This article helps you understand Applixure user accounts and related permissions when using the Applixure Web UI.
What's in this article:
- Good to know about authentication hierarchy
- User accounts in Applixure
- How to decide user account ownership?
- Managing user accounts
- Adding new user account to Environment
- Adding new user account to Applixure Account
- Removing user accounts
- User account permissions for Applixure Account
- Preventing inheritance to Environment
- User account permissions for Environment
Good to know about authentication hierarchy
Each Applixure subscription consists of at least one Applixure Account and one or more Applixure Environments.
An Applixure Account represents the end-user organization that has subscribed to the Applixure service. In the case of service provider companies that partner with Applixure, the Applixure Account represents the partner organization. An Applixure Account may have multiple user accounts for different users belonging to the organization. Each subscription to the Applixure service is tied to an Applixure Account, and the limits of the subscription apply to all Environments under that account.
An Applixure Environment is a collection of Applixure Agent installations that report data to that environment. Each environment forms a single reporting entity. Each environment has exactly one owner Applixure Account, but each Applixure Account can own several environments.
By default, the Applixure Account created during sign-up will have exactly one environment available for reporting purposes. However, it is possible to link multiple environments to the same account:
- Service providers can manage multiple customer organization environments through the service provider's central Applixure Account.
- Large corporations can utilize multi-environment setups to separate larger entities (such as country organizations or sub-companies) of the whole enterprise as their own reporting domains. Multi-environment setups require a separate agreement with Applixure.
User accounts in Applixure
Applixure user accounts can be associated with either Applixure Accounts or Environments. User accounts can also be directly authorized to specific environments in addition to the hierarchy they belong to.
In addition to this, depending on the permissions applied to the user account at the Applixure Account level, user accounts may also have inherited (or implicit) access privileges to all Environments owned by the parent Applixure Account.
For security reasons, user accounts that are owned by the Environment will not see any of the user accounts that have implicit access to that same Environment, as those come from a higher authentication level. A user account with implicit access is visible to the user accounts owned by that Environment only if it also has some explicit permissions set for that Environment.
User accounts coming from the Applixure Account, however, will see all Environment-related user accounts as well as any user accounts that may have inherited access, as long as they themselves have user management permissions to that Environment.
How to decide user account ownership?
Each user account in Applixure is logically owned by a certain Applixure Account or Environment. Ownership has a direct effect on what permissions that user account can have by default. Also, the lifecycle of the user account is linked to the Applixure Account or Environment that owns it.
In other words, if a certain Applixure Account is removed by ending the subscription to Applixure for it, all user accounts owned by that Applixure Account, as well as all user accounts owned by the Environments owned by the Applixure Account, will also be removed. Likewise, all user accounts owned directly by an Environment will be removed if the Environment is closed (but in multi-environment scenarios the owning Account and all other Environments owned by that Account – with their respectively owned user accounts – could still continue on as normal).
This means that if you are operating in a multi-environment scenario, you should consider which entity (Applixure Account or Environment) should own each user account, based on the intended future access needs for those user accounts.
As general guidance, especially for the service provider partner scenario, Applixure recommends creating user accounts for your own personnel in your Applixure Account, and then authorizing those user accounts to individual [end-customer] Environments on an as-needed basis. For user accounts belonging to users in the end-customer organisation who only need to see and access their own Environment's data in Applixure, the natural owner for those user accounts is the Environment in question.
For other types of Applixure customers having multi-environment access enabled, the owning entity of the new user accounts should also be considered based on access needs.
To reduce the maintenance overhead of making authorizations, the select user accounts that need organisation-wide access are more naturally owned by the Applixure Account and automatically authorized to access all owned Environments through inheritance, whereas user accounts that need to see only a subset of the whole organisation could be owned by their respective Environments. For occasional cross-Environment authorization needs, you can still authorize access across Environments if required.
Managing user accounts
You can access User account management from Settings. Accessing user management requires appropriate permissions for either the Applixure Account or the environment being viewed.
Once either the Account or the Environment related user accounts are shown, you can add new users with the Add new user account button.
Adding new user account to Environment
When adding a new user account, first enter the email address of the new user that you want to grant access to the Environment.
After giving the email address, Applixure validates the address and checks if that email address is already used as a logon name for an existing Applixure user account.
If an existing logon is not found, you can continue creating the new user account by specifying the rest of the required fields.
If your own user account is part of the owning Applixure Account, you can additionally specify that the new user account should be owned by the Account rather than by the Environment, with only specific explicit permissions assigned against the Environment. This way you do not need to first create the new user account in the Account's user account management and then separately authorize it to the intended Environment.
Once you press Add user account, the new user account will be created and an automatic email is sent to the new user about the login credentials. For security reasons, Applixure will assign a random password to newly created user accounts instead of allowing you to specify it manually.
If the user account already exists elsewhere in the Applixure platform, owned by some other Account or Environment, then you can choose to just authorize that user account explicitly to the Environment.
Please note that for any user account that is only authorized to the Environment, as opposed to being created under the Environment's direct ownership, you cannot edit any user account parameters besides the permissions related to that Environment.
Adding new user account to Applixure Account
As with user accounts created under Environment ownership, when you add a new user account for an Applixure Account, you first need to specify the logon email address.
Unlike with the Environment, if the user account already exists somewhere else, you cannot merely authorize it to the Applixure Account. Any user account created against an Applixure Account must not already exist and has to be owned by that Applixure Account.
Otherwise the process is the same as for an Environment's user accounts, except that a different set of permissions is shown for an Applixure Account than for an Environment. Please note that no email is sent automatically to the authorized user about a newly available Environment in their dashboard.
Removing user accounts
In the list of user accounts, you can delete the user account completely if it is owned by that Environment (or Applixure Account). In case of explicitly authorized user accounts (Environments only) you can remove explicit permissions/authorization from the user account.
This can be done with the Remove user account, Remove explicit permissions and Remove authorization buttons next to the user account, depending on the type of user account and its origin.
User account permissions for Applixure Account (owned by Applixure Account)
For user accounts owned by an Applixure Account, you can set the following permissions against the owning Applixure Account.

| Permission | Description |
|---|---|
| Full account administrator | This is the highest permission level in Applixure. An Account administrator has all privileges against the Applixure Account and automatically has full administrative permissions to all Environments owned by the Applixure Account, including the ability to change the Applixure Account's information and subscription-related parameters. It is recommended that user accounts with Account Administrator permissions are limited to only a small number of people. |
| Manage user accounts | User accounts with this permission can manage other user accounts for the Applixure Account, including creating, deleting and modifying permissions. Users with this permission cannot, however, enable or disable the Full account administrator permission for any user account, including their own, unless they already hold full account administrative rights themselves. Users with this permission will automatically be given the Access all environments as user permission. |
| Create new environments for account | User accounts with this permission can provision/create new Environments under the Applixure Account owning the user account. New Environments can be created from the Environments screen. Users with this permission will automatically be given the Access all environments as user permission. This permission is only available for user accounts in an Applixure Account that has multiple environments enabled, and for Applixure partners. |
| Close account's existing environments | User accounts with this permission can close and delete any Environment besides the last one under the Applixure Account owning the user account. An Environment can be closed from the Environment's settings. Users with this permission will automatically be given the Access all environments as administrator permission. This permission is only available for user accounts in an Applixure Account that has multiple environments enabled, and for Applixure partners. |
| Access all environments as user | User accounts with this permission can automatically access all Environments owned by the Applixure Account as a regular user (i.e. with read-only permissions), giving the user account an implicit or inherited authorization for each Environment. |
| Access all environments as administrator | User accounts with this permission can automatically access all Environments owned by the Applixure Account as a full Environment administrator, giving the user account an implicit or inherited authorization for each Environment. |

Please note: any Applixure Account's user account that does not have access to any Environment, either through inherited access permissions or through explicit permissions against one or more Environments, will not be able to log on to the Applixure UI as there are no Environments available for it.
Preventing inheritance to Environment
While user accounts having the Access all environments as user and/or Access all environments as administrator permissions have automatic access to all Environments owned by the Applixure Account, in certain restricted-access scenarios you might want to prevent this implicit permission inheritance and grant access only to those users that have explicit permission entries.
For this scenario, you can turn on the Disable user account permission inheritance from parent account setting in the Environment's main settings.
To change this configuration setting for an Environment, your user account needs to have full administrative access to the Environment and be owned by the Applixure Account that owns the Environment. User accounts owned by the Environment, even if they are full administrators, cannot access the setting, as it restricts access from a higher authentication level.
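The access rules described so far can be modelled in a few lines to review who can reach an Environment and whether Environment-owned users can see them. This is an added example, not Applixure code: every name in it is hypothetical, each user's explicit grant is reduced to a single level, and it assumes that the inheritance setting suppresses every inherited grant, which the article does not spell out for Full account administrators.

```python
from dataclasses import dataclass, field
IMPLIED = {  # account-level permission -> Environment access level it carries
    "Full account administrator": "administrator",
    "Close account's existing environments": "administrator",
    "Access all environments as administrator": "administrator",
    "Manage user accounts": "user",
    "Create new environments for account": "user",
    "Access all environments as user": "user",
}
RANK = {None: 0, "user": 1, "administrator": 2}

@dataclass
class User:
    email: str
    owner: str                                    # owning Account or Environment name
    account_perms: set = field(default_factory=set)
    explicit: dict = field(default_factory=dict)  # Environment name -> level

@dataclass
class Environment:
    name: str
    account: str                                  # owning Applixure Account
    disable_inheritance: bool = False             # the Environment's inheritance setting

def inherited(user, env):
    # Assumption: the setting suppresses every inherited grant, administrators included.
    if user.owner != env.account or env.disable_inheritance:
        return None
    return max((IMPLIED.get(p) for p in user.account_perms), key=RANK.get, default=None)

def effective(user, env):
    return max(inherited(user, env), user.explicit.get(env.name), key=RANK.get)

def can_log_on(user, envs):
    return any(effective(user, e) for e in envs)

def review(users, env):
    # email -> (level, visible to Environment-owned users?); inherited-only access is hidden.
    return {u.email: (effective(u, env), env.name in u.explicit)
            for u in users if effective(u, env)}

# Constructed sample data (hypothetical names).
ACME = Environment("acme", account="msp")
LOCKED = Environment("locked", account="msp", disable_inheritance=True)
USERS = [
    User("tech@msp.example", "msp", {"Manage user accounts"}),
    User("lead@msp.example", "msp", {"Close account's existing environments"}, {"locked": "user"}),
    User("it@acme.example", "acme", explicit={"acme": "administrator"}),
]
```

Running `review(USERS, ACME)` lists two service provider accounts that reach the Environment without appearing in its own user list, while `review(USERS, LOCKED)` shows only the explicit grant once inheritance is disabled.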
User account permissions for Environment (owned by Environment or authorized to Environment)
For Applixure user accounts owned by the Environment, or explicitly authorized to the Environment, you can set the following permissions.

| Permission | Description |
|---|---|
| Full administrative rights | This is the highest permission level in an Environment. An Environment's full administrator has all privileges against the Environment, including the ability to change the Environment's information. |
| Manage user accounts | User accounts with this permission can manage other user accounts for the Environment, including creating, deleting and modifying permissions. Users with this permission cannot, however, enable or disable the Full account administrator permission for any user account, unless they also hold full environment administrative rights themselves. |
| Manage Applixure Agents | User accounts with this permission can access Applixure Agent installer packages for the Environment, and remove Applixure Agents from the UI through an individual device asset or as a mass operation. |
| Manage asset properties | User accounts with this permission can change asset-related taggings and manually defined parameters, such as Approval or Lifecycle settings for software assets. |