User Management lets administrators control who can access the CommerceIQ platform and what they can do once inside. From inviting new users to assigning roles and adjusting permissions, this tool provides a centralized and secure way to manage access across teams, products, and retailers—without needing IT support.
As of June 4, 2025, this user management workflow is live for a select few customers, and will be available for all customers in the coming months.
Key capabilities
Control access at the country, product, and retailer level
Use a self-serve tool to manage roles and permissions
Add, edit, and remove users with admin access
Country-product-retailer access control
Users only see the data and tools relevant to their assigned countries, products, and retailers. This ensures secure, segmented access and improves platform usability.
Self-serve tool for admins
Admins can manage users and permissions directly in the platform—no IT support required. With the self-serve tool, admins can:
Invite new users
Set or modify roles and permissions
Resend activation links
Deactivate users when necessary
To invite new users:
Navigate to Tools & settings -> User management
Click "invite user"
Add their email
If they need admin permissions, mark them as an admin
Set permissions for DSA, Copilot, and RMM
Click "send invitation"
An email invite will be sent to the user
The invite will expire in 14 days
Set or modify roles and permissions:
Navigate to Tools & settings -> User management
Click on the user that you want to modify
Adjust their job function
Adjust their role
Click the pencil icon to edit their permissions or make them an admin
Click "update user" at the bottom right corner of the page
To deactivate users:
Navigate to Tools & settings -> User management
Click on the user you want to deactivate
Select "Deactivate user" on the bottom right corner of the page
Authentication and single sign-on (SSO)
The platform supports both SAML 2.0 and OAuth 2.0, ensuring compatibility with most identity providers (IdPs). CIQ uses WorkOS to manage authentication and SSO integration. Customers can enable SSO with support from the CIQ team. WorkOS supports major providers including Okta, Azure AD, Google Workspace, OneLogin, Ping Identity, ADFS, and any other SAML2 or OAuth-compliant IdP. SSO users are redirected to their organization's IdP for authentication, while non-SSO users log in using CIQ-managed credentials. If a user leaves the organization, SSO access is automatically revoked through the customer’s IdP, and admins can also manually deactivate users.
Frequently asked questions
Who can manage users? Only admins with the “Admin” role can assign, modify, or manage users.
Can users request role changes? Yes, users can submit role change requests through the self-serve tool. Requests require admin approval.
What is country-product-retailer access control? This restricts each user’s access to the specific countries, product lines, and retailers they’ve been assigned.
Will users see products they don’t have access to in the menu? No. For example, if a user only has access to ESM, they won’t see RMM or DSA in the navigation—even if those products are part of the broader account.
How do I invite a new user? Go to the User Management page, click "Invite user," enter the email, assign permissions (now or later), and send the invite.
What happens after a user is invited? They’ll receive an activation email. Once they click the link and complete onboarding, they can access the platform.
How long is the activation link valid? The link is valid for 14 days. Admins can resend it anytime from the User Management dashboard.
Can permissions be updated after a user joins? Yes. Permissions can be set or updated any time after account activation.
Can users be deactivated? Yes. Admins can deactivate users to revoke access due to role changes or security needs.
What happens if a user resets their password before activating? They’ll receive a new activation link. Password reset is only available after activation.
What if the user didn’t receive or lost the activation email? Use the self-serve tool to resend the activation link.
Can permissions be changed after reactivating a user? Yes. Once a user is reactivated, their permissions can be updated like any active user.
Can customers enable SSO? Yes. Customers can enable SSO with support from the CIQ team. A detailed step-by-step guide is available here: SSO Setup Documentation.
Is there a difference in user experience between SSO and non-SSO logins? Yes. SSO users authenticate via their organization’s IdP, while non-SSO users log in with CIQ-managed credentials.
What happens if a user leaves the organization? If using SSO, access is automatically revoked through the customer’s IdP. Admins can also deactivate users manually to remove access.