Difference between revisions of "Administrator Roles"
m (→Create or Update an Administrator Role) |
|||
(4 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | Administrator roles allow you to set the permissions for different types of admins. You can manage roles in the WHMCS Admin Area. | + | Administrator roles allow you to set the permissions for different types of admins. You can manage roles in the WHMCS [[Admin Area]]. |
You can access this feature at '''Configuration (<i class="fa fa-wrench" aria-hidden="true"></i>) > System Settings > Administrator Roles'''. | You can access this feature at '''Configuration (<i class="fa fa-wrench" aria-hidden="true"></i>) > System Settings > Administrator Roles'''. | ||
Line 22: | Line 22: | ||
#* '''View''' permissions allow you to view an item. | #* '''View''' permissions allow you to view an item. | ||
#* '''Create''' permissions allow you to create a new item.<div class="docs-alert-warning"><span class="title">Access Denied</span><br />Many '''Create''' permissions require the related '''Manage''' permission. If you see '''Access Denied''' errors, add the '''Manage''' permission. For example, errors will occur for '''Create Invoice''' if you don't also enable '''Manage Invoices'''.</div> | #* '''Create''' permissions allow you to create a new item.<div class="docs-alert-warning"><span class="title">Access Denied</span><br />Many '''Create''' permissions require the related '''Manage''' permission. If you see '''Access Denied''' errors, add the '''Manage''' permission. For example, errors will occur for '''Create Invoice''' if you don't also enable '''Manage Invoices'''.</div> | ||
− | #* '''Configure''' permissions are generally for settings under '''Configuration (<i class="fa fa-wrench" aria-hidden="true"></i>) > System Settings'''. | + | #* '''Configure''' permissions are generally for settings under '''Configuration (<i class="fa fa-wrench" aria-hidden="true"></i>) > System Settings''' or, prior to WHMCS 8.0, '''Setup'''. |
# For '''Reports Access Controls''': | # For '''Reports Access Controls''': | ||
#* Select '''Unrestricted''' to allow access to all reports at '''Reports > [[Reports]]'''. | #* Select '''Unrestricted''' to allow access to all reports at '''Reports > [[Reports]]'''. | ||
#* Select '''Restrict Access''' to only allow access to specific reports. Then, check the desired reports. | #* Select '''Restrict Access''' to only allow access to specific reports. Then, check the desired reports. | ||
# For '''Email Messages''', check the email types that you want admins with that role to receive. | # For '''Email Messages''', check the email types that you want admins with that role to receive. | ||
+ | #* '''System Emails''' includes notifications of the domain sync, daily cron activity, POP/IMAP import errors, failed admin login attempts, and when the WHMCS license is nearing client limits (if they apply). | ||
+ | #* '''Account Emails''' includes notifications of new orders, client profile changes, automatic provisioning of ordered items (with any error messages), and client-initiated offline direct debit payments (when using the '''[[Direct_Debit|Direct Debit]]''' payment gateway). | ||
+ | #* '''Support Emails''' includes notifications of new support tickets, replies to existing tickets, and changes to them. The specific notifications that the system sends will depend on admins' assigned support departments, if they are watching the ticket, or if they are flagged on the ticket. For a list of notifications and who will receive them, see [[Support_Tickets#Notifications|Notifications]]. | ||
# Click '''Save'''. | # Click '''Save'''. | ||
− | You can then assign the administrator role to an admin at '''Configuration (<i class="fa fa-wrench" aria-hidden="true"></i>) > System Settings > Administrator Users'''. | + | You can then assign the administrator role to an admin at '''Configuration (<i class="fa fa-wrench" aria-hidden="true"></i>) > System Settings > [[Administrator Users]]''' or, prior to WHMCS 8.0, '''Setup > Staff Management > Administrator Users'''. |
===Role Permissions=== | ===Role Permissions=== | ||
Line 42: | Line 45: | ||
===Limiting access to a specific installed addon=== | ===Limiting access to a specific installed addon=== | ||
− | This is commonly required for allowing third party developers limited access to the WHMCS admin area in order to debug an issue with an installed addon module. For addon modules, the '''Addon Modules''' permission will need to be enabled and then the '''Access Control''' setting on the applicable addon will need to be edited under '''Configuration (<i class="fa fa-wrench" aria-hidden="true"></i>) > System Settings > Addon Modules''' to give their admin user access to the addon under the Addons menu (if applicable). | + | |
+ | This is commonly required for allowing third party developers limited access to the WHMCS admin area in order to debug an issue with an installed addon module. For addon modules, the '''Addon Modules''' permission will need to be enabled and then the '''Access Control''' setting on the applicable addon will need to be edited under '''Configuration (<i class="fa fa-wrench" aria-hidden="true"></i>) > System Settings > [[Addon Modules]]''' to give their admin user access to the addon under the Addons menu (if applicable). | ||
Depending on how the addon operates, it may be necessary to enable additional permissions as well (at discretion). For example: if an addon adds a "Support PIN" number on the client summary page, enabling the '''View Clients Summary''' permission may be necessary for the developer to be able to access a test client and verify it is working as expected. | Depending on how the addon operates, it may be necessary to enable additional permissions as well (at discretion). For example: if an addon adds a "Support PIN" number on the client summary page, enabling the '''View Clients Summary''' permission may be necessary for the developer to be able to access a test client and verify it is working as expected. | ||
===Debugging provisioning modules=== | ===Debugging provisioning modules=== | ||
+ | |||
For debugging provisioning modules, it may be helpful to enable the '''Configure Servers''', '''View Clients Products/Services''', '''View Module Debug Log''', and '''Perform Module Command Operations''' permissions so that the developer is able to ensure the underlying module is correctly configured, test with a test service and obtain any module log data (if their module supports it). Further permissions, such as the ability to edit services with '''Edit Clients Products/Services''', are generally not recommended and should only be considered on a case-by-case basis. | For debugging provisioning modules, it may be helpful to enable the '''Configure Servers''', '''View Clients Products/Services''', '''View Module Debug Log''', and '''Perform Module Command Operations''' permissions so that the developer is able to ensure the underlying module is correctly configured, test with a test service and obtain any module log data (if their module supports it). Further permissions, such as the ability to edit services with '''Edit Clients Products/Services''', are generally not recommended and should only be considered on a case-by-case basis. | ||
==Managing Two Factor Authentication== | ==Managing Two Factor Authentication== | ||
+ | |||
Two-factor authentication adds an additional layer of security by introducing a second step to the login process. It takes something you know (for example, your password), and adds a second factor, typically something you physically have (such as your phone). Since the system will require both to log in, if an attacker obtains your password, two-factor authentication would stop them from accessing your account. | Two-factor authentication adds an additional layer of security by introducing a second step to the login process. It takes something you know (for example, your password), and adds a second factor, typically something you physically have (such as your phone). Since the system will require both to log in, if an attacker obtains your password, two-factor authentication would stop them from accessing your account. | ||
− | You can apply Two-Factor Authentication to staff, clients, or both. Instructions for configuring Two-Factor Authentication are on the [[Security_Modules#Configuration|Security Modules page]]. | + | You can apply [[Two-Factor Authentication]] to staff, clients, or both. Instructions for configuring Two-Factor Authentication are on the [[Security_Modules#Configuration|Security Modules page]]. |
Latest revision as of 19:48, 17 November 2023
Administrator roles allow you to set the permissions for different types of admins. You can manage roles in the WHMCS Admin Area.
You can access this feature at Configuration () > System Settings > Administrator Roles.
For more information about creating and managing admins, see Administrator Users.
Contents
Administrator Roles
You can set up as many different administrator roles as you want and then assign your admins to them.
WHMCS includes three default roles: Full, Sales, and Support Only.
Create or Update an Administrator Role
To create or update an administrator role:
- Create or edit a new role:
- To create a new role, click Add New Role Group link and enter a name for it.
- To edit a role, click the edit icon for that role. A list of permissions settings will appear.
- For Permissions, check the desired permissions. For all admin roles, you must enable Support Center Overview or Main Homepage. This allows the admin to see the support center overview or admin summary pages after logging in.
- Manage permissions allow you to manage an item.
- View permissions allow you to view an item.
- Create permissions allow you to create a new item.Access Denied
Many Create permissions require the related Manage permission. If you see Access Denied errors, add the Manage permission. For example, errors will occur for Create Invoice if you don't also enable Manage Invoices. - Configure permissions are generally for settings under Configuration () > System Settings or, prior to WHMCS 8.0, Setup.
- For Reports Access Controls:
- Select Unrestricted to allow access to all reports at Reports > Reports.
- Select Restrict Access to only allow access to specific reports. Then, check the desired reports.
- For Email Messages, check the email types that you want admins with that role to receive.
- System Emails includes notifications of the domain sync, daily cron activity, POP/IMAP import errors, failed admin login attempts, and when the WHMCS license is nearing client limits (if they apply).
- Account Emails includes notifications of new orders, client profile changes, automatic provisioning of ordered items (with any error messages), and client-initiated offline direct debit payments (when using the Direct Debit payment gateway).
- Support Emails includes notifications of new support tickets, replies to existing tickets, and changes to them. The specific notifications that the system sends will depend on admins' assigned support departments, if they are watching the ticket, or if they are flagged on the ticket. For a list of notifications and who will receive them, see Notifications.
- Click Save.
You can then assign the administrator role to an admin at Configuration () > System Settings > Administrator Users or, prior to WHMCS 8.0, Setup > Staff Management > Administrator Users.
Role Permissions
The system provides options for Admin Area actions and email receiving preferences for system emails, account emails, and support emails.
For an admin user who works with clients and tickets, grant the Manage and View permissions for tickets, domains, and client products. If they will be processing client orders or creating new services for clients, also grant the applicable Create and Manage permissions.
If an admin will provide remote support and you only want them to view items but not change them, you can grant them the desired View permissions only.
Recommendations and Common Role Configurations
Limiting access to a specific installed addon
This is commonly required for allowing third party developers limited access to the WHMCS admin area in order to debug an issue with an installed addon module. For addon modules, the Addon Modules permission will need to be enabled and then the Access Control setting on the applicable addon will need to be edited under Configuration () > System Settings > Addon Modules to give their admin user access to the addon under the Addons menu (if applicable).
Depending on how the addon operates, it may be necessary to enable additional permissions as well (at discretion). For example: if an addon adds a "Support PIN" number on the client summary page, enabling the View Clients Summary permission may be necessary for the developer to be able to access a test client and verify it is working as expected.
Debugging provisioning modules
For debugging provisioning modules, it may be helpful to enable the Configure Servers, View Clients Products/Services, View Module Debug Log, and Perform Module Command Operations permissions so that the developer is able to ensure the underlying module is correctly configured, test with a test service and obtain any module log data (if their module supports it). Further permissions, such as the ability to edit services with Edit Clients Products/Services, are generally not recommended and should only be considered on a case-by-case basis.
Managing Two Factor Authentication
Two-factor authentication adds an additional layer of security by introducing a second step to the login process. It takes something you know (for example, your password), and adds a second factor, typically something you physically have (such as your phone). Since the system will require both to log in, if an attacker obtains your password, two-factor authentication would stop them from accessing your account.
You can apply Two-Factor Authentication to staff, clients, or both. Instructions for configuring Two-Factor Authentication are on the Security Modules page.