Set admin roles

Role-Based Access Control

Role-Based Access Control (RBAC) lets you assign one of four admin roles (Full Admin, Policy Admin, Support, and Auditor) to accounts in your Zivver organization settings, so that each administrator only gets the access their tasks require. This limits what a single compromised or misused admin account can do with your organization's sensitive information. This page explains how to use RBAC for your organization.

Advanced Administration Bundle
Role-Based Access Control is part of our Advanced Administration Bundle, which contains capabilities that larger organizations typically require and SMBs usually do not. Contact your Zivver contact person or our support team if you are interested in this feature.

Change roles

Set admin roles by following these steps:

  1. Go to https://app.zivver.com/admin/accounts and sign in as Full Admin
    Any administrator that existed before RBAC was enabled has the Full Admin role
  2. Choose the account for which you want to change the role
  3. Click Manage
  4. Scroll down to the Account Type pane
  5. Click Administrator
  6. Choose a role from the dropdown
  7. Click Save
  8. Review and confirm the change
    If this account was not an administrator yet and Single Sign-On is enabled, you need to enter a temporary password for the account

Roles

With RBAC, access to the Zivver organization settings can be granted on the basis of four common administrative roles:

  • Full Admin: Edit access to everything, including the roles of other admins
  • Policy Admin: Edit access to all settings, except the most impactful settings that only need to be set up once; no access to the audit and communication logs
  • Support: Edit access to accounts, but no access to impactful account settings or sensitive data
  • Auditor: View access to everything, no ability to change anything

Access to sensitive data

In order to execute the tasks required for effective Zivver administration, both the Full Admin and the Policy Admin must be able to perform actions that can grant access to the message data of other users (such as a password reset or delegated access). Keep this in mind when assigning these roles.

Permission overview

In this overview, 📖 indicates View (read-only) permission and ✏️ indicates Edit (write) permission for a scope. If no icon is displayed, the role has no permission for that scope.

Scope Full Admin Policy Admin Support Auditor
General
Get started page 📖 📖 📖 📖
Organization account information (logo, branding, name, business holder) ✏️ 📖 📖 📖
Data export host and username (excl. password) 📖 📖 📖
Organizational units ✏️ ✏️ ✏️ 📖
Organization subscription ✏️ 📖 📖 📖
Contact support page 📖 📖 📖 📖
User administration
Account details (name, picture, language, timezone, displayed sender) ✏️ ✏️ ✏️ 📖
Email aliases ✏️ ✏️ 📖 📖
Delegations ✏️ ✏️ 📖 📖
Password reset ✏️ ✏️
Communication log 📖 📖
Accounts that need restoring after password reset ✏️ ✏️ ✏️ 📖
Authentication factors ✏️ ✏️ ✏️ 📖
Logout active sessions ✏️ ✏️ ✏️ 📖
Administrator role ✏️ 📖 📖 📖
Account type (user or functional) ✏️ ✏️ 📖 📖
Account status (active or suspended) ✏️ ✏️ ✏️ 📖
Single Sign On settings ✏️ 📖 📖
Trusted networks ✏️ ✏️ 📖
Insights
Insights without personal data 📖 📖 📖
Insights with personal data 📖 📖
Audit log 📖 📖
Policies
Recipient verification ✏️ ✏️ ✏️ 📖
Trusted devices allowed ✏️ ✏️ 📖
Verification methods allowed ✏️ ✏️ 📖
Business rules ✏️ ✏️ 📖
Trusted domains ✏️ ✏️ 📖
Plugin settings ✏️ ✏️ 📖
Organization revocation policy ✏️ ✏️ 📖
Recipient Experience
Notification message ✏️ ✏️ 📖
Introduce Zivver settings ✏️ ✏️ 📖
Conversation starters ✏️ ✏️ 📖
Organization displayed sender ✏️ ✏️ 📖 📖
Custom support channels ✏️ ✏️ 📖
Domain Settings
Inbound Direct Delivery settings ✏️ 📖 📖
List domains and (DNS) settings ✏️ 📖 📖
NTA-7516 sending settings ✏️ 📖 📖 📖
Integrations
SMTP credentials ✏️ 📖 📖
API keys ✏️ 📖 📖
Google Workspace Key ✏️ 📖 📖
Grant users access to Chrome Extension Service Account Key ✏️ 📖 📖
Downloads page 📖 📖 📖 📖
Other (limited availability, not visible in menu)
Specials ✏️ ✏️ ✏️ ✏️
Connected services ✏️ 📖 📖

Frequently asked questions

Who can reset passwords or change primary emails from other admins?
For security reasons, only a Full Admin is allowed to reset the password or change the primary email address of another admin. This restriction prevents lower-privileged admins from taking over the accounts of other admins and thereby performing actions that require higher privileges than their own role grants.

Does RBAC also apply to personal settings of users?
No, this functionality only applies to the admin settings. It does not apply to the changes that users can make to their own personal profile settings.

What does View or Edit permission mean for (secret) keys and credentials?
Keys or credentials (API keys, SMTP credentials and Google Workspace Key) are never shown. View permission means that (a list of) the created keys can be viewed. Edit permission means that new credentials can be created, deleted and, if applicable, disabled.

What permissions do you need for data export?
This is only possible for a Full Admin, and only if the functionality has been explicitly enabled for the organization. Data export requires both Edit permission for API keys and View permission for the data export host and username. The API key serves as the password in the FTP client and is needed alongside the host and username. For data protection reasons the data export functionality is disabled by default and has to be enabled by Support before it can be used.

Why is the recommendation to have at least two Full Admins?
This is recommended to prevent a single point of failure. The Full Admin is the only role with full access to the organization and an ability to restore access for other Full Admins. Therefore, it is strongly recommended that an organization always has at least two Full Admins.

Can I change my own role?
No. An admin cannot change their own administrator role (or their own account type in general). This helps prevent a situation in which an organization is left without any Full Admins.

Why can Support not edit all user settings?
For data protection reasons, the Support role cannot add aliases or delegations, change account types or reset passwords. With any of these functions a Support admin could grant itself access to the messages of other users, which is deemed an unacceptable data security risk. These user settings can therefore only be edited by Full or Policy Admins.

Are API keys affected by changing an admin role?
No. The role permissions only affect whether an admin can manage (create, delete or disable) API keys in the admin portal. Existing API keys themselves are not affected by a role change.

At what level are the restricted admins blocked from performing certain actions?
As this is a security feature, actions that are not allowed for a role are blocked at the API endpoint level. Administrators therefore cannot perform those actions from the admin portal, nor by calling the API endpoints directly from another client. Additionally, administrators whose role does not require cryptographic access to organization data are not given such access.
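As an added example (not Zivver's code; Zivver's real endpoints, data model and identifiers are not described on this page, so the route names, scope keys and request shape below are assumptions), the following Python models the enforcement style this FAQ describes: a deny-by-default role/scope matrix built from a subset of the permission overview above, plus the two cross-cutting rules from the other answers (no admin can change their own role or account type; only a Full Admin can reset another admin's password), all applied once in the endpoint handler so that skipping the portal UI does not skip the check.

```python
"""Deny-by-default RBAC check modelled on the permission overview.

Illustrative only, not Zivver's implementation. The matrix is a subset of
the page's table; endpoint routes and the Actor/Target shape are assumed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

FULL, POLICY, SUPPORT, AUDITOR = "Full Admin", "Policy Admin", "Support", "Auditor"
ADMIN_ROLES = frozenset({FULL, POLICY, SUPPORT, AUDITOR})

# Subset of the permission overview. "edit" implies "view". Any (scope, role)
# pair missing here is denied: the matrix is an allow-list, not a deny-list.
PERMISSIONS = {
    "account_details":    {FULL: "edit", POLICY: "edit", SUPPORT: "edit", AUDITOR: "view"},
    "email_aliases":      {FULL: "edit", POLICY: "edit", SUPPORT: "view", AUDITOR: "view"},
    "delegations":        {FULL: "edit", POLICY: "edit", SUPPORT: "view", AUDITOR: "view"},
    "administrator_role": {FULL: "edit", POLICY: "view", SUPPORT: "view", AUDITOR: "view"},
    "account_type":       {FULL: "edit", POLICY: "edit", SUPPORT: "view", AUDITOR: "view"},
    # Support and Auditor have no entry at all: they cannot even see this scope.
    "password_reset":     {FULL: "edit", POLICY: "edit"},
}


@dataclass(frozen=True)
class Actor:
    account_id: str
    role: Optional[str]      # None for an ordinary (non-admin) user


@dataclass(frozen=True)
class Target:
    account_id: str
    role: Optional[str]


def has_permission(role: Optional[str], scope: str, action: str) -> bool:
    """Matrix lookup; an 'edit' grant also satisfies a 'view' request."""
    granted = PERMISSIONS.get(scope, {}).get(role)
    if granted is None:
        return False
    return granted == "edit" or action == "view"


def authorize(actor: Actor, scope: str, action: str, target: Target) -> Tuple[bool, str]:
    """Single authorization decision, independent of which client sent the request."""
    if actor.role not in ADMIN_ROLES:
        return False, "not an administrator"
    if not has_permission(actor.role, scope, action):
        return False, f"{actor.role} has no {action} permission on {scope}"
    if action == "edit":
        # Nobody, not even a Full Admin, may change their own role or account type.
        if scope in ("administrator_role", "account_type") and actor.account_id == target.account_id:
            return False, "admins cannot change their own role or account type"
        # Only a Full Admin may reset another admin's password.
        if scope == "password_reset" and target.role in ADMIN_ROLES and actor.role != FULL:
            return False, "only a Full Admin can reset another admin's password"
    return True, "ok"


# Assumed route table for the example: every handler maps to exactly one
# (scope, action) pair and calls authorize() before doing any work.
ENDPOINTS = {
    ("GET", "/admin/accounts/{id}/aliases"):         ("email_aliases", "view"),
    ("POST", "/admin/accounts/{id}/aliases"):        ("email_aliases", "edit"),
    ("PUT", "/admin/accounts/{id}/role"):            ("administrator_role", "edit"),
    ("POST", "/admin/accounts/{id}/password-reset"): ("password_reset", "edit"),
}


def handle(method: str, route: str, actor: Actor, target: Target) -> int:
    """Returns an HTTP-style status: 404 unknown route, 403 denied, 200 allowed."""
    key = (method, route)
    if key not in ENDPOINTS:
        return 404
    scope, action = ENDPOINTS[key]
    allowed, _reason = authorize(actor, scope, action, target)
    return 200 if allowed else 403


if __name__ == "__main__":
    # Constructed sample requests, one per rule the FAQ states.
    support = Actor("adm-support", SUPPORT)
    policy = Actor("adm-policy", POLICY)
    full = Actor("adm-full", FULL)
    user = Target("usr-1", None)
    print(handle("POST", "/admin/accounts/{id}/aliases", support, user))             # 403
    print(handle("POST", "/admin/accounts/{id}/password-reset", policy, user))       # 200
    print(handle("POST", "/admin/accounts/{id}/password-reset", policy,
                 Target("adm-support", SUPPORT)))                                    # 403
    print(handle("PUT", "/admin/accounts/{id}/role", full, Target("adm-full", FULL)))  # 403
```

The point of routing every request through `authorize()` inside `handle()` is that the portal's greyed-out buttons are never the control: a request crafted against the endpoint with a Support session still hits the same allow-list and the same two cross-cutting rules.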
