Managing Administrators
The types of administrators and their roles and responsibilities depend on the size of your deployment. A small, single-organization deployment can have just one Master Administrator (MA) and a Global Administrator (GA) who administers the organization for end users. On the other hand, a very large multi-organization deployment can find it necessary to have multiple GAs who, based on the complexity of the deployment and the number of end users, can further delegate their organization and user management duties among several Organization Administrators (OAs) and User Administrators (UAs).
cara
The types of administrators and their roles and responsibilities depend on the size of your deployment. A small, single-organization deployment can have just one Master Administrator (MA) and a Global Administrator (GA) who administers the organization for end users. On the other hand, a very large multi-organization deployment can find it necessary to have multiple GAs who, based on the complexity of the deployment and the number of end users, can further delegate their organization and user management duties among several Organization Administrators (OAs) and User Administrators (UAs).
See Supported Roles for information about supported administrative roles. This article covers the following administrator management operations:
2
In addition to the operations discussed in this article , the Master Administrator has the privilege to create "Custom Roles" that are derived from the existing default roles supported by RA.
How to Create an Administrator
To create an administrator:
- Ensure that you are logged in with the required privileges and scope to create the administrative user.
- Activate theUsers and Administratorstab.
- Under theManage Users and Administratorssection, click theCreate Administratorlink to display the Create Administrator page.
- In theAdministrator Detailssection, enter the details of the administrator. The following table explains the fields on this page.
Input
| Description
|
User Name | The unique user name for the administrator. |
Organization | The display name of the organization to which the administrator belongs. Note: This is not the organization that this administrator will manage. |
First Name | The first name of the administrator. |
Middle Name (optional) | The middle name, if any, of the administrator. |
Last Name | The last name of the administrator. |
5. In the
Email Address(es)
section, enter the email address of the administrator for the email types configured for the organization.6. In the
Telephone Number(s)
section, enter the phone number to contact the administrator.If multiple telephone types are configured, you
must
enter values for all the mandatory telephone types.7. In the
Custom Attributes
section, enter the Name
and Value
of any attributes you want to add, such as office location.8. Click
Next
to proceed.The next page appears.
9. On this page:
Specify the role of the new administrator from the
Role
drop-down list.- In theSet Passwordsection, set and confirm the password for the administrator.
- In theManagessection, select the organizations that the administrator will have scope on, and perform one of the following:
- Select theAll Organizationsoption, if you want the administrator to manage all current and future organizations in the system.or
- Select the required organizations from theAvailable Organizationslist and click the>button to add these organization to theSelected Organizationslist.
Available Organizationslist displaysallthe organizations that are available in the scope of the administrator creating this new account. TheSelected Organizationsdisplays the list of organizations that you have selected for the administrator to manage.
10. Click
Create
to save the changes, create the account, and activate it.11. Communicate the new password to the administrator.
Privileges Required
An administrator can create other administrators who belong to the same level or to the lower levels in the administrative hierarchy
and
have the same or lesser scope. For example:- The MA can create all other types of administrators.
- GAs can create the followingwithintheir scope:
- Other GAs
- OAs
- UAs
- OAs can create the followingwithintheir scope:
- Other OAs
- UAs
How to Change Profile Information for an Administrator
The profile information for an account includes:
- Personal information (first, middle, and last names and contact information).
- Password for the account.
- Administrator preferences, such as Preferred Organization (the organization that will be selected by default in theOrganizationfields for all administrator-related tasks that you might perform in future), date time format, locale, and timezone information.
An administrator can change their account’s profile information at any time. To change the information for any other administrative account, see How to Update Administrator Information.
To change the administrator profile information for your account, if it was created with basic Username-Password credential:
- Ensure that you are logged in to your account.
- In theHeaderframe, click the <ADMINISTRATORNAME> link to display the My Profile page.
- Edit the required settings in the sections on this page:
- Edit the fields in thePersonal Informationsection, as needed.
- If you want to change the current password, then in theChange Passwordsection, enter theCurrent Password,and specify a new password in theNew PasswordandConfirm Passwordfields.
- In theAdministrator Preferencessection:
- Select theEnable Preferred Organizationoption, and select an organization from thePreferred Organizationlist. This organization will be selected for all administrator-related tasks that you perform from now on.
- Specify the preferredDate Time Format.
- Select the preferredLocalefor your instance of Administration Console.
- Select the required option from theTime Zonelist.
- ClickSaveto change the profile information.
Privileges Required
Only the administrator whose account information is being updated can change this information.
How to Search for an Administrator
To search for an administrator:
- Ensure that you are logged in with the required privileges and scope.
- Activate theUsers and Administratorstab.
- Specify the search criteria to display the list of administrators. You can:
- Search for administrators by specifying the partial or complete information of the administrator in the fields on this page.
- Search for administrators by specifying the organization's Display Name.
- Search for administrators by not specifying any criteria and just clickingSearch.
- Click theAdvanced Searchlink to display the Advanced Search page to search for the required administrators by specifying their Status or Role.
In theUser Statussection, you can search forCurrent Usersbased on the user status (Active, Inactive, or Initial) or you can search forDeleted Users. - SelectEnable search by Accountsif you want to search for administrators based on account IDs also.
- Specify the required details of the administrators and clickSearch.A list of administrators matching the search criteria appears.
Privileges Required
As long as you do not need to update, activate, or deactivate an administrative account, you do not need privileges to search. However, you
must
have the scope over the organizations that the administrator belongs to. For example, a UA can search for administrators in the target organization if
that organization is in their purview.How to Update Administrator Information
To update administrator information:
- Ensure that you are logged in with the required privileges to update the administrative user.
- Activate theUsers and Administratorstab.
- Under theManage Users and Administratorssection, click theSearch Users and Administratorslink to display the corresponding page.
- Enter the partial or complete information of the administrator whose account you want to update and clickSearch.A list of administrators matching the search criteria appears.
- Click the <user name> link of the administrator whose account you want to edit.The Basic User Information page appears.This page also displays theUser Account Information(Account Type,AccountID, andStatus) if any account type was configured.
- ClickEditto change the administrator information on this page.In theUser Detailssection, edit the required fields (First Name,Middle Name, andLast Name).
- In theEmail Address(es)section, edit the emailaddresses for the email types configured for the organization.
- In theTelephone Number(s)section, edit the telephone numbers for the telephone types configured for the organization.
- In theCustom Attributessection, edit theNameandValueof the custom attributes.
- You can either clickSaveto save the changes made and return to the User Information page,oryou can clickNextto proceed with additional configurations.If you don’t see aNextbutton, it means that no account type has been configured for the organization. In this case, clickUpdate Administrator Detailsand go to Step 14.If you clickNext, then the User Account page appears.
- In theUser Accountsection:
- Edit theAccount TypeandStatusfields.
- ExpandAdvanced Attributesto addAccountID Attributesfor the account ID.
If this is the first account ID you are creating, you must clickAddto add an account ID before you can update it. For more information about adding an account ID, see Create Account IDs. - ClickUpdateAdministrator Details.TheUpdate Administratorpage appears.
- In theRolesection on this page, change the role of the administrator by using theRoledrop-down list.
- In theSet Passwordsection:
- SetthePasswordandConfirm Passwordfor the administrator.
- SelectLockto lock the administrator’s credentials for theCredential Lock Period, which you can specify in theFromandTofields.
- In theManagessection, select the organizations that the administrator will manage.You can also remove the organization from the administrator’s scope by moving the specific organization fromSelected OrganizationstoAvailable Organizations.
- ClickSaveto save the updates.
Privileges Required
To update administrator information, you must ensure that you have the appropriate privileges and scope. The MA can update any administrator. The GAs can update all the administrators (including other GAs) in their scope,
except
the MA account. The OAs can update all other OAs and UAs in their purview, while UAs can only update their peers within their scope.How to Demote an Administrator to User Role
You can change the role of an administrator to an user. For example, an administrator in the IT department might have moved to the Engineering department. In this case, we would want to retain the user details, but remove the administrative privileges for the user.
To demote an administrator to a user:
- Perform Step 1 to Step 13, as described How to Update Administrator Information.The Update Administrator page appears.
- On the Update Administrator page, clickChangeRole to User.
- ClickOKin the confirmation dialog box that appears.
- You get the following message:Successfully demoted the administrator to user.
Privileges Required
To update administrator information, you must ensure that you have the appropriate privileges and scope. The MA can update any administrator. The GAs can update all the administrators (including other GAs) in their scope,
except
the MA account. The OAs can update all other OAs and UAs in their purview, while UAs can only update their peers within their scope.How to Configure Account IDs for Administrators
In addition to the user name, an
account ID
is an alternate method to uniquely identify a user in RA system. After you have configured the account types that your organization will use, you can associate one account ID per user for any of these account types. For more information about account types, see Configuring the Account Type .Privileges Required
To configure an account ID for an account type, you must ensure that you have the appropriate privileges and scope to update the user account. The MA can update any user account. The GAs can update all user accounts in their scope. The OAs and UAs can update the user accounts in their purview.
How to Create Account IDs
To create an account ID:
- Ensure that you are logged in with the required privileges and scope to update the administrator information.
- Activate theUsers and Administratorstab.
- Under theManage Users and Administratorssection, click theSearch Users and Administratorslink to display the Search Users and Administrators page.
- Enter the partial or complete information of the administrator whose account you want to update and clickSearch.A list of administrators matching the search criteria appears.
- Click the <user name> link of the administrator whose account you want to edit.The Basic User Information page appears.
- ClickEditto open the Update Administrator page.
- ClickNextto display the User Account page.
- Select theAccount Typefor which you want to add the account ID.
- Specify the uniqueAccountIDin the text box.This combination of account type and account ID will be used to identify the user in addition to the user name.
- Select theStatusof the user account from the drop-down list.
- If required, expand theAdvanced Attributessection, and do the following:
- Provide attributes for the account ID you are creating.
You can specify up to a maximum of three account ID attributes for any account ID. - ClickAddto add the account ID.
How to Update Account IDs
You cannot change the account ID once it is created. You can only change the status of the user account and add or delete account ID attributes and custom attributes.
To update an account ID:
- Complete Step 1 through Step 7 in Create Account IDs to display the User Account page.
- Select theAccount Typefor which you want to update the account ID information.
- If required, change theStatusof the user account from the drop-down list.
- If required, expand theAdvanced Attributessection, and provide attributes for the account ID you are creating and custom attributes, if any.
- ClickUpdateto save your changes.
How to Delete Account IDs
To delete an account ID:
- Complete Step 1 through Step 7 in Create Account IDs to display the User Account page.
- Select theAccount Typefor which you want to delete the account ID.
- ClickDeleteto delete the account ID.
How to Deactivate an Administrator Account
To prevent an administrator from logging in to their account for security reasons, you can deactivate them instead of deleting them. If you deactivate an administrator, the administrator is locked out of their account, and cannot log in unless the account is re-activated again.
To deactivate an administrative account:
- Ensure that you are logged in with the required privileges to deactivate the administrator.
- Activate theUsers and Administratorstab.
- Under theManage Users and Administratorssection, click theSearch Users and Administratorslink to display the Search Users and Administrators page.
- Enter the partial or complete information of the administrator whose account you want to deactivate and clickSearch.You can also click theAdvanced Searchlink to search forCurrent Usersbased on their status (active or inactive) or their roles (GA, OA, or UA).The Search Results page appears, with all the matches for the specified criteria.
- Select one or more administrators you want to deactivate.
- ClickDeactivateto deactivate the selected administrator.
Privileges Required
To deactivate an administrator, you must ensure that you have the appropriate privileges and scope. The MA can deactivate any administrator, while GAs can deactivate all administrators (including other GAs) in their scope,
except
the MA account. The OAs can deactivate all other OAs and the UAs in their purview, while UAs can only deactivate their peers within their scope.How to Temporarily Deactivate an Administrator
Temporarily deactivating
the administrator differs from deactivating
the administrator (See How to Deactivate an Administrator). When you temporarily deactivate the administrator, the administrator is automatically activated when the end of the lock period is reached. But when you deactivate an administrator, you must manually activate them again whenever you want to provide access to them.To temporarily deactivate an administrator, you must specify the
Start Lock Date
and End Lock Date
for the period that you want the administrator to be locked. When the End Lock Date
is reached, the administrator is automatically activated.To temporarily deactivate an administrator:
- Ensure that you are logged in with the required privileges to deactivate the administrator.
- Activate theUsers and Administratorstab.
- Under theManage Users and Administratorssection, click theSearch Users and Administratorslink to display the Search Users and Administrators page.
- Enter the partial or complete information of the administrator whose account you want to deactivate and clickSearch.You can also click theAdvanced Searchlink to search forCurrent Usersbased on their status (active or inactive) or their roles (GA, OA, or UA).The Search Results page appears, with all the matches for the specified criteria.
- Select one or more administrators you want to deactivate temporarily.
- ClickDeactivate Temporarily.The Deactivate User Temporarily dialog box appears.
- In theStarting Fromsection, select the start lockDateand theTime.
- In theTosection, select the end lockDateand theTime.
- ClickSaveto save your changes.If you do not specify any value for theStarting Fromfields, the account is locked from the current time. If you do not specify an end lockDate, the account is locked forever.
Privileges Required
To temporarily deactivate an administrator, you must ensure that you have the appropriate privileges and scope. The MA can deactivate any administrator, while GAs can deactivate all administrators (including other GAs) in their scope,
except
the MA account. The OAs can deactivate all other OAs and the UAs in their purview, while UAs can only deactivate their peers within their scope.How to Activate an Administrator Account
You might need to activate a deactivated administrator. For example, you might deactivate an administrator if the administrator is on long vacation. This helps prevent unauthorized access to that administrator information.
You cannot search directly for the deactivated administrators by specifying the search criteria and clicking the
Search
button on the Search Users and Administrators page. You must
perform an Advanced Search
for such administrators and use the Inactive
option in the Current Users
section to search.To activate an administrator account:
- Ensure that you are logged in with the required privileges to activate the administrator.
- Activate theUsers and Administratorstab.
- Under theManage Users and Administratorssection, click theSearch Users and Administratorslink to display the Search Users and Administrators page.
- Click theAdvanced Searchlink to search forCurrent Usersbased on their status (active or inactive).The Advanced Search page appears.
- Enter the partial or complete information of the administrator in theUser Detailssection.
- In theUser Statussection, forCurrent Users, select theInactiveandInitialoptions to search for all inactive or initial administrators.
- ClickSearchto display the list of all administrators matching the search criteria.
- Select the administrators you want to activate.
- ClickActivateto activate the administrator.
Privileges Required
To activate an administrator, you must ensure that you have the appropriate privileges and scope. The MA can activate any administrator, while the GAs can activate all administrators (including other GAs) in their scope,
except
the MA. The OAs can activate all other OAs and UAs in their purview, while the UAs can only activate their peers within their scope.How to Delete an Administrator Account
Administrator information in RA includes personal information (first name, middle name, last name, email address, and telephone number), credentials, and accounts. When you delete an administrator from Administration Console, the credential and account information must also be deleted along with the personal information. RA supports the cascaded user deletion feature by which all credential, account, and risk-related information for an administrator is also deleted when the administrator is deleted.
If you create a new administrator with the same name as a previously deleted administrator, then the new administrator
does not
automatically assume the privileges of the previously deleted administrator. If you need to duplicate a deleted administrator, then you must manually re-create all privileges.To delete an administrator account:
- Ensure that you are logged in with the required privileges to delete the administrator.
- Activate theUsers and Administratorstab.
- Under theManage Users and Administratorssection, click theSearch Users and Administratorslink to display the Search Users and Administrators page.
- Enter the partial or complete information of the administrator you want to delete and clickSearch.You can also click theAdvanced Searchlink to search forCurrent Usersbased on their status (active, inactive, or initial) or their roles (GA, OA, or UA).The Search Results page appears, with all the matches for the specified criteria.
- Select one or more administrators you want to delete.
- ClickDelete.Even though you have deleted the administrator, their account information is still maintained in the database.
Privileges Required
To delete an administrator, you must ensure that you have the appropriate privileges and scope. The MA can delete any administrator, while the GAs can delete all administrators (including other GAs) in their scope,
except
the MA account. The OAs can delete all other OAs and UAs in their purview. However, the UAs cannot
delete their peers within their scope.