You can manage and configure the SCIM user groups that you set up in your IdP via your Mews account. This simplifies user access and permissions management in Mews. You can do so after setting up user groups in your Entra ID account. With user groups, you can assign access to properties, roles, cashiers, and more to the users you add as members of a group. You should configure your user groups to match the structure of your business as closely as possible.
This guide details how to manage your user groups in Mews for existing SCIM user groups that you set up in your IdP.
User groups in Mews reflect the group structure you set up in your IdP. In Mews, you can assign your user groups to properties, roles, and more.
You can configure 2 types of user group in Mews:
- Where the user group configuration applies ONLY to the properties within that user group, or
- Where the configuration applies across all user groups.
For example, if you want to configure a user group for members to have the Front Desk role in Amsterdam, and in all other properties they have only the Reservations role, you can create the following user groups:
- User Group 1:
  - Properties: Amsterdam
  - Role: Front Desk, Reservations
- User Group 2:
  - Properties: London
- User Group 3:
  - Role: Reservations
In this case, if the user you provision is a member of all 3 of the above user groups, they receive the following access, and the system creates the following user accounts:
- User Account 1:
  - Property: Amsterdam
  - Roles: Front Desk, Reservations
- User Account 2:
  - Property: London
  - Roles: Reservations
In this example, User group 1 is the 1st user group type and is applicable only for the properties you select in that user group. User groups 2 and 3 apply across all user groups where the user is a member.
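To review what a combination of group memberships grants before you provision users, you can model the example above in a short script. This is an added illustration, not Mews code: the merge rules, the function names, and the "no role" finding are assumptions inferred from the three-group example, and the sample data is constructed from it.

```python
from collections import defaultdict

# Constructed sample data mirroring the article's three-group example.
GROUPS = {
    "User Group 1": {"properties": {"Amsterdam"},
                     "roles": {"Front Desk", "Reservations"}},
    "User Group 2": {"properties": {"London"}, "roles": set()},
    "User Group 3": {"properties": set(), "roles": {"Reservations"}},
}


def resolve_access(memberships, groups=GROUPS):
    """Return {property: sorted roles} for a user in the given groups.

    Assumed model, inferred from the article's example:
      - properties + roles -> the roles apply only to those properties
      - properties only    -> the properties are added to the user
      - roles only         -> the roles apply to every property of the user
    """
    scoped = defaultdict(set)   # property -> roles granted only there
    properties = set()          # every property the user ends up with
    global_roles = set()        # roles that follow the user everywhere
    for name in memberships:
        props = groups[name]["properties"]
        roles = groups[name]["roles"]
        properties |= props
        if props and roles:
            for prop in props:
                scoped[prop] |= roles
        elif roles:
            global_roles |= roles
    return {p: sorted(scoped[p] | global_roles) for p in sorted(properties)}


def review_findings(access):
    """List properties where the user would end up without any role."""
    return [prop for prop, roles in access.items() if not roles]


if __name__ == "__main__":
    access = resolve_access(["User Group 1", "User Group 2", "User Group 3"])
    for prop, roles in access.items():
        print(prop, "->", ", ".join(roles) or "No permissions")
    print("Properties without a role:", review_findings(access))
```

Running the same check without User Group 3 shows London with no role, which is the kind of gap worth catching before the groups are pushed from the IdP.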
To configure an existing user group:
- In your Mews account, go to the main menu > User management > User groups.
- Click alongside the group you want to configure, then select Edit details.
- Select all the parameters you require for the user group, for example, Properties, Roles, Cashiers, Learning paths, Options. All fields are optional, except for Roles and permissions:
  - Description: Add a description of your user group.
  - Learning Path: Choose a learning path to assign to all members of the group. This overrides any existing learning path set at the user account level. If you do not select a learning path in all groups that the user is a member of, the system defaults to Front Office Agent. This is to grant users access to Mews University.
    Note: If you don’t set a learning path for the group, the system automatically uses the learning path set on a user's account. If you don’t set a learning path on the user’s account, the system defaults to the role Front Office Agent.
  - Properties: Select one or more properties to add all members of the user group to.
  - Roles and Permissions: Select a role and/or permissions to assign to all members of your user group. You can learn more about roles here. If you do not select a role, the system defaults to No permissions. You can choose from the following options:
    - No permissions
    - Roles. Note: If you select roles, you need to choose the roles you want to give to your users.
    - Admin
  - Advanced settings:
    - Receive guest messages: This setting requires the user to have an Admin role or a role with the ‘View Customer Data’ permission, which allows users to read guest messages.
      Note: To have this permission, you need to add the user to a group with a role that has this permission or is Admin.
    - Reset two-factor authentication (2FA): This setting requires the user to have an Admin role. It lets all members of your user group reset 2FA for other users.
      Note: Mews advises only granting this permission to 1 or 2 users in your organization as a security best practice.
  - Cashiers’ external identifiers: Select to add all group members to a property cashier. This allows the users to access cash registers. You can learn more here.
    Notes:
    - You need to have already configured cashiers on your property’s cashiers screen and set an external identifier key before selecting this option.
    - If you make changes in cashiers, for example, to the external identifier key, the system doesn’t reflect this in user groups, and you may need to relink the group to the new cashier.
- Click Save. This saves your changes and automatically updates all group members with the configuration you select.
You can manage your user groups in Mews via the User groups screen, after setting them up and provisioning them via your IdP.
To do so:
- In your Mews account, go to the main menu > User Management > User Groups.
- Select alongside the user group you want to modify, then select Edit group. From here you can update roles, property assignments, or link new properties and permissions.
- Click Save. This saves any changes and synchronizes updates with your IdP.
You can modify your user groups and users in Mews SCIM in the following ways:
- Create new users: When you assign new users to your IdP, the system creates them in your Mews subscription. If your IdP user already exists in Mews, the attribute data set in your IdP user account overrides the data in Mews. New users you create in Mews are provisioned with a Pending state and need to activate their accounts by confirming their email address, before they can log into Mews.
- Push user updates: IdP information is considered the source of truth for all supported attributes. Any change you make in the IdP applies to your Mews account.
  Note: Entra ID currently waits up to 40 minutes between each update. You can learn more here. If you need your update to be immediate, use the Provision on demand option, located on the left side of the Provisioning screen in the Entra ID console.
- Deactivate users: Deactivating a user from the application in the IdP deactivates the user in your Mews subscription. In this case, the user loses all access to the Mews app and any active sessions they had are terminated.
- Reactivate users: Upon reactivation of a user, access to the Mews application is restored. Additionally, the accounts associated with that user are also reactivated, giving them access again to the properties configured in the corresponding user groups.
- Deleting users: There are 2 steps to delete a user in Microsoft Entra ID:
  - “Soft-delete”: The user account still exists in Mews and shows as active, but they are without permissions and cannot access information.
  - After 30 days the user is automatically fully removed from your Entra ID account, which results in the system fully removing the user from Mews.
- Removing from provisioning: Deactivating a user account in Mews.
- Adding a new user group: When you assign new user groups to your IdP application the system creates these groups in your Mews subscription. Note: The user group name should be unique.
- Changing an existing user group: Changing the name of a user group via the IdP causes the corresponding user group name to change in Mews.
- Add members to the user group: Adding provisioning members to the provisioned user group results in the corresponding adjustments in Mews. In this scenario, the new members obtain access to the properties configured within this user group.
- Remove members from the user group: If you remove provisioned members from the user group you provision, it triggers corresponding changes in Mews. Consequently, these members lose access to properties you configure within this user group, unless they are also part of another user group that grants access to the same properties.
There are some limitations or rules on how to access the fullest functionality of your user groups in Mews:
- You need to create central roles in Mews before setting up SCIM. You can learn more here.
- You cannot create new user groups in Mews. You need to create and provision them through your IdP. You can learn more here.
- You cannot manually add users to a user group in Mews, as your IdP provisions them into Mews.
- You can manually create users in Mews even if you have SCIM enabled. You can edit these in Mews.
- If you manually create a user in Mews, but then create the same user in your IdP and provision them, the system links the accounts via the user email. After doing so, you are no longer able to edit them in Mews, only through your IdP.
You can learn more about how to disable System for Cross-Domain Identity Management (SCIM) user provisioning here.