Previous Topic

Next Topic

Book Contents

Book Index

GroupAdmins

GroupAdmins are end users who have been promoted by (organization-level) Admins or other GroupAdmins for the purpose of administering users in groups. Org Admins can define of scope of resources associated with a group. GroupAdmins can select and prune membership (user access lists) for the group.

GroupAdmins can be responsible for:

Admin users can create groups and delegate GroupAdmin permissions to a user in that group. Organizing users into groups is useful when users work out of a shared team folder (which can be configured in user settings as their collective home folder).

TIP It is best practice to run groups out of a shared folder with group permissions.

If configured, GroupAdmins can potentially control:

There is a security/convenience tradeoff whenever you delegate user create/delete/clone and password reset to GroupAdmin users. Before you grant this authority to a GroupAdmin, ensure this is appropriate for your site policy and data security standards.

Consider this Before Delegating Admin-like Settings for GroupAdmins

While it can be convenient to grant GroupAdmins the authority to add new users to the database, this is not best practice. If you grant GroupAdmins the ability to create/clone/delete you are empowering GroupAdmins with Admin authority, which violates the principal of least privilege recommended by most data security standards.

GroupAdmin Setting (GROUPS > Group Profile page - GroupAdmin)

Description

Add new users as group members and edit/delete existing members.

Extends GroupAdmins authority to add and delete users to/from the database. Enables cloning new or existing users.

List all users in the organization and add existing users as group members.

Enables GroupAdmins to choose users from a list of existing org users.

GroupAdmins can also receive notifications about events that happen to the users they have control over, such as password expirations and user lockouts.