Rights matrix • User management
This article provides a rights matrix summarizing which actions are allowed or not depending on the user's role within the User management and Organization tabs. It lets you know, for each role, which operations are possible on users and on organizations.
Role glossary
Before reading the matrix, you need to know the different roles:
- Super-admin: administrator of the parent organization, responsible for activating the license.
- Organization administrator: administrator of the current organization (organization N).
- Administrator of a higher organization: administrator of an organization hierarchically above the current one (organization N+1 to N+∞).
- Organization moderator: moderator of the current organization (organization N).
- Moderator of a higher organization: moderator of an organization hierarchically above the current one (organization N+1 to N+∞).
- Standard user: standard user of the organization. It does not appear as a column in the matrix because standard users have no access to the User management tab.
- User: generic term covering all user types (administrator, moderator or standard user).
"Blind" roles
A blind user (administrator or moderator) has the same rights in User management as the equivalent non-blind role. The only difference concerns LockPass: a blind user has no rights over passwords.
This is why the matrix has no dedicated column for blind roles: the difference in rights only concerns password management, not user management in User management.
Note: in all the tables below, we take the point of view of organization N (the current organization).
Actions on users
| Action | Super-admin | Admin org N | Admin higher org | Moderator org N | Moderator higher org |
|---|---|---|---|---|---|
| Create a standard user | ✅ | ✅ | ✅ | ✅ | ✅ |
| Delete a standard user | ✅ | ✅ | ✅ | ✅ | ✅ |
| Move a standard user | ✅ | ✅ | ✅ | ✅ | ✅ |
| Add a user to a group | ✅ | ✅ | ✅ | ✅ | ✅ |
| Block a standard user | ✅ | ✅ | ✅ | ✅ | ✅ |
| Block a moderator | ✅ | ✅ | ✅ | ❌ | ❌ |
| Change the organization's administration | ✅ | ✅ | ✅ | ❌ | ❌ |
| Promote a user of org N ➝ moderator of org N | ✅ | ✅ | ❌ | ❌ | ❌ |
| Demote a moderator of org N ➝ user of org N | ✅ | ✅ | ❌ | ❌ | ❌ |
| Set the Super-admin as blind 1 | ✅ | ❌ | ❌ | ❌ | ❌ |
| Set the admin of org N as blind 2 | ✅ | ❌ | ✅ | ❌ | ❌ |
| Set the moderator of org N as blind 3 | ✅ | ✅ | ✅ | ❌ | ✅ |
| Disable a user's MFA | ✅ | ✅ | ✅ | ✅ | ✅ |
| Change a user's local password | ✅ | ✅ | ✅ | ✅ | ✅ |
| Change a user's contractor status | ✅ | ✅ | ✅ | ✅ | ✅ |
| Change a standard user's expiration date | ✅ | ✅ | ✅ | ✅ | ✅ |
| Change a moderator's expiration date | ✅ | ✅ | ✅ | ✅ | ✅ |
| Download a user's rights report | ✅ | ✅ | ✅ | ✅ | ✅ |
| Disable an administrator's MFA | ✅ | ✅ | ✅ | ✅ | ✅ |
| Disable a moderator's MFA | ✅ | ✅ | ✅ | ✅ | ✅ |
User group management
| Action | Super-admin | Admin org N | Admin higher org | Moderator org N | Moderator higher org |
|---|---|---|---|---|---|
| Create a user group in org N | ❌ | ✅ | ❌ | ✅ | ❌ |
| Rename a group in org N | ❌ | ✅ | ❌ | ✅ | ❌ |
| Delete a user group in org N | ❌ | ✅ | ❌ | ✅ | ❌ |
| Add one or more users to a group in org N | ❌ | ✅ | ❌ | ✅ | ❌ |
| Remove one or more users from a group in org N | ❌ | ✅ | ❌ | ✅ | ❌ |
Local password and MFA management
| Action | Super-admin | Admin org N | Admin higher org | Moderator org N | Moderator higher org |
|---|---|---|---|---|---|
| Change the local password of the moderator of org N 4 | ✅ | ✅ | ✅ | ❌ | ✅ |
| Change the local password of other moderators of org N | ✅ | ✅ | ✅ | ✅ | ✅ |
| Change a standard user's local password | ✅ | ✅ | ✅ | ✅ | ✅ |
Actions impossible for all roles
Some actions on users are impossible regardless of the role:
- Delete an administrator
- Delete a moderator
- Move an administrator
- Move a moderator
- Block an administrator
- Change an administrator's expiration date
Actions on organizations
| Action | Super-admin | Admin org N | Admin higher org | Moderator org N | Moderator higher org |
|---|---|---|---|---|---|
| Create an organization at the level of org N | ✅ | ❌ | ✅ | ❌ | ❌ |
| Create a sub-organization within org N | ✅ | ✅ | ✅ | ❌ | ❌ |
| Rename organization N | ✅ | ✅ | ✅ | ✅ | ✅ |
| Rename a sub-organization of org N | ✅ | ✅ | ✅ | ✅ | ✅ |
| Delete org N if it has no sub-organization | ✅ | ❌ | ✅ | ❌ | ❌ |
Actions impossible on organizations
The following actions are impossible regardless of the role:
- Delete org N if it contains sub-organizations
- Delete the parent organization
Notes
- A Super-admin can only set themselves as blind.
- An administrator of org N cannot set themselves as blind (it would amount to self-restriction). An administrator of a higher organization can do it.
- A moderator of org N cannot set themselves as blind. A moderator of a higher organization can do it.
- Currently, a moderator cannot change their own local password; this action must be carried out by another authorized role.
Updated