Access Management is your go-to tool for controlling what users can do in our app. It's a key feature that lets you give your team members the exact permissions they need to do their jobs.
With Access Management, you can:
- Improve security: Ensure only authorized users can access sensitive data and features.
- Streamline workflows: Give team members the access they need without any unnecessary hurdles.
- Maintain data integrity: Protect your data from accidental changes or unauthorized access.
Managing access is flexible and easy to scale. It works independently from external directories, so you have complete control over who can access what, no matter how your team is structured.
What is Access Management?
Access Management is our internal system for managing user permissions within Gopher for Chrome Premium. Unlike previous methods that might have relied on your external directory roles (such as a Google Super Admin), our system lets you create custom roles and user groups to define exactly what each person can and can't do.
This design makes it easy to adjust permissions as your team grows or changes, without needing to update external systems. Plus, it creates a complete audit trail so that you can track every action taken under delegated authority.
Key Components of Access Management:
Roles (What)
- Purpose: Roles define specific permissions that dictate what a user can do.
- Configuration: You can create custom roles tailored to your organization. Each role includes a detailed list of permitted actions across different application modules.
- Use Case: A Tier 1 Support role might grant permission to view device information and perform basic troubleshooting, while a System Administrator role would have broader configuration capabilities.
User Collections (Who)
- Purpose: User Collections are flexible groupings of users. Unlike rigid organizational units, they let you group people by functional team, department, job title (e.g., Librarians, Faculty), or any other logical grouping that simplifies permission assignment.
- Configuration: You populate these collections by selecting specific users from your directory.
- Use Case: If a user’s job changes, you simply move them to a different collection, and their permissions update automatically through the associated designation.
OU Collections (Where)
- Purpose: OU Collections define the scope or boundaries of an action. They are administrative groupings of Organizational Units (OUs) from your connected directory.
- Configuration: You populate an OU Collection by selecting one or more OUs from your directory tree. Any device within these OUs falls under this administrative scope.
- Use Case: This is critical for large-scale management. For example, you could create an Elementary Schools OU Collection. When linked to a role, the user's authority is limited strictly to the devices or accounts within those specific elementary school OUs.
Designations:
- Purpose: Designations are the connectors. They link a User Collection (the people) to a Role (the actions) and an OU Collection (the scope).
- Configuration: You create a designation by selecting one of each component to complete the permission logic: Who + What + Where.
- Use Case: By designating the Librarians (User Collection) as the Tier 1 Support (Role) for the Elementary Schools (OU Collection), librarians can perform troubleshooting actions only on devices located within the elementary school OUs.
How Your Actions Are Handled Securely
When you use Gopher for Chrome Premium, a secure service account performs actions in the background. Think of this service account as a trusted assistant with the technical permissions to get things done.
However, what you can actually do is always determined by your assigned roles and scopes. The system ensures that:
- Actions are properly controlled: You can only perform tasks you're authorized to do.
- Accountability is maintained: The system tracks who initiated each action, creating a robust audit log for every operation.
Getting Started
- Navigate to the Administration section in the left-hand navigation menu.
- Select Access Management.
- Creating Access Points:
- Establish Designations to link your User Collections and OU Collections to Roles.
By leveraging Access Management, you can safely empower your team without the security risk of granting access to the Google Admin console. This fosters a well-governed environment where you can assign granular permissions for specific tasks, like wiping profiles or moving OUs, without exposing your entire domain’s sensitive settings.