Making Use of the User Administrator

Introduction

The introduction of the User Administrator feature in Issuetrak 11.2 allows you to designate end user accounts that will have limited governance over other end user accounts within the same Organization (and its Allowed Organizations).  One of the limitations of the User Administrator is that it cannot edit or set permissions on user accounts, and is instead reliant on the use of pre-configured Groups to provide permissions to users.  It is necessary for Issuetrak sysadmins to collaborate with end users that will be acting as User Administrators in order to ensure that the Issuetrak instance is configured for them to be effective at managing users and make sure their needs are met.

Example Scenario and Setup

Let's put together a use scenario to show how the User Administrator feature can be used.  

In this scenario, one Issuetrak site is shared between two Organizations that we'll call Org1 and Org2.  

Each Organization has end users that will need different combinations of the following permissions:

  • Can view and add Private Notes in Issues
  • Can add, edit and delete Knowledge Base articles

User Administrators can only use Groups to manage permissions.  Additionally, each Group can only be associated with one Organization.  In this simple scenario, each Group will only grant one permission to allow for granularity (although it is possible to have a Group grant as many permissions as needed).  

It is helpful to have Groups with descriptive labels that will allow a User Administrator to easily infer what Organization and permission the Group is for.  A Group for the Support Organization that provides the "Can view and add Private Notes in Issues" permission could be called "Org1 Private Notes".  The table below displays easy-to-identify Group labels that can be used in this scenario to show the Organizations and permissions that they are associated with.  

Org1 Org2
Can view and add Private Notes in Issues Org1 Private Notes Org2 Private Notes
Can add, edit and delete Knowledge Base articles Org1 KB Editors Org2 KB Editors

If an Issuetrak site is configured according to the table above, then:

  • A User Administrator in Org1 will be able to add users to the groups with "Org1" in their name, but not those prefixed with "Org2".  
  • A User Administrator in Org2 will be able to add users to the groups with "Org2" in their name, but not those prefixed with "Org1". 

Note that all of these Groups must be configured before a User Administrator can be effective at managing permissions.  

Multiple User Administrators

As mentioned above, Groups can only be associated with one Organization.  This also applies to user accounts in Issuetrak, and by extension, the User Administrator.  Since one User Administrator can only have membership in one Organization, the account can only be used to administer that Organization and its "Additional Organizations".  If there is just one person that needs the ability to manage users in multiple Organizations, but should not have sysadmin privileges, then that person will need a User Administrator account for each Organization.  

There is no limit to the number of User Administrator accounts that can be used on either the Organization or site level.  A dedicated User Administrator account for each Organization can be provided to a single person, if desired.  As with the Group labeling in the scenario above, it is wise to give such accounts descriptive UserIDs.  Assuming that the base userid is JDoe, the User Administrator userid for each Organization could variously be:

  • JDoe_Org1_UserAdmin
  • UserAdmin_JDoe_Org2
  • Org1_JDoe_UserAdmin