Beyond Identity provides role-based access control (RBAC) functionality in the Admin Console. RBAC allows a tenant administrator to grant access to certain Admin Console features to different users based on predefined roles.
When configured, users have the access privileges associated with their group. For example, a user can be added to a group that grants the ability to perform all administrative tasks, or to a group that grants only the ability to view information (for example, to view policy configuration). Access to these capabilities is granted by placing the user in the group.
NOTE: This feature is not enabled or viewable by default. Contact your Beyond Identity representative to turn it on.
To configure role-based access control:
1. Log into the Admin Console and click Settings on the left-hand navigation.
2. From the Account Settings page, click Control Access Console. The 11 predefined RBAC roles are displayed.
| Role | Description |
|---|---|
| Super Administrators | Able to perform all administrative actions for a tenant. Only users in this group can add users to other predefined RBAC groups. |
| Directory Administrators | Able to manage users, groups, and devices. |
| Directory Read Only | Able to read users, groups, and devices. |
| Integrations Administrators | Able to manage OIDC connections, SAML connections, MDM integrations, and Okta integrations. |
| Integrations Read Only | Able to view OIDC connections, SAML connections, MDM integrations, and Okta integrations. |
| Policy Administrators | Able to manage policies. |
| Policy Read Only | Able to view policy configuration. |
| Help Desk | Able to view and suspend users, send enrollment emails, and view groups, devices, policy, and event logs. |
| Help Desk Plus | Able to view and suspend users, send enrollment emails and short codes, and view groups, devices, policy, and event logs. |
| Help Desk Limited | Able to view users, send enrollment emails, and view groups, devices, policy, and event logs. |
| Analytics | Able to view the insights dashboard and event logs. |
3. Click on the appropriate group, such as Directory Administrators. The page provides additional information on the access privileges for the group. You can add users and groups to the RBAC role.
4. To add a user to an RBAC role, click the Users tab.
5. Click Assign access role to users.
6. From the Assign users to role drop-down menu, select each user you want to add.
7. To add a group to an RBAC role, click the Groups tab.
8. Click Assign access role to groups.
9. From the Assign groups to role drop-down menu, select each group you want to add.
NOTE: For RBAC role changes to propagate, the user must log out and log back into the Admin Console.
Assigning managed groups
Assigning managed groups restricts directory management so that admins can only view and manage users within the groups specifically assigned to them. By default, any user or group assigned to these permission groups has permission to manage all users. This functionality is available for the following roles.
- Directory Administrators
- Directory Read Only
- Help Desk
- Help Desk Plus
- Help Desk Limited
For example, if your organization has three user groups, Engineering, Finance, and Sales, and you assign an admin to manage only the Engineering group, that admin can only view and manage users within the Engineering group.
Limitations for assigned managed groups
Roles without connected user-based permissions have no managed groups to assign. This applies to the roles below.
- Super Administrators
- Integrations Administrators
- Integrations Read Only
- Policy Administrators
- Policy Read Only
- Analytics
Adding a group to manage to a role
The steps below are for configuring managed groups in Beyond Identity.
- Navigate to one of the following roles.
  - Directory Administrators
  - Directory Read Only
  - Help Desk
  - Help Desk Plus
  - Help Desk Limited
- Click the Pencil Icon next to a user or group that has been assigned the role.
- To add or edit groups in the Edit Managed Groups modal, click the pencil icon under Actions.
NOTE: Removing all the groups restores the default behavior of managing All users.
NOTE: Events are not scoped to managed groups. An admin with permission to view event logs can view events for all users across the system.
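The scoping rules above (managed groups apply only to the five directory and help-desk roles, an empty managed-group list means all users, and event logs are never scoped) are easy to get wrong when reviewing who can see whom. The following is an added example, not Beyond Identity code, that models those rules over a constructed directory so an administrator can reason about effective scope; the directory contents and the set of roles assumed to hold event-log access are assumptions taken from the role table above.

```python
from dataclasses import dataclass

# Roles whose user-based permissions can be narrowed by managed groups (from the page).
SCOPED_ROLES = {"Directory Administrators", "Directory Read Only",
                "Help Desk", "Help Desk Plus", "Help Desk Limited"}
# Roles whose description in the table includes event logs (assumption derived from it).
EVENT_LOG_ROLES = {"Super Administrators", "Help Desk", "Help Desk Plus",
                   "Help Desk Limited", "Analytics"}

# Constructed sample directory: username -> set of group names.
DIRECTORY = {
    "alice": {"Engineering"},
    "bob": {"Finance"},
    "carol": {"Engineering", "Sales"},
}


@dataclass(frozen=True)
class Assignment:
    role: str
    managed_groups: frozenset  # empty == default of managing all users


def supports_managed_groups(role):
    """Only roles with connected user-based permissions have managed groups to assign."""
    return role in SCOPED_ROLES


def make_assignment(role, managed_groups=()):
    if managed_groups and not supports_managed_groups(role):
        raise ValueError(f"{role} has no managed groups to assign")
    return Assignment(role, frozenset(managed_groups))


def user_in_scope(assignment, username):
    """True if this role assignment can view or manage the given user."""
    if assignment.role == "Super Administrators":
        return True  # all administrative actions for the tenant
    if not supports_managed_groups(assignment.role):
        return False  # no user-based permissions at all
    if not assignment.managed_groups:
        return True  # removing all groups means "All users"
    return bool(DIRECTORY.get(username, set()) & assignment.managed_groups)


def can_view_events_for(assignment, username):
    """Events are not scoped: event-log access covers every user in the tenant."""
    return assignment.role in EVENT_LOG_ROLES


def visible_users(assignment):
    return sorted(u for u in DIRECTORY if user_in_scope(assignment, u))
```

Running `visible_users` for a Help Desk assignment scoped to Engineering returns only alice and carol, while `can_view_events_for` still returns True for bob, which is the gap the note above warns about.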