2. Cross-Franchise Users

7. marraskuuta 2022


Overview

Erply's franchises are groups of accounts that have been configured with a shared product catalog or a shared customer registry.

A franchise lets each store owner see only their own data—but the accounts can still be centrally managed, and the HQ has access to centralized reporting.

In such a chain, there are always users that must be able to access all store accounts. Separate logins for each account are difficult to manage; this article explains how to set up cross-franchise logins for these users.

Prerequisites

  1. A franchise with shared data. This feature cannot be used on franchises that use the “Synchronize from HQ” model, nor on groups of accounts that have not been joined into a franchise.
  2. Shared user groups. User groups must be configured as shared (so that each account sees the same user groups).
  3. New back office menu.
  4. Brazil POS (if access to point of sale is needed). Berlin POS is not supported.

Setup Steps

1. Define Accounts and Areas

As the first step, you need to describe your current franchise: which accounts does it contain? This setup only needs to be done once.

  1. Log in to the franchise HQ.
  2. Check your user group permissions (Settings > User Groups). You will need permissions for the following modules:
    1. Franchise accounts
    2. Areas
    3. Users
  3. Find Settings > Multi-Account Users in the new menu. If your account is not part of a shared-data franchise, the page will report an error.
  4. Consider if you want to group your accounts into Areas (regions, districts). If you do, define the Areas first. Access permissions can be granted both by area and by account. Therefore, if the franchise contains a large number of accounts, having the accounts organized into Areas comes handy later.  One account can belong to multiple Areas; it is OK if the Areas overlap. One of the Areas can be “All Accounts”, for example.
  5. Select “Accounts” and add each account into the list as a separate entry. You need to specify the account's number (usually a six-digit number). For easier identification, give the account a name (eg. name of the store, name of the franchisee) and a code (if there is an alternative numbering scheme in use for stores / franchisees).

Note: the list of Accounts is strictly informative. This list is only used to lay out the screen where you grant permissions to users.

  • Entering an arbitrary account number does not attach that account to your franchise. Attaching new accounts still needs to be done by Erply onboarding team.
  • Entering an arbitrary account number does not give anyone access beyond your own franchise.

2. Mark a User as a “Multi-Account User” and Grant Permissions

After the accounts have been defined, proceed to the third section on the page, titled “Franchise Users".

  1. Pick a user name from the dropdown.
  2. Click the “edit” icon.
  3. Check the box “Multi-account user”.
  4. Select accounts or areas that the user must be able to access.
  5. Save.

3. Log In

This user is now authorized to log in to multiple accounts. From the user's perspective, this is how it works:

  1. Go to login.erply.com to sign in. Signing in directly to back office or POS does not work.
  2. Use HQ user name and password, but enter the number of the desired store account.
  3. On the login.erply.com dashboard, the “Switch Account” tab lists all the other accounts that you have access to. If you pick an account from the list and are not signed in to that account yet, you will need to re-enter your credentials. We are considering to eliminate this extra step in the future.

Notes

Here are a few clarifications on how the feature works.

1. On store accounts, the employee and user records do not necessarily need to exist. 

If the username or the employee record does not exist yet, logging in via login.erply.com will create it automatically.

2. Deleting a multi-account user from a store account does not have any effect. 

On next login, the username will be re-created automatically.

3. When an HQ user is promoted into a “multi-account” user, all users with the same name in store accounts effectively get overwritten.

Such users can no longer log in with their old store password. Erply will notice that a multi-account user with the same name now exists, and will thus require the multi-account user’s password.

Often, that is the desired result. A corporate administrator who already had store usernames before, can now easily consolidate those.

But care must be taken if there is a possibility that the match could be accidental (eg. an HQ user “tom” is unrelated to a store user “tom” somewhere).

4. A multi-account user can update their own password—or their multi-factor authentication preferences—on any account. 

The change will be made to the HQ record. But, for that to work, password must be changed in login.erply.com, not in back office. Back office password change does not have any effect.

5. Deleting a multi-account user from the HQ will delete the same username from store accounts, too. 

6. All users, regular users and multi-account users alike, are still subject to store account’s MFA (Multi-factor authentication) and SSO (Single Sign-On) requirements, not the HQ reqirements.

If a store account requires MFA, then a multi-account user will also be asked to enroll an email address or an authenticator app. Those enrollments will follow the user everywhere, so the same email also works in other stores that require MFA.

In stores that do not require MFA, the user can log in with just username and password, the enrollments will be ignored.

Ultimately though, it would be preferable that the franchise enforces consistent multi-factor authentication or single sign-on rules across the chain.