Managing Administrator Roles
Administrator roles enable you to delegate administration while limiting the operations and scope of the administrative tasks available to the sub-Administrator. You manage Administrator roles from the gear icon > Administrator Roles option in the Imprivata Admin Console.
Reviewing Administrator Roles
The Administrator roles page contains information sorted into the following views:

View by role when you want to see an overview of all roles relative to the roles from which they were derived. Each role name is a link to the record for that role. You can click the name to open the record and edit the role.
Subordinate roles are indented beneath the roles from which they were derived. Subordinate roles inherit their operations and scope from their parents; they can never have a greater scope or more operations than their parent.
- Users in This Role — Shows how many users are assigned this Administrator role.
- Managed Users — Shows the number of users in the OUs and domains that make up the scope of this role.
- Managed Sites — The sites at which an Administrator with the role can act.
NOTE: To see which users are assigned to a role, hover your mouse over the role icon.

View by site when you want to see if each site has the intended complement of Administrator roles. Each site name and role name is a link to the record for that site or role. You can click the name to open the record and edit the role.
Administrator roles are organized by site:
- Computers Belonging to Site — Shows how many computers have IP addresses within the range assigned to this site.
- Administrator Roles — The roles that include that site in their scope. A role that includes all sites appears in each site listing.

View by domain to see if each domain and OU has the intended complement of Administrator roles. Administrator roles are clustered by OU within each known domain.
- Domains and OUs — A hierarchical list of the domains and OUs known to Imprivata Enterprise Access Management.
- Administrator Roles — The roles that include that OU or domain in their scope. A role that includes all sites is listed at the domain level.

If a role is assigned to an OU within a domain, then the role name is repeated beside the OU. Imprivata domains have no OUs, so they cannot be expanded. See Creating Imprivata Accounts for Non-Domain Users.
Creating a New Administrator Role
Before creating an Administrator role, be sure you understand inheritance, described in Administrator Roles (Delegated Administration).

- On the Administrator roles page from the gear icon, click Add Role.
- Select a parent Administrator role from which the new role will inherit its operations and scope.
- NOTE: If you change the role on which this role is based, all the operations for this role get updated to those of the base role. For more information, see Administrator Roles (Delegated Administration).
- Example: Administrator Role Inheritance — The role Single Sign-On (SSO) Specialist can perform all SSO operations, but no other operations. If you want to create an SSO Help Desk role with some SSO operations but also with user policy operations, then do not start the SSO Help Desk role from SSO Specialist, because the new role can have only the operations available to the parent role.
- Select the operations that the role can perform.
- NOTES:
  - Administrator roles are typically derived from other Administrator roles, and inherit the operations available to them from the parent.
  - The Synchronize to User Directory operation (on the Users page) is a highly privileged operation. Administrators with this operation can synchronize with user directories (adding and removing Imprivata accounts in the process), change user synchronization settings, and view OUs outside their scope. For this reason it is colored red, and if you create a role that includes that operation, you get a warning before continuing.
- Example: Compliance Officer HQ role based on Compliance Officer role — In this example, the Properties and Tokens operations are disabled; they are unavailable to this role because they are not available to the Compliance Officer parent role. In addition, this role does not have the authority to delete reports or make any changes to the notifications. Even though those activities are available to the parent, the Super Administrator is deselecting them for this role.
- Click Next.
- Define the scope of the role by selecting the users and sites this role can manage.
- NOTE: Administrator roles inherit their scope from the parent.
- Example: Compliance Officer HQ role based on Compliance Officer role, continued — In this example, the Compliance Officer HQ role can act only within the Headquarters site, even though all sites are subject to the Compliance Officer parent role.
- Click Add a user beneath Users in this role.
- Search for the user you want to add to the role, and then click select next to the user's name.
- Example: Compliance Officer HQ role based on Compliance Officer role, continued — In this example, two users are being assigned to the role. The only limit to the number of Administrators in a role is the number of users in your user directories.
- NOTE: You cannot assign the Super Administrator role to any users from this page. The Super Administrator role can only be assigned to a user from the user’s User Details page.
To edit an existing role, see Editing an Existing Administrator Role.
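The inheritance rule from the steps above, as an added sketch that is not Imprivata code and does not use any Imprivata API: it models roles as plain data and reports any role whose operations or sites exceed its parent's, or that holds the Synchronize to User Directory operation. The `Role` class, the `audit` and `rebase` helpers, the dotted operation names, the "Clinic-East" site, and the choice of Super Administrator as the top-level parent are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Operation the page singles out as highly privileged (colored red in the console).
HIGH_PRIVILEGE_OPS = {"Synchronize to User Directory"}

@dataclass
class Role:  # hypothetical model of a role record
    name: str
    operations: set
    sites: set
    parent: Optional["Role"] = None

def audit(role):
    """Return findings where a role exceeds its parent or holds a flagged operation."""
    findings = []
    if role.parent is not None:
        for op in sorted(role.operations - role.parent.operations):
            findings.append(f"{role.name}: operation '{op}' not available to parent {role.parent.name}")
        for site in sorted(role.sites - role.parent.sites):
            findings.append(f"{role.name}: site '{site}' outside scope of parent {role.parent.name}")
    for op in sorted(role.operations & HIGH_PRIVILEGE_OPS):
        findings.append(f"{role.name}: holds highly privileged operation '{op}'")
    return findings

def rebase(role, new_parent):
    """Changing the base role resets the operations to those of the new base role."""
    role.parent = new_parent
    role.operations = set(new_parent.operations)

# Constructed sample data: names other than "Headquarters" and
# "Synchronize to User Directory" are placeholders, not product identifiers.
ALL_SITES = {"Headquarters", "Clinic-East"}
super_admin = Role("Super Administrator",
                   {"sso.edit", "sso.view", "user_policy.edit", "reports.view",
                    "reports.delete", "notifications.edit",
                    "Synchronize to User Directory"}, ALL_SITES)
sso_specialist = Role("SSO Specialist", {"sso.edit", "sso.view"}, ALL_SITES, super_admin)
compliance = Role("Compliance Officer",
                  {"reports.view", "reports.delete", "notifications.edit"}, ALL_SITES, super_admin)
compliance_hq = Role("Compliance Officer HQ", {"reports.view"}, {"Headquarters"}, compliance)
# The mistake the page warns about: SSO Help Desk started from SSO Specialist.
sso_help_desk = Role("SSO Help Desk", {"sso.view", "user_policy.edit"}, ALL_SITES, sso_specialist)

if __name__ == "__main__":
    for r in (super_admin, sso_specialist, compliance, compliance_hq, sso_help_desk):
        for finding in audit(r):
            print(finding)
```

Rebasing SSO Help Desk onto a broader parent clears the violation but also copies every operation of that parent, so the role's operations need to be trimmed again afterwards.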
Editing an Existing Administrator Role
A Super Administrator can edit any Administrator role throughout the enterprise; other Administrators are limited by their scope and operations.

- On the Administrator roles page from the gear icon, open the Administrator Role that you want to modify.
- Edit the operations available to this role by selecting and deselecting the options as needed. The options for some activities are grayed out if the role is based upon another role that does not include those activities. Click Next.
- Redefine the scope of operations as needed and click Save.
Deleting an Administrator Role

- Open the role.
- Click the trash can icon in the upper right corner (this is only displayed for saved roles; newly created roles that are not yet saved do not show the trash can icon).