How to add a new user
This guide walks through the complete process of adding a new user to the Energyworx platform, from start to finish. It explains what each step is, why it is needed, and who is responsible.
For detailed information on permission groups and their configuration, see How to Whitelist and Assign Permissions. For automated whitelisting and permission assignment via SAML, see SAML Authentication.
Overview
Adding a new user to the platform is a three-step process:
| Step | Action | Who | Result |
|---|---|---|---|
| 1 | Whitelist the user's identity | Customer admin | The user can log in to the platform |
| 2 | User logs in | The user | A user account is created on the platform |
| 3 | Assign permission groups | Customer admin | The user can access resources in their namespace(s) |
Key concepts
- Billing Account: The top-level organizational unit for your organization. Contains one or more namespaces.
- Namespace: A workspace within a billing account that holds datasources, configurations, and other resources. Users are whitelisted per namespace.
- Whitelisting: Granting an identity (email address) access to one or more namespaces. Without whitelisting, a user cannot log in to the platform — even if they have a valid Google, Microsoft, or linked identity provider account.
- Permission Group: A set of permissions that controls what a user can do within a namespace (e.g., view datasources, start flows, manage configurations). Each customer defines their own groups.
Responsibility split
| Action | Responsible |
|---|---|
| Creating a new namespace | Energyworx (via Service Desk) |
| Whitelisting users to namespaces | Customer administrator |
| Assigning permission groups to users | Customer administrator |
Before you can whitelist users and assign permissions, your organization must have designated administrators with the appropriate base permissions. If this has not been set up yet, see Initial Setup: Designating Your Administrators.
Step 1: Whitelist the user
Whitelisting registers a user's email address on one or more namespaces, allowing them to log in to the platform. Before this step, the user cannot access the platform at all.
Required permissions: read and create on the billingaccount resource (Whitelisting Administrator role).
Steps:
- Navigate to Identity Access Management → Whitelist
- Click the + Add button
- Enter the user's email address
- Select the namespace(s) the user should have access to
- Confirm
After this step, the user's identity is registered but no user account exists yet — the user must log in first.
Step 2: User logs in
Once whitelisted, the user can log in to the platform using their Google, Microsoft, or linked identity provider account. On first login, the platform automatically creates a user account.
After this step, the user can log in and see the namespaces they were whitelisted for in the namespace selector (top right of the platform UI). However, they cannot yet access the contents of those namespaces — they need permission groups for that.
Step 3: Assign permission groups
Permission groups control what a user can do within a namespace. Without any groups assigned, a whitelisted user can log in but cannot view or interact with resources like datasources, flows, or configurations.
Required permissions: read and update on the iam resource (Permission Administrator role).
Steps:
- Navigate to Identity Access Management → Users
- Find the user in the list and click Details
- Click + Add Group
- Select the appropriate permission group from the dropdown
- Repeat for additional groups if needed
After this step, the user has full access according to the permissions defined in their assigned groups. For an overview of which permissions are needed for which platform functionality, see Functional permission requirements.
Summary
After completing all three steps, the user:
- Can authenticate with the platform (via whitelisting)
- Has a user account (created on first login)
- Can access namespace resources according to their permission groups
If any step is skipped:
| Missing step | Effect |
|---|---|
| Not whitelisted | User cannot log in at all |
| Not logged in yet | User account does not exist; permissions cannot be assigned |
| No permission groups | User can log in and see namespaces, but cannot access any resources |