Using Groups to Set Control Administrator Roles

  • Published on Jul 16, 2024
  • 2 minute(s) read
  • d

Overview

You can assign Control Administrator roles based on users’ AD group membership. One group may be assigned the Control Helpdesk Administrator role, another the Full Administrator role, and so on.

Highlights

  • Runs on AD-enabled deployments using Workspot Enterprise Connector. 

  • This is a selective feature: contact Workspot to have it enabled.

  • All three recommended Control Administrator roles are supported: (Full) Administrator, Support Administrator, and Helpdesk Administrator.

  • The two deprecated roles are also supported (but not recommended): Infosec Administrator and Performance Administrator.

  • When enabled, only the Full Administrator Group is mandatory; the others are optional.

Configuration

This feature is controlled by the new “User Management > Account Synchronization” section of “Setup > Configuration” in Control. To use, fill in the section as follows:

Sync Admin Users

This acts as a global enable/disable toggle for the group admin role feature. If set to “No,” no other fields can be edited. If set to “Yes,” 

Note: If you disable synchronization after enabling it, the users’ administrative roles are frozen, not deleted.

Control polls the specified groups on the AD Domain Controller via Enterprise Connector at the specified Sync Interval.

Admins with existing Control accounts: Existing administrators whose group memberships have changed have their Control Admin privileges set to the highest-level Control Admin group they still belong to, or to “end-user” if they belong to none of these groups. If their accounts have been deleted or disabled on AD, their accounts are deleted from Control.

Admins without Control accounts: Control creates accounts for newly discovered members of the Admin Groups and sends email invitations to them, informing them of this.

Sync Interval (Hours)

Control polls for changes in the AD Admin Groups every 1, 2, 3, 6, 12, or 25 hours, as set by the Sync Interval.

The “Sync Now” button lets you request an immediate sync.

Groups

Only the Administrator Group is mandatory. The others (Infosec Administrator, Performance Administrator, Support Administrator, and Helpdesk Administrator) are optional. 

Note: Once a Group is enabled for an Admin Role, you can select a different Group but you cannot revert to having no Group.

Note: The same Group cannot be selected for two different roles.

To set one of these groups:

  1. Click the “Search” button next to the Admin Category to open the “Select an AD Group” popup.

  2. In “-- Select Private Cloud --” choose the Private Cloud that contains your Enterprise Connector.

  3. Choose the appropriate email domain for your Admin users under “-- Select Domain --”.

  4. Enter an optional search string to filter the group names that will be returned.

  5. Press “Search.”

  6. Press “Select” on the desired group.

  7. Press “Save” to enable using Groups for Control Administrator Roles.