Restricted User Administrator


This user can manage users and roles in a given application.
This user type can also manage users and roles of the applications for which the user is a member of the ‘Membership Manager’ role.

  • The Restricted User Administrator will be assigned the restricted user administrator permission set by default.
  • The Restricted User Administrator will be assigned the following permissions by default:

| Description | Remarks |
|---|---|
| Audit and Reporting\Can Generate Documentation | This permission gives you the right to generate documentation. |
| Audit and Reporting\Can Read Event Log | This permission gives you the right to read an Event Log. |
| Groups\Can Create Group | This permission gives you the right to create a group. |
| Groups\Can Delete Group | This permission gives you the right to delete a group. |
| Groups\Can Read Group | This permission gives you the right to read a group. |
| Groups\Can Update Group | This permission gives you the right to update a group. |
| Roles\Can Create Application Role | This permission gives you the right to create an application role. |
| Roles\Can Create Shared Role | This permission gives you the right to create a shared role. |
| Roles\Can Delete Application Role | This permission gives you the right to delete an application role. |
| Roles\Can Delete Shared Role | This permission gives you the right to delete a shared role. |
| Roles\Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups. |
| Roles\Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users. |
| Roles\Can Grant Revoke Shared Roles To Groups | This permission gives you the right to grant or revoke shared roles to groups. |
| Roles\Can Grant Revoke Shared Roles To Users | This permission gives you the right to grant or revoke shared roles to users. |
| Roles\Can Read Application Role | This permission gives you the right to read an application role. |
| Roles\Can Read Shared Role | This permission gives you the right to read a shared role. |
| Roles\Can Read System Role | This permission gives you the right to read a system role. |
| Roles\Can Update Application Role | This permission gives you the right to update an application role. |
| Roles\Can Update Shared Role | This permission gives you the right to update a shared role. |
| Users\Can Approve Pending Users | This permission gives you the right to approve or deny users. |
| Users\Can Assign Remove Users To Groups | This permission gives you the right to assign users to or remove users from the group. |
| Users\Can Create User | This permission gives you the right to create a user. |
| Users\Can Delete User | This permission gives you the right to delete a user. |
| Users\Can Lock Unlock User | This permission gives you the right to lock or unlock a user. |
| Users\Can Read User | This permission gives you the right to read a user. |
| Users\Can Update User | This permission gives you the right to update a user. |

  • To explore the impact of permissions please click on the relevant link below:

 

Impact of Restricted User Administrator Role on Audit and Reporting

This module explains the impact on audit and reporting if the user has been granted the Restricted User Administrator Role.

  • The user will be assigned the following permissions:

| Description | Remarks |
|---|---|
| Can Generate Documentation | This permission gives you the right to generate documentation. |
| Can Read Event Log | This permission gives you the right to read an Event Log. |

  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has the Can Generate Documentation permission, he can use the Generate Documentation option to generate the documentation for the available entities.
  • The Can Read Event Log permission allows access to the event log as shown below:

Impact of Restricted User Administrator Role on Groups

This module explains the impact on the groups if the user has been granted a Restricted User Administrator Role.

  • The user will be assigned the following permissions:

| Description | Remarks |
|---|---|
| Can Create Group | This permission gives you the right to create a group. |
| Can Delete Group | This permission gives you the right to delete a group. |
| Can Read Group | This permission gives you the right to read a group. |
| Can Update Group | This permission gives you the right to update a group. |

  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • Since the user has the Can Read Group permission, the user will be able to view the group that has been assigned to him.
  • The parent groups of the assigned group will also be displayed.
  • The list of available privileges is determined automatically from the user's privileges and the assigned group's privileges.
  • The Can Create Group privilege allows the user to create a group. This option will be available only if the user has been assigned to a group.
  • The new group will be listed under the Parent Group. The user can view group details by clicking on the group name.
  • Since the user has the Can Delete Group and Can Update Group privileges, he can remove or update group-related details.

Impact of Restricted User Administrator Role on Roles

This module explains the impact on the roles if the user has been granted a Restricted User Administrator Role.

The user will be allowed to manage only those applications for which the user is a member of the ‘Membership Manager’ role.

  • The user will be assigned the following permissions:

| Description | Remarks |
|---|---|
| Can Create Application Role | This permission gives you the right to create an application role. |
| Can Create Shared Role | This permission gives you the right to create a shared role. |
| Can Delete Application Role | This permission gives you the right to delete an application role. |
| Can Delete Shared Role | This permission gives you the right to delete a shared role. |
| Can Grant Revoke Application Roles To Groups | This permission gives you the right to grant or revoke application roles to groups. |
| Can Grant Revoke Application Roles To Users | This permission gives you the right to grant or revoke application roles to users. |
| Can Grant Revoke Shared Roles To Groups | This permission gives you the right to grant or revoke shared roles to groups. |
| Can Grant Revoke Shared Roles To Users | This permission gives you the right to grant or revoke shared roles to users. |
| Can Read Application Role | This permission gives you the right to read an application role. |
| Can Read Shared Role | This permission gives you the right to read a shared role. |
| Can Update Application Role | This permission gives you the right to update an application role. |
| Can Update Shared Role | This permission gives you the right to update a shared role. |

  • When the user logs in using the assigned mode of authentication, the following screen will be displayed:
  • The user will be able to view the list of all the applications (A).
  • The user can create a new role under an application (for which he has the “Membership Manager” role), since the user has the Can Create Application Role privilege.
  • The new role will be listed under the Application > Roles option. The user can view the role details by clicking on the role name as shown below:
  • Since the user has the Can Read Application Role and Can Update Application Role privileges, the user can view and update role details by clicking on Application > Role > Rolename.
  • Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege, the user can grant roles to or revoke roles from users using the options “Grant role to users” and “Revoke role from users” available under the “Granted User” tab.

Please note: You can also grant or revoke a user's roles through the Users > Username > Roles > Edit Roles option.

  • Grant role to users: When you select the “Grant role to users” option, a screen is displayed for selecting the users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, the message below will appear:

  • Revoke role from users: When you select the “Revoke role from users” option, you will be asked for confirmation, as shown below:

Once confirmed by clicking “Yes”, the role will be successfully revoked and the message below will appear:

  • The user can also grant the new role to groups, since the user has the Can Grant Revoke Application Roles To Groups privilege.
  • The new role will be listed under the application; the user can select it and grant the role.
  • The user can delete the application role since he has the Can Delete Application Role privilege.
  • Additionally, the Restricted User Administrator can manage Shared Roles.
  • The Can Create Shared Role privilege allows the user to create a new Shared Role.
  • The new role will be listed under the Shared Roles option. The user can view the role details by clicking on the role name as shown below:
  • Because the user has the Can Read Shared Role and Can Update Shared Role privileges, the role details will be displayed in editable mode.
  • Since the user has also been granted the Can Grant Revoke Shared Roles To Users privilege, the user can edit the granted users option.
  • The user can select and edit the members for the selected role.
  • The user can grant the shared role to groups, since he has the Can Grant Revoke Shared Roles To Groups privilege.
  • The user can assign the shared role to the group.
  • The user can delete the shared role since he has the Can Delete Shared Role privilege.
  • The Restricted User Administrator can also view the system roles in read-only mode because of the Can Read System Role privilege.

 
Impact of Restricted User Administrator Role on Users

This module explains the impact on the users if the user has been granted a Restricted User Administrator Role.

  • The user will be assigned the following permissions:

| Description | Remarks |
|---|---|
| Can Create User | This permission gives you the right to create a user. |
| Can Delete User | This permission gives you the right to delete a user. |
| Can Lock Unlock User | This permission gives you the right to lock or unlock a user. |
| Can Read User | This permission gives you the right to read a user. |
| Can Update User | This permission gives you the right to update a user. |

  • When the user logs in using the assigned mode of authentication, the following screen will be displayed.
  • The user will be able to view the list of all the applications (A).
  • The user can create a new user because of the Can Create User privilege.
  • The user can create a user only under the groups assigned to him.
  • When the user clicks on the new user option, the following screen will be displayed.
  • When the user clicks “OK”, the new user account will be created and will be displayed in the grid on the right side.
  • The user can view the user details by clicking on the user name as shown below:
  • Since the user has the Can Read User and Can Update User privileges, the user will be able to update the user details.
  • The Restricted User Administrator can delete the user, since he has the Can Delete User privilege.
  • Additionally, the Restricted User Administrator can lock or unlock user accounts because of the Can Lock Unlock User permission assigned to him.
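
The scoping rules described on this page (application roles limited to applications where the administrator is a ‘Membership Manager’, user creation limited to assigned groups, system roles read-only) can be modelled as a deny-by-default check for reviewing a delegation design. This is an added example, not the product's code: the `Admin` class, the `is_allowed` and `evaluate` functions, the application and group names, and the "Can Update System Role" request are hypothetical, and group inheritance is not modelled.

```python
from dataclasses import dataclass, field

# Application-role permissions from the page; assumed here to apply only in
# applications where the administrator is a 'Membership Manager'.
APP_ROLE_PERMS = {
    "Can Create Application Role", "Can Delete Application Role",
    "Can Read Application Role", "Can Update Application Role",
    "Can Grant Revoke Application Roles To Groups",
    "Can Grant Revoke Application Roles To Users",
}

@dataclass
class Admin:  # hypothetical model of a Restricted User Administrator
    permissions: set
    membership_manager_of: set = field(default_factory=set)  # application names
    assigned_groups: set = field(default_factory=set)

def is_allowed(admin, permission, application=None, group=None):
    """Deny-by-default decision for one action; returns (allowed, reason)."""
    if permission not in admin.permissions:
        return False, "permission not in assigned set"
    if permission in APP_ROLE_PERMS and application not in admin.membership_manager_of:
        return False, "not Membership Manager of application"
    if permission == "Can Create Group" and not admin.assigned_groups:
        return False, "administrator is not assigned to a group"
    if permission == "Can Create User" and group not in admin.assigned_groups:
        return False, "group not assigned to administrator"
    return True, "allowed"

# Constructed sample data: application and group names are invented.
admin = Admin(
    permissions=APP_ROLE_PERMS | {"Can Create User", "Can Create Group",
                                  "Can Read System Role"},
    membership_manager_of={"HR Portal"},
    assigned_groups={"Sales"},
)
REQUESTS = [
    ("Can Create Application Role", "HR Portal", None),
    ("Can Create Application Role", "Billing", None),
    ("Can Create User", None, "Sales"),
    ("Can Create User", None, "Finance"),
    ("Can Update System Role", None, None),  # hypothetical name, not in the set
]

def evaluate(requests=REQUESTS):
    return [is_allowed(admin, p, application=a, group=g) for p, a, g in requests]

if __name__ == "__main__":
    for req, (ok, why) in zip(REQUESTS, evaluate()):
        print(req, "->", "ALLOW" if ok else "DENY", f"({why})")
```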
