Delegated Administration
EFT allows you to assign sub administrator accounts that have a very specific subset of permissions for managing EFT, COM, Site(s), Settings Templates, user accounts, user passwords, and reports. Permissions are assigned to sub-administrators via a series of controls on the server's Administration tab.
For example, suppose you want to give your help-desk people the ability to create user accounts on EFT, but you are worried that the help-desk might accidentally make changes to EFT in the process of creating these accounts. Furthermore, you do not want the help desk people to manage user accounts that belong to the engineering and marketing groups. Delegated administration allows you to create one or more sub-administrator accounts that have access ONLY to user accounts management. Using templates to house marketing, engineering, and other department accounts, you can further limit the sub-administrators to only those accounts for departments that they are authorized to manage. Also, each of the sub accounts can be allowed or denied access to COM and/or Auditing and Reporting.
All administrator accounts are treated equally with respect to password expiration, reset, and removal of inactive accounts.
If you change the Event Rule permissions (such as whether a user can read from, write to, or execute a rule) for an administrator when they are logged in to the administration interface, the account user will have to log out and then log back in to effect the changes.
(See also Optional Permissions for administrator.)
The available sub administrator account types include:
-
Server administrator - Can create, modify, or remove administrator accounts, and can manage Sites, Settings Templates, and user accounts.
-
Site administrator - Can manage everything for a specific Site and the Settings Templates on the Site, and can change user passwords, but does not have control over EFT. The Site administrator cannot click the Server node nor access any of the node's tabs; stop/start the Globalscape Server service from within the administration interface; create, remove, or rename Sites, Servers, or Server Groups; access or modify EFT global or applet settings; close the Server engine; or stop/start any Site other than those assigned to the Site administrator.
-
Event Rule administrator - Similar to Site administrator, but more restrictive. Cannot manage Groups, Settings Templates, Transfer Activity, or Gateway tab. The Event Rule administrator can view and manipulate within Event Rules the VFS, HA nodes for load balancing, address book, OpenPGP keys, Report names, users, Settings Template names, Group names, Backup, Content Integrity profile names, AS2 profile names, calendar names, Email Actions, context variables. The Event Rule administrator must be given explicit permission to manage Event Rules and Connection Profiles; the default is all permissions.
-
Template Settings administrator - full control over the accounts assigned to that Settings Template, including the ability to view, add, remove, and modify user accounts, and group assignment; can change all Settings Template settings, except for the VFS root path for assigned Settings Templates; can see the entire VFS tree, but can only modify the parts of the VFS that belong to root folders that belong to the Settings Template to which the account is assigned; can access the General tab on EFT to view statistics; can kick and monitor users.
They cannot access the Reports tab unless specifically allowed; cannot select the Site, Server, or Server Group nodes, nor view the corresponding tabs; cannot access Server settings, nor any Settings Template not assigned to their account. They can access the OpenPGP, SFTP, and SSL key manager, and create, import, export, and add keys and certificates. They cannot delete keys or certificates.
-
A Template Settings administrator is not permitted to change the Settings Template home (root) folder that was assigned by the Site or Server administrator.
-
A Template Settings administrator is not permitted to change the value of the "Treat home folder as user's default root folder" setting.
-
When creating or modifying users, the Template Settings administrator cannot browse or manually designate paths relative to the Settings Template root folder.
-
A Template Settings administrator can delete users and, consequently, the user’s home and sub-folders, as long as the user belongs to a template assigned to that administrator, and that user’s root folder is subordinate to the Settings Template root folder.
-
User administrator - Has all the privileges of the Change Password administrator, but can also create new users. The User administrator is not allowed to see or edit users' settings or Template settings, and is limited to change password, disable user, or create more users. User administrators can unlock user accounts.
-
Change Passwords administrator - Can enable/disable users and change passwords for users in their specified Settings Template(s), but cannot add nor remove users, manage other Settings Template(s), manage Sites, nor control EFT. When a Change User Password administrator logs in to EFT, only the view below is available.
Related Topics