Administrator roles
Introduction to administrator roles
The Intelligent Application Manager provides different levels of authority to ensure the security of your applications.
For example, only administrators are allowed to create new applications, while an application manager is responsible for creating user groups and users for a subset of applications.
Assign roles to users
To assign administrator rights in IAM:
menu Authorization > Users > tab Administrators
Available administrator roles
The following administrator roles are available:
Note: ISVs = information specifically for Independent Software Vendors hosting multi-tenant SaaS environments.
Role | Rights |
---|---|
Main administrator | - Full control over the IAM. - Set up new tenants and manually link users and user groups to them. - Runs in developer mode within the own tenant. This offers extra options in the Developer ribbon. ISVs: - Never assign the Main administrator role to a customer. This role is not limited by the tenancy filters and has access to all the users and all the tenants it is linked to. |
Application administrator | - Create new applications and tenants, and link roles to user groups. User groups can be created by a Group administrator. - Assign Application owners. ISVs: - Never assign the Application administrator role to a customer, since this role has access to all applications and users of all tenants, to be able to assign application owners. |
Application owner | - See user groups assigned to the own tenant. - Assign roles of the assigned application(s) to user groups. ISVs: - The Application owner role is subject to tenancy and can be assigned to customers. |
Group administrator | - See users and user groups within the own tenant. - Create new user groups. The user group will automatically be assigned to the own tenant. - Link users to user groups within the own tenant. Users can be created by a User administrator. - Define Group owners. ISVs: - The Group administrator role is subject to tenancy and can be assigned to customers. |
Group owner | - Link users to the groups for which they are the owner, within the own tenant. ISVs: - The Group owner role is subject to tenancy and can be assigned to customers. |
User administrator | - See users, user preferences and user logging within the own tenant. - Create new users. The user will automatically be assigned to the same tenant. ISVs: - The User administrator role is subject to tenancy and can be assigned to customers. - NOTE: Duplicate user IDs or email addresses might reveal information about users already registered to another customer. |
Simulator | - Simulate other users for troubleshooting purposes within the own tenant. See user simulation. ISVs: - The Simulator role is subject to tenancy and can be assigned to customers. - NOTE: If a user is both a Root administrator and a Simulator, any user of any tenant can be simulated. |
Developer mode | - Run in developer mode within the own tenant. ISVs: - Never assign the Developer mode role to a customer. This role allows a user to download the system logs which contain information of all tenants. |
Examples
An application administrator responsible for creating users and user groups and linking roles to user groups requires the following roles:
- Application administrator or Application owner.
- Group administrator and Group owner.
- User administrator.
A single tenant requires the following roles for creating users and user groups and linking users to user groups:
- Group administrator and Group owner.
- User administrator.
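The following added example (not part of the product or its documentation) audits a constructed list of role assignments against the ISV rules in the table and the single-tenant role set from the examples above. The row layout `(user, is_customer, role)`, the sample users and the function names are assumptions, not an IAM export format.

```python
from collections import defaultdict

# Roles the table says never to assign to a customer (not limited by tenancy).
NEVER_FOR_CUSTOMERS = {"Main administrator", "Application administrator", "Developer mode"}
# Roles the table describes as subject to tenancy.
TENANT_SCOPED = {"Application owner", "Group administrator", "Group owner",
                 "User administrator", "Simulator"}
# Role set the examples list for a single tenant managing its own users and groups.
SINGLE_TENANT_SET = {"Group administrator", "Group owner", "User administrator"}
# Role name used in the Simulator note; it has no row of its own in the table.
ROOT = "Root administrator"

# Constructed sample rows (user, is_customer, role); hypothetical layout.
SAMPLE = [
    ("isv.ops", False, "Main administrator"), ("isv.ops", False, "Simulator"),
    ("isv.support", False, ROOT), ("isv.support", False, "Simulator"),
    ("acme.admin", True, "Group administrator"), ("acme.admin", True, "Group owner"),
    ("acme.admin", True, "User administrator"),
    ("acme.dev", True, "Developer mode"), ("acme.dev", True, "User administrator"),
    ("globex.it", True, "Application administrator"), ("globex.it", True, "Auditor"),
]

def collect(rows):
    """Group rows into {user: roles} and {user: is_customer}."""
    roles, customer = defaultdict(set), {}
    for user, is_customer, role in rows:
        roles[user].add(role)
        customer[user] = customer.get(user, False) or is_customer
    return roles, customer

def audit(rows):
    """Return (user, finding, role) tuples, in user order, for rule violations."""
    roles, customer = collect(rows)
    known = NEVER_FOR_CUSTOMERS | TENANT_SCOPED | {ROOT}
    findings = []
    for user in sorted(roles):
        held = roles[user]
        if customer[user]:  # customer holding a role that is not limited by tenancy
            findings += [(user, "not-tenant-limited", r) for r in sorted(held & NEVER_FOR_CUSTOMERS)]
        # Role names not on the page (typos, stale exports) are surfaced, not ignored.
        findings += [(user, "unknown-role", r) for r in sorted(held - known)]
        if {"Simulator", ROOT} <= held:  # combination from the Simulator NOTE
            findings.append((user, "simulate-any-tenant", "Simulator"))
    return findings

def missing_single_tenant_roles(rows, user):
    """Roles from the single-tenant example that `user` does not hold yet."""
    roles, _ = collect(rows)
    return sorted(SINGLE_TENANT_SET - roles[user])
```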