An IDP user with the role whitelabel_admin has, after logging in via SSO, basically the same access rights as a regular admin who logs directly into our QR code platform (without SSO).
The same goes for whitelabel_manager: an IDP user with the role whitelabel_manager who logs in via SSO has the same rights as a manager who logs directly into our QR code platform (without SSO).
For the teamleader role there is something important to understand. If you use the 1:n SSO setup, you already know that the QR code platform users each IDP user is allowed to use are assigned in the IDP.
During the SSO login process, the IDP user can then choose one of the assigned QR code platform users, such as Marketing or CustomerService in our example.
Now comes the twist: if an IDP user has not only QR code platform whitelabel users (e.g. Marketing, CustomerService) assigned but also the role whitelabel_teamleader, then he can access these QR code platform whitelabel users with elevated rights.
Elevated access rights mean that any restrictions defined in the Permissions section of a QR code platform whitelabel user do NOT get applied.
The following table compares the possible scenarios and shows which IDP roles lead to which access rights in the QR code platform.
| IDP Role | Permissions in QR code platform | Access to QR code platform whitelabel users |
|---|---|---|
| whitelabel_admin | Full permissions | All users |
| whitelabel_manager | Full permissions (except invoicing and branding) | All users |
| whitelabel_teamleader + User1 (e.g. Marketing) | Full permissions (except invoicing and branding) | User1 |
| whitelabel_teamleader + User1 + User2 | Full permissions (except invoicing and branding) | User1 + User2 |
| User1 (e.g. Marketing) | Restricted permissions | User1 |
| User2 (e.g. CustomerService) | Restricted permissions | User2 |
| User1 + User2 | Restricted permissions | User1 + User2 |
As an example, consider the permissions of the whitelabel user Marketing, where the permission to create a QR code is deactivated.
This means that an IDP user who logs into our QR code whitelabel platform via SSO and does not also have the role whitelabel_teamleader cannot create a QR code.
On the other hand, if the IDP user also has the role whitelabel_teamleader assigned, he has elevated rights and is not bound by such restrictions. Hence, he can still create QR codes.
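The table above can also be used to audit IDP assignments. The following added example (not the platform's own code) resolves each IDP user's effective access and lists where restrictions configured on a whitelabel user are not applied. The dictionary layout, the permission labels, the sample directory and the precedence between roles are assumptions made for illustration.

```python
# Added example: dict keys, labels and the sample directory are constructed.
ADMIN = "whitelabel_admin"
MANAGER = "whitelabel_manager"
TEAMLEADER = "whitelabel_teamleader"
ALL_USERS = "*"  # marker for "All users" in the table


def effective_access(roles, assigned_users):
    """Map IDP roles + assigned whitelabel users to (permissions, users)."""
    roles = set(roles)
    users = sorted(set(assigned_users))
    # Assumption: when several roles are assigned, the broadest one applies.
    if ADMIN in roles:
        return "full", ALL_USERS
    if MANAGER in roles:
        return "full_except_invoicing_branding", ALL_USERS
    if TEAMLEADER in roles:
        # Elevated rights: Permissions-section restrictions are not applied.
        return "full_except_invoicing_branding", users
    return "restricted", users


def restriction_bypasses(directory, restricted_users):
    """Return (idp_user, whitelabel_user) pairs where restrictions do not apply."""
    findings = []
    for name, entry in sorted(directory.items()):
        level, users = effective_access(entry["roles"], entry["users"])
        if level == "restricted":
            continue  # restrictions of the selected whitelabel user apply
        if users == ALL_USERS:
            reachable = set(restricted_users)
        else:
            reachable = set(users) & set(restricted_users)
        findings.extend((name, wl_user) for wl_user in sorted(reachable))
    return findings


# Constructed sample: an IDP export and the whitelabel users with restrictions set.
DIRECTORY = {
    "alice": {"roles": [TEAMLEADER], "users": ["Marketing"]},
    "bob": {"roles": [], "users": ["Marketing", "CustomerService"]},
    "carol": {"roles": [MANAGER], "users": []},
}
RESTRICTED = {"Marketing"}  # e.g. QR code creation deactivated

if __name__ == "__main__":
    for idp_user, wl_user in restriction_bypasses(DIRECTORY, RESTRICTED):
        print(f"{idp_user}: restrictions on {wl_user} are not applied")
```

Running the audit after every change to role assignments in the IDP shows which accounts the Permissions section no longer constrains.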