Setup Limited Admin Roles
Users prefer Pleasant Password Server with a KeePass client!
Setting up additional accounts with administrative permissions can reduce the burden on your main administrator, and allow you to reduce the access requirements that your Admin operates with day-to-day.
This can help minimize your admins:
- number of visible folder/password entries
- number of role permissions
The application now provides some default roles for you to get started:
- Administrator - Super-User, full administrative permissions across the application
- User - Basic access, view the Client Downloads tab
- App Admin - These users can administrate application settings
- User Admin - These users can administrate users
- Help Desk - These users can perform tasks typical of help desk members
- Report & Audit - These users can run Reports & view Audits event logging
Below are example scenarios for some limited administrative roles to setup:
You can modify or combine these as you wish.
User Admin
Perhaps an administrative user will only need User Management ability, but not need the ability to administrate folder/entry access.
Summary:
- can Administer Users
- no folder access
Setup Steps:
- Roles: Setup another Administrative Role
- Set the Permissions: include the ability to Administer Users with this role
- Users: Assign this Role to user accounts, who will function with limited admin access
- Home: Do not assign this Role on Root.
Add or remove any additional access as needed for the role.
Help Desk
Summary:
- can view user and role lists and details
- can view policy details
- can reset account lockouts
- can view enrollment status
- (optionally) set password
- (optionally) synchronize users and roles
Setup Steps:
- Roles: Setup another Role
- Set the Permissions: may wish to include User and Role permissions, such as:
- View Only user/role/policy details
- (Optionally) Set User Password
- Reset User Lockouts
- View Only User Directories
- Get User Lists / Get Group Lists
- (Optionally) Sync Users / Roles / Reset Users
- Enrollment Status viewing
- Users: Assign this Role to user accounts, who will function with limited access
- Home: (optionally) can assign this Role additional folder/entry access
Add or remove any additional access as needed for the role.
Provisioning Team
Sometimes provisioning teams/roles do not need to know the passwords, but it is helpful to have them administrate nevertheless. A provisioning team members could add and remove access to credentials without having access to the password.
Summary:
- has limited folder access (Full + Grant + Block)
- optionally can Administer Users
- no View Password access
Setup Steps:
- Roles: Create a new Role, "Provisioning Team"
- Access Levels: Create a "Provisioning Team" Access Level with the same set up as Full+Grant+Block but set "View Entry Password" action to false. Set "Modify Entries" action to false (modify passwords).
- Users: Create a new user and assign them the Provisioning Team role.
- Home: Selectively assign this Role with the Provisioning Team Access Level on the Root folder, or to the Folders / Entries you wish them to manage.
Add or remove any additional access as needed for the role.
Limited Admin
Perhaps an administrative user will not need User Management ability, but still would have other administrative access such as Auditing/Reporting/Managing folders/entries, etc.
Summary:
- has limited Permissions
- optionally has limited folder access
- no Administer User
Setup Steps:
- Roles: Setup another Administrative Role
- Set the Permissions: do not include the ability to Administer Users with this role
- Users: Assign this Role to user accounts, who will function with limited admin access
- Home: (optionally) Selectively assign this Role at the Root folder, or to the Folders / Entries you wish them to manage.
Add or remove any additional access as needed for the role.
Limited Folder Admin
Summary:
- has limited folder access
- optionally has Administer Users
Setup Steps:
- Roles: Setup another Administrative Role
- Set the Permissions: (optionally) include the ability to Administer Users with this role
- Users: Assign this Role to other user(s), who will function with limited admin access
- Home: Selectively assign this Role to the Folders / Entries you wish them to view/manage.
Add or remove any additional access as needed for the role.