Rights management

Rights matrix • User management

 

This article provides a rights matrix summarizing which actions are allowed or not depending on the user's role within the User management and Organization tabs. It lets you know, for each role, which operations are possible on users and on organizations.

Role glossary


Before reading the matrix, you need to know the different roles:

  • Super-admin: administrator of the parent organization, responsible for activating the license.
  • Organization administrator: administrator of the current organization (organization N).
  • Administrator of a higher organization: administrator of an organization hierarchically above the current one (organization N+1 to N+∞).
  • Organization moderator: moderator of the current organization (organization N).
  • Moderator of a higher organization: moderator of an organization hierarchically above the current one (organization N+1 to N+∞).
  • Standard user: standard user of the organization. It does not appear as a column in the matrix because standard users have no access to the User management tab.
  • User: generic term covering all user types (administrator, moderator or standard user).

"Blind" roles

A blind user (administrator or moderator) has the same rights in User management as the equivalent non-blind role. The only difference concerns LockPass: a blind user has no rights over passwords.

This is why the matrix has no dedicated column for blind roles: the difference in rights only concerns password management, not user management in User management.

Note: in all the tables below, we take the point of view of organization N (the current organization).

Actions on users


ActionSuper-adminAdmin org NAdmin higher orgModerator org NModerator higher org
Create a standard user
Delete a standard user
Move a standard user
Add a user to a group
Block a standard user
Block a moderator
Change the organization's administration
Promote a user of org N ➝ moderator of org N
Demote a moderator of org N ➝ user of org N
Set the Super-admin as blind 1
Set the admin of org N as blind 2
Set the moderator of org N as blind 3
Disable a user's MFA
Change a user's local password
Change a user's contractor status
Change a standard user's expiration date
Change a moderator's expiration date
Download a user's rights report
Disable an administrator's MFA
Disable a moderator's MFA

User group management

ActionSuper-adminAdmin org NAdmin higher orgModerator org NModerator higher org
Create a user group in org N
Rename a group in org N
Delete a user group in org N
Add one or more users to a group in org N
Remove one or more users from a group in org N

Local password and MFA management

ActionSuper-adminAdmin org NAdmin higher orgModerator org NModerator higher org
Change the local password of the moderator of org N 4
Change the local password of other moderators of org N
Change a standard user's local password

Actions impossible for all roles

Some actions on users are impossible regardless of the role:

  • Delete an administrator
  • Delete a moderator
  • Move an administrator
  • Move a moderator
  • Block an administrator
  • Change an administrator's expiration date

Actions on organizations


ActionSuper-adminAdmin org NAdmin higher orgModerator org NModerator higher org
Create an organization at the level of org N
Create a sub-organization within org N
Rename organization N
Rename a sub-organization of org N
Delete org N if it has no sub-organization

Actions impossible on organizations

The following actions are impossible regardless of the role:

  • Delete org N if it contains sub-organizations
  • Delete the parent organization

Notes


  1. A Super-admin can only set themselves as blind.
  2. An administrator of org N cannot set themselves as blind (it would amount to self-restriction). An administrator of a higher organization can do it.
  3. A moderator of org N cannot set themselves as blind. A moderator of a higher organization can do it.
  4. Currently, a moderator cannot change their own local password; this action must be carried out by another authorized role.

Updated