Multiple Admin Accounts causing confusion
Thursday, February 24, 2022 at 06:08amHello,
Our organization was recently setup with a Sandbox and Production account, and 3 Admin accounts in each environment.
We requested this setup as we were under the impression that this would enable us to have 3 Administrators, but did not realize this would create 3 distinct accounts. This has caused confusion, and we are now considering scaling back to only 1 Admin account. But we are wondering if these 2 Admins will lose access to functionality that we would like them to have.
Can I get some clarity around what the true delta is between an Admin account and a Manager account? I have also created a custom role called "2nd Tier Admin" which includes all available permissions in OneSpan. There appears to be a difference between all 3 of these roles.
I've attached a screenshot highlighting the differences between these 3 roles, from a permissions perspective (green is equal between all 3 roles).
Can you tell me what the true difference are between these 3 roles? Perhaps there are also other differences not captured from a permissions perspective? Can you tell me if it's best practice to just have 1 Admin?
If I'm honest, we're also considering removing the Roles & Groups functionality and reverting back to using the simpler setup (Senders only), but we are also trying to determine what the differences are here.
Thanks, ~Dee
Reply to: Multiple Admin Accounts causing confusion
Thursday, February 24, 2022 at 09:00amHi Dee,
Thanks for your post!
From your description and the screenshot, seems your account has enabled Roles & Permissions feature, in which case:
(1)You CAN have three users be granted "Admin" role.
-In previous role management system, there are only three roles "admin, manager, sender", where you'll only have one admin account.
-However in this new role-based system, #1 multiple users can be assigned Admin role #2 one user can have multiple account roles (these permissions add on) #3 users with the same account role will have the same resource access
(2)
Admin role vs Manager role
-Admin role has an additional permission "API Access", which means Admin role should be used for the integration purpose while Manager role will only manage the account via UI portal.
Admin role vs Custom role
-Admin role doesn't have the newly introduced permission "Manage users' transactions, templates, layouts (API)", which is essential for managing other user's transactions via API/SDK.
#1 If you are not integrated, this shouldn't affect your access
#2 From my perspective, I think Admin role should by default have this permission, however for the temporary, you will need to create a custom role with this permission and grant your admin user the Admin role and the Custom role at the same time
-It looks like Custom role doesn't have "Notary" permission, I will ask internal team for further clarification if this is by designed. Again, if you are not using Notarizing signing, this shouldn't affect you, and you can grant the admin user both account roles to have the permissions add on.
Duo
Reply to: Multiple Admin Accounts causing confusion
Thursday, February 24, 2022 at 09:21amHello Duo, Thank you so much for your quick and thorough response!
The main issue at hand is this: We have 3 people with Admin permissions, so indeed we know that it's possible. But it appears they all have a separate accounts (not just logins). We are still trying to wrap our head around the implications of this setup. For example, every time we've requested a feature to be enabled in an environment, we've had to have it turned on for all 3 "accounts", which is causing confusion and we're not sure if everyone is set up the same way. Add to that, the Senders / Users in each "account" appear to be distinct, which is not what we want. We just want 1 "environment" that everyone can login to, Admin or otherwise.
Yes we do have the Roles & Groups enabled, but only in our Sandbox at this stage. We were told to play around with it first, as there are implications to do this that cannot be undone... so we have 1 environment (Sandbox) using Roles, and 1 environment (PROD) using the simpler Senders model. I'm still unsure whether we need the Roles functionality, so this is another point we're trying to get clarity on.
As for integrations, just to complicate our questions a bit here :) we are indeed using the following: Active Directory (SSO), and Sharepoint. A question from our architect relates to this part: Are we able to use the same API for multiple connections to / from Sharepoint/OneSpan? And with a master account, how do the sub-accounts work? If it is not possible to use the same master account for each BU (if we are going to have multiple locations where invoices are located in Sharepoint), will we need separate accounts for each BU? This would ensure separation of business, etc.
Any guidance on these matters would be much appreciated. We've been having difficulties moving forward with our environments thus far, and have taken a step back until we sort out these questions.
Thanks,
~Dee
Reply to: Multiple Admin Accounts causing confusion
Thursday, February 24, 2022 at 10:09amHi Dee,
I see the reason why you had 3 separate accounts at the first place. If you need to make sure the transactions and signed documents are stored and managed separately within each SharePoint and OneSpan connection, you will need three accounts and three different API Keys - I am afraid simply merging 3 accounts into 1, or consuming Roles & Permissions/Groups feature won't fit your requirement, in terms of
#1 keep different transactions from each BU isolated
#2 if you are having different callback setups
#3 if you are pointing three accounts to different Active Directories
On the contrary, if you don't have these concerns, it's possible to merge senders to another account, and in turn merge 3 accounts into 1.
Talking about Sub-account feature, it's able to host the three accounts under a master account (in BackOffice, there's a functionality allows you to merge an account as a subaccount), but within each account, you may still keep the integration settings as it is (API Key, callback setups, SSO configs, etc).
I can imagine Sub-account feature could benefit you in below aspects:
(1)One user can access across subaccounts (comparing to now, one email can only access one account)
(2)Applying new features to master account would auto-apply to subaccounts, at the same time subaccounts can have their own customization and account settings.
But please be aware that the Sub-account feature is still not fully ready for integrated users, you can test on Sandbox environment first and see if this fits your use case.
Duo
Reply to: Multiple Admin Accounts causing confusion
Friday, February 25, 2022 at 11:09amHello Duo,
Again, thanks so much for your reply.
It seems we are slowly getting warmer, and closer to understanding how OneSpan works, and what sort of setup we will require as an organization.
We are trying to setup a time with our CSR and a technical resources next week, and I hope they will be able to answer these questions, especially as they relate to our particular situation.
If you would be open to joining in on that conversation, please let me know! We are in a pilot situation right now, and are considering whether or not to move forward with OneSpan Sign, given our current level of confusion on how things work from an account and architecture perspective.
Thanks,
~Dee