Distributed User Management
Description
LogicNets releases above 7.4 include an update to the User Management Module that allows for distributing partial user management responsibilities to users other than the system administrator. By providing a user or users with a Group Administrator role, the system administrator gives identified users controlled access to the User Management Module to create and manage users of specific user groups within a LogicNets installation. The picture below explains the distributed user management concept:
System administrators manage all of the users and user groups in the system, but system administrators can also set up group administrators, who will then have permissions that allow them to manage users within a specific group. This function allows for distributed user management and is especially useful for those companies with a large user base. System administrators can delegate certain user management tasks to group administrators.
Use
This function is used as part of User Management for all LogicNets-based applications.
Create User Groups to be Managed by Group Administrators
To use group administration functionality, you must first set up the user groups that will be managed by group administrators. Remember that only system administrators can set up user groups, so you must have system administrator privileges to complete these steps.
For this functionality, you will need to set up two user groups: the group that will contain the users to be managed and the group that will contain the group administrators. In the image above, the group that contains the administrators is identified with a 1 and the user group the administrators will manage is identified with a 2. You can also set permissions so group administrators can add users to the group administrator role as well, which is identified by the 3 in the image.
- From the Access Management module, click the Groups button to enter Group Management.
- Click new to add a new user group.
- Enter the name of the first user group and a description for that group. Click Add.
- Click Save on the Group Details page to save the group.
- Repeat the first four steps, creating the administrator group for the first user group you created.
- Once you have created the two groups you need to set the relationship between them. From the list of groups, click the user group you created and click modify.
- In the Managed By section, select the name of the administrative group you created and click Save.
- Optional: If you want to allow group administrators to add new administrators to their group, open the administrative group you created from the list of groups. In the Managed By section, select the name of the administrative group you created and click Save.
Note that an administrator group can manage multiple user groups; for example, you can have vendor1_users, vendor2_users, and vendor3_users. Vendor1_administrator can manage vendor1_users only, vendor1_users and vendor3_users, or all of the groups.
Step 8 is optional and has benefits and risks:
- Benefit: Allowing group administrators to assign the role to more than one administrative user allows administrators coverage during busy periods or vacations.
- Risk: Adding users to the administrator group allows them to add and delete other users. The rules surrounding the approach should be clear across all of the administrators. You may want to establish guidelines for user management for administrative users.
- Optional: Set account expiry date and/or password expiry date. When you create a user's account, you can set the account to expire at a particular date; for example, you know the user is only going to be with your company for 3 months. You can also set the date on which the user's password will expire. In the user's account details, use the calendar icon next to these fields to select the dates. Click Save to save your changes.
Add Administrators to the Administrative Group
Once you have created your administrative and user groups, you can assign a user to the group administrator role and they can begin to manage the users in the user group you created. Add a user to the administrative group by either searching for an existing user and modifying this list of groups to which they belong or by adding a new user.
- In the Groups section of the user's profile, first add the user to the group that allows them to see any administrative functionality. This group is called system.accessmanagement.groupadmin.
- From the Groups dropdown menu, now you must also select the name administrative group you created.
- Click Save to save your changes.
Now this user has the ability to create new users and assign them to the user group under their administration.
Manage Users in a User Group
User group administrators will see the Access Management icon on their portal page when they log into the LogicNets application. Unlike system administrators, however, group administrators will only see the User and Groups buttons at the top of the page.
User group administrators can perform the following functions:
- Create a new user.
- Add a user to a group or groups.
- Modify a user's profile details.
- Reset a user's password.
- Delete an existing user.
When creating a new user, the group administrator can assign the user the groups that he is managing. The group manager can also assign users to the administrator group he manages to allow more than one person to manage the users assigned to a particular group. The group administrator can also remove users from the administrator group.
User group managers do not have the privileges required to allow them to change settings such as the following:
- Packages on the Dashboard
- Workspaces on the Dashboard
- License Details
- User Roles
Those settings can only be modified by the system administrator.
Remove User from a Group
User administrators are able to delete a user from a group; for example, if the user is no longer involved in the application or leaves the company. You should only use this feature if you create the user in error. To remove a user from the user group you manage it is better to deactivate the user's account instead. To do this, do the following:
- Find the user in the list of users you manage.
- Click modify to modify the user's information.
- Under Status, select Inactive from the dropdown menu.
- Click Save to save your changes.