1.1. User Accounts
Every user has an independent account with the Thunk.AI service. The service uses single sign-on (SSO), based on OAuth 2.0/OIDC, to authenticate user accounts.
In the public multi-tenant instance of the service, the two SSO providers supported are Google and Microsoft. If the user's business email is provided by either Google Workspace or Microsoft 365 and the company's admin allows SSO authentication for third-party applications like Thunk.AI, then Thunk.AI sign-on will work seamlessly. In some organizations, SSO for third-party applications is blocked for security reasons. In this case, you might see an error as shown below. You will need to ask your admin to enable SSO for Thunk.AI.
- Google Admin SSO help: https://support.google.com/a/topic/7556686 
- Microsoft SSO admin help: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tenant-restrictions 
In a private instance, any suitable OIDC-compatible identity provider can be used for authorization.
A user must have an account in the system to create thunks or to participate in thunks.
1.2. Access Control
The platform enforces access control based on the users listed in every thunk and the roles assigned to them.
There are three user roles within a thunk:
- Thunk Owner/Designer: this is a user who designs the logic of a thunk. In a traditional application, this would have needed programming skills. But since Thunk.AI is a no-code intelligent platform, the application logic is described in natural language. 
- Human Agent: this is a user who may be assigned a work step as part of the thunk workflow. The human agent, along with their AI agent, is responsible for performing that step.
- End User: this is a user who can only engage with the thunk by making a workflow request. 
Typically, the designers and the human agents are members of the team or organization providing the workflow application or service, while the end user is a consumer of the application.



