GroupAdmins are end users who have been promoted by (organization-level) Admins or other GroupAdmins for the purpose of administering users in groups. Org Admins can define the scope of resources associated with a group. GroupAdmins can select and prune membership (user access lists) for the group.
GroupAdmins can be responsible for:
Admin users can create groups and delegate GroupAdmin permissions to a user in that group. Organizing users into groups is useful when users work out of a shared team folder (which can be configured in user settings as their collective home folder).
It is best practice to run groups out of a shared folder with group permissions.
If configured, GroupAdmins can potentially control:
There is a security/convenience tradeoff whenever you delegate user create/delete/clone and password reset to GroupAdmin users. Before you grant this authority to a GroupAdmin, ensure this is appropriate for your site policy and data security standards.
While it can be convenient to grant GroupAdmins the authority to add new users to the database, this is not best practice. If you grant GroupAdmins the ability to create/clone/delete users, you are empowering GroupAdmins with Admin authority, which violates the principle of least privilege recommended by most data security standards.
| GroupAdmin Setting (GROUPS > Group Profile page - GroupAdmin) | Description |
| --- | --- |
| Add new users as group members and edit/delete existing members. | Extends GroupAdmins' authority to add and delete users to/from the database. Enables cloning new or existing users. |
| List all users in the organization and add existing users as group members. | Enables GroupAdmins to choose users from a list of existing org users. |
The Group Profile page opens.
GroupAdmins can also receive notifications about events that happen to the users they have control over, such as password expirations and user lockouts.
The user's profile page opens.