Holibob Docs

Security Principal Users - Agents, Admins & Suppliers

Introduction

Security Users is a core part of our platform.

It manages how different types of users, such as agents, administrators, and suppliers, interact with the platform, access data, and perform their roles.

Key Purposes:

  • Enable a marketplace for experiences by connecting suppliers with partners, agencies, and end consumers.

  • Provide secure, role-based access to data and actions.

  • Support efficient onboarding, management, and support for all user types.

User Types & Roles

A user is always defined within a “security principal”, an organisational context that determines what they can access.

Common Security Principals include:

  • Partners & Channels: Users are administrators who manage multiple brands or sub-entities.

  • Sales Agencies: Users are agents and supervisors who book and support consumers.

  • Suppliers: Users manage products, availability, and consumer support for their own offerings.

  • Internal Admins: Holibob staff with broad or specialised access.

Hierarchy Example:

Company (Holibob)
└── Partner
    └── Channel
        └── Agency
            └── Agent (this is the user)

Each user’s access is limited to their assigned principal and its descendants.

Authentication

Our system supports many secure authentication methods.

Each user is typically assigned the most secure method available for their organisation:

  • Username & Password

  • Microsoft Entra (Office 365 SSO)

  • Google Enterprise SSO

  • Dedicated SSO (corporate federated identity)

Single Sign-On (SSO) is encouraged for all organisations, enabling secure access via your corporate directory and simple provisioning and removal of users access.

Access Control

Access control ensures users only see and act on data within their assigned scope. This is enforced by:

  • Hierarchical Tenancy: Users are linked to a principal (e.g., a specific supplier or agency) and can only access data within that scope.

  • Record-Level Ownership: Every key record (product, booking, etc.) is linked to its owning principal and user.

Supply-Side vs. Demand-Side:

  • Supply-Side: Suppliers manage their own products and cannot see other suppliers’ data.

  • Demand-Side: Partners and agencies manage their own consumers and bookings, strictly partitioned from others.

Permissions

Permissions provide fine-grained control over what users can do, beyond just what data they can see.

  • Feature Access: Permissions determine which parts of the system (support, finance, analytics, etc.) a user can access.

  • Action Control: Permissions specify whether a user can view, create, update, or delete data.

  • Sensitive Data: Special permissions are required to access or decrypt sensitive data (e.g., PII).

Permissions are assigned:

  • Directly to users

  • Inherited from their principal (e.g., Partner, Channel)

Example Permissions:

  • PRODUCT_CREATE – Can create new products

  • BOOKING_AVAILABILITY – Can view booking availability

  • SUPPLIER_PROFILE – Can update supplier profile

  • CONSUMER_PII - can see and potentially update sensitive information such as phone numbers and email addresses

Navigators & User Experience

The administration system uses “navigators”, modular, step-based UI screens, to help users:

  • View and manage entities (products, bookings, consumers, etc.)

  • Search, filter, and report on data within their scope

  • Navigate up and down the hierarchy (e.g., from Partner to Channel to Agency)

This UI dynamically adapts to each user’s permissions, displaying only the relevant tabs, fields, and actions.

Security & Compliance

Our system contains many elements that ensure security and compliance.

These include:

  • Role-Based Access Control (RBAC): Assigns permissions based on roles.

  • Principle of Least Privilege: Users get only the access they need.

  • Regular Audits: Ensure that permissions and access are up to date.

  • Data Encryption: Sensitive data (like PII) is encrypted and access-controlled.

Key Concepts

Concept

Description

Examples

Domains

Logical groupings of business entities and data

Products,
Consumers,
Bookings

Navigators

Modular UI components for managing and navigating domain data

Product Navigator,
Channel Navigator

Access Control

Hierarchical, role-based system for data/action permissions

USER,
PRINCIPAL,
DESCENDANT

Permissions

Fine-grained control over features and actions

PRODUCT_CREATE,
BOOKING_AVAILABILITY

Security Principal Users – Agents, Admins & Suppliers

Security Principal Users are a foundational element of our platform, enabling secure, flexible, and efficient management of user access and permissions for all partners, agencies, and suppliers. By assigning each user to a specific organisational context known as a “security principal”, the platform ensures that every action and data access is governed by robust, role-based controls. This approach empowers partners to confidently connect with suppliers, manage multiple brands or sub-entities, and support their teams in delivering exceptional experiences to end consumers, all while maintaining the highest standards of data security and compliance.

Key Benefits

  • Granular Access Control: Assign precise roles and permissions to each user, ensuring individuals only access the data and features relevant to their responsibilities.

  • Enhanced Security: Benefit from advanced authentication options and strict role-based access, protecting sensitive information and reducing risk.

  • Streamlined Onboarding: Easily add, manage, and remove users as your organisation evolves, with support for Single Sign-On (SSO) and corporate identity systems.

  • Operational Efficiency: Empower agents, admins, and suppliers to perform their roles effectively within a secure, intuitive environment.

  • Compliance Ready: Built-in controls, audit features, and data encryption help you meet regulatory and data protection requirements.

  • Clear Organisational Boundaries: Ensure that each team, agency, or supplier only accesses their own data, supporting privacy and competitive integrity.

How It Works

Organisational Hierarchy & Security Principals

Every user is defined within a “security principal”—an organisational unit such as a partner, agency, or supplier. This determines what data and actions they can access. The hierarchy typically follows this structure:

Company (Holibob)
└── Partner
    └── Channel
        └── Agency
            └── Agent (user)

  • Partners & Channels: Administrators who manage multiple brands or sub-entities.

  • Sales Agencies: Agents and supervisors who book and support consumers.

  • Suppliers: Teams who manage their own products, availability, and consumer support.

Each user’s access is limited to their assigned principal and its descendants, ensuring strict data partitioning and privacy.

Authentication

Our platform supports a range of secure authentication methods, with each user typically assigned the most secure method available for their organisation:

  • Username & Password

  • Microsoft Entra (Office 365 SSO)

  • Google Enterprise SSO

  • Dedicated SSO (corporate federated identity)

Single Sign-On (SSO) is strongly encouraged, enabling secure access via your corporate directory and simplifying user provisioning and removal.

Access Control

Access control ensures users only see and act on data within their assigned scope. This is enforced by:

  • Hierarchical Tenancy: Users are linked to a principal (e.g., a specific supplier or agency) and can only access data within that scope.

  • Record-Level Ownership: Every key record (product, booking, etc.) is linked to its owning principal and user.

  • Supply-Side vs. Demand-Side: Suppliers manage their own products and cannot see other suppliers’ data. Partners and agencies manage their own consumers and bookings, strictly partitioned from others.

Permissions

Permissions provide fine-grained control over what users can do, beyond just what data they can see:

  • Feature Access: Permissions determine which parts of the system (support, finance, analytics, etc.) a user can access.

  • Action Control: Permissions specify whether a user can view, create, update, or delete data.

  • Sensitive Data: Special permissions are required to access or decrypt sensitive data (e.g., PII).

Permissions are assigned directly to users or inherited from their principal (e.g., Partner, Channel). Example permissions include:

  • PRODUCT_CREATE – Can create new products

  • BOOKING_AVAILABILITY – Can view booking availability

  • SUPPLIER_PROFILE – Can update supplier profile

  • CONSUMER_PII – Can see and potentially update sensitive information such as phone numbers and email addresses

Navigators & User Experience

The administration system uses “navigators”—modular, step-based UI screens—to help users:

  • View and manage entities (products, bookings, consumers, etc.)

  • Search, filter, and report on data within their scope

  • Navigate up and down the hierarchy (e.g., from Partner to Channel to Agency)

The UI dynamically adapts to each user’s permissions, displaying only the relevant tabs, fields, and actions.

Security & Compliance

Our platform is designed with security and compliance at its core:

  • Role-Based Access Control (RBAC): Assigns permissions based on roles.

  • Principle of Least Privilege: Users receive only the access they need.

  • Regular Audits: Ensure permissions and access remain up to date.

  • Data Encryption: Sensitive data (like PII) is encrypted and access-controlled.

  • Privacy by Design: Security and privacy measures are embedded from the outset, supporting GDPR and other regulatory requirements.

Partner Actions

  • User Setup: Assign users to the appropriate organisational unit (partner, agency, or supplier) and select their roles and permissions.

  • Enable SSO (Recommended): Integrate your corporate identity provider for streamlined and secure user authentication.

  • Review Permissions: Periodically review and update user roles and permissions to ensure ongoing security and compliance.

  • Monitor Access: Utilize the built-in audit features to track user activity and ensure compliance with data protection requirements.

By leveraging Security Principal Users, your organisation can confidently manage access and collaboration across teams, agencies, and suppliers, ensuring data security, operational efficiency, and a seamless experience for everyone involved. This feature empowers your business to grow and adapt while maintaining the highest standards of security and control.