Catalyst allows you to add an unlimited number of users to your environment, enabling your team to maintain and manage access securely and efficiently. This guide walks through everything you need to know to manage users and permissions in Catalyst.
This article contains the following topics:Â
- Definition of User Accounts
- Security and Permissions
- Key Points to Remember
- How to Add a New User
- Group Permissions
- Navigation Permissions
- Hierarchy Security
- Permissions Summary
- Impersonating a User
What Are User Accounts?
User accounts represent individual team members who require access to Catalyst. Each user is assigned permissions that define what they can see and do in the system.
Note on Login Credentials: Catalyst now uses Microsoft Single Sign-On (SSO) for most environments. That means users log in using their Microsoft account, and EBM Software no longer manages usernames or passwords. Any password issues must be resolved through your internal IT team using standard Microsoft account recovery tools.
User management is still handled within the Administration section of Catalyst for permissioning and role setup.
Security and Permissions: Controlling User Access
Catalyst offers fine-grained access controls so administrators can restrict or allow access to different sections of the application. This ensures users only see what they need.
Key Points to Remember
Permissions are additive: If a user has both “Read” and “Edit” access to a section, they will be able to edit it.
Groups simplify setup: Assigning users to preconfigured Groups ensures consistency and reduces setup time.
Adding a New User
🔹 For EBM or Blue Ops Employees: If you need to add a teammate to a Catalyst instance or project, you must do so through Diligent or Ontario, not directly within Catalyst.
For all other users:
Navigate to the Administration tab and select Users
Click Add User in the bottom-right corner
-
Fill out the user information form.
Use "Is Client Admin" only for top-level users who need full system access.
-
If you're in a legacy environment (non-SSO), you may still see a checkbox labeled "Allow System to Generate Password."
If present, leave it selected. The user will receive an email with a temporary password and login instructions.
If you’re on Microsoft SSO (which is the current default), the password option will not appear. The user will log in using their Microsoft credentials instead.
Click Save. The user can now be assigned permissions.
Managing User Permissions
Group Permissions: Access Control
Groups help standardize permissions across users. Assigning someone to a group will automatically apply all group-level permissions to them. You can create groups at any time and modify them later as needed.
Navigation Permissions: Defining User Visibility
Navigation permissions determine which sections (like Planning or Administration) and tiles (such as Financial Planning or User Management) a user can access.
Read Access: User can see the tile/section but cannot interact with it
Edit Access: User can both view and make changes
Hierarchy Permissions: Controlling Access to Specific Data
If your environment uses hierarchy-based security, you'll need to manually assign hierarchy permissions for users who require access to company, item, or account-level data.
These are assigned in the Hierarchy Permissions tab.
Useful for users who need to map accounts, manage hierarchies, or limit visibility by region, business unit, etc.
Permission Summary: Putting It All Together
The final Summary tab gives you a full overview of the user's access. You can also view all users and their permissions in a filterable table in the admin section.
Impersonate User (Admin Only)
The Impersonate User feature allows admins to temporarily act as another user for troubleshooting purposes (e.g., testing access or navigation).
Access it by clicking the ellipsis menu next to a user and selecting "Impersonate."
To stop impersonating, click your user menu in the top-right and choose "End Impersonation."
⚠️ Note: Changing another user’s password via impersonation is no longer supported in modern Catalyst environments using Microsoft SSO. Password management is now controlled entirely by your organization’s IT team.
By understanding and properly assigning permissions, you’ll ensure that your Catalyst environment remains secure and that users have access to the tools they need—nothing more, nothing less.
Need help determining whether your environment uses SSO or legacy login? Reach out to support@ebmsoftware.com.
Comments
0 comments
Article is closed for comments.