Back Office permissions, and SSO

There are 2 main permissions roles in TAP backoffice:

  • Affiliate Admin - the role with highest set of permissions. Can manage sensetive settings, has access to all affiliates' and players' data/

  • Affiliate Manager - the role has limited set of permissions. Can manage and see data only of the affiliates asssigned to them by Affiliate Admin.

You can find detailed explanation of all roles below.

Important to note that if you manage multiple labels, a specific user can have different permissions towards different labels. So one user can be Affiliate Admin in label A, and at the same time Affiliate Manager in label B.

Default permissions groups in Smartico

Here you can find permission groups of the administrative users in the TAP Back Office

Role
Allowed to do

Affiliate Admin

Has full access to all affiliates and player data Can - Can manage all settings - Can create Destination Links, Promo codes and Media Assets - Can approve/cancel payment requests - Can manage pending affiliates application and assign a Manager to affiliates (everyone can be assigned as Manager, regardless of that is the user's role)

Affiliate Manager

Has no access and visibility into the affiliate profiles that are managed by other Managers, nor has access to their players and performances Can - Manage deals and settings related to the affiliates assigned to them - Make payment requests for the affiliates assigned to them - Build tracking links for the affiliates assigned to them Cannot - Manage any global settings - Manage pending affiliates' applications (review, decline, approve) - View and manage the afiliate profiles assigned to other Managers - View the players/performances of affiliates assigned to other Managers - Assign/re-assign master affiliates in a sub-affiliate network - Make balance adjusments - Approve/Cancel payment requests - Create/edit/disable Destination Links, Promo codes and Media Assets - Manage Marketing resources and campaigns

When an affiliate is reassigned to a different manager, the previous Affiliate Manager's access to that affiliate is revoked. They will no longer have access to the the affiliate profile and the data related to them.

Note that each role can be extended with additional permissions or some possibilities can be restricted from role, for example - Affiliate Admin can create a new user with role of Affiliate Admin, but exclude the possibility to make adjustments to affiliate's balances

"Additional" and "Restriction" roles

Operator can give what is called "Additional roles" to the users.

For example, the Affiliate Manager role doesn't have permission to manage custom tags, but the role can be given to particular user as "Additional role"

Also, some permissions can be taken away on user level using "Restriction roles", for example, to make balance adjustments.

Current restriction roles that can be taken away from the user

Role
Explanation

Aff:Make affiliate balance adjustments

Removes permission to make adjustments to the affiliate's balance

Current additional roles that can be granted to the user

Role
Explanation

Aff:Make affiliate balance adjustments

Removes permission to make adjustments to the affiliates' balances

Affiliation \ Access integration files

Gives access to the integration files log

Affiliation, manage custom tags

Gives permission to manage custom tags Note: This permission is part of Affiliate Admin role by default. Can be granted as an additional permission to Affiliate Manager role

Affiliation, Extra - Allow Brands creation

Gives permission to access and manage Brands - Activate/Deactivate brands - Apply rule for destination link transformation per brand Note: This permission is part of Affiliate Admin role by default. Can be granted as an additional permission to Affiliate Manager role

Authorization with SSO

TAP/Smartico supports Single Sign-On (SSO), currently available for Google and Microsoft users, with plans to expand support to other providers in the future.

To enable SSO, the client needs to provide the email domain(s) used in their Google Workspace (e.g., mycompany.com). This setup allows users with emails under the specified domain (e.g., [email protected]) to log in using SSO.

Note: TAP/Smartico is not supporting authorization using personal mails managed under generally available domains like googe.com, yahoo.com etc. Only company managed emails/domains are supported.

When enabling SSO client must provide

  1. List of company owned mail domains, e.g. mycompany.com, mycompany.org

  2. If to allow user creation on TAP side when new user logins through SSO. In case "yes", then specify:

    1. The default permission role to be assigned to new users (e.g., "Affiliate Admin", "Affiliate Manager").

    2. The TAP label(s) to which newly created users will have access. E.g. label ids - 4444 and 4445

    3. Which of the listed in point "b" labels will be assigned as "home" label (in case of having more than one label)

The logic of user matching and permissions assignment

  • For new users: New users logging in via SSO will

    • automatically be assigned access to the specified label(s), listed in point 2b

    • they will get the default permission role as specified in point 2a

    • they will have "home" label assigned according to point 3c

  • For existing users: If an existing user logs in via SSO, they will be matched by their email address and retain their current set of permissions.

It is also possible not to allow user creation when new user logins through SSO.

Template of the request for enabling SSO:

Mail domain(s)

mycompany.com, mycompany.org

Allow new users creation

YES/NO

List of label IDs

4444,4445

Home label ID

4444

Default permission

Affiliate Admin

PreviousPlayer Referral ProgramNextAPI Keys and URL

Last updated

Was this helpful?