Difference between revisions of "Administrator Roles"

From WHMCS Documentation

(Undo revision 17575 by John (talk))
Line 1: Line 1:
#REDIRECT [[Administrators and Permissions]]
+
Administrator roles allow you to set the permissions for different types of admin users. You will use these when you configure the users.
 +
 
 +
You can manage administrator roles at '''Configuration (<i class="fa fa-wrench" aria-hidden="true"></i>) > Manage Admins > Administrator Roles'''.
 +
 
 +
==Administrator Roles==
 +
 
 +
You can set up as many different administrator roles as you want and then assign your admins to them. 
 +
 
 +
WHMCS comes with three default roles: '''Full''', '''Sales''', and '''Support Only'''.
 +
 
 +
==Create or Update an Administrator Role==
 +
 
 +
To create or update an administrator role:
 +
 
 +
# Create or edit a new role:
 +
#* To create a new role, click '''Add New Role Group''' link and enter a name for it.
 +
#* To edit a role, click the edit icon for that role. A list of permissions settings will appear.
 +
# Configure the displayed options (see below). The system provides options for Admin Area actions and email receiving preferences for system emails, account emails, and support emails.<div class="docs-alert-success">For all admin roles, you '''must''' enable '''Support Center Overview''' or '''Main Homepage'''. This allows the admin to see the support center overview or admin summary pages after logging in.</div>
 +
# Click '''Save'''.
 +
 
 +
You can then assign the administrator role to an admin at '''Configuration (<i class="fa fa-wrench" aria-hidden="true"></i>) > System Settings > Administrator Users'''.
 +
 
 +
===Role Permissions===
 +
 
 +
You can configure many permissions settings when you create or update a role.
 +
 
 +
For each of these settings:
 +
 
 +
# Permissions that start with '''Manage''' allow you to manage an item.
 +
# Permissions that start with '''View''' allow you to view an item.
 +
# Permissions start with '''Create''' allow you to create a new mentioned item.<div class="docs-alert-warning"><span class="title">Access Denied</span><br />Many '''Create''' permissions require the related '''Manage''' permission. If you see '''Access Denied''' errors, add the '''Manage''' permission. For example, errors will occur for '''Create Invoice''' if you don't also enable '''Manage Invoices'''.</div>
 +
# Permissions that start with '''Configure''' are generally for settings under '''Configuration (<i class="fa fa-wrench" aria-hidden="true"></i>) > System Settings'''.
 +
 
 +
For an admin user who works with clients and tickets, grant the '''Manage''' and '''View''' permissions for tickets, domains, and client products. If they will be processing client orders or creating new services for clients, also grant the applicable '''Create''' and '''Manage''' permissions.
 +
 
 +
If an admin will provide remote support and you only want them to view items but not change them, you can grant them the desired '''View''' permissions only.
 +
 
 +
==Recommendations and Common Role Configurations==
 +
 
 +
===Limiting access to a specific installed addon===
 +
This is commonly required for allowing third party developers limited access to the WHMCS admin area in order to debug an issue with an installed addon module. For addon modules, the '''Addon Modules''' permission will need to be enabled and then the '''Access Control''' setting on the applicable addon will need to be edited under '''Configuration (<i class="fa fa-wrench" aria-hidden="true"></i>) > System Settings > Addon Modules''' to give their admin user access to the addon under the Addons menu (if applicable).
 +
 
 +
Depending on how the addon operates, it may be necessary to enable additional permissions as well (at discretion). For example: if an addon adds a "Support PIN" number on the client summary page, enabling the '''View Clients Summary''' permission may be necessary for the developer to be able to access a test client and verify it is working as expected.
 +
 
 +
===Debugging provisioning modules===
 +
For debugging provisioning modules, it may be helpful to enable the '''Configure Servers''', '''View Clients Products/Services''', '''View Module Debug Log''', and '''Perform Module Command Operations''' permissions so that the developer is able to ensure the underlying module is correctly configured, test with a test service and obtain any module log data (if their module supports it). Further permissions, such as the ability to edit services with '''Edit Clients Products/Services''', are generally not recommended and should only be considered on a case-by-case basis.
 +
 
 +
==Managing Two Factor Authentication==
 +
Two-factor authentication adds an additional layer of security by introducing a second step to the login process. It takes something you know (for example, your password), and adds a second factor, typically something you physically have (such as your phone). Since the system will require both to log in, if an attacker obtains your password, two-factor authentication would stop them from accessing your account.
 +
 
 +
You can apply Two-Factor Authentication to staff, clients, or both. Instructions for configuring Two-Factor Authentication are on the [[Security_Modules#Configuration|Security Modules page]].

Revision as of 22:09, 12 January 2022

Administrator roles allow you to set the permissions for different types of admin users. You will use these when you configure the users.

You can manage administrator roles at Configuration () > Manage Admins > Administrator Roles.

Administrator Roles

You can set up as many different administrator roles as you want and then assign your admins to them.

WHMCS comes with three default roles: Full, Sales, and Support Only.

Create or Update an Administrator Role

To create or update an administrator role:

  1. Create or edit a new role:
    • To create a new role, click Add New Role Group link and enter a name for it.
    • To edit a role, click the edit icon for that role. A list of permissions settings will appear.
  2. Configure the displayed options (see below). The system provides options for Admin Area actions and email receiving preferences for system emails, account emails, and support emails.
    For all admin roles, you must enable Support Center Overview or Main Homepage. This allows the admin to see the support center overview or admin summary pages after logging in.
  3. Click Save.

You can then assign the administrator role to an admin at Configuration () > System Settings > Administrator Users.

Role Permissions

You can configure many permissions settings when you create or update a role.

For each of these settings:

  1. Permissions that start with Manage allow you to manage an item.
  2. Permissions that start with View allow you to view an item.
  3. Permissions start with Create allow you to create a new mentioned item.
    Access Denied
    Many Create permissions require the related Manage permission. If you see Access Denied errors, add the Manage permission. For example, errors will occur for Create Invoice if you don't also enable Manage Invoices.
  4. Permissions that start with Configure are generally for settings under Configuration () > System Settings.

For an admin user who works with clients and tickets, grant the Manage and View permissions for tickets, domains, and client products. If they will be processing client orders or creating new services for clients, also grant the applicable Create and Manage permissions.

If an admin will provide remote support and you only want them to view items but not change them, you can grant them the desired View permissions only.

Recommendations and Common Role Configurations

Limiting access to a specific installed addon

This is commonly required for allowing third party developers limited access to the WHMCS admin area in order to debug an issue with an installed addon module. For addon modules, the Addon Modules permission will need to be enabled and then the Access Control setting on the applicable addon will need to be edited under Configuration () > System Settings > Addon Modules to give their admin user access to the addon under the Addons menu (if applicable).

Depending on how the addon operates, it may be necessary to enable additional permissions as well (at discretion). For example: if an addon adds a "Support PIN" number on the client summary page, enabling the View Clients Summary permission may be necessary for the developer to be able to access a test client and verify it is working as expected.

Debugging provisioning modules

For debugging provisioning modules, it may be helpful to enable the Configure Servers, View Clients Products/Services, View Module Debug Log, and Perform Module Command Operations permissions so that the developer is able to ensure the underlying module is correctly configured, test with a test service and obtain any module log data (if their module supports it). Further permissions, such as the ability to edit services with Edit Clients Products/Services, are generally not recommended and should only be considered on a case-by-case basis.

Managing Two Factor Authentication

Two-factor authentication adds an additional layer of security by introducing a second step to the login process. It takes something you know (for example, your password), and adds a second factor, typically something you physically have (such as your phone). Since the system will require both to log in, if an attacker obtains your password, two-factor authentication would stop them from accessing your account.

You can apply Two-Factor Authentication to staff, clients, or both. Instructions for configuring Two-Factor Authentication are on the Security Modules page.