Skip to main content

CommerceIQ User Management Guide

Everything you need to know about user management

Updated over 2 months ago

​The CommerceIQ User Management Guide outlines how administrators can control user access to the CommerceIQ (CIQ) platform. Key capabilities include granular access control based on country, product, and retailer, self-serve administration, and flexible permissioning.

The guide details the user management workflow, covering:

  • Inviting Users: Admins can invite new users (email + password or SSO) via the dashboard, setting their administrative privileges and product access. Activation links are valid for 14 days.

  • Accepting Invites: Email + password users complete a form, while SSO users log in directly via their identity provider. Passwords for email + password users work across multiple CIQ instances.

  • Granting and Updating Access: Admins can modify job functions, roles, and permissions for existing users at any time through the User Management dashboard.

  • Deactivating Users: Admins can deactivate email + password users manually. For SSO users, deactivation is usually automatic when they leave an organization, with manual deactivation as an additional option.

The document also covers SSO integration (supporting SAML 2.0 and OAuth 2.0 via WorkOS) and password reset procedures (handled within CIQ for email + password users, and by the IdP for SSO users). Only users with the Admin role can manage users. Support is available through Customer Success Managers or the CIQ Support Portal.

Overview

User Management empowers administrators to control who can access the CommerceIQ (CIQ) platform and define what each user can do once inside. From inviting users to assigning roles and managing permissions, administrators can handle all access control tasks using a centralized, self-serve tool. This capability eliminates the need for IT involvement and ensures secure access management across teams, products, and geographies.

Note: As of June 4, 2025, this feature is available to select customers and will be rolled out to all customers in the coming months.

Key Capabilities

  • Granular Access Control: Admins can grant access based on specific countries, products, and retailers. This ensures that users only see the data and tools relevant to their responsibilities.

  • Self-Serve Administration: A user-friendly interface allows admins to independently add, modify, or deactivate users without technical support.

  • Flexible Permissioning: Admins can assign and change user roles and permissions at any point in time.

Access Control Model

CommerceIQ follows a segmented access model, allowing admins to restrict user access by country, product line, and retailer. This ensures data confidentiality and provides a focused user experience by displaying only relevant information and tools.

Admin Self-Serve Dashboard

The self-serve dashboard empowers admins to:

  • Invite new users by email

  • Assign user roles and permissions based on job responsibilities

  • Resend activation emails if needed

  • Deactivate users who no longer require access

User Management Workflow

1. Inviting Users

For Email + Password Users

Admins can invite new users via the dashboard using the following steps:

  1. Go to Tools & Settings > User Management

  2. Click "Invite User"

  3. Enter the user’s email address

  4. Check the Admin box if the user requires administrative privileges

  5. Assign access for applicable products (e.g., DSA, Copilot, RMM)

  6. Click "Send Invitation"

The user will receive an email with an activation link. The link is valid for 14 days.

For SSO Users

Once SSO is set up, admins can assign product-level permissions directly via the user management dashboard. Users will log in using their organization’s SSO credentials.

2. Accepting Invites

For Email + Password Users

Users onboard to CIQ by clicking the activation link in the invitation email, post which they must complete a form with their name, job function, and password.

For SSO Users

Once SSO is enabled, there's no need for invitation acceptance. Users can visit the platform, enter their email, click "Continue," and complete the IDP authentication flow. You will receive a welcome email to the CIQ Platform.

Multiple Instance Access:

  • If a user is invited to multiple CIQ instances, they must accept each invite.

  • The password created for the first instance works across all others; no additional setup is needed.

3. Granting and Updating Access

Admins can update access and permissions anytime.

For Existing Users:

  1. Navigate to User Management

  2. Click on the user’s name

  3. Adjust the job function and role as necessary

  4. Click the pencil icon to update product/retailer/country permissions or toggle admin rights

  5. Click "Update User" to save changes

For New Users

Permissions can be defined during the initial invitation process.

For SSO Users:

The process is similar to an existing user

  1. Navigate to User Management

  2. Click on the user’s name

  3. Adjust the job function and role as necessary

  4. Click the pencil icon to update product/retailer/country permissions or toggle admin rights

  5. Click "Update User" to save changes

This screen confirms that the user has been successfully onboarded. The Customer Success Manager (CSM) must now grant access to the appropriate region and associated retailers for the relevant product line

4. Deactivating Users

For Email + Password Users:

  1. Open User Management

  2. Select the user you wish to deactivate

  3. Click "Deactivate User" at the bottom of the screen

Note: You can re-activate the user following the above steps, just click on the “Activate” button, and the access will be restored

For SSO Users:

  • If a user leaves the organization, their SSO access is automatically revoked through the identity provider.

  • Manual deactivation in the CIQ dashboard is also available as an extra layer of control.

5. SSO Integration

CommerceIQ supports both SAML 2.0 and OAuth 2.0 protocols, ensuring compatibility with a wide range of identity providers (IdPs).

  • Authentication is managed via WorkOS, which supports providers such as Okta, Azure AD, Google Workspace, OneLogin, Ping Identity, ADFS, and more.

  • CIQ customers can request support from the CIQ team to enable and configure SSO.

  • SSO Users are authenticated via their organization's IdP, while non-SSO users log in using credentials set on the CIQ platform.

6. Password Reset

For Email + Password Users:

  • After activating your account, click "Forgot Password" on the login page.

  • Enter your registered email and follow the link sent to reset your password.

  • Note: The password reset link expires after 15 minutes.

For SSO Users:

  • Password reset is handled by the customer’s IdP, so no reset is required within CIQ.

Multi-Instance Access

Users may require access to multiple CIQ client instances:

  • Email + Password Users: The same password works across all instances once set up.

  • SSO Users: Access is granted based on email whitelisting and geographical configurations within the IdP.

Troubleshooting & FAQs

Who can manage users?

Only users with the Admin role can add, edit, or deactivate users.

Can users request role changes?

Yes. Users can request changes via the self-serve tool, which will require admin approval.

What is country-product-retailer access control?

This control mechanism restricts each user’s visibility and actions to only the countries, products, and retailers assigned to them.

Will users see products they don’t have access to?

No. For example, if a user only has access to ESM, they won’t see RMM or DSA in the menu.

How do I invite a new user?

Use the Invite User button in the User Management interface. Enter their email, assign roles and permissions, and send the invite.

What happens after a user is invited?

They receive an activation email. After completing onboarding, they can log into the platform.

How long is the activation link valid?

The link is valid for 14 days. Admins can resend it at any time.

Can permissions be updated after onboarding?

Yes. Admins can modify permissions at any time from the User Management dashboard.

Can users be deactivated?

Yes. Admins can remove access at any time for security or operational reasons.

What if a user resets their password before activating their account?

They will be sent a new activation link.

What if a user didn’t receive the activation email?

Admins can resend the activation link from the dashboard.

Can permissions be changed after a user is reactivated?

Yes. Once reactivated, the user is treated like any active user.

Can customers enable SSO?

Yes. CIQ supports SSO setup. A detailed setup guide is available, and CIQ support can assist as needed.

Is there a difference in login experience for SSO users?

Yes. SSO users log in via their organization’s IdP. Non-SSO users use credentials managed within CIQ.

What happens when a user leaves the organization?

SSO access is automatically revoked via the IdP. Admins can also deactivate users manually in CIQ.

Support

For any issues or questions, contact your Customer Success Manager or raise a ticket through the CIQ Support Portal.

Product Manager - Alabhya Vaibhav

Engineering Manager - Rajan V

Developer - Aviroop Banerjee

Did this answer your question?