Administrator roles
Introduction to administrator roles
The Intelligent Application Manager provides different levels of authorization to ensure the security of your applications.
For example, only an application administrator is allowed to create new applications, while an application owner is responsible for the authorization of a subset of applications.
Definitions
Authorization
Authorization is the process of assigning a role to a user group for an application.
- In the Software Factory: assign roles and rights to functionality.
- In IAM: create user groups.
- In IAM: grant user groups access to applications.
- In IAM: create users and add them to user groups.
All the users in a user group will receive the complete set of roles for the granted applications.
Figure: Authorization
Tenants
Tenants represent an isolated, administrable set of users and user groups.
- User groups are always part of a tenant.
- Users are always part of a tenant.
- Users can only be a member of a user group within the same tenant.
- Users with an administrator role are also always part of a tenant.
- Without further tenant configuration, all the users and user groups reside in the default tenant.
See also Tenants.
Figure: Authorization with a tenant
Role overview
- Main administrator (Main admin)
- Application administrator (Appl admin)
- Application owner (Appl owner)
- Group administrator (Group admin)
- Group owner
- User administrator (User admin)
- Simulator (Sim)
- Developer mode (Dev)
Which role can view what information?
Each role except for the Main administrator and Application administrator can only view the information within their own tenant(s).
| Can view | Main admin | Appl admin | Appl owner | Group admin | Group owner | User admin |
|---|---|---|---|---|---|---|
| Tenants | all | all | own | own | own | own |
| Applications | all | all | own | - | - | - |
| User groups | all | all | own | own | own | - |
| Users | all | all | - | own | own | own |
| Roles (module authorization) | all | all | own | - | - | - |
Which role can assign another role?
The Main administrator can assign the other administrator roles. Administrators can assign the underlying owner roles in the same category.
See also Assign a role to a user.
| Can assign | Main admin | Appl admin | Appl owner | Group admin | Group owner | User admin | Sim | Dev |
|---|---|---|---|---|---|---|---|---|
| Application administrator | x | | | | | | | |
| Application owner | | x | | | | | | |
| Group administrator | x | | | | | | | |
| Group owner | | | | x | | | | |
| User administrator | x | | | | | | | |
| Simulator | x | | | | | | | |
| Developer mode | x | | | | | | | |
Which role has what rights?
| Is allowed to | Main admin | Appl admin | Appl owner | Group admin | Group owner | User admin | Sim | Dev |
|---|---|---|---|---|---|---|---|---|
| Tenant - create | x | | | | | | | |
| OpenID - set up | x | | | | | | | |
| Client applications - set up | x | | | | | | | |
| Application - create | x | x | | | | | | |
| Application - configure | x | x | | | | | | |
| Application - authorize | x | x | x | | | | | |
| Roles - limit (module authorization) | x | x | | | | | | |
| User group - create | x | | | x | | | | |
| User group - add users | x | | | x | x | | | |
| User - create | x | | | | | x | | |
| User - simulate | x | | | | | | x | |
| Run in developer mode | x | | | | | | | x |
Role assignment for Independent Software Vendors
If you are an Independent Software Vendor (ISV), you need to know which roles you can assign to your customers and which you cannot. You can find this information in the table below.
For more important information about assigning roles as an ISV, read all the role descriptions. See Available administrator roles.
| | Main admin | Appl admin | Appl owner | Group admin | Group owner | User admin | Sim | Dev |
|---|---|---|---|---|---|---|---|---|
| Suitable for customers | no | no | yes | yes | yes | yes | yes | no |
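The rules in the Tenants section, the "Which role has what rights?" table and the "Suitable for customers" row, as a small Python model. This is an added example for this page, not Thinkwise IAM code: it lets you check a planned role assignment (for instance, before handing roles to a customer) against the tenancy rules. The role identifiers, the Principal and UserGroup classes, the right names and the function names are assumptions made for the illustration; the Main administrator is treated as holding every right, as the page states.

```python
"""Tenancy-scoped check of the IAM administrator role rules.

Constructed example for this page, not Thinkwise IAM code. It encodes the
"Which role has what rights?" table, the tenancy rules from "Tenants" and the
ISV "Suitable for customers" row so that a planned role assignment can be
checked before it is made. The role identifiers, the Principal/UserGroup
classes and the function names are assumptions made for the illustration.
"""
from dataclasses import dataclass

# Roles that are not limited by the tenancy filters (Main administrator and
# Application administrator): they reach every tenant.
TENANT_UNBOUND = {"main_admin", "appl_admin"}

# Roles an ISV must never hand to a customer, per the "Suitable for customers" row.
NOT_FOR_CUSTOMERS = {"main_admin", "appl_admin", "dev"}

# Right -> roles that hold it, from the rights table. The Main administrator can
# perform any task, so it is added implicitly in can() and not listed here.
RIGHTS = {
    "tenant.create": set(),
    "openid.configure": set(),
    "client_application.configure": set(),
    "application.create": {"appl_admin"},
    "application.configure": {"appl_admin"},
    "application.authorize": {"appl_admin", "appl_owner"},
    "roles.limit": {"appl_admin"},
    "user_group.create": {"group_admin"},
    "user_group.add_user": {"group_admin", "group_owner"},
    "user.create": {"user_admin"},
    "user.simulate": {"sim"},
    "developer_mode.run": {"dev"},
}


@dataclass(frozen=True)
class Principal:
    name: str
    tenant: str                      # every user, administrators included, has a tenant
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class UserGroup:
    name: str
    tenant: str                      # user groups are always part of a tenant


def can(actor: Principal, right: str, target_tenant: str) -> bool:
    """True if actor may exercise `right` on an object that lives in target_tenant."""
    if right not in RIGHTS:
        raise ValueError(f"unknown right: {right}")
    held = actor.roles & (RIGHTS[right] | {"main_admin"})
    if not held:
        return False
    # Tenant-unbound roles reach any tenant; tenant-bound ones only their own.
    if held & TENANT_UNBOUND:
        return True
    return target_tenant == actor.tenant


def add_user_to_group(actor: Principal, user: Principal, group: UserGroup) -> bool:
    """Enforce the two tenancy invariants for a membership change."""
    # Users can only be a member of a user group within the same tenant.
    if user.tenant != group.tenant:
        raise ValueError(f"{user.name} ({user.tenant}) cannot join {group.name} ({group.tenant})")
    # The actor needs the right in the group's tenant (Group admin/owner: own tenant only).
    if not can(actor, "user_group.add_user", group.tenant):
        raise PermissionError(f"{actor.name} may not add users to {group.name}")
    return True


def roles_unsuitable_for_customer(roles) -> set:
    """Return the subset of roles an ISV must not assign to a customer user."""
    return set(roles) & NOT_FOR_CUSTOMERS


if __name__ == "__main__":
    # Constructed sample principals in two tenants.
    main = Principal("isv-root", "default", frozenset({"main_admin"}))
    alice = Principal("alice", "acme", frozenset({"group_admin", "user_admin"}))
    print(can(alice, "user_group.create", "acme"))     # tenant-bound role, own tenant
    print(can(alice, "user_group.create", "globex"))   # tenant-bound role, other tenant
    print(can(main, "tenant.create", "globex"))        # Main administrator reaches all tenants
    print(roles_unsuitable_for_customer({"group_owner", "dev"}))
```

The model deliberately does not distinguish a Group owner's assigned user groups from the other groups in its tenant; the page only states the tenant boundary, so that finer scope is left out rather than guessed.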
Assign a role to a user
Roles that can perform this task: Main administrator, Application administrator, Group administrator. See also Which role can assign another role?.
To assign administrator roles to users in IAM:
menu Authorization > Users > tab Administrators
- Go to the appropriate role tab.
- Some roles need extra data. If required, select the data the role needs, such as a Tenant, a Model and Branch, or a User group.
- Select a User.
Manage roles
To view and manage which user has which role:
Advanced menu > Administrators
- Select the menu group for the role you want to inspect. Here you can view a list of the users that have been assigned to that role. Removing a row from this list removes the role from the user; it does not remove the user. You can also add users to the role here.
Available administrator roles
Main administrator
A Main administrator can perform any task in IAM.
Never assign the Main administrator role to a customer. This role is not limited by the tenancy filters and has access to all users and all tenants.
Exclusive rights:
- Assign the Application administrator, Group administrator, User administrator, Simulator and Developer mode roles to users
- Create tenants
- Set up OpenID and client applications
- All other configuration and maintenance

Can view:
- All tenants
- All applications
- All user groups
- All users
Application administrator and owner
An application administrator's primary role is to create and maintain applications, and set up or delegate authorization for these applications. They can select users of any tenant to promote them to application owner.
An application owner's primary role is to set up the authorization for the applications delegated to them. Applications in a tenant can be maintained by multiple application owners, and application owners can maintain applications in multiple tenants.
- Never assign the Application administrator role to a customer, since this role has access to all the applications and users of all tenants.
- The Application owner role is subject to tenancy and can be assigned to customers.
Application administrator rights:
- Fully manage all applications, including authorization
- Assign the Application owner role to users
- Limit the available roles to specific modules. See Module authorization.
- Configure application information such as system flows, printers, email providers, OAuth servers, file storage locations, translations and module authorization

Can view:
- All applications
- All user groups (to set up authorization)
- All users (to assign the Application owner role)
Application owner rights:
- Manage authorization for assigned applications

Can view:
- Assigned applications
- User groups within their own tenant
- Roles, limited by module authorization. See Module authorization.
Group administrator and owner
A Group administrator's primary role is the administration of user groups within their tenant.
A Group owner's primary role is to add users to user groups within their tenant.
Both the Group administrator and Group owner roles are subject to tenancy and can be assigned to customers.
Group administrator rights:
- Create user groups
- Add users to user groups
- Assign the Group owner role to users

Can view:
- User groups within their own tenant
- Users within their own tenant
Group owner rights:
- Add users to user groups

Can view:
- Assigned user groups (within their own tenant)
- Users within their own tenant
User administrator
A User administrator's primary role is the user administration within their tenant.
- WARNING - Duplicate user IDs or email addresses might reveal information about users already registered to another customer: when a User administrator tries to create a user with an ID or email address that already exists, the resulting conflict tells them that the user exists, even if it belongs to another customer's tenant.
- The User administrator role is subject to tenancy and can be assigned to customers.
User administrator rights:
- Create and fully manage users

Can view:
- Users within their own tenant
Simulator
With the role of Simulator you can simulate other users for troubleshooting purposes within your own tenant. See User simulation.
- WARNING - If a user is both a Main administrator and a Simulator, any user of any tenant can be simulated, because the Main administrator role is not limited by the tenancy filters.
- The Simulator role is subject to tenancy and can be assigned to customers.
Developer mode
With the role Developer mode, you can run the software in developer mode within your own tenant. See Developer mode.
WARNING - Never assign the Developer mode role to a customer. It allows a user to download the system logs that contain information of all tenants.
Examples
An employee responsible for creating users and user groups and linking roles to user groups requires the following roles:
- Application administrator or Application owner.
- Group administrator and Group owner.
- User administrator.
If you are using tenancy, an employee who only needs to create users and user groups and link users to user groups within a single tenant requires the following roles:
- Group administrator and Group owner.
- User administrator.