Can I create a super user Admin?
21 January, 2013
Hi,
I have enabled "Client Organization Functionality" in the configuration.
And what I would like to achieve is to have a Super user Admin account that is not visible to the Client.
Each client should have an admin account to manage its own users but should NEVER be able to make changes to the Super user Admin.
Client admins should never be able to see which Client Organization other Client's belong to
Is this possible to do?
I have enabled "Client Organization Functionality" in the configuration.
And what I would like to achieve is to have a Super user Admin account that is not visible to the Client.
Each client should have an admin account to manage its own users but should NEVER be able to make changes to the Super user Admin.
Client admins should never be able to see which Client Organization other Client's belong to
Is this possible to do?
Hi,
yes, the way to achieve this sort of setup is to create a Sub-Admin role that is not allowed to modify the main Administrator. You will need Yellowfin version 6.1 (post-September 2012 build) or later for this functionality.
As an Administrator go to Role Management and under 'User Administration' tick 'Restrict Visible Roles'. This will mean that this user will have restricted access to roles.
Next go to Configuration and on the Authentication panel, select the roles that a user cannot see. You need to highlight them, click 'select' and then click save. Note: It is not possible to see this when you have the restricted roles tick against your role (from previous step).
Now log in with a user who has the new role which is restricted and the following will be affected:
- User management
-- Only users with roles that you can see will be in the list
-- When adding or editing a user, only roles you can see will be available for selection
- Group management
-- When adding a 'role' to a group, only roles you can see will be available.
I hope that helps you with your Super Admin concept, if there are any further questions or if any issues arise then don't hesitate to contact us. Please let us know how it goes.
Regards,
Dave
yes, the way to achieve this sort of setup is to create a Sub-Admin role that is not allowed to modify the main Administrator. You will need Yellowfin version 6.1 (post-September 2012 build) or later for this functionality.
As an Administrator go to Role Management and under 'User Administration' tick 'Restrict Visible Roles'. This will mean that this user will have restricted access to roles.
Next go to Configuration and on the Authentication panel, select the roles that a user cannot see. You need to highlight them, click 'select' and then click save. Note: It is not possible to see this when you have the restricted roles tick against your role (from previous step).
Now log in with a user who has the new role which is restricted and the following will be affected:
- User management
-- Only users with roles that you can see will be in the list
-- When adding or editing a user, only roles you can see will be available for selection
- Group management
-- When adding a 'role' to a group, only roles you can see will be available.
I hope that helps you with your Super Admin concept, if there are any further questions or if any issues arise then don't hesitate to contact us. Please let us know how it goes.
Regards,
Dave
Hi Dave,
I have done as per your instructions and it's what I wanted to achieve, thanks for that.
However, I have given the client User Management access as well and noticed that the client would be able to change the Super Admin password.
How do I disable that?
I have done as per your instructions and it's what I wanted to achieve, thanks for that.
However, I have given the client User Management access as well and noticed that the client would be able to change the Super Admin password.
How do I disable that?
Another thing I noticed is that I can create a new Admin account although I'm logged in as a Client.
What I am trying to achieve is to let the Client manage their own users while maintaining my own Super Admin account at the same time.
The Clients should not be able to change my password or add a new Admin account
I hope that is do-able?
What I am trying to achieve is to let the Client manage their own users while maintaining my own Super Admin account at the same time.
The Clients should not be able to change my password or add a new Admin account
I hope that is do-able?
Hi,
I think we must have done something differently because I have not been able to reproduce those issues.
The way I set things up was like this, I created a new Role called SubAdmin, this was a copy of the Admin role but with the Restricted Visible Role turned on and the Admin role selected as the restricted role.
1) This new SubAdmin role had User Management turned on:
2) Here is a screenshot from the Administrator's perspective of all of the users from ClientOrg1:
3) Then here are the users that the new SubAdmin (i.e. user3) is allowed to see in ClientOrg1. Note that the Administrator is not visible, therefore his/her password can't be modified by the SubAdmin:
4) Here is a screenshot of the SubAdmin logged into ClientOrg1 in the User Management screen, note how the role of Admin is not available to the SubAdmin when creating a new account:
I wonder if you might perhaps try this way of setting things up, i.e. copy the Admin role and call it SubAdmin, then Restrict the Visible Role of Admin from the SubAdmin, hopefully it will work for you as it did for me.
Otherwise if it doesn't, then could you please carefully outline the steps you have done so that we can reproduce them over here. Or if I have misunderstood something could you please tell me what it is.
Regards,
Dave
I think we must have done something differently because I have not been able to reproduce those issues.
The way I set things up was like this, I created a new Role called SubAdmin, this was a copy of the Admin role but with the Restricted Visible Role turned on and the Admin role selected as the restricted role.
1) This new SubAdmin role had User Management turned on:
2) Here is a screenshot from the Administrator's perspective of all of the users from ClientOrg1:
3) Then here are the users that the new SubAdmin (i.e. user3) is allowed to see in ClientOrg1. Note that the Administrator is not visible, therefore his/her password can't be modified by the SubAdmin:
4) Here is a screenshot of the SubAdmin logged into ClientOrg1 in the User Management screen, note how the role of Admin is not available to the SubAdmin when creating a new account:
I wonder if you might perhaps try this way of setting things up, i.e. copy the Admin role and call it SubAdmin, then Restrict the Visible Role of Admin from the SubAdmin, hopefully it will work for you as it did for me.
Otherwise if it doesn't, then could you please carefully outline the steps you have done so that we can reproduce them over here. Or if I have misunderstood something could you please tell me what it is.
Regards,
Dave
Thanks Dave, that really helped alot
I have another question about the Reports
Using the super-admin, I created some reports for Client A
Then, I logged out and logged in as sub-admin of Client B but I can see the reports I created for Client A
I want Client B to see only reports created for them, the other reports should be not visible to them
Can I do that?
I tried using the Groups but it doesn't seem to do the trick
Please advise
Thanks
I have another question about the Reports
Using the super-admin, I created some reports for Client A
Then, I logged out and logged in as sub-admin of Client B but I can see the reports I created for Client A
I want Client B to see only reports created for them, the other reports should be not visible to them
Can I do that?
I tried using the Groups but it doesn't seem to do the trick
Please advise
Thanks
Hi,
that's great - I'm glad it helped!
Regarding your new question, the situation you have described can't happen unless Client A is the Default Org, in which case that is the way the Client Organisation hierarchy has been designed in Yellowfin. In other words, if you don't want Clients A & B to be able to see each other's reports then make sure that neither of them are the Default Org.
Here is a link to our Wiki page on Client Orgs, that should help you to understand the architecture better.
If you have any further questions after reading that page then please don't hesitate to contact us.
Regards,
Dave
that's great - I'm glad it helped!
Regarding your new question, the situation you have described can't happen unless Client A is the Default Org, in which case that is the way the Client Organisation hierarchy has been designed in Yellowfin. In other words, if you don't want Clients A & B to be able to see each other's reports then make sure that neither of them are the Default Org.
Here is a link to our Wiki page on Client Orgs, that should help you to understand the architecture better.
If you have any further questions after reading that page then please don't hesitate to contact us.
Regards,
Dave
Hi all,
Just an update for YF7 users (post 2013December Builds), "Restricted Roles" is now located under Administration>Configuration>System>General Settings.
To 'Restrict Visible Roles' this is still done within Administration>Admin Console>Roles>(Select the role you wish to apply 'Restrict Visible Roles'), but to select the roles you wish to restrict now head to Administration>Configuration>System>General Settings instead of Administration>Configuration>Authentication.
Kind Regards,
Katie
Just an update for YF7 users (post 2013December Builds), "Restricted Roles" is now located under Administration>Configuration>System>General Settings.
To 'Restrict Visible Roles' this is still done within Administration>Admin Console>Roles>(Select the role you wish to apply 'Restrict Visible Roles'), but to select the roles you wish to restrict now head to Administration>Configuration>System>General Settings instead of Administration>Configuration>Authentication.
Kind Regards,
Katie