Non-Interactive Proxy Users

If your Altru database integrates with other systems — such as a custom application or automated processing task — you likely need non-interactive or proxy users. These differ from traditional Altru users in that they require programmatic access to your database but don't need to sign in and perform tasks within the Altru application itself.

Proxy users:

  • Only need to authenticate every 365 days

  • Authenticate via personal access tokens (PATs) instead of passwords

  • Don't require an email address

  • Inherit the same system roles as their linked proxy owners

Proxy owner Proxy user
Traditional user who signs in to Altru and performs tasks Non-interactive account that authenticates on behalf of the proxy owner
Authenticates via Blackbaud ID Authenticates via a username and PAT
Authenticates every time they sign in to Altru Authenticates every 365 days

From Administration, Application Users, you can add and manage proxy users. To easily distinguish them from traditional application users, select Columns, then add the Is proxy and Proxy user owner columns.

To add a proxy user, you must have system role administrator rights. You must also be signed in with the Blackbaud ID you wish to link the proxy user to. Your Blackbaud ID acts as the proxy owner.

Note: When you add a proxy user, it automatically inherits the same system roles as its proxy owner. You can remove roles from the proxy user at any time.

  1. From Administration, Application Users, select Add proxy user.

  2. Enter a unique user name and save.

  3. From the list of application users — or from the Proxy Users tab of your Blackbaud ID record — open the proxy user record.

  4. Select the Personal Access Token tab, then select Add.

    Note: You can return to the proxy user and add a PAT at any time.

  5. To help you keep track of where the PAT is in use, enter the name of the service or process that uses the token.

  6. Copy the token and use it to sign in to your service or process. For your security, you won't be able to view it again.

  7. Confirm that you copied the PAT, then Save.

Tip: Repeat this process to create multiple proxy users for a single proxy owner, such as when you manage multiple integrations for the same Altru database.

You can revoke a PAT for any reason, such as when the token is expired.

  1. From the Application Users page, open the proxy user record.

  2. Select the Personal Access Token tab.

  3. Expand the row and select Revoke PAT.

  4. Select a reason. If you have rights to add code table entries, you can enter a custom reason.

  5. Save.

For your security, PATs expire after 365 days. You can schedule a process to automatically revoke expired PATs that are no longer in use.

  1. From Administration, select Global changes.

  2. Select Add.

  3. Select the Manage personal access tokens global change process, enter a name, and save.

The process automatically runs and displays the number of records processed.

Tip: From the global change process record, you can create a schedule to automatically run the process on a regular basis. For more information, see Create a job schedule.

To manage a proxy user's roles, from the Application Users page, open the proxy user record. You manage system roles for proxy users the same way you manage traditional application users, but there are a few important things to note:

  • When you add or copy system roles to a proxy user, Altru automatically checks to ensure the proxy owner has the same roles. A proxy user's level of access cannot exceed its owner's.

  • When you add or copy system roles to a proxy owner, the roles are automatically added to any linked proxy users.  You can remove roles from the proxy user at any time.

  • When you remove a role from a proxy owner's record, it's also removed from any linked proxy users.

To delete, inactivate, or reactivate a proxy user account, from the Application Users page, expand the proxy user's row and select an action:

  • Delete — Delete a proxy user that was created in error or is no longer needed.

  • Mark inactive — Temporarily disable the proxy user's account and revoke all associated PATs.

    Note: Proxy users are automatically marked inactive after five consecutive failed attempts to authenticate.

  • Mark active — Reactivate a disabled proxy user's account. When you reactivate a proxy user, you must regenerate PATs.

Note: If you inactivate a proxy owner, all linked proxy users are also marked inactive. If you reactivate the proxy owner, you must reactivate proxy users separately.