without proper user management:

  • You don't know who accessed what
  • You can't revoke access when someone leaves
  • You have no audit trail for compliance
  • Security breaches go undetected

Operational Efficiency

Good authentication practices mean:

  • New hires get access on day one
  • Team reorganizations happen smoothly
  • API keys enable automation
  • Access reviews take minutes, not days

Compliance Requirements

Most regulations require you to:

  • Track who has access to sensitive data
  • Remove access when people leave
  • Regularly review and audit access
  • Document access decisions

Authentication in ADOC: The Building Blocks

1. Users

Individual people who access ADOC.

Key Concepts:

  • Each user has a unique identity (email address)
  • Users authenticate with username/password or SSO
  • User accounts can be enabled or disabled
  • Users are assigned to groups for access management

Example: Sarah Chen (sarah.chen@company.com) - Data Engineer

2. Groups

Collections of users organized by team, department, or function.

Key Concepts:

  • Groups organize users at scale
  • Permissions are assigned to groups, not individual users
  • Users can belong to multiple groups
  • Groups align with your organizational structure

Example: "Data Engineering" group contains all data engineers

3. API Keys

Credentials for programmatic access (scripts, CI/CD, integrations).

Key Concepts:

  • API keys enable automation without using personal credentials
  • Each key has an access key and secret key pair
  • Keys can be revoked independently
  • Keys should have expiration dates

Example: CI/CD pipeline uses API key to deploy pipelines automatically

The Authentication Flow

Copy

Real-World Example: Sarah's Journey

Day 1: Onboarding

Monday Morning - 9:00 AM

Sarah Chen joins your data engineering team.

Admin actions (5 minutes):

  1. Send invitation to sarah.chen@company.com
  2. Assign to "Data Engineering" group
  3. Verify she can log in
  4. Set attributes (team, manager, start date)

Result: Sarah logs in at 9:15 AM, sees her team's pipelines, starts working.

Week 1-12: Active Use

Daily Operations

Sarah uses ADOC every day:

  • Views pipeline execution status
  • Investigates failed runs
  • Creates new data pipelines
  • Collaborates with team

Admin actions: Minimal (groups manage permissions automatically)

Month 6: Promotion

Sarah Becomes Team Lead

Admin actions (2 minutes):

  1. Add Sarah to "Team Leads" group
  2. Sarah now has approval permissions
  3. Update attributes (level: Senior Engineer)

Result: Sarah's access automatically elevated based on group membership.

Month 18: Departure

Sarah Accepts Job at Another Company

Admin actions (10 minutes):

  1. Disable Sarah's account immediately
  2. Revoke all API keys
  3. Remove from all groups
  4. Document in audit log
  5. Transfer resource ownership

Result: Sarah's access removed within 1 hour of notification. Complete audit trail maintained for compliance.

Common Authentication Tasks

TaskWhen You Do It
Onboard a New Team MemberNew hire starts
Organize Users into Teams/GroupsNew team forms
Manage Access ChangesPromotions, transfers
Offboard a UserEmployee leaves
Audit and Review User AccessQuarterly reviews
Bulk User ManagementMass onboarding

Authentication Best Practices

Do's

User Management:

  • Onboard users 1-2 days before start date
  • Use consistent naming conventions (first.last@company.com)
  • Set attributes for HR tracking (manager, department, start date)
  • Test access before announcing it's ready

Group Management:

  • Organize by job function, not by person
  • Keep groups aligned with org structure
  • Use descriptive names (Data Engineering, not Group1)
  • Limit to 20-30 groups for most organizations

API Keys:

  • Use service accounts for automation (not personal keys)
  • Set expiration dates on all keys
  • Rotate keys every 90 days
  • Store in secret management systems

Offboarding:

  • Disable accounts immediately (don't delete)
  • Revoke API keys separately
  • Document offboarding in attributes
  • Preserve accounts for audit trail

Don'ts

Common Mistakes:

  • Don't assign permissions to individual users (use groups!)
  • Don't share API keys across systems
  • Don't delete user accounts (disable instead)
  • Don't skip setting user attributes
  • Don't forget to revoke API keys during offboarding
  • Don't create groups for individuals
  • Don't let API keys live forever without expiration

Authentication Metrics to Track

Health Metrics

  • Active Users: Currently enabled accounts
  • Inactive Users: No login in >90 days (offboard candidates)
  • Users Without Groups: Over-permissioned users (security risk)
  • API Keys: Total keys, expired keys, unused keys

Operational Metrics

  • Average Onboarding Time: Target <10 minutes
  • Access Request Turnaround: Target <1 day
  • Offboarding Completion: Target <1 hour from notification

Compliance Metrics

  • Access Review Frequency: Quarterly recommended
  • Orphaned Accounts: Users whose manager left
  • Stale API Keys: Keys >90 days old
  • Audit Coverage: % of users reviewed

Authentication vs Authorization

Important: Authentication and Authorization work together but serve different purposes:

Authentication (Who)Authorization (What)
Who are you?What can you do?
Verifies identityGrants permissions
Users, Groups, API KeysRoles, Domains, Resources
"Sarah is a data engineer""Data engineers can create pipelines"

Common Questions

Q: Should I create a group for each user?

A: No! Groups are for shared access. If only one person needs specific access, assign a role directly (but this should be rare).

Q: What happens to a user's data when I disable their account?

A: Nothing! Pipelines they created continue running. Only their ability to log in is removed. This is why we disable instead of delete.

Q: How do I know if someone needs access?

A: Follow these guidelines:

  • Manager approval required
  • Access based on job function
  • Least privilege by default
  • Time-bound for contractors

Q: Can a user belong to multiple groups?

A: Yes! This is normal. For example, Sarah might be in "Data Engineering" (her team) and "Pipeline Owners" (her function).

Q: How often should I audit access?

A: Quarterly for most organizations. More frequently for highly regulated industries or high-turnover teams.

Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard
Next to read:
Onboard a New Team Member

For additional help, contact www.acceldata.force.com OR call our service desk +1 844 9433282

Copyright © 2025

On This Page
User AuthenticationWhy Authentication MattersSecurity FoundationOperational EfficiencyCompliance RequirementsAuthentication in ADOC: The Building Blocks1. Users2. Groups3. API KeysThe Authentication FlowReal-World Example: Sarah's JourneyDay 1: OnboardingWeek 1-12: Active UseMonth 6: PromotionMonth 18: DepartureCommon Authentication TasksAuthentication Best PracticesDo'sDon'tsAuthentication Metrics to TrackHealth MetricsOperational MetricsCompliance MetricsAuthentication vs AuthorizationCommon QuestionsQ: Should I create a group for each user?Q: What happens to a user's data when I disable their account?Q: How do I know if someone needs access?Q: Can a user belong to multiple groups?Q: How often should I audit access?