User Administrator Feature

Introduction

There are scenarios where it is advantageous to have a user with limited administrative capabilities in Issuetrak, without needing to take up an agent license to do so. Beginning with Issuetrak 11.2, it is possible to give an end user account permission for limited administration of other users within their organization. A user who has been given this permission is referred to as a “User Administrator” or “User Admin”. The User Administrator is capable of limited provisioning of new and existing users in Issuetrak.

In summary, a User Administrator:

  • Does not take up an Agent license
  • Has the ability to create non-AD user accounts within their own organization (and Additional Organizations), add them to groups, and set their password
  • Is limited to viewing and editing End User accounts within their own organization (and Additional Organizations)
  • Does not have the ability to edit or set user permissions directly, but can grant group membership

Necessary Permissions

The only necessary permission to make an account into a User Admin is Can access and maintain users in this user's Organization and its "Additional Organizations".

However, there are two permissions that the account cannot have if it is a User Admin:

  • Allowed Read Only access to Administration information
  • Can access and maintain Administration functions

If either of the above permissions is selected for a user that already has the Can access and maintain users in this user's Organization and its "Additional Organizations" permission, then Issuetrak will warn that the permissions are mutually exclusive.

Abilities

User Admins can perform the following actions on users within their own organization:

  • Edit user data within their own organization (and its Additional Organizations list, regardless of Read Only, View Users, or Internal Issues Only options)
  • Manage membership for group types of “Any” within their own organization
  • Clone user accounts
  • Set and change passwords for end users in their organization
  • Create new End User accounts
  • View user permissions 
  • View user type
  • Create user administrators via group membership

Limitations

User admins cannot:

  • Search AD
  • Clone AD-authenticated users
  • Change whether users are authenticated via AD
  • Clone, grant or edit user permissions
  • Delete users
  • Change user types
  • Edit a Sys Admin or users with Can access and maintain Administration functions permission
  • Add a user to a group outside their organization
  • View users outside of their own organization or its allowed organizations.
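
Because a User Admin can create further User Admins through group membership, a periodic review of who holds the permission, and by which route, is worth having. The following is an added example, not Issuetrak code: the record layout, field names and sample data are constructed for illustration and do not reflect Issuetrak's actual schema or export format.

```python
# Added example, not Issuetrak code. Record layout and sample data are constructed.
USER_ADMIN = ("Can access and maintain users in this user's Organization "
              'and its "Additional Organizations"')
EXCLUSIVE = {  # the two permissions the page says a User Admin cannot also hold
    "Allowed Read Only access to Administration information",
    "Can access and maintain Administration functions",
}

GROUPS = {  # constructed sample groups
    "HR Leads": {"org": "Acme", "type": "Any", "permissions": {USER_ADMIN}},
    "Auditors": {"org": "Acme", "type": "Any",
                 "permissions": {"Allowed Read Only access to Administration information"}},
    "Globex Leads": {"org": "Globex", "type": "Any", "permissions": {USER_ADMIN}},
}
USERS = [  # constructed sample users
    {"id": "alice", "direct": {USER_ADMIN}, "groups": []},
    {"id": "bob", "direct": set(), "groups": ["HR Leads"]},
    {"id": "carol", "direct": set(), "groups": ["HR Leads", "Auditors"]},
    {"id": "dave", "direct": set(), "groups": []},
]

def effective_permissions(user, groups):
    """Union of permissions set on the account and those carried by its groups."""
    perms = set(user["direct"])
    for name in user["groups"]:
        perms |= groups[name]["permissions"]
    return perms

def audit(users, groups):
    """List every effective User Admin, how the permission arrived, and any conflict."""
    findings = []
    for u in users:
        perms = effective_permissions(u, groups)
        if USER_ADMIN not in perms:
            continue
        findings.append({
            "id": u["id"],
            "source": "direct" if USER_ADMIN in u["direct"] else "group",
            "granting_groups": sorted(g for g in u["groups"]
                                      if USER_ADMIN in groups[g]["permissions"]),
            "conflicts": sorted(perms & EXCLUSIVE),  # review these accounts first
        })
    return findings

def delegable_groups(admin_orgs, groups):
    """Groups of type "Any" in the admin's organizations that carry USER_ADMIN,
    i.e. the memberships through which a User Admin can create another one."""
    return sorted(n for n, g in groups.items() if g["type"] == "Any"
                  and g["org"] in admin_orgs and USER_ADMIN in g["permissions"])
```

Here `admin_orgs` stands for the User Admin's own organization plus its Additional Organizations.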

Additional Limitations

  • All users created by a User Admin will have No AD Authentication set on their account.
  • User Admins will only be able to add users to groups that already belong to the same organization (and its allowed organizations) that the User Admin is a part of.
  • Although User Admins will have an “Administration” menu, it will contain only the “Users” sub-menu.
  • After clicking on the "Users" item from the Administration menu dropdown, the items “List All”, “Add”, and “Search” will appear along the left-hand side.
  • When viewed by a User Admin, the "User Summary" page will be filtered to display only those users that have membership in their Organization (and its Additional Organizations).
  • The "Email Distribution Lists" link is not shown on the "User View" screen.
  • The "Email to User List" and "Email Survey Invitations User List" options won't be present on the User Search screen.

Legacy Upgrade Considerations

Customers running Issuetrak 9.9.6 or older and using the Organization Administrator feature can run a SQL script to export a list of their existing OrgAdmin users prior to upgrading. This list of users is temporarily stored in a table in the Issuetrak database that is left untouched by the intermediate 10.x - 11.1 upgrades. The 11.2 deployment tools have an import process that checks for this table, grants the listed users the User Administrator permission, and subsequently deletes the table.