Setup Limited Admin Roles

Setting up additional accounts with administrative permissions can reduce the burden on your main administrator, and allow you to reduce the access requirements that your Admin operates with day-to-day.

This can help minimize your admins:

  • number of visible folder/password entries
  • number of role permissions

Below are example scenarios for limited administrative roles:

You can modify or combine these as you wish.

User Admin

Perhaps an administrative user will only need User Management ability, but not need the ability to adminstrate folder/entry access.

Summary:

  • can Administer Users
  • no folder access

Setup Steps:

  1. Roles: Setup another Administrative Role
  2. Set the Permissions: include the ability to Administer Users with this role
  3. Users: Assign this Role to user accounts, who will function with limited admin access
  4. Home: Do not assign this Role on Root.

 

Add or remove any additional access as needed for the role.

Help Desk

Summary:

  • can view user and role lists and details
  • can view policy details
  • can reset account lockouts
  • can view enrollment status
  • (optionally) set password
  • (optionally) synchronize users and roles

Setup Steps:

  1. Roles: Setup another Role
  2. Set the Permissions: may wish to include User and Role permissions, such as:
    • View Only user/role/policy details
    • (Optionally) Set User Password
    • Reset User Lockouts
    • View Only User Directories
    • Get User Lists / Get Group Lists
    • (Optionally) Sync Users / Roles / Reset Users
    • Enrollment Status viewing
  3. Users: Assign this Role to user accounts, who will function with limited access
  4. Home: (optionally) can assign this Role additional folder/entry access

 

Add or remove any additional access as needed for the role.

Provisioning Team

Sometimes provisioning teams/roles do not need to know the passwords, but it is helpful to have them administrate nevertheless. A provisioning team members could add and remove access to credentials without having access to the password.

Summary:

  • has limited folder access (Full + Grant + Block)
  • optionally can Administer Users
  • no View Password access


Setup Steps:

  1. Roles: Create a new Role, "Provisioning Team"
  2. Access Levels: Create a "Provisioning Team" Access Level with the same set up as Full+Grant+Block but set "View Entry Password" action to false. Set "Modify Entries" action to false (modify passwords).
  3. Users: Create a new user and assign them the Provisioning Team role.
  4. Home: Selectively assign this Role with the Provisioning Team Access Level on the Root folder, or to the Folders / Entries you wish them to manage.


Add or remove any additional access as needed for the role.

Limited Admin

Perhaps an administrative user will not need User Management ability, but still would have other adminstrative access such as Auditing/Reporting/Managing folders/entries, etc.

Summary:

  • has limited Permissions
  • optionally has limited folder access
  • no Administer User
     

Setup Steps:

  1. Roles: Setup another Administrative Role
  2. Set the Permissions: do not include the ability to Administer Users with this role
  3. Users: Assign this Role to user accounts, who will function with limited admin access
  4. Home: (optionally) Selectively assign this Role at the Root folder, or to the Folders / Entries you wish them to manage.

 

Add or remove any additional access as needed for the role.

Limited Folder Admin

Summary:

  • has limited folder access
  • optionally has Administer Users

Setup Steps:

  1. Roles: Setup another Administrative Role
  2. Set the Permissions: (optionally) include the ability to Administer Users with this role
  3. Users: Assign this Role to other user(s), who will function with limited admin access
  4. Home: Selectively assign this Role to the Folders / Entries you wish them to view/manage.

 

Add or remove any additional access as needed for the role.

Tag page
You must login to post a comment.