Identity & Access Management

Overview

Provisioning user accounts to a large workforce across multiple applications can be burdensome to businesses. And, in the hospitality sector, the high turnover of staff makes staying on top of creating and disabling accounts difficult. That's where Fourth's Identity & Access Management comes in — it's a solution tailored to hospitality that's designed to take the stress out of managing user accounts.

Integration options

Fourth Identity & Access Management provides flexible integration options for enhanced compatibility with our partners and customers. Fourth can:

  • Act as the identity provider for all user accounts; that is, the system that creates and maintains accounts. Users log into Fourth and partner applications using their Fourth credentials.
  • Integrate with another system, such as Active Directory, to allow users to log into Fourth (and partner applications) using corporate credentials. Fourth still acts as the identity provider for connected partners in this scenario.

Benefits of Fourth as an identity provider

Regardless of the option chosen, businesses achieve better authentication and account management, while end users have a better user experience. However, when Fourth is the identity provider, everyone benefits:

  • Customers can provision users without needing a corporate email address for each user. This is powered by Fourth Accounts.
  • Partners use Fourth to determine whether a user is valid and currently employed by the customer, and create accounts using just-in-time provisioning.
  • End users benefit from single sign-on across applications, and need only remember one set of credentials across Fourth and our partners.

As an identity provider, we offer strong security features, such as:

  • Robust authentication services to verify users
  • Centrally-controlled access permissions for modules
  • Customer-specific password complexity rules
  • Enforcement of two-factor authentication
  • Identity event logs, for auditing purposes

Technology

Fourth uses the industry-standard SAML protocol to integrate with partners and customers. See the following:

  • Single Sign-On & SAML for an overview of these topics.
  • Outbound Federation if you are a partner integrating with Fourth.
  • Federated Authentication if you are integrating Okta or Active Directory with Fourth.

Fourth Accounts

Fourth Accounts hold the details of Fourth users, such as their name, email address, Fourth Account ID, personnel number, and access rights.

Each person who accesses Fourth, from your management team viewing Analytics to your casual staff checking payslips through Engage, is provided with a Fourth Account. This means that, by default, employees who aren't traditionally provided accounts by your organization's identity provider have accounts in Fourth. Integrating with Fourth's ID & Access Management offers a way to supplement your organization's own solution to cover a much larger percentage of users.

The life cycle of a Fourth Account is managed by Fourth based on the user's employment status:

  • When a new active employee is added into Fourth Workforce Management, Fourth creates and issues an account.
  • When an employee is listed as terminated, Fourth deactivates their account.

This keeps the Fourth identity store up to date with current users and employees.

Fourth Account IDs

The unique identifier for an account is called a Fourth Account ID. This is an 18-digit alphanumeric string.

  • In SAML assertions, it is labeled LongUserID.
  • In the Fourth Account SCIM API, it is labeled id.
  • In the UK Employee API, it is labeled FAID and is returned in the GET Employees response.