Account managers are users in a virtual service provider account who create and manage child accounts. Account managers can manage only child accounts, and cannot access their own account information. They can manage their own virtual server if they also have an operator role.

An account manager can also have an external operator role in the child account. However, they cannot have the full internal operator role for child virtual servers, because both account managers and operators are identified by their email address.

Account managers can access the account management tabs and features, such as account details, services, token allocations, and so on.

You can also view account manager reports.

Add an account manager

When you add an account manager, you promote an existing user to account manager status. To be eligible for promotion to account manager, the user must meet the following requirements:

• They must belong to a virtual service provider account.

• They must have an active authentication method.

If the user you want to promote is not listed, assign or provision the user with a token, and then return to this step.

To be able to add account managers, you need the following:

• an account manager role that includes edit permission for the Accounts Manager Management module

• access to the account management group that includes the tenant account that the users you want to promote belong to

When you add account managers, you select their account manager role, scope or account management group, and access restrictions.

1. On the STA Token Management console, select Administration > Account Manager Maintenance.

   

2. Click Add to display a list of users who are eligible to be promoted to account manager.

   

3. Select one or more users to promote to account manager, and then select Next.

   The same role, scope, and access restrictions are applied to all the users that you select.

4. Select the Role for the new account managers, and then select Next.

   

5. Select the account management Groups that the new account managers can access, and then select Next.

   

6. Restrict access to the account management features on the STA Token Management console, as required.

   These restrictions apply to only the account management features. These restrictions do not affect any other login by the user, such as a login against any configured auth node.

   

   • Enable Restrictions: Select this option to apply the specified access restrictions. If you don't select this option, the settings are ignored.

   • Start date: Access is denied before this date.

   • End date: Access is denied after this date.

   • Start time: Access is denied before this time.

   • End time: Access is denied after this time.

   • On the following days: Access is allowed on only the selected days.

7. Select Finish.

Change the role, scope, or access restrictions

You can change the role, scope, or access restrictions for an account manager.

1. On the STA Token Management console, select Administration > Account Manager Maintenance.

2. In the row for the account manager that you want to update, select Edit.

3. Update the role, scope, or access restrictions as needed, and then select Finish.

Suspend an account manager

When you suspend an account manager, they no longer have account manager access. They remain on the list of account managers, and you can reactivate them later.

1. On the STA Token Management console, select Administration > Account Manager Maintenance.

2. In the row for the account manager, in the State column, select Active.

   

3. Select the Suspend option and then select Apply.

Remove an account manager

When you remove an account manager, they are removed from the list of account managers. The user is not deleted, but they no longer have account manager access.

1. On the STA Token Management console, select Administration > Account Manager Maintenance.

2. In the row for the account manager that you want to remove, select Remove.

   

3. Under Remove Account Manager, select Remove.`

Add account managers automatically

Use account role provisioning rules to automatically add an account manager and grant access to the STA consoles based on group membership. Conversely, an account manager can be automatically removed based on group membership.

1. On the STA Token Management console, select Administration > Account Role Provisioning Rules.

   

2. Select New Rule.

   

3. Complete the following fields:

   • Rule name: Enter a unique name to identify the rule.

   • Auto Revoke: If selected, the account manager that this rule creates is automatically removed if the group membership condition is no longer valid.

   • Account Manager Role: Select the role to assign to the account manager. The list includes all configured roles.

   • Scope: Select the groups that the new account managers can manage. Use the arrows to move highlighted groups between the lists:

     • Account Management Groups lists all configured account management groups.

     • Applied by Rule lists the groups that the account manager has access to.

   • Groups Filter: Filter the number of groups in the Virtual Server groups list.

   • Groups: Use the arrow keys to move highlighted groups between the lists:

     • Virtual Server groups: Lists all groups in the virtual server.

     • Used by rule: Users who are members of one or more of the groups in the list will be promoted to account manager.

4. Select Add.