Access Management
User guide for managing users, client applications, and access groups in Movement
Overview
Access Management is a single Settings page where administrators can manage all access to your Movement tenant. It consolidates three related capabilities into one place:
- Users — invite, remove, and manage roles for the people in your tenant.
- Apps — create and manage OAuth2 client applications used to access the project44 API.
- Access groups — define logical groups of shipments, orders, or other data that can be assigned to users and applications.
The Apps tab is new. It replaces the previous workflow that required customers to create and manage OAuth2 client applications through API calls or through project44 support. You can now perform these tasks directly in Movement.
Getting to Access Management
From any page in Movement, open the Settings menu in the left navigation, then select the Access management tile.
Figure 1. The Access management tile on the Settings page.
The page opens with three tabs: Users, Apps, and Access groups. Click any tab to switch views. Your selection persists while you remain on the page.
Users tab
The Users tab is the same User Management experience you have used previously, now living inside Access Management. Functionality has not changed.
Figure 2. The Users tab.
From here you can:
- Search users by name, email, or other attributes.
- Filter by tenant and by user status (Active, Invited).
- Export the user list.
- Add a new user with the Add User button.
- Click a user to view and edit their details, roles, and access groups.
Apps tab
The Apps tab is where you create and manage OAuth2 client applications. Client applications are how external systems (your TMS, ERP, custom integrations, and so on) authenticate to the project44 API.
Figure 3. The Apps tab listing all client applications.
Each row in the list shows:
- Name — the display name you chose for the application.
- App ID — the unique identifier (also called Client ID) that your integration uses when requesting an access token.
- Access — either *User* (standard access) or *Administrator* (elevated access for inviting carriers, adding ELD/GPS connections, creating subscriptions, and other higher-level functions).
- Created time — when the application was created.
- Last token created time — when an access token was most recently generated using this app. Useful for spotting stale or unused integrations.
Creating a new client application
- Click Add client app in the top right of the Apps tab.
- Enter a Name for the application. Choose something descriptive — your future self and your teammates will thank you.
- Decide whether the application needs Administrator access. Most integrations should *not* need this; leave the checkbox unchecked unless you specifically need higher-level functions such as inviting carriers, adding ELD/GPS connections, or creating subscriptions.
- Click Create client app.
Figure 4. The Add a client application dialog.
Save your client secret immediately
After you create the application, a dialog appears with the client secret. This secret, along with the App ID, is what your integration uses to authenticate to the project44 API.
Figure 5. The client secret dialog appears once, immediately after creation.
Important: The client secret is shown only once. It cannot be retrieved after you close this dialog. Copy the secret and store it somewhere secure (a password manager, a secrets vault, or wherever your team keeps API credentials) before closing the dialog. If you lose the secret, you will need to generate a new one; see *Generating a new secret* below.
Viewing application details
Click any application name in the list to open its details page. You will see two main sections:
Figure 6. The client application details page.
Client application details
The left panel shows the application metadata:
- Name, Client ID, and Tenant (with UUID and ID).
- Access level (User or Administrator).
- Last token created on — when the application most recently obtained an access token.
- Created by and Modified by — the user who created and last edited the application, with timestamps.
Click Edit to change the application name or access level.
Application access
The right panel controls what the application can see and do:
- Access groups — applications can only access data that belongs to the Access groups they are members of. Click Manage groups to add or remove groups. By default new apps are added to *Full Data Access*.
- Roles — roles grant the application access to specific features (for example, *Movement Analytics*, *Shipment Editor*, *Movement Root Cause Analysis*). Click Manage roles to add or remove roles.
Generating a new secret
If a secret has been lost, compromised, or you simply want to rotate credentials on a schedule, you can generate a new one.
- Open the application’s details page.
- Click Actions in the top right and choose Generate new secret.
- Confirm the action. The new secret appears in a one-time dialog — copy and store it immediately, just as you did at creation.
Heads up: Generating a new secret invalidates the existing secret. Any integration still using the old secret will stop being able to authenticate as soon as its current access token expires. Plan the rotation so you can update your integration with the new secret without an outage.
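The rotation timing described above, as an added example (not project44 code): an integration that re-reads the client secret from its secret store at every token refresh picks up a rotated secret without a restart, provided the store is updated before the current token expires. TokenProvider, load_secret, request_token, and FakeAuthServer are hypothetical names; the secrets, app ID, and one-hour token lifetime are constructed values, and the real token request is not shown.

```python
import time

class TokenProvider:
    """Caches the access token; re-reads the client secret from the store on each refresh."""

    def __init__(self, client_id, load_secret, request_token, clock=time.time, skew=30):
        self.client_id = client_id
        self.load_secret = load_secret        # hypothetical: fetches the secret from your vault
        self.request_token = request_token    # hypothetical: performs the token request
        self.clock, self.skew = clock, skew
        self._token, self._expires_at = None, 0.0

    def get_token(self):
        if self._token and self.clock() < self._expires_at - self.skew:
            return self._token                # cached token is still within its lifetime
        secret = self.load_secret()           # read at refresh time, not once at start-up
        self._token, ttl = self.request_token(self.client_id, secret)
        self._expires_at = self.clock() + ttl
        return self._token

class FakeAuthServer:
    """Constructed stand-in for the token endpoint: only the current secret is accepted."""
    def __init__(self, secret, ttl=3600):
        self.secret, self.ttl, self.issued = secret, ttl, 0
    def rotate(self, new_secret):
        self.secret = new_secret              # models Generate new secret: old secret dies at once
    def token(self, client_id, secret):
        if secret != self.secret:
            raise PermissionError("invalid_client")
        self.issued += 1
        return f"token-{self.issued}", self.ttl

def simulate_rotation(update_store_before_expiry):
    now, store = [0.0], {"secret": "old-secret"}   # constructed clock and secret store
    server = FakeAuthServer("old-secret")
    provider = TokenProvider("example-app-id", lambda: store["secret"],
                             server.token, clock=lambda: now[0])
    events = [provider.get_token()]           # first token, obtained with the old secret
    server.rotate("new-secret")               # administrator generates a new secret
    now[0] = 600
    events.append(provider.get_token())       # cached token is reused until it expires
    if update_store_before_expiry:
        store["secret"] = "new-secret"        # secret store updated inside the window
    now[0] = 3600
    try:
        events.append(provider.get_token())   # refresh uses whatever the store holds now
    except PermissionError as exc:
        events.append(str(exc))               # store still holds the invalidated secret
    return events
```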
Editing an application
From the details page, click Edit in the Client application details panel. You can update the name and toggle Administrator access. Click Save to apply your changes.
Deleting an application
When an integration is decommissioned, delete the corresponding client application to ensure its credentials can no longer be used.
- Open the application’s details page.
- Click Actions, then Delete client app.
- Type the Client ID to confirm, then click Delete app.
Warning: Deletion is permanent and cannot be undone. Any integration using this application will immediately stop authenticating. Confirm that no critical workflows depend on this app before deleting it.
Access groups tab
The Access groups tab is the same Access Groups experience you have used previously. Functionality has not changed.
Figure 7. The Access groups tab.
Access groups define logical subsets of your data — for example, all shipments with a specific SOLD_TO value, or all shipments using a specific mode of transport. From here you can:
- Search and filter access groups by type.
- View the group logic, member count, and last modified date.
- Click View details on any group to inspect its members and configuration.
- Click Add access group to create a new group.
Access groups are assigned to users (in the Users tab) and to client applications (in the Apps tab) to control what data each one can see.
Best practices
- Use descriptive application names. A name like *"warehouse-eta-integration-prod"* is much easier to manage than *"new app 3"*, especially as your tenant grows.
- Default to User access. Only grant Administrator access when an application specifically needs higher-level functions such as inviting carriers, adding ELD/GPS connections, or creating subscriptions.
- Store secrets in a secrets manager. Never paste client secrets into shared documents, chat tools, ticket comments, or source control.
- Rotate secrets periodically. Use the *Generate new secret* action to rotate credentials on a regular schedule, especially after team changes.
- Scope with Access groups. Assign client applications only to the Access groups whose data they actually need — not to *Full Data Access* by default — to minimize the blast radius if credentials are ever compromised.
- Audit unused apps. Use the *Last token created time* column on the Apps tab to identify integrations that are no longer active, and delete them.
Frequently asked questions
I closed the secret dialog without copying it. How do I get the secret back?
The secret cannot be retrieved. Open the application’s details page and use Actions > Generate new secret to create a new one, then update your integration.
What is the difference between User and Administrator access?
Administrator access grants the application higher-level functions such as inviting carriers, adding new ELD/GPS connections, and creating subscriptions. User access is suitable for the vast majority of integrations that read or write shipment, order, and tracking data.
Can I move a client application between tenants?
No. A client application belongs to the tenant in which it was created. To use an integration in a different tenant, create a new application there.
Where did the old User Management and Access Groups pages go?
They are now tabs inside the new Access Management page on Settings. The functionality is identical to what you had before — the Users and Access groups tabs are the same tools you were already using, just consolidated under one heading.