This article will introduce you to the Privileges tool in BetterCloud. Role based privileges will allow you to grant access to the BetterCloud app, and customize that access for users and admins at different security and operational levels on your domain.
If you're looking for Access Controls in BetterCloud for G Suite, please click here.
Access Privileges Tool
The Privileges section of the app can be accessed via the left side navigation bar. When you click on "Privileges" from this bar, you'll be presented with two dropdown options: "New" and "Manage".
"New" will direct you straight to the "Create A Role" tool. "Manage" will direct you to the "Roles and Privileges" page, where you can manage existing roles and folders. On the "Roles and Privileges" page, you'll find:
- Existing folders into which your existing roles are organized, as well as the ability to create a new folder
- A list of all existing roles based on folder assignment
- Access Requests* which grants admins the option of allowing End Users the ability to request access to BetterCloud
- The option to create a new role
In your role view, you can:
- Display roles contained in certain folders
- See a description and member count for each role
- Sort roles alphabetically by name or numerically by member count, and hide the Description column to customize your view.
From the dropdown "carrot" next to each role's listing, you'll find further options for managing that specific role and its assignees.
Please note that the "Super Admin" role is a default option specific to BetterCloud, and cannot be edited or deleted. Users granted this role will have full access to all tools in the BetterCloud app, including data from all enabled integrations.
For more information about role behavior in BetterCloud, please see the Important / Requirements section of this article.
Create New Folder
Folders are a great way to organize and locate specific roles, especially for larger domains or those with many granular levels of security or required access.
You have two available options for creating a new folder: clicking on the "+" sign next to your Folders list, or the "All Folders" dropdown selector at the top of your role list, which will prompt you with a "+ Add Folder" option.
After selecting either of these options, a right side slide-out tab will open. This tab will allow you to enter a folder title and create your new folder, or cancel to return to the Privileges page below. Clicking the "x" marker on the tab will also cause the tab to retract and return you to the page below.
Clicking on the folder name you wish to manage from your list of folders will auto-select it in your role viewer. You can also select it by name from the folder dropdown at the top of your role viewer.
Once the folder you wish to manage is reflected at the top of your role viewer, clicking on it will provide a dropdown menu of available options:
- "Rename" will provide the same right side slide-out tab you used to create your folder, and allow you to edit its title.
- "Add Folder" will allow you to create a nested sub-folder, beneath the one you previously selected.
- "Delete" will automatically delete the folder in question.*
*If the folder you wish to delete contains existing roles and/or sub-folders, a right side slide-out tab will warn you that all folder contents will also be deleted and cannot be retrieved, once this folder is deleted.
All users must be assigned a Role when attempting to access BetterCloud. The configured Access Requests feature gives end users the opportunity to request access from their IT Admins.
If a user attempts to log into BetterCloud with no access, they will see this page below and will need to submit a request.
Once a request has been sent to the IT Admin(s) configured in your settings, the end user will see a Request Sent confirmation:
Admins can either grant a user access to BetterCloud via the request that is sent to their email inbox or they can deny access with a pre-drafted email response.
- When an admin selects the “Login to Manage Privileges” button they are redirected to the Roles and Privileges page in BetterCloud.
If an Admin denies a user access to BetterCloud via the red button in the Access Request email, the user will see this email response:
In the Roles and Privileges section of the platform, you can manage the list of Admins that will be included on all Access Requests emails.
Each admin email address must be separated by commas when configured in the Access Request settings:
Create New Role
When you select "Privileges" > "New" from the left navigation menu, or click the green "Create Role" button from the "Roles and Privileges" page, you'll be brought a new right side flyout tab containing the role creation tool. Here, the process of role creation will be broken down into several steps.
- Name: Give your role a name
- Description:Add an option description that describes the role’s function
- Template: You can create roles based on premade templates. Choosing an integration will automatically populate the role with all applicable permissions for the selected integration. Choosing a user will copy the permissions from a user’s current role
- Privileges: Here, you can select the level of access you’d like to give to users on this role. You can give users access to only view groups across all integrations. Additionally, you can further scope down the role by giving users access to only view groups across a specific integration.
As you select different access items, note that our tool will occasionally auto-select other items that are required. For example: if you want a role to be able to edit groups, the role must also be able to view groups.
To help distinguish these items, black check boxes will denote items you've chosen, and grey check boxes will denote required items.
Assigning Users to Roles
Select the "Assigned Users" section, to the right of "Privileges” to assign users to this role. This will switch your view, and here you can add users to this new role by clicking the "Assign User" button; a pop-up box will appear below, where you can enter multiple users at a time.
Names will auto-populate as you type, and if you enter a user who is already assigned an existing role, you will be warned that adding them to this role will remove them from the other.
Additionally, you have the option of notifying users of their new role. Please note that users may only be assigned one role at a time.
Once assigned, you'll be able view your added users and and remove them, if necessary. The "Added Date" will display the date the user was added to the role.
Finally, you can cancel to exit out of this tool without saving, or save your changes to commit the role to your BetterCloud instance.
Scheduling a role allows you to control the days of the week and the time that users can access BetterCloud. For example, if your company has several offices is in different regions of the world, you can limit users’ access to BetterCloud only during work hours in their timezone.
Here you can select the timezone in which you want to schedule the roles for. You can then set the schedules for specific days of the week.
- Anytime: The users will be able to access BetterCloud at any time during the day
- No access: The users will not be able to access BetterCloud at any time during the day
- Custom time: The user will only be able to access BetterCloud during the chosen time of the day
If the user tries to access BetterCloud outside of the time allowed, they will be presented with this page:
Setting Expiration Dates for Role Assignments
When assigning users to roles, you have the option of setting an expiration date for the assignment. This allows you to ensure that no user has access to BetterCloud for longer than necessary.
You can view your users’ roles’ expiration dates by navigating to the “Assigned Users” tab.
When a user’s role assignment expires, they’re removed from the role. This removal is recorded in the Audit Logs:
Manage Existing Roles
In your role view, you can display the roles contained in certain folders, see more information that has been entered for each role, sort existing roles alphabetically by name, and show or hide other columns to customize your view.
From the dropdown "carrot" next to each role's listing, you'll find quick link options for managing that specific roles and its assignees:
- "Configure" will allow you to view and make changes to the selected role's current settings and permissions
- "Clone" will create a new, duplicate role with the same settings
- "Delete" will delete the role
- "Move" will allow you to move the role to a different folder or sub-folder
By clicking on a role's name in blue from this view, or by selecting "Configure" from the dropdown menu of available options, you will receive a right side flyout tab, where you can review the settings of the role. Clicking the green "Edit" button in the top right corner of the tab will make all settings, permissions and assigned user sections editable. Clicking on the tab's "X" marker or clicking on the page below it will close out the tab.
Important / Requirements
- Please note that the "Super Admin" role is a default option specific to BetterCloud, and cannot be edited or deleted. Users granted this role will have full access to all tools in the BetterCloud app, and full permissions over all integrated user and application data.
- When the Privileges tool in BetterCloud was launched on February 16, 2017, all existing G Suite users with Super Admin roles in the Google Admin Console automatically inherited Super Admin access to the new BetterCloud app. However, going forward, these roles will not be inherited. All end users and new admins must have a role assigned to them via this Privileges tool in BetterCloud, before they will have access to our app.
- Roles created and assigned in the Access Controls tool in BetterCloud for G Suite will not be inherited in BetterCloud.
- While it is possible for a user to be assigned multiple roles via Access Controls in BetterCloud for G Suite, a user may have only one role in BetterCloud at a time.
- If you unassign a user from a role they will lose access to app.bettercloud.com. The user account will not revert back to a role they were previously assigned.