Co-Author : Rama Grandhi
Overview:
IBM Security MaaS360 with Watson offers the capability for multiple administrators to manage devices and users across an organization/account. However, there will be use cases where some administrators should manage only a subset of users or devices.
Let's take a real-world use case where an organization is spread across two geographies, the APAC and Europe regions. Each region's business unit will have a local administrative team to help deploy and manage their devices. An administrator from one of these business units should not be able to view or manage the devices of the other business unit. There might be documents that need to be made available to only one of these business units. Similarly, there will be some settings (i.e. stricter rules) that need to be enforced on users of only one business unit. Departmentalization is a feature offered by MaaS360 that allows customers to help with all the above requirements. It essentially limits the scope of an administrators' access within the portal and also limits the scope of some of the entities (policies/apps/rules).
A customer who enables this feature will have two different types of administrators.
- Global Administrator - An admin who has access to all users, devices, and entities.
- Business Unit Administrator (BU Admin) - An admin with a limited scope (as discussed above).
This feature's bedrock is a user group. When a customer enables this feature, the global administrator will need to create user groups and mark them for "Admin Access Control". The administrator can either use local user groups or leverage the already imported groups from their AD/LDAP. Once imported or created, these "Admin Access Control" enabled user groups can be assigned to the respective Business Unit Administrators. These Business Unit administrators will now be able to view only those users (and their devices) who belong to this user group. For the use case discussed here, the global administrator will need to create two user groups, "Europe" and "APAC", and add the users to those respective user groups.
When an admin navigates to the "App Catalog" to add a new application, they will be able to see an additional option, "Available for". This dropdown will contain the list of all user groups with "Admin Access Control" enabled. If we select the relevant user group, administrators will not be able to distribute this app to other user groups. Even if they distribute it to a device group, the app will reach only those users who belong to the same user group, with which this app is tied. There are similar workflows in the "Doc Content Library" and "Rules" workflows.
There will be administrators who can manage multiple user groups. However, the administrator might want to manage a single user group at a time i.e. view users only belonging to one user group or view apps only available to one user group. We have a button at the top right-hand side corner of the screen to help with these requirements. Over here, the administrator can toggle between the different user groups they manage. This selection will ensure that the portal shows only the relevant users or devices or applications or documents on any screens they visit post the selection.
The below screenshots give a detailed step-by-step guide to enable and use the feature.
Step 1 - Enable the feature.
Navigate to Setup -> Administrators -> Access Control Settings
Step 2 - Create the relevant user groups
Navigate to Users -> Groups -> Create/Edit group -> checkbox for "Admin Access Control"
Step 3 - Assign groups to an admin
- Navigate to Setup -> Administrators
- Click on "Add Administrator" or "Edit" under an existing administrator.
- Provide the basic details like the username and the email address. Click on "Continue".
- Check the box against "Limit portal administrator access to specified Managed User Groups".
- The section against "Managed User Groups" will show all available user groups which have "Admin access control" enabled. Select the relevant group and click on the right side arrow button to assign the group to this admin.
- Continue with the selection of the other attributes and complete this process.
Note: If we need to change the user groups linked to an administrator, either assigning new groups or un-assigning the existing groups, please follow the same steps mentioned above.
Step 4 - Create an app and limit its scope to a specific group
- Navigate to Apps -> Catalog.
- Click on Add -> iOS -> iTunes App Store.
- Select the relevant group against "Available for".
- Click on the other details to complete the App creation.
- This application is now going to be available only for that group which was selected.
Filter for a specific group
- On the top right hand corner, beside the help button (question mark symbol), we can see the filter button
- Upon clicking the button, it will open a screen to search and select one group for which "Admin Access Control" is enabled.