Sign in

nShift Help Center

Configuring Access Management

Avatar
Malene Tidemann
Updated

Access Management helps you control what users can see and do in nShift Portal. By creating access groups, organizations can define roles such as Administrator, Support, Regular user, or Read-only viewer, etc., and ensure their employees have access to the data and functionality they need, without granting unnecessary permissions.

For organizations with multiple subsidiaries, brands, or business units, Access Management also helps separate access between organizations. This allows company owners to manage users within each organization while ensuring users see only the data relevant to their own company or subsidiary.

Sections in this article:

Note: Access Management must be activated for your company before you can use it. Contact nShift Customer Service to get started.

Introduction to Access Management

Access is built from three components that you combine to fit your organization's structure. Some organizations 

1. Functionality sets

Functionality sets define what actions a user can perform. You might create one set for read-only viewers (reports only), another for support staff (user lookup and reporting), and a fuller set for administrators (full user and settings management). See an overview of functionalities here.
 

2. Data sets

Data sets define which data a user can see. In a company with multiple regions, brands, or business units, each team can be scoped to only their relevant organizations, locations, and accounts.
 

3. Access groups

An access group can include a data set, a functionality, or both. After it's created, users can be assigned to the group. The group defines what actions a user can perform and which data they can work with.
 

Common role patterns

Here are examples of how you might structure roles within a single company:

Role Functionality set Data set
Viewer Reports only Their business unit
Support User lookup, view shipments All business units
Regular user Standard shipping operations Their business unit
Administrator Full access incl. user management All business units

You can have as many combinations as your organization's needs, for example, a regional admin who can manage users within their region but cannot see data from other regions.
 

 

Migrated data access

For existing customers, a special migration process is used when access groups are enabled.

During the migration, access groups are automatically created to preserve each user's current access. These migrated access groups do not contain data sets or functionality Sets. Instead, permissions are assigned directly to the access group, matching the access users had before the migration.

To clearly identify migrated permissions, any migrated data sets, and functionality Sets are marked as Legacy Access.

Over time, administrators can replace these migrated access groups with new access groups built using data sets and functionality sets. This allows a gradual transition to the new access model without disrupting existing user access.

As a result, a migrated company may initially have several automatically created access groups and multiple Legacy Access data sets and functionality sets that preserve historical permissions.
 

Example showing migrated access groups:

 

Use cases

This section provides practical examples of how to set up access management using access groups. The examples apply both to existing companies that have been migrated to the new access model and to new customers setting up access management for the first time. If your company has migrated data, you can gradually move your users to new access groups as you set them up.

We will walk through two common scenarios:

  1. A company with a single organization, where the goal is to separate operational users who work in the platform from administrative users who manage access, configurations, and user accounts.
     
  2. A company with multiple organizations, such as a 3PL (Third-Party Logistics) provider, where users may require access to one, several, or all organizations, and where access needs to be managed efficiently across different customer organizations.

These examples demonstrate how data sets and functionality Sets can be combined into access groups to create a scalable and maintainable access structure while ensuring users have access only to the data and functionality they need.

 

Use case A - a company with a single organization

In this scenario, a company is looking to manage access for three types of user roles: admins, warehouse workers, and team leads who oversee the warehouse workers. 

Start by creating an access group for the warehouse workers:

  1. Log in to nShift Portal with the company owner.
     
  2. Go to Settings > Company Management > Access Management. 
     
  3. Go to the Data sets tab and click +New data set.
     
    new-data-set.png
     
  4. Enter a display name and select the organisations, locations, and member accounts that the Warehouse workers should have access to. 
     
    data-set-config.png
     
  5. Click Finish.
     
  6. Next, open the Functionality tab and click +New functionality set.
     
    new-functionality-set.png
     
  7. Give it a clear display name that reflects the role, e.g., "Warehouse access". Expand the functionality sections and enable the relevant toggles. In this example, the warehouse workers should have access to create and view shipments and access to Track and Trace. For a more detailed description of the functionalities, see this article: Understanding the Functionalities list

    functionality-selection.png 
  8. Click Finish.
     
  9. Go to the Access groups tab and click +New access group.

    new-access-group.png 
  10. Enter a display name that accurately represents the role and scope, such as "Warehouse Workers Access." Then, select the appropriate data set and functionality set created for this role. To do this, click on the Functionality Sets tab and choose an option from the drop-down menu. Repeat this process under the Data Sets tab.

    access-group-config.png
     
  11. Click Finish, review the configuration, then click Save.
     
  12. The owner can now create warehouse worker users and assign them to this group. This can be done when creating the user under the Access tab or from the access group by clicking Manage users

 

In this scenario, the owner would like to delegate the management of warehouse workers to a group of team leads, allowing them to create and oversee the warehouse workers.

  1. Go to Settings > Company Management > Access Management. 
     
  2. Click the Data sets tab and +New data set.

    new-data-set.png
     
  3. Name the data set and set the data selection to Group data access. Choose the "Warehouse workers access" created earlier. 

    group-data-access.png
     
  4. Click Finish.
     
  5. Open the Functionality tab and click +New Functionality set
     
    new-functionality-set.png
     
  6. Name the functionality set, e.g., "Team lead admin".  Expand the functionality sections and enable the relevant toggles. Since the team leads should have some admin privileges, their functionalities should include Users and Access Management under Company Management. For a more detailed description of the functionalities, see this article: Understanding the Functionalities list
     
  7. Click Finish.
     
  8. Go to the Access groups tab and click +New Access group.

    new-access-group.png
     
  9. Enter a display name that clearly represents the role and scope, such as "Team Lead Access." Then, select the data set and functionality set assigned to this role, including the data set created for the Warehouse workers. This step is important to ensure that team leads can access the "Warehouse workers Access" group.
     
  10. Click Finish, review the configuration, then click Save.
     
  11. The owner can now create users and assign them to the team lead group, allowing them to create and manage warehouse workers.
     

The process described above can be used to create access groups for other roles in your organization. 
 

Use case B - a company with multiple organizations

In this scenario, we have a company with 4 subsidiaries. The same structure could also apply to a 3PL company. The owner will set up workers and managers for each subsidiary. Workers from each subsidiary will not be able to see and configure data from other subsidiaries. 

 

Start by creating the access groups for the workers in the four different subsidiaries:

  1. Log in to nShift Portal with the company owner.
     
  2. Go to Settings > Company Management > Access Management.
     
  3. Go to the Data sets tab and click +New data set.

    new-data-set.png 
  4. Enter a display name and select the organisations, locations, and member accounts that the Warehouse workers should have access to. Choose descriptive names so it is easier to identify each data set later on, e.g., "Brand 1", "Brand name 2", "Brand 3", etc. 
     
  5. Click Finish
     
  6. Repeat for each of the subsidiaries, only selecting the organisations, locations, and member accounts that the workers in each subsidiary should have access to. There are now four different data sets. 
     
  7. Next, open the Functionality tab and click +New functionality set

    new-functionality-set.png
     
  8. Give the functionality set a clear display name that reflects its role, such as "Workers with Checkout." Expand the functionality sections and turn on the relevant toggles. If workers from all subsidiaries require access to the same functionality, creating just one functionality set will be sufficient. However, in this case, we need two sets because workers in subsidiary 1 need access to shipments, printing, and track and trace, but not to Checkout. All other subsidiaries will need access to the Checkout functionalities as well.  For a more detailed description of the functionalities, see this article: Understanding the Functionalities list
     
  9. Click Finish.
     
  10. Go to the Access groups tab and click +New access group.
     
    new-access-group.png
     
  11. Enter a display name that reflects the role and scope, e.g., "Workers brand 1", and select the data set and functionality set that should apply to workers of the first subsidiary. 
     
  12. Click Finish, review the configuration, then click Save.
     
  13. Repeat and create new access groups for each of the other subsidiaries.
     
  14. The owner can now create worker users and assign them to this group. This can be done when creating the user under the Access tab or from the access group by clicking Manage users. Existing users can also be assigned to the new access groups. 

 

The owner is now ready to create the access groups for the managers. In this scenario, there will be managers managing workers under two subsidiaries at the same time, so there will be a group for managing subsidiary 1+2 and another to manage subsidiary 3+4. 

  1. Start by creating the data sets. Go to Settings > Company Management > Access Management. Choose the Data sets tab and click +New data set.
     
    new-data-set.png
     
  2. Name the data set and set the data selection to Group data access. Choose the two data sets created for the workers of both subsidiaries 1 and 2. 
     
  3. Click Finish and create another data set with Group data access containing the two data sets created for subsidiaries 3 and 4. 
     
  4. Open the Functionality tab and click +New Functionality set

    new-functionality-set.png 
  5. Name the functionality set, e.g., "Managers".  Expand the functionality sections and turn on the appropriate toggles. Since Managers need to have some admin privileges, their functionalities should include Users and Access Management within Company Management. While some 3PL companies might benefit from having multiple Manager functionality sets, in this case, one set is sufficient because all managers in this company will have the same functionalities across all subsidiaries.  For a more detailed description of the functionalities, see this article: Understanding the Functionalities list
     
  6. Click Finish.
     
  7. Go to the Access groups tab and click +New Access group.

    new-access-group.png 
  8. Enter a display name that clearly reflects the role and scope, like "Manager brand 1+2." Next, choose the data set and functionality set created for this role. Also, be sure to include the data sets for the subsidiaries that managers in this access group will oversee.
     
  9. Click Finish, review the configuration, then click Save.
     
  10. Create a similar manager access group for the two other subsidiaries. 
     
  11. The owner can now create users and add them to the managers group, or assign existing users to the group.
     

 

Expected results and best practices

Once configured, access groups give you a clean, auditable permission model that scales as your organization grows or changes.
 

Expected results

Users will only see the data relevant to their role and team. Sensitive operations, such as user management or financial reporting, are restricted to the appropriate roles. Onboarding new staff becomes straightforward: assign them to the right access group, and they have the correct access immediately.
 

Best practices

  • Reuse functionality sets across teams where the role is the same — a Viewer in one region works the same as a Viewer in another.
  • Keep the data sets team- or region-specific, so the scope is always explicit.
  • Use clear naming conventions such as [Role] – [Scope] to make groups easy to manage as they grow.
  • Keep admin and regular user access groups separate, even if the underlying data scope is the same.
  • Test each role by signing in as a user assigned to that group before rolling out more broadly.
     

Access Management vs. Configuration Data Access

 

Note: This section is intended for customers who are using configuration data access in their setup.


Are you wondering when to use Access Management versus Configuration Data Access? 

Access Management controls which features users can access and what data they can see.

Configuration Data Access, on the other hand, controls who can modify data. You only need to set this up if someone other than the owner or root user needs permission to change the data structure, like adding or removing organization units and member accounts, or if they need to grant configuration data access to others.

Most users usually just need access to the features and products without changing the underlying data structure in the nShift solution. Changes to the data structure are typically made when setting up new brands, countries, subsidiaries, or similar.

This article focuses on Access Management. To learn more about Configuration Data Access, please go to: Setting up Configuration Data Access

 

Related articles