Administrators and Permissions

From WHMCS Documentation

Revision as of 20:07, 28 April 2021 by Lawrence (Limiting access to a specific installed addon)

The Staff Management menu contains three sections: Administrator Users, Administrator Roles, and Two Factor Authentication. These allow for control over access to the WHMCS admin area. You can create new staff members on the Administrator Users page, set their permissions on the Administrator Roles page, and enhance login security by configuring Two Factor Authentication.

Managing Administrators

To set up additional admins, go to Configuration > Manage Admins > Administrator Users. From here, you can view and edit existing operators as well as add new ones. When editing an operator, you can change all of the operator's details, including resetting their password. You can also see any notes they have made for themselves.

Admin usernames should use the following format:

  • Begin with a letter [A–Z, a–z]
  • Alphanumeric characters only.
  • No blank spaces.

Assigning to Support Departments

To assign an admin to a support department, perform the following steps:

  1. Go to Configuration > Manage Admins > Administrator Users.
  2. Click the edit icon next to the administrator you would like to assign to a department.
  3. About halfway down the page, you will see a list of all the support departments in the system. Check the boxes next to the ones you want this admin account to be a member of.
  4. Click Save Changes.

After you assign an admin account to a department, the user will be able to view and respond to tickets in that department.

Please note that if the admin is assigned to a role that has "Access All Tickets Directly" enabled, they will be able to access tickets that are not in their assigned department(s) if they have a direct link.

Managing Administrator Roles

The administrator roles allow you to fine-tune exactly what each of your admin users can do within your WHMCS administration area. You can set up as many different role groups as you want and then assign your admins to them as you need to. WHMCS comes with three default roles: Full, Sales, and Support Only.

Information on Role Group Permissions

One of the most important features of the admin area is being able to control what particular admins are able to access and manage. For example, you may want to give support operators less access to make changes than the business owner. WHMCS uses administrator roles to implement this. You can set up administrator roles under Configuration > Manage Admins > Administrator Roles.

For these settings:

  1. Those whose names start with Manage allow you to manage an item.
  2. Those whose names start with View allow you to view an item.
  3. Those whose names start with Create allow you to create a new item of the mentioned type.
  4. Those whose names start with Configure are generally for settings under the Setup menu. Disable them unless you want admins in that role to be able to change the mentioned sections.

Many of the Create permissions require the related Manage permission, so if you get Access Denied errors when you have the Create permission set, add the Manage permission and it should resolve this. For example, errors will occur for Create Invoice if you don't also enable Manage Invoices.

For all of your admin roles, you should enable, at least, Support Center Overview or Main Homepage. This allows the admin to see the support center overview or admin summary pages after logging in.

For an admin user that will be working with clients and tickets, you will likely want to give them any Manage or View permissions for tickets, domains, and client products. If they will be processing client orders or creating new services for clients, give the applicable Create and Manage permissions as well.

Alternatively, if you are having someone provide remote support and you only want them to be able to view items, but make no changes, you can give them the desired view permissions only.

Ultimately, you can configure the permissions to be as open or restricted as you need, based on your requirements.

Setting Role Group Permissions

To set role group permissions:

  1. Navigate to Configuration > System Settings > Staff Management > Administrator Roles.
  2. If you want to set up a new role group, click the Add New Role Group link and enter a name for it. To edit the permissions on an existing group, click the edit icon next to it. A complete list of the permissions settings for the group you're creating will appear.
  3. Configure the displayed options. The system provides options for each admin area page and individual controls like whether the admins can edit values. You can also set the email receiving preferences: system emails, account emails, and support emails.
  4. Click Save.

Assign an Admin to a Role

To assign an admin to a role:

  1. Navigate to Configuration > System Settings > Staff Management > Administrator Users.
  2. Click the edit icon next to the admin you want to change.
  3. In the Role Group menu, choose the role you want to assign the admin to.
  4. Click Save. The change will take effect immediately.

Common Role Configurations

Limiting access to a specific installed addon

This is commonly required for allowing third-party developers limited access to the WHMCS admin area in order to debug an issue with an installed addon module. For addon modules, the Addon Modules permission will need to be enabled, and then the Access Control setting on the applicable addon will need to be edited under Configuration > System Settings > Addon Modules to give their admin user access to the addon under the Addons menu (if applicable).

Depending on how the addon operates, it may be necessary to enable additional permissions as well (at your discretion). For example, if an addon adds a "Support PIN" number on the client summary page, enabling the View Clients Summary permission may be necessary for the developer to be able to access a test client and verify it is working as expected.

Debugging provisioning modules

For debugging provisioning modules, it may be helpful to enable the "Configure Servers", "View Clients Products/Services", "View Module Debug Log", and "Perform Module Command Operations" permissions so that the developer is able to ensure the underlying module is correctly configured, test with a test service and obtain any module log data (if their module supports it). Further permissions, such as the ability to edit services with "Edit Clients Products/Services", are generally not recommended and should only be considered on a case-by-case basis.
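
The role guidance above (Create needs its Manage counterpart, every role needs a landing page, "Access All Tickets Directly" reaches past department assignment, and third-party debug roles stay within the listed permissions) can be checked mechanically before a role is handed out. The following is an added example, not part of the WHMCS documentation or code: the role names and the permission-list input format are constructed, and the Create/Manage name matching is an assumption based on the single pair named on this page.

```python
# Added example: constructed role data; permission names are those quoted on this page.
LANDING = {"Support Center Overview", "Main Homepage"}
DEBUG_BASELINE = {  # permissions the page lists for debugging provisioning modules
    "Configure Servers", "View Clients Products/Services",
    "View Module Debug Log", "Perform Module Command Operations",
}
WRITE_PREFIXES = ("Manage ", "Create ", "Configure ", "Edit ")

def has_manage_counterpart(create_perm, granted):
    # Assumption: the paired name differs only by prefix and an optional plural "s",
    # as in the page's "Create Invoice" / "Manage Invoices" pair.
    item = create_perm[len("Create "):]
    return bool({f"Manage {item}", f"Manage {item}s"} & granted)

def audit_role(perms, third_party=False):
    """Return (finding_code, permission) tuples for one role's permission list."""
    granted = set(perms)
    findings = []
    if not granted & LANDING:
        findings.append(("NO_LANDING", None))  # no page to land on after login
    for perm in sorted(granted):
        if perm.startswith("Create ") and not has_manage_counterpart(perm, granted):
            findings.append(("CREATE_WITHOUT_MANAGE", perm))  # causes Access Denied
    if "Access All Tickets Directly" in granted:
        # direct links reach tickets outside the admin's assigned departments
        findings.append(("TICKETS_OUTSIDE_DEPARTMENT", "Access All Tickets Directly"))
    if third_party:
        # anything write-capable beyond the debugging baseline needs a decision
        for perm in sorted(granted - DEBUG_BASELINE):
            if perm.startswith(WRITE_PREFIXES):
                findings.append(("REVIEW_CASE_BY_CASE", perm))
    return findings

ROLES = {  # constructed sample roles: name -> (permissions, is_third_party)
    "Billing Clerk": (["Main Homepage", "Create Invoice"], False),
    "Helpdesk": (["Support Center Overview", "Access All Tickets Directly"], False),
    "Module Developer": (sorted(DEBUG_BASELINE) + ["Edit Clients Products/Services"], True),
}

if __name__ == "__main__":
    for name, (perms, third_party) in ROLES.items():
        for code, perm in audit_role(perms, third_party):
            print(f"{name}: {code} {perm or ''}")
```

An empty result means the role matches the guidance on this page; it says nothing about permissions the page does not name.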

Managing Two Factor Authentication

Two-factor authentication adds an additional layer of security by introducing a second step to the login process. It takes something you know (for example, your password), and adds a second factor, typically something you physically have (such as your phone). Since the system will require both to log in, if an attacker obtains your password, two-factor authentication would stop them from accessing your account.

You can apply Two-Factor Authentication to staff, clients, or both. Instructions for configuring Two-Factor Authentication are on the Security Modules page.