Delegating Administrative Permissions

Lee David Painter

Introduction

This article shows how to delegate administrative functions to users, allowing you to spread admin responsibilities across other users. For example, you may wish to give some users the ability to create resources or manage user accounts.

 

Creating a new Role

Your users and their access rights will be bound through Roles. A role provides a set of Permissions to users and groups that belong to it. Go to Administration -> Security & Permissions -> Roles.

 

Here you will see all of the roles that are present in your Realm, in this case the three default roles already present.

We will create a new role specifically for our delegation.

 

Assigning users and groups

Roles can contain both users and groups from your user database. Give the Role a name and begin assigning users and/or groups that you wish to have access to the permissions that will be set in this role.

 

Assigning Permissions

Once the users/groups have been added, go to the Permissions tab. At the top is a box containing all the possible permissions. Clicking on the arrow moves the permission into the included field.

Most permissions are CRUD based, that is, Create, Read, Update and Delete. Some areas may not have all of these, and others may define more specific permissions. For example, a user must have the Logon permission before they can log in to the system.

 

Once you have assigned all the permissions, select the Create option to complete the role creation process. The Role will be created and listed in the Roles section, where you can make any changes later. Any users or groups you assigned will now have the permissions you assigned.

NOTE: If you want to assign all permissions to a user, there is no need to select all the permissions; just use the built-in Realm or System Administrator role. This ensures that the user continues to have full permissions to manage the system when new permissions are added by new features or updates.

Similarly, if you need all users in the system to have a specific permission, add this to the Everyone role.

 

Example: Assigning Permissions to manage user accounts

In order to create a role that would allow permission to manage user accounts, begin by creating a new role and assigning the users or roles that will have access to this.

 

On the permissions tab, assign these permissions and save the role:

User Create
User Delete
User Read
User Unlock
User Update

 

If we now log in to LogonBox with the user assigned to this role, we will see the additional rights that are now available to them. In this case you can see that the User Directory menu option is now available.

 

Selecting this option takes us to the Users page. Selecting the Actions menu will then show the various options available.