Account Managers

Account Managers are users in a Virtual Service Provider account who create and manage child accounts. Account Managers can manage only child accounts, and cannot access their own account information. They can manage their own Virtual Server if they also have an Operator role.

An Account Manager can also have an External Operator role in the child account. However, they cannot have the full Internal Operator role for child Virtual Servers, because both Account Managers and operators are identified by their email address.

Account Managers can access the account management tabs and features, such as account details, services, token allocations, and so on. They can also view Account Manager reports.

Account Managers' tasks, such as viewing user details and adding, editing, and removing accounts can be performed through Account Manager Maintenance module.

Account Manager options include:

• User ID - Display the user’s detail.
• State - Suspend or activate an Account Manager to deny or allow login to the management UI.
• Edit - Change the role, scope, and access restrictions for the corresponding Account Manager.
• Remove - Remove the user as an Account Manager.

Add an Account Manager

To add an Account Manager:

1. On the SAS console, select Administration > Account Manager Maintenance.

   

2. Click Add to display a list of users eligible for promotion to Account Manager status.

   Only users that have an active authentication method in the Service Provider’s Virtual Server are eligible for promotion to Account Manager. If the user you wish to promote is not displayed in the list, go to the Virtual Server and assign or provision the user with a token, and then return to this step.

   

3. Select one or more users to promote to Account Manager, and then select Next. Keep in mind that the same Role, Scope, and Access Restrictions are applied to all selected users.

4. Select the Role role to be applied, and then select Next.

   

5. Set the Account Manager’s scope by selecting the management groups to which they will have access, and then select Next.

   

6. Set the desired time and day access restrictions where:

   • Enable Restrictions: If checked, restrictions are enabled. If cleared, no time/day/date range restrictions are applied.

   • Start date: Management UI logon is denied before this date.

   • End date: Management UI logon is denied after this date.

   • Start time: Management UI logon is denied before this time.

   • End time: Management UI logon is denied after this time.

   • On the following days: Management UI logon is permitted on checked days only.

     

     Account Manager Restrictions apply only to Account Manager management UI logins. It does not affect any other login by the user (for example, VPN).

7. Select Finish.

Change the role, scope, or access restrictions

You can change the role, scope, or access restrictions for an account manager.

1. On the SAS console, select Administration > Account Manager Maintenance.

2. Click Edit corresponding to the Account Manager you want to update.

3. Update the role, scope, or access restrictions as needed, and then click Finish.

Suspend an Account Manager

When you suspend an Account Manager, they no longer have Account Manager access. They remain on the list of Account Managers, and you can reactivate them later.

1. On the SAS console, select Administration > Account Manager Maintenance.

2. In the row for the Account Manager, in the State column, select Active.

   

3. Select the Suspend option and then select Apply.

Remove an Account Manager

When you remove an Account Manager, they are removed from the list of Account Managers. The user is not deleted, but they no longer have Account Manager access.

1. On the SAS console, select Administration > Account Manager Maintenance.

2. Click Remove corresponding to the Account Manager you want to remove.

   

3. Under Remove Account Manager, select Remove.

Provision Account Manager roles automatically

Use account role provisioning rules to automatically add an Account Manager and grant access to the SAS console based on attributes, such as Active Directory group membership. Conversely, an Account Manager can be automatically removed if the rule that promoted the user to Account Manager evaluates false.

1. On the SAS console, select Administration > Account Role Provisioning Rules.

   

2. Select New Rule.

   

3. Complete the following fields:

   • Rule name: Enter a unique name to identify the rule.

   • Auto Revoke: If selected, the Account Manager created by this rule will be automatically removed if the group membership conditions are no longer valid.

   • Account Manager Role: Select the role to assign to the Account Manager. The list includes all configured roles.

   • Scope: Select the groups that the new Account Managers can manage. Use the arrows to move highlighted groups between the lists:

     • Account Management Groups lists all configured account management groups.

     • Applied by Rule lists the groups that the Account Manager has access to.

   • Groups Filter: Filter the number of groups in the Virtual Server groups list.

   • Groups: Use the arrow keys to move highlighted groups between the lists:

     • Virtual Server groups: Lists all groups in the virtual server.

     • Used by rule: Users who are members of one or more of the groups in the list will be promoted to Account Manager.

4. Select Add.