Identity Enterprise is a role-based and group-based access control system, that prioritizes the principle of least privilege. It ensures admins and users have only the necessary permissions for their tasks, mitigating the risk of unauthorized data access and modifications. In this article, we will explore the best practices for administering admin roles and user permissions in Identity Enterprise.
Identify Admin Roles and Users
To streamline permission assignment, start by compiling a comprehensive list of each user's job position. Determine whether they should assume the role of an administrator or a user.
A role is a collection of permissions that can be assigned to users. Utilizing roles simplifies the process of adding, removing, and adjusting permissions. This approach eliminates the need to individually grant user permissions, which becomes increasingly burdensome as your user base grows in size and complexity.
Leverage Admin Roles
Identity Enterprise offers three predefined admin roles to meet the basic needs: Owner, Super Admins, and Read-Only Admin, each with distinct sets of permissions visible in Identity Enterprise Manager > Organizations > Admins > Roles > click a role > Settings.
When predefined roles fall short of meeting your specific requirements, create customized roles with view or edit permissions for each feature. For instance, designating a site-level admin role with permissions to edit Workflow and Attendance while restricting access to other features. Assign these roles strategically by aligning responsibilities with organizational needs.
Note: The Custom Role feature is unavailable in the Identity Enterprise Basic Plan. To apply for a free trial, please use your owner account to sign in to your Identity Enterprise Manager and go to Settings > Plan & Billing > Feature Usage > Apply for Plan Add-Ons.
Set an Expiration Time During Admin Role Assignment
Enhance security by setting expiration times when assigning admin roles to users. Identity Enterprise will automatically revoke admin roles and associated permissions once they expire, ensuring a proactive approach to access management.
Assign Granular Permissions in SSO Apps and Workflows
Assign an SSO App Admin
For more granular permission control, individuals can be assigned the role of an SSO app's assignment administrator. Those designated with this role can assign the app to workspace users, accessible through the Members, Admins, or SSO Apps Assignments pages. Additionally, an SSO app admin can view pages such as Overview, System Log, Workspace Settings, and Site Settings within the workspace. To designate a user as an SSO app assignment admin, please go to SSO Apps > select an app > Settings > General Settings > Assignment Admin.
Assign a Workflow Approver
Furthermore, users can be granted detailed permissions for each field within workflows and approval processes. This allows control over whether approvers can have the ability to edit or view specific fields in approval requests. Consider a scenario where you want to limit financial amount visibility to Finance department approvers only, excluding those unrelated to the financial details. You can do so by performing either of the following:
- Go to Workflows and Approvals > Forms > select a form > Form Design > Edit Workflow > select an approver process > click Settings.
- Go to Workflows and Approvals > Forms > create a new form > specify the required information > click Workflow > select an approver process > click Settings.
Create Groups and Assign Group Permissions
End-users should be granted access to the necessary resources to fulfill their work responsibilities. Identity Enterprise makes resource assignment more efficient by supporting assigning access to user groups.
To assign users to groups, please go to Organizations > Members > Groups, create groups, and add users to these groups.
Assign Group Permissions
To assign permissions to groups, do either of the following:
- Go to Organizations > Members > Groups, select a group, click Permissions, and assign resources as needed.
- Go to Services, select a service > site > resource, go to Assigned Users, click the “+” icon > Specific Users > Groups.
- Go to SSO Apps, select an app, and click Assignments > Groups > click the Assign Member. Note: Identity Enterprise also supports assigning SSO apps to users via CSV. You can do so by clicking Assignments > Assign from CSV icon.
Organizations can safeguard business-critical data and comply with their regulations by implementing granular permission controls and clearly defining user roles. This ensures seamless restriction of access, reducing the risk of data breaches.