Recommended account manager role settings
The roles that you need to create depend on your business requirements. However, there are a number of roles that are commonly required:
- Account manager role: This role is preconfigured by default and cannot be modified. It is a service provider role that grants access to all STA console functionality and all account management groups. Account managers are automatically assigned to this role if no other roles are created. In general, only a few trusted account managers should have the default role.
- On-boarding role: Most service providers separate the business functions of creating and provisioning accounts from the day-to-day help-desk type of support functions provided to accounts. These functions typically include creating or updating accounts, adding or modifying services, and allocating inventory (tokens and capacity). If your subscriber accounts manage their own service, this role may also be responsible for creating operators. When you add an account manager with this role, you can select an account management group to restrict their management scope to specific groups of subscribers.
- Help desk role: This role is generally performed by technical support personnel who must have access to a subscriber’s virtual server, from which they can perform functions such as issuing or revoking tokens, adding users, and resolving authentication issues. Essentially, the aim of this role is to allow access to a range of subscriber virtual servers based on scope, but to disallow access to most other functionality available in the Dashboard, On-Boarding, and Administration tabs, such as the ability to add, modify, or remove account managers. You can combine this role with group management to restrict various members of the help desk role to managing specific groups of subscribers.
  Note that the management functionality available in a subscriber’s virtual server is controlled by the role and scope configured for external operators. This means that although the help desk role may have access to a subscriber’s virtual server, the functions they can perform may vary, depending on the role or scope configured for the external operator in each subscriber’s virtual server.
- Audit and reporting role: This role is essentially read-only, allowing access to view information displayed in the Dashboard and On-Boarding tabs, and certain functions on the Administration tab, including generating and running usage, audit, inventory, and billing reports. Depending upon your business requirements, you can limit this role to running a specific set of reports or allow it to create a range of reports. This role is generally not allowed to access any subscriber virtual servers.
- Sales representative role: This role provides sales representatives with access to the STA consoles for the purposes of demonstration and creating evaluation accounts, while denying access to production accounts. When you create an account manager with this role, you can select account management groups to restrict the management scope of this role to specific groups of evaluation accounts. Note that sales managers who are members of this role and who have access to a range of management groups have the ability to view and monitor the activity of all members of this role.
Account manager role
The default account manager role provides unrestricted access to all service provider tabs, modules within tabs, and actions within modules, and allows access to all management groups. Access to the virtual servers tab means that this role is able to access the virtual servers for every subscriber account.
On-boarding role
This role is responsible for and allows access to the following functions:
- Dashboard tab: View, acknowledge, close, and remove alerts.
- On-Boarding tab: Add, modify, suspend, and remove subscriber accounts.
- Virtual Servers tab: Access to this tab is denied.
- Administration tab: Access is limited to running and viewing preconfigured reports. Access to all other modules on this tab is denied.
- Enabling, disabling, or modifying the subscriber's service, including start or stop dates and number of allowed auth nodes.
- Allocating and deallocating inventory, including tokens, capacity, and SMS credits.
- Adding, modifying, and deleting subscriber accounts.
- Adding, modifying, and deleting auth nodes.
- Adding, modifying, and deleting additional contacts.
- Adding, modifying, and deleting delegation codes.
On-boarding role example
Example of on-boarding role settings
- Clearing the Virtual Servers option hides this tab and denies access to all virtual servers.
- In the Administration tab section, clearing the access options as shown hides and denies access to the Roles Management, Groups Management, Accounts Manager Management, Available Reports, Role Alert Management, External Alerts Recipients, Alert Event Thresholds, Customize References, Account Role Provisioning Rules, and Auto Remove modules and functions.
- Service providers that manage all aspects of their clients' services and virtual servers may opt to remove access to the Create Operator, Auth Nodes, and Delegation Nodes functions.
- The Create Operator function is relevant only when the subscriber manages their own virtual server.
- The Auth Nodes module is used to enable or disable RADIUS clients, such as subscriber VPNs. Often, this functionality is not part of business functions and is offloaded to the help desk or the subscriber. Auth node configuration is available within each subscriber’s virtual server, and the help desk or the subscriber can manage this functionality without having access to the on-boarding module.
- Delegation codes are used to add third-party subscriber accounts, such as those created by an intermediary service provider (for example, a grandchild account), to the Virtual Servers tab.
Help desk role
This role is responsible for providing technical assistance to subscribers, and typically involves functions such as sorting authentication issues, configuring auth nodes, creating auto-provisioning and pre-authentication rules, configuring custom reports, and possibly managing users and issuing tokens.
All of the above functions are conducted from within the subscriber’s virtual server via the Virtual Servers tab. The actual functionality available to this role is determined by the role associated with the external operator account in each subscriber’s virtual server.
In general, the help desk tasks are separate from on-boarding tasks and administrative functions, and therefore access to the On-Boarding tab and the Administration tab is typically restricted.
Example of help desk role settings
- Clearing the Edit, Delete, and Add options for all modules on the On-Boarding tab allows the help desk to view customer information such as service start or stop, number of Auth Nodes, and all other selected modules but denies the ability to modify any settings.
- Clearing the Create Account option prevents the help desk role from adding subscriber accounts.
- Clearing the various Administration options restricts this role to running and viewing reports to which they are entitled.
- Access to the Auth Nodes and Create Operator modules is not required. Similar functionality can be accessed via the subscriber’s virtual server.
Help desk role example
Audit role
This role provides view-only access to all tabs and modules, and allows members to run and view reports. Because customized reports can be restricted to intended recipients, it is not normally necessary to divide this role into separate audit and reporting roles.
Using intended recipients, members of the same role may be denied access to reports that do not coincide with their function, such as billing reports and the audit function.
Example of the audit role page and applicable settings
- Clearing all Edit, Delete, and Add options restricts this role to view-only access.
- Clearing the Virtual Servers tab option prevents access to subscriber virtual servers.
- Enabling the View Log options allows this role to view detail related to up to the last five configuration changes applied in each module without running reports.
- This role is able to run and view reports to which they are entitled.
Audit and reporting role example
Sales representative role
The purpose of this role is to provide sales representatives with the ability to demonstrate the functionality of the STA consoles and to on-board accounts that want to evaluate the service. The important aspect of this role is to combine it with management groups, generally by restricting each member of the role to a specific group. By doing so, all subscriber evaluation accounts created by a member are automatically created in the specific group, effectively hiding them from any other role or member that does not have the management group in their scope.
Typically, upon converting an evaluation account to production, it is moved from the representative's management group to a production group, denying the sales representative any further access to the account. Likewise, a sales manager with all evaluation management groups in their scope will be able to monitor the activity of each sales representative and each subscriber evaluation account.
Note that alerts can be used to automatically advise members of various roles of events, such as adding or modifying a subscriber account, changes to services, and upcoming events, such as an evaluation period expiration or service period expiration.
Example of sales representative role settings
- Only the Administration tab, and therefore all modules and functions in it, is denied.
- It is critical that scope be applied when elevating a person to the sales representative role, limiting each individual to a reduced number of management groups. In particular, they should always be denied access to the default management group and any production management groups.
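The scope rule above, together with the tab restrictions recommended for each role on this page, can be checked against an inventory of account managers. The following is an added example, not part of the STA product or its documentation; the record layout, role labels, group names, and function names are all hypothetical.

```python
# Added example: the record layout, group names, and role labels are
# hypothetical; this is not an STA export format or API.
WRITE_ACTIONS = {"Add", "Edit", "Delete"}

# role -> (tabs that must be hidden, tabs that must be view-only),
# following the recommended settings described on this page.
POLICY = {
    "on-boarding": ({"Virtual Servers"}, set()),
    "help desk": (set(), {"On-Boarding"}),
    "audit": ({"Virtual Servers"},
              {"Dashboard", "On-Boarding", "Administration"}),
    "sales": ({"Administration"}, set()),
}

def audit_manager(mgr, production_groups, default_group="Default"):
    """Return findings where one account manager exceeds the recommendations."""
    role, tabs, groups = mgr["role"], mgr["tabs"], mgr["groups"]
    if role == "account manager":
        return ["holds the unrestricted default role; confirm this is intended"]
    if role not in POLICY:
        return [f"role '{role}' has no recommended baseline to compare against"]
    hidden, view_only = POLICY[role]
    findings = [f"{tab} tab should be hidden" for tab in sorted(hidden & set(tabs))]
    for tab in sorted(view_only & set(tabs)):
        extra = sorted(tabs[tab] & WRITE_ACTIONS)
        if extra:
            findings.append(f"{tab} tab should be view-only, has {', '.join(extra)}")
    if role == "sales":  # scope rule: no default group, no production groups
        if default_group in groups:
            findings.append("scope includes the default management group")
        for group in sorted(groups & production_groups):
            findings.append(f"scope includes production group {group}")
    return findings

def audit_all(managers, production_groups):
    """Map each manager name to its list of findings."""
    return {m["name"]: audit_manager(m, production_groups) for m in managers}

# Constructed sample inventory.
MANAGERS = [
    {"name": "alice", "role": "sales", "groups": {"Eval-East"},
     "tabs": {"Dashboard": {"View"}, "On-Boarding": {"View", "Add"}}},
    {"name": "bob", "role": "sales", "groups": {"Eval-West", "Default", "Prod-A"},
     "tabs": {"Dashboard": {"View"}, "Administration": {"View"}}},
    {"name": "carol", "role": "help desk", "groups": {"Prod-A"},
     "tabs": {"On-Boarding": {"View", "Edit"}, "Virtual Servers": {"View"}}},
    {"name": "dave", "role": "audit", "groups": {"Prod-A"},
     "tabs": {"Dashboard": {"View"}, "Virtual Servers": {"View"}}},
]
```

Calling `audit_all(MANAGERS, {"Prod-A"})` returns an empty list for a correctly scoped sales representative and one finding per deviation for the other records.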