Roles And Privileges

Allows you to view and assign privileges to user account roles. Portal utilizes role-based access control (RBAC), also known as a role-based security system, to restrict access to authorized users. All of the resources in Portal are protected by privileges, so that only users with the correct privileges are granted access to specified resources.

The relationship between users, roles and privileges is shown below. One user can have multiple roles, and one role can have multiple privileges.

In addition, within Portal, roles have a hierarchy structure, which is also referred to as role dependency. In this structure, the parent role has all of the privileges of the child roles, and the parent role can assign child roles to new users.

This structure means that some roles must be combined to give a user more access than each role provides separately. For example, to create a new user, a role must have the User Management privilege (PRIVILEGE_USER_MANAGEMENT_RW). The SaaS Client Manager role can add new users because it has the User Management privilege. The SaaS Client Manager role also has nine child roles that it can assign. However, the SaaS Client Report Administrator role cannot add new users, because it does not have the User Management privilege.

If the user has both SaaS Client Manager and SaaS Client Report Administrator roles, then this user will inherit the User Management privilege from the SaaS Client Manager role. This means that the user can create a new user, and this user will also inherit all of the child roles from the parent role.

Note: See List of user roles for a complete list of roles and their associated privileges and permissions.

Restrictions on assigning roles to other users

The hierarchy of roles also has an impact on the ability to add and remove roles from other users. A parent role gives the user the ability to add or remove child roles for that parent role. If a user is assigned multiple parent roles, the user will have the ability to add or remove child roles for all the assigned parent roles.

Consider an example:

  • SaaS Client Agent is a child role of the SaaS Client Manager role.

  • User A has the SaaS Client Manager role, giving her permission to add and remove the SaaS Client Agent role from other users.

  • User B has the SaaS Client Agent role. User A has permission to remove that role from User B.

  • User C has the SaaS Client Agent and SaaS Client Report Administrator roles. User A has permission to remove only the SaaS Client Agent role from User C. She cannot remove the SaaS Client Report Administrator role. This role would show as disabled to User A.

  • If User A had the SaaS Client Administrator role, then she would be able to remove the SaaS Client Report Administrator role as well.

For details about these roles, see List of managing roles and their child roles.
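
The role-removal example above, together with the earlier User Management case, modelled as an added Python example (not Portal's own code). The hierarchy holds only the relationships this page states; that SaaS Client Administrator manages SaaS Client Report Administrator is inferred from the last bullet, and all function names are hypothetical.

```python
# Constructed, partial model: only relationships stated on this page.
CHILD_ROLES = {
    "SaaS Client Manager": {"SaaS Client Agent"},
    # Assumption inferred from the last bullet of the example above.
    "SaaS Client Administrator": {"SaaS Client Report Administrator"},
}
DIRECT_PRIVILEGES = {"SaaS Client Manager": {"PRIVILEGE_USER_MANAGEMENT_RW"}}


def effective_privileges(roles):
    """Privileges of each held role plus its child roles (nesting assumed)."""
    privileges, seen, stack = set(), set(), list(roles)
    while stack:
        role = stack.pop()
        if role in seen:  # guard against a cyclic role definition
            continue
        seen.add(role)
        privileges |= DIRECT_PRIVILEGES.get(role, set())
        stack.extend(CHILD_ROLES.get(role, ()))
    return privileges


def manageable_roles(actor_roles):
    """Child roles the actor may add or remove: union over held parent roles."""
    return set().union(*(CHILD_ROLES.get(r, set()) for r in actor_roles))


def role_editor_view(actor_roles, target_roles):
    """Map each target role to True (removable) or False (shown disabled)."""
    allowed = manageable_roles(actor_roles)
    return {role: role in allowed for role in target_roles}


def remove_roles(actor_roles, target_roles, requested):
    """Apply the same rule to the request itself, not only to the display."""
    requested = set(requested)
    denied = requested - manageable_roles(actor_roles)
    if denied:
        raise PermissionError(f"cannot remove: {sorted(denied)}")
    return set(target_roles) - requested


if __name__ == "__main__":
    user_a = {"SaaS Client Manager"}
    user_c = {"SaaS Client Agent", "SaaS Client Report Administrator"}
    print(role_editor_view(user_a, user_c))
    print(remove_roles(user_a, user_c, {"SaaS Client Agent"}))
```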

Restrictions on changing another user's password

This hierarchical roles system also restricts the changing of passwords. To change another user's password, an acting user must be assigned all the roles and sites that manage the roles and sites assigned to the target user. This is a security measure designed to prevent the acting user from gaining access to roles and sites that are not assigned to them.

In addition, the password reset privilege is assigned only to the following roles. This list does not include internal-only roles.

  • Account Manager

  • Partner Administrator

  • Partner Manager

  • SaaS Client Administrator

  • SaaS Client Manager

  • SaaS Client Manager (Limited)

  • SaaS Client User Reset

List of managing roles and their child roles

This is the list of roles that have permissions to assign roles (child roles) to other users. This list does not include internal-only roles.