User populations

Separate user groups with different authentication methods, access permissions, and management needs.

💡 Why this matters
Prevents privilege escalation, simplifies compliance auditing, and enables delegated administration for different user types.

What are user populations

User populations organize users into distinct groups with separate:

• Authentication methods (SSO, social login, username/password)
• User attributes and password policies
• Access permissions to applications
• Delegated administrators

Common examples: Employees use corporate SSO, customers use social login, partners use partner federation.

User populations vs. suborganizations

Need	Use User Population	Use Suborganization
Same organization, different access	Yes	No
Separate legal entities	No	Yes
Shared compliance requirements	Yes	No
Independent IT management	No	Yes

Key capabilities

Separate authentication

Each population can use different identity providers:

Population	Authentication method	Example
Employees	Corporate SSO	Azure AD, Okta
Customers	Social + self-registration	Google, Facebook
Partners	Partner federation	Partner's SSO system

Unique identifiers

• Same email can exist in multiple populations
• Users are unique within their population only
• Prevents conflicts between user groups

Delegated management

Assign population managers with limited administrative rights:

Manager type	Can do	Cannot do
User manager	Add/remove users, reset passwords	Change authentication settings
Population admin	All user management, basic settings	Cross-population access, security policies

Access control

Control which applications each population can access:

Application type	Employees	Customers	Partners
Internal tools	Yes	No	No
Customer portal	Support view	Yes	No
Partner portal	Admin view	No	Yes

⚠️ Security note
Each population inherits organization security policies but can have additional restrictions