Delegating User Management of Non-sensitive User Roles

A best practice guide for delegating user management

Written by Michael Benner
Updated over a week ago

Dragones CRM lets a high-level manager delegate the management of users to a subordinate manager, the user administrator, in a manner that does not require or permit a full Administrator permission set for the user administrator or their subordinate users. The following steps describe the best practices for defining sensitive user roles and creating a permission set for a user role that can be used as a User Administrator.

Begin by defining the user roles that should be considered sensitive. User roles that are defined as sensitive cannot be managed by the user administrator. The sensitive user roles should include the user roles of all users that require a permission set equal to or larger than the user administrator's, INCLUDING the user administrator role itself. You can define sensitive user roles in the Settings/User Roles menu by editing the individual user roles and marking them as sensitive.

Ensure that the permissions for the user administrator user role include the "Settings,Users" permission and that they DO NOT include the "UserRoles,Sensitive" permission. The "UserRoles,Sensitive" permission should only be granted to the highest-level user roles, including the administrator user role. It is absolutely CRITICAL that the permission sets of all user roles that are not marked sensitive do not include any of the following permissions: "Settings,Permissions", "Settings,UserRoles" OR "UserRoles,Sensitive". If ANY user role not marked as sensitive has any of these permissions, then the user administrator can effectively modify their own permission set to gain a full administrator permission set OR do so for their subordinate users. Permissions are defined on a user role by user role basis in the Settings/Permissions menu.

With the above combination of user roles and permissions defined properly, you have effectively delegated the editing and creation of subordinate users to the user administrator role that you have defined. The user administrator will be able to create new users with user roles that are not marked as sensitive. The user administrator will also be able to edit existing users that have user roles that are not marked as sensitive. This editing ability includes the ability to change the user role, reset the password, and retire users with non-sensitive user roles.
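
One way to audit a role configuration against the rules above, as an added example that is not Dragones CRM code. The role names, the `Contacts,View` permission, the dict layout and the function name are constructed for illustration, and "equal or larger permission set" is interpreted here as a superset of the user administrator's permissions.

```python
# Added example: all role data below is constructed, not exported from Dragones CRM.
# The three permissions that let a role rewrite permission sets or touch sensitive roles.
ESCALATION_PERMS = {"Settings,Permissions", "Settings,UserRoles", "UserRoles,Sensitive"}

def audit_roles(roles, user_admin_role):
    """Return a list of findings; an empty list means the delegation rules hold.

    roles: {role_name: {"sensitive": bool, "permissions": set of str}} (hypothetical layout)
    """
    admin = roles.get(user_admin_role)
    if admin is None:
        return [f"{user_admin_role}: role not defined"]
    findings = []
    if not admin["sensitive"]:
        findings.append(f"{user_admin_role}: user administrator role must be marked sensitive")
    if "Settings,Users" not in admin["permissions"]:
        findings.append(f"{user_admin_role}: missing Settings,Users")
    if "UserRoles,Sensitive" in admin["permissions"]:
        findings.append(f"{user_admin_role}: must not hold UserRoles,Sensitive")
    for name, role in sorted(roles.items()):
        if role["sensitive"]:
            continue
        # The user administrator can assign any non-sensitive role, so none of
        # them may carry a permission that leads to a full administrator set.
        for perm in sorted(ESCALATION_PERMS & role["permissions"]):
            findings.append(f"{name}: non-sensitive role holds {perm}")
        # Assumption: "equal or larger" means a superset of the user admin's permissions.
        if name != user_admin_role and role["permissions"] >= admin["permissions"]:
            findings.append(f"{name}: permission set equal or larger than "
                            f"{user_admin_role}, should be marked sensitive")
    return findings

# Constructed sample configuration with one deliberate mistake ("Team Lead").
SAMPLE_ROLES = {
    "Administrator": {"sensitive": True, "permissions": {
        "Settings,Users", "Settings,Permissions", "Settings,UserRoles", "UserRoles,Sensitive"}},
    "User Administrator": {"sensitive": True, "permissions": {"Settings,Users"}},
    "Sales Rep": {"sensitive": False, "permissions": {"Contacts,View"}},
    "Team Lead": {"sensitive": False, "permissions": {"Contacts,View", "Settings,UserRoles"}},
}

if __name__ == "__main__":
    for finding in audit_roles(SAMPLE_ROLES, "User Administrator"):
        print(finding)
```
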
