User Administrator Feature

There are scenarios where it is advantageous to have a user with limited administrative capabilities in Issuetrak, without needing to take up an agent license to do so. Beginning with Issuetrak 11.2, it is possible to give permission to an end-user account for the limited administration of other users within their organization. When a user is provided with this permission, we then refer to them as a User Administrator or User Admin. The User Administrator is capable of limited provisioning of new and existing users in Issuetrak.

In summary, a User Administrator:

  • Does not take up an Agent license
  • Has the ability to create non-AD user accounts within their own organization memberships, add them to groups, and set their password
  • Is limited to viewing and editing End User accounts that have primary membership in common with the User Admin's own organization memberships
  • Does not have the ability to edit or set user permissions directly, but can grant group membership

Necessary Permissions

The only necessary permission to make an account into a User Admin is Can access and maintain users in this user's Organizations.

However, there are two permissions that the account cannot have if they are a User Admin:

  • Allowed Read Only access to Administration information
  • Can access and maintain Administration functions

If either of the above permissions is selected for a user that already has the Can access and maintain users in this user's Organizations permission, then Issuetrak will warn that the permissions are mutually exclusive.

Abilities

User Admins can perform the following actions on users within their own organization:

  • Edit user data within their own organization memberships
  • Manage membership for group types of Any within their own organization
  • Clone user accounts
  • Set and change passwords for end-users in their organization
  • Create new End User accounts
  • View user permissions
  • View user type
  • Create user administrators via group membership
  • Configure MFA methods

Limitations

User Admins cannot:

  • Search AD
  • Clone AD-authenticated users
  • Change whether users are authenticated via AD
  • Clone, grant, or edit user permissions
  • Delete users
  • Change user types
  • Edit a Sys Admin or users with Can access and maintain Administration functions permission
  • Add a user to a group outside their organization
  • View users outside of their own organization
  • Close user sessions

Additional Limitations

  • All users created by a User Admin will have the No AD Authentication checkbox (pre-11.13 releases) or Issuetrak Authentication (11.13 and later) dropdown set on their account.
  • User Admins will only be able to add users to groups that already belong to the same organizations that the User Admin is a part of.
  • Although User Admins will have access to the Settings Lightbox, they will only have access to Users beneath Entities.
  • After clicking on the Users item from the Settings Lightbox, the items List All, Add, and Search will appear in the right context menu.
  • When viewed by a User Admin, the User Summary page will be filtered to display only those users that have membership in their Organization.
  • The Subscriptions link is not shown on the User View screen.
  • The Email to User List and Email Survey Invitations User List options will not be present on the User Search screen.
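
Because a User Admin cannot set permissions directly but can grant group membership, and because the User Admin permission is mutually exclusive with the two Administration permissions, it is worth reviewing what the groups in each organization actually confer. The following Python audit is an added example, not Issuetrak code: it runs over a constructed export whose field names, group names, user names and placeholder permissions are assumptions, and it assumes a group is in scope when it shares at least one organization with the User Admin.

```python
# Added audit sketch. Field names and sample data are constructed, not Issuetrak's schema.
USER_ADMIN = "Can access and maintain users in this user's Organizations"
ADMIN_PERMS = {
    "Allowed Read Only access to Administration information",
    "Can access and maintain Administration functions",
}

# Constructed export: each group has organizations, a group type and permissions.
GROUPS = {
    "Acme Leads": {"orgs": {"Acme"}, "type": "Any", "perms": {USER_ADMIN}},
    "Acme Staff": {"orgs": {"Acme"}, "type": "Any", "perms": {"placeholder-permission"}},
    "Acme Other": {"orgs": {"Acme"}, "type": "Other", "perms": {"placeholder-other"}},
    "Globex Ops": {"orgs": {"Globex"}, "type": "Any", "perms": set(ADMIN_PERMS)},
}
USERS = {
    "alice": {"orgs": {"Acme"}, "perms": {USER_ADMIN}, "groups": set()},
    "bob": {"orgs": {"Acme"}, "perms": set(), "groups": {"Acme Leads"}},
    "carol": {"orgs": {"Globex"}, "perms": {USER_ADMIN}, "groups": {"Globex Ops"}},
    "dave": {"orgs": {"Acme"}, "perms": set(), "groups": {"Acme Staff"}},
}

def effective_perms(name):
    """Direct permissions plus everything inherited from group membership."""
    user = USERS[name]
    inherited = set().union(*(GROUPS[g]["perms"] for g in user["groups"]))
    return user["perms"] | inherited

def user_admins():
    """Accounts holding the User Admin permission, directly or via a group."""
    return sorted(n for n in USERS if USER_ADMIN in effective_perms(n))

def exclusivity_conflicts():
    """User Admins whose effective set also contains an Administration permission."""
    return {n: sorted(effective_perms(n) & ADMIN_PERMS)
            for n in user_admins() if effective_perms(n) & ADMIN_PERMS}

def delegable_perms(name):
    """Permissions a User Admin can confer indirectly by adding users to
    groups of type Any that share one of the admin's organizations."""
    orgs = USERS[name]["orgs"]
    return {g: sorted(d["perms"]) for g, d in GROUPS.items()
            if d["type"] == "Any" and d["orgs"] & orgs}

if __name__ == "__main__":
    print("User Admins:", user_admins())
    print("Conflicts:", exclusivity_conflicts())
    for admin in user_admins():
        print(admin, "can delegate:", delegable_perms(admin))
```

Any group that appears in the delegation output with the User Admin permission marks a path by which one User Admin can create another, so its membership deserves the same review as a direct permission grant.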

Legacy Upgrade Considerations

Customers running Issuetrak 9.9.6 or older and using the Organization Administrator feature can run a SQL script to export a list of their existing OrgAdmin users prior to upgrading. This list of users is temporarily stored in a table in the Issuetrak database that is left untouched by the intermediate 10.x - 11.1 upgrades. The 11.2+ deployment tools have an import process that checks for this table, grants the listed users the User Administrator permission, and subsequently deletes the table.