About users and activity

All of the users and all of their associated activity can be viewed and managed from a single page in the Amperity admin user interface. User access to Amperity is managed in two steps:

  1. Authentication determines and validates who the user is.

  2. Authorization determines what that user is allowed to do.

An unauthorized user may not access Amperity; an authorized user may only view and interact with what their policy allows.

Manage Users

The Users section allows users assigned the Allow user administration policy option to self-service the management of individual users who have access to your tenant.

All of the users and all of their associated activity can be viewed and managed from the Users and Activity page. User access to Amperity is managed in two steps:

  1. Authentication determines and validates who the user is.

  2. Authorization determines what that user is allowed to do.

An unauthorized user may not access Amperity; an authorized user may only view and interact with the areas within Amperity to which their policy allows access.

Add users

Before a user can log into Amperity they must be added and a policy must be assigned to them. The Amperity admin interface allows users to be managed directly using name and password authentication.

To add a user

  1. Open the Users & Activity page.

  2. Click Add User. This opens the Add User dialog box.

  3. Enter the user’s full name (e.g. “Justin Currie”) and the email address with which they will log into Amperity (e.g. “justin.currie@amperity.com”). Only users from a known domain are allowed to access Amperity.

  4. Select the policy to which this user will be assigned.

  5. Select a resource group to which this user will be assigned.

  6. Be sure to send the user a welcome to Amperity email. (This is enabled by default.)

  7. Click Save.

Delete users

All users who should no longer be allowed access to Amperity should be deleted. This will delete the user for all tenants to which that user is assigned. Use the revoke tenant access process to delete a user from a tenant when that user has access to more than one tenant.

To delete a user

  1. Open the Users & Activity page.

  2. Under Users, from the list of users, select the ellipses menu, and then click Delete.

Edit users

If the details for a user change, such as changing the policy to which they are associated, their details may be updated.

To edit a user

  1. Open the Users & Activity page.

  2. Under Users, from the list of users, select the ellipses menu, and then click Edit. The Edit User dialog box opens.

  3. Make your changes.

  4. Click Save.

Revoke tenant access

Amperity users may have access to more than one tenant in Amperity. For example when two brands are managed as separate tenants. If a user has access to more than one set of data, access to an individual tenant may be revoked, which will prevent the user from being able to access this tenant. Access to any other tenant to which that user is assigned remains unchanged.

To revoke tenant access

  1. Open the Users & Activity page.

  2. Under Users, from the list of users, select the ellipses menu, and then click Revoke tenant access.

Allowed domains

Only users from an allowed domain may access Amperity. Amperity maintains a list of approved domains for all users. This acts as an additional step to verify that users who access your brand’s Amperity tenant are approved users. Users cannot be created using an unknown domain.

To allow a domain

  1. Open the Users & Activity page.

  2. Under Users click Add User. The Add user dialog box opens.

  3. Under Allowed domains, click the Request domain link.

  4. Add the domain for which the request is being made, and then specify the reason why it should be allowed.

  5. Click Send.

About SSO group mappings

Amperity supports the use of single sign-on (SSO) to manage the users who can access your tenant.

About resource groups

A resource group represents one or more databases in the Customer 360 tab. Users with access to a resource group can build queries and segments against that database and can send data from that database to downstream workflows.

“All resource groups”

Amperity includes one default resource group: “All resource groups”.

Users that are granted access to the “All resource groups” resource group are allowed to interact with all of the databases in the Customer 360 page.

Custom resource groups

Use a custom resource group to support any combination of team member access to brand-specific databases.

Note

Users who are associated with a custom resource group cannot access the Sources page. (The Sources page requires users to be able to access all data available to the tenant.)

Users who are associated with a custom resource group may be able to view the Stitch page (depending on their policy), but will not be able to view personally identifiable information (PII).

To add a custom resource group

  1. As a user with Admin privileges, open the Users & Activity page.

  2. Next to Resource Groups, click Add Resource Group.

  3. Enter the name of the custom resource group and a description.

  4. Click Save.

Assign users to resource groups

Assign a user to a policy, and then associate that policy to a resource group. A user may be assigned to more than one policy. A policy may be associated with any resource group.

Assign users to policies and resource groups when they are added to Amperity. This can be done using the Amperity UI or from your identity provider (IdP) when managing users with SSO group mappings.

Database permissions

A database may be associated with a single custom resource group. A custom resource group may be associated with more than one database.

Note

A database is always associated with the “All resource groups” resource group.

A database that is assigned permission to a custom resource group allows users associated with that resource group to:

  1. View that database from the Customer 360 page.

  2. View all tables in that database.

  3. Configure database exports from that database.

  4. Build segments and queries that run against that database.

  5. Design campaigns that send the results of segments to downstream workflows.

  6. Use destinations to send the results of queries to downstream workflows.

Note

Users who are associated with the “All resource groups” resource group are allowed to add and edit databases in the Customer 360 page and run Spark SQL queries against all of the data in the tenant.

To set database permissions for a custom resource group

  1. From the Customer 360 page, under All Databases, click the ellipses menu for a database, and then click Change Permissions. This opens the Permissions dialog box.

  2. Click Standard Access, and then select a custom resource group from the drop-down list.

  3. Click Save.

Multi-brand tenants

Use a combination of custom resource groups to define how teams in your organization can interact with brand databases in Amperity, where each custom resource represents a brand.

For example, a tenant with multiple brands, a global analytics team, multiple brand-specific teams, and multiple databases can:

  1. Configure a policy for the global analytics team and assign the policy to the “All resource groups” resource group.

  2. Define a custom resource group for the owners of brand A, and then configure these owners with a policy that is assigned to the brand A resource group.

  3. Define a custom resource group for the owners of brand B, and then configure these owners with a policy that is assigned to the brand B resource group.

  4. Configure the database for brand A for permissions to the custom resource group associated with brand A.

  5. Configure the database for brand B for permissions to the custom resource group associated with brand B.

This will allow members of the global analytics team to access the databases for brands A and B while ensuring that brand owners can only access their brand’s database.

About BI Connect

Business Intelligence Connect is an Amperity-managed cloud data warehouse that provides an easy-to-access location from which you can use any BI tool to access all of your Amperity data.

Important

Business Intelligence Connect is licensed for presentation of Amperity-sourced data within BI tools and contexts. It is not meant to be a general data warehouse solution.

Loading data into the Business Intelligence Connect data warehouse from sources other than Amperity is considered out-of-license. Customers that wish to load data to the Business Intelligence Connect data warehouse from other data sources should contact their Amperity account team to discuss options.

Business Intelligence Connect is available upon request for Amperity tenants who have licensed Amp360. After the data warehouse for Business Intelligence Connect is configured by Amperity for your tenant, you can send data from Amperity to the data warehouse, and then connect any of your BI tools to that data.

Add BI Connect users

Users who are assigned to the Allow user administration policy can add BI Connect users. There are two options: add an existing user of Amperity or by using an email address from an allowed domain.

From an existing Amperity user

A user who has already signed into Amperity may be added directly. On the Users & Activity page, next to BI Connect, click Add BI Connect User and then choose the Select an existing Amperity user option.

Add existing Amperity users to BI Connect.

Note

If your tenant is configured to use SSO this user must also be configured in your tenant’s identity provider (IdP).

From an allowed domain

A user who has an email address from an allowed domain may be added directly. On the Users & Activity page, next to BI Connect, click Add BI Connect User and then choose the Add directly by email address option.

Add Amperity users to BI Connect directly.

About user activity

Amperity keeps records of all user activity, including situations like:

  • A user views personally identifiable information (PII)

  • Information is sent from the Amperity platform

  • Changes are made to a user’s authorization

  • API endpoints are created

All activity may be downloaded to a CSV file and individual event, user, and object IDs may be copied.

Note

The Users section of the Users and Activity page requires the user to be assigned the Allow user administration policy option.

The activity list displays the following columns:

  • Date The date and time of the action (displayed in your local time-zone).

  • User The user who took the action. For most users, this is that user’s friendly name or email address.

    An auth token is displayed for users that accesses Amperity programatically.

  • Action The action taken in the application. Generally this will take the form of “action type/action”. For example, activating a segment appears as “segment/activate” and running a segment for download appears as “query.exec/download”.

    Note

    A few actions in the list are not user-initiated. For example, when a user is granted a new authorization policy, both the grant and the receipt appear on separate rows.

  • Object The object against which the action occurred.

    For example, if a user ran a segment, that segment’s name is displayed. If a user sent a segment to a destination, both the name of the segment and the destination name will be displayed. If the user was the recipient of a new authorization policy, the policy name will be displayed.

Download user activity

The Amperity user interface shows the most recent 1000 user activity events. You can download a CSV file that contains events for any date range for which user events are available.

To download user activity

  1. From the ellipses menu in the top right, click Users & Activity.

  2. Under Activity click Download.

  3. A CSV file named events-yyyy-mm-dd-timestamp.csv is downloaded.

Column names in the user activity CSV file

The first row of the user activity file contains the following column headers, and then a row for each tracked event:

column name

Description

event-id

The Amperity internal identifier for the event. This can be used to request additional information about the event, if needed.

event-type

The type of event.

This value is also available from the Action column under Users on the Users and Activity page.

external-id

Internal value only; this value will be NULL in downloaded log files.

happened-at

The time at which the action occurred.

This value is also available from the Date column under Users on the Users and Activity page.

Note

The downloaded date and time are in GMT; the Amperity user interface shows the date and time in your local timezone.

object

The identifier for the object for which the action occurred.

origin-ip

The IP address that is associated with the user who initiated the action.

object-name

A composed string that describes the object(s) for which the action occurred.

This value is also available from the Object column under Users on the Users and Activity page.

principal-email

The email address for the user who initiated the action.

This value may be NULL when the user is an API key.

principal-id

The identifier for the user who initiated the action. This user may be an API key or a non-human user.

principal-name

The friendly name of the user associated with the activity, if available, otherwise the email address or API key.

This value is also available from the User column under Users on the Users and Activity page.

recorded-at

The time at which the system recorded the action. May be slightly different than the value of happened-at due to the asynchronous nature of Amperity.

source

The component within Amperity that added the log entry.

User activity event types

The following table lists the most common event types, grouped by the component or area within Amperity that is most closely associated with the event type.

Note

Many events are prefixed with a dot-delimited string that typically starts with “amperity”. The specific event is located after a slash (“/”). The following table lists the events by the strings immediately before and after the slash.

For example, the following event:

:amperity.plugin.destination/created

is shown in the following table as:

destination/created

If your tenant shows an event that is not listed in this table, its purpose can often be inferred by the string and the event after the trailing slash. You may open a support ticket to request more information about an event that is not shown in this table. Ask your Amperity support representative for more information about the event, and then request also that this reference be updated.

Event grouping

Description

AI Assistant

The following events are associated with the AI Assistant:

assistant/send-user-message

A user sent a question to the AI Assistant.

query.exec/sampled

A set of sample data was provided to the AI Assistant.

Note

More detail about AI Assistant data sharing policies, how the model stores data, and what types of data is sent (or not sent), is available from the AI Assistant Privacy FAQ .

API keys

The following events are associated with API keys:

api-key/created

An API key was created.

api-key/deleted

An API key was deleted.

api-key/issue

An API token issuer was created.

Note

This event is always associated with the following events:

policy/attached

and

policy/attached-to

api-key/updated

An API key was updated.

BI Connect

The following events are associated with BI Connect:

warehouse/user-added

A user was added to BI Connect.

warehouse/user-removed

A user was removed from BI Connect.

warehouse/user-renewed

A user was allowed to continue accessing BI Connect.

Credentials

The following events are associated with credentials:

credential/created

A credential was created.

credential/deleted

A credential was deleted.

credential/updated

A credential was updated.

Destinations

The following events are associated with destinations:

destination/cloned

A user created a destination by copying an existing destination.

destination/created

A user created a destination.

destination/deleted

A user deleted a destination.

destination/updated

A user updated a destination.

Domain tables

The following events are associated with domain tables:

workflow/domain-data-records-deletion-started

A user deleted records from a domain table.

Orchestrations

The following events are associated with orchestrations and orchestration groups:

orchestration/run

A user initiated a manual run for an orchestration.

orchestration.group/run

A user initiated a manual run for an orchestration group.

Policies

The following events are associated with policies:

policy/attached and policy/attached-to

A policy was was attached to an object that was created within Amperity.

For example, when a new API token issuer is created, the policy/attached and policy/attached-to events are logged and are associated with the name of the API issuer token.

policy/created

A policy was created.

policy/deleted

A policy was created.

policy/detached and policy/detached-from

A policy was was detached from an object that exists within Amperity.

policy/updated

A policy was updated.

Important

Occasionally members of your Amperity team will access your tenant. This is always done as a full administrator.

In situations where they are helping to troubleshoot an issue, answer a question with more detail, and so on, they will often switch their view to match the policy settings associated with your tenant.

For example, if the view is switched to “DataGrid Operator”, that action is logged using the following event type:

amperity.auth.token/user-switched-policies

Privacy rights

The following events are associated with privacy rights workflows:

workflow/domain-ccpa-deletion-started

The CCPA delete workflow has started.

Queries

The following events are associated with the Queries page:

query/activated

A query was activated.

query/created

A query was created.

query/deleted

A query was deleted.

query/moved

A query was moved from one folder into another.

query.draft/discarded

A query in a draft state was discarded.

query.folder/created

A folder on the Queries page was created.

query.folder/deleted

A folder on the Queries page was deleted.

Resource groups

The following events are associated with resource groups:

resource-group/assigned

A user was assigned to a resource group.

resource-group/created

A resource group was created.

resource-group/deleted

A resource group was deleted.

resource-group/updated

A resource group was updated.

Sandboxes

The following events are associated with sandboxes:

tenant/created

A sandbox was created.

tenant/deleted

A sandbox was deleted.

tenant/updated

A sandbox was updated.

Note

These events appear within the sandbox and are followed by the policy/attached-to and policy/attached events to allow the user who created the sandbox to access the sandbox as a DataGrid Administrator.

Single Sign-on

The following events are associated with single sign-on (SSO):

group-mapping/created

An SSO group mapping was created.

group-mapping/deleted

An SSO group mapping was deleted.

group-mapping/updated

An SSO group mapping was updated.

User activity

The following events are associated with the the Users section within the Users and Activity page:

audit.user-activity/download

A user downloaded user activity into a CSV file to view offline.

Users

The following events are associated with Amperity user accounts that are managed from the Users and Activity page:

user/created

A user was created.

user/deleted

A user was deleted.

user/sent-password-reset-email

A user was sent an email to they can reset their password.

Workflow alerts

The following events are associated with workflow alerts:

audience/created

An audience for a workflow alert was created.

Note

This event will show only the first time an email addresss or Slack channel is configured to receive workflow alerts for courier groups, scheduled orchestration groups, or campaigns. All subsequent events related to workflow alerts will show the audience/updated event.

audience/updated

The membership of an audience for a workflow alert was updated. This includes adding or removing email addresses and/or Slack channels to or from a workflow alert.

Workflows

The following events are associated with workflows:

workflow/cancel

A workflow resolution was stopped by a user.

workflow/retry

A workflow resolution was opened, after which a specific resolution option was selected, and then the workflow was retried.

workflow/skip

A user opened a workflow resolution, and then skipped the task that caused the workflow failure.