# Back Office permissions, and SSO

There are 2 main permission roles in the TAP Back Office:

* **Affiliate Admin** - the role with the highest set of permissions. Can manage sensitive settings and has access to all affiliates' and players' data.
* **Affiliate Manager** - the role with a limited set of permissions. Can manage and see data only of the affiliates assigned to them by an Affiliate Admin.

You can find a detailed explanation of all roles below.

Note that if you manage multiple labels, a specific user can have different permissions for different labels. One user can be Affiliate Admin in label A and, at the same time, Affiliate Manager in label B.

## Default permissions groups in Smartico <a href="#default-permissions-groups-in-smartico" id="default-permissions-groups-in-smartico"></a>

Here you can find the permission groups of the administrative users in the TAP Back Office.

| Role                                    | Allowed to do                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Affiliate Admin | <p>Has full access to all affiliates and player data<br><br><strong>Can</strong><br>- Manage all settings<br>- Create Destination Links, Promo codes and Media Assets<br>- Approve/cancel payment requests<br>- Manage pending affiliates' applications and assign a Manager to affiliates (anyone can be assigned as Manager, regardless of the user's role)</p> |
| Affiliate Manager | <p>Has no access and visibility into the affiliate profiles that are managed by other Managers, nor has access to their players and performances<br><br><strong>Can</strong><br>- Manage deals and settings related to the affiliates assigned to them<br>- Make payment requests for the affiliates assigned to them<br>- Build tracking links for the affiliates assigned to them<br><br><strong>Cannot</strong><br>- Manage any global settings<br>- Manage pending affiliates' applications (review, decline, approve)<br>- View and manage the affiliate profiles assigned to other Managers<br>- View the players/performances of affiliates assigned to other Managers<br>- Assign/re-assign master affiliates in a sub-affiliate network<br>- Make balance adjustments<br>- Approve/Cancel payment requests<br>- Create/edit/disable Destination Links, Promo codes and Media Assets<br>- Manage Marketing resources and campaigns</p> |
| <p></p><p>Affiliate Admin, Limited </p> | <p>Has the same permissions/restrictions as Affiliate Manager, but:</p><p><br><strong>Can</strong><br>- See all affiliates and players data (except affiliates in Pending status)<br>- Can manage the Deals of all affiliates <br></p><p><strong>Cannot</strong> <br>- Change affiliate details and settings in any affiliate profile<br></p>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |

{% hint style="warning" %}
When an affiliate is reassigned to a different manager, the previous Affiliate Manager's access to that affiliate is revoked. They will no longer have access to the affiliate profile and the data related to it.
{% endhint %}

{% hint style="info" %}
Note that each role can be extended with additional permissions, and some permissions can be removed from a role. For example, an **Affiliate Admin** can create a new user with the role of **Affiliate Admin** but exclude the ability to make adjustments to affiliates' balances.
{% endhint %}

## "Additional" and "Restriction" roles

The operator can give what are called "Additional roles" to users.

For example, the Affiliate Manager role doesn't have permission to manage custom tags, but that permission can be given to a particular user as an "Additional role".

<figure><img src="/files/hl5ytzse09eVbaUD4gHh" alt=""><figcaption></figcaption></figure>

Also, some permissions can be taken away at the user level using "Restriction roles", for example, the permission to make balance adjustments.

<figure><img src="/files/EnyoigExvJ5QtvX4mjno" alt=""><figcaption></figcaption></figure>

Current **restriction roles** that can be taken away from the user

| Role                                   | Explanation                                                                                                                     |
| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- |
| Aff:Make affiliate balance adjustments | Removes permission to make adjustments to the affiliate's balance                                                               |
| Aff:Limit managers/admins, variant 1   | <p>Cannot:<br>- Export Affiliates list<br>- Export Registration list<br>- Impersonate affiliate's login (View as affiliate)</p> |

Current **additional roles** that can be granted to the user

| Role                                       | Explanation                                                                                                                                                                                                                                                                                                          |
| ------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Aff:Make affiliate balance adjustments     | Removes permission to make adjustments to the affiliates' balances                                                                                                                                                                                                                                                   |
| Affiliation \ Access integration files     | Gives access to the integration files log                                                                                                                                                                                                                                                                            |
| Affiliation, manage custom tags            | <p>Gives permission to manage custom tags <br><br><strong>Note</strong>: This permission is part of Affiliate Admin role by default. Can be granted as an additional permission to Affiliate Manager role</p>                                                                                                        |
| Affiliation, Extra - Allow Brands creation | <p>Gives permission to access and manage Brands<br><br>- Activate/Deactivate brands<br>- Apply rule for destination link transformation per brand<br><br><strong>Note</strong>: This permission is part of Affiliate Admin role by default. Can be granted as an additional permission to Affiliate Manager role</p> |

## Authorization with SSO

TAP/Smartico supports Single Sign-On (SSO), currently available for **Google** and **Microsoft** users, with plans to expand support to other providers in the future.

To enable SSO, the client needs to provide the email domain(s) used in their Google Workspace (e.g., **mycompany.com**). This setup allows users with emails under the specified domain (e.g., **<john@mycompany.com>**) to log in using SSO.

{% hint style="info" %}
Note: TAP/Smartico does not support authorization using personal emails managed under generally available domains like google.com, yahoo.com, etc. Only company-managed emails/domains are supported.
{% endhint %}

**When enabling SSO, the client must provide:**

1. A list of company-owned **mail domains**, e.g. mycompany.com, mycompany.org
2. **Whether to allow user creation** on the TAP side when a new user logs in through SSO. If "yes", then specify:
   1. The **default permission role** to be assigned to new users (e.g., "Affiliate Admin", "Affiliate Manager").
   2. The **TAP label(s)** to which newly created users will have access, e.g. label IDs 4444 and 4445.
   3. Which of the labels listed in point 2b will be assigned as the "home" label (if there is more than one label).

The logic of user matching and permissions assignment:

* **For new users**: New users logging in via SSO will:
  * automatically be assigned access to the label(s) listed in point 2b
  * get the default permission role specified in point 2a
  * have the "home" label assigned according to point 2c
* **For existing users:** If an existing user logs in via SSO, they will be matched by their email address and retain their current set of permissions.

{% hint style="info" %}
It is also possible **not to allow user creation** when a new user logs in through SSO.
{% endhint %}

Template of the request for enabling SSO:

<table data-header-hidden><thead><tr><th>Configuration</th><th>Value</th><th data-hidden></th></tr></thead><tbody><tr><td>Mail domain(s)</td><td>mycompany.com, mycompany.org</td><td></td></tr><tr><td>Allow new users creation</td><td>YES/NO</td><td></td></tr><tr><td>List of label IDs</td><td>4444,4445</td><td></td></tr><tr><td>Home label ID</td><td>4444</td><td></td></tr><tr><td>Default permission</td><td>Affiliate Admin</td><td></td></tr></tbody></table>
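The matching and provisioning rules above can be modelled as a small decision function. This is an added example, not TAP/Smartico's implementation: the class, field and decision names are assumptions, the sample users in any call are constructed, and the email is assumed to have already been verified by the identity provider.

```python
from dataclasses import dataclass


@dataclass
class SsoConfig:
    """Mirrors the request template above (field names are assumptions)."""
    mail_domains: set
    allow_user_creation: bool
    label_ids: list
    home_label_id: int
    default_role: str

    def __post_init__(self):
        self.mail_domains = {d.strip().lower() for d in self.mail_domains}
        # The "home" label must be one of the labels new users get access to.
        if self.allow_user_creation and self.home_label_id not in self.label_ids:
            raise ValueError("home label must be one of the listed label IDs")


@dataclass
class User:
    email: str
    roles: dict          # label id -> role name (roles are per label)
    home_label_id: int


def resolve_sso_login(email, cfg, users):
    """Return (decision, user) for an email asserted by the identity provider."""
    email = email.strip().lower()
    local, sep, domain = email.rpartition("@")
    # Exact match on the domain part only: no suffix or substring matching,
    # so "notmycompany.com" and "mycompany.com.example" are both rejected.
    if not sep or not local or domain not in cfg.mail_domains:
        return "reject_domain", None
    if email in users:
        # Existing users are matched by email and keep their current permissions.
        return "existing", users[email]
    if not cfg.allow_user_creation:
        return "reject_unknown_user", None
    # New users get the default role on every listed label, plus the home label.
    roles = {label: cfg.default_role for label in cfg.label_ids}
    users[email] = User(email, roles, cfg.home_label_id)
    return "created", users[email]
```

Because every first-time login from a listed domain receives the default role on all listed labels, the lower-privileged role is the safer default; higher roles can then be granted per user.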


