Set admin roles

Role-Based Access Control

With Role-Based Access Control (RBAC), you can assign specific admin roles (Full admin, Policy admin, Support, and Auditor) within your Zivver organization settings, streamlining user management and enhancing security. RBAC improves the efficiency of your administrative processes while safeguarding impactful functionality and information. This page explains how to use RBAC in Zivver for your organization.

Tip
Advanced Administration Bundle
Role-Based Access Control is part of our Advanced Administration Bundle, containing capabilities that larger organizations require while SMBs do not. Please contact your contact person at Zivver or our support team if you are interested in this feature.

Change roles

Follow these steps to set admin roles:

  1. Log in to the Zivver WebApp as Full Admin.
    Any existing admin before RBAC was enabled will have the Full Admin role.
  2. Click Organization Settings.
  3. Expand User administration.
  4. Click Accounts.
  5. Click next to the account for which you want to change the role.
  6. Scroll down to the Account type pane.
  7. Select Administrator.
  8. Choose a role from the Administrator role dropdown menu.

  9. Click .
  10. Review and confirm your changes.
    If this account was not an administrator yet and Single Sign-On is enabled, you need to enter a temporary password for the account.

Roles

With RBAC, access to the Zivver organization settings can be granted based on four common administrative roles:

  • Full admin: Full edit access to all settings and the ability to manage the roles of other admins
  • Policy admin: Edit access to all settings, except for the most impactful settings that only need to be configured once, plus access to audit and communication logs
  • Support: Edit access to user accounts, but no access to impactful account settings or sensitive data
  • Auditor: Read-only access to all settings, no ability to make changes

Warning
Access to sensitive data
To perform tasks for effective Zivver administration, both Full admin and Policy admin must be able to perform actions that can grant access to other users’ message data (such as password resets or delegated access). Keep this in mind when assigning these roles.

Permission overview

In this overview, 📖 indicates View (Read-only) permission and ✏️ indicates Edit (Write) permission for a scope. If no icon is displayed, the role has no permission.

Scope | Full admin | Policy admin | Support | Auditor

General
Get started page 📖📖📖📖
Organization account information (logo, branding, name, business holder) ✏️📖📖📖
Data export host and username (excl. password) 📖📖📖
List domains and (DNS) settings ✏️📖📖
Inbound Direct Delivery settings ✏️📖📖
NTA-7516 sending settings ✏️📖📖📖
Organizational units ✏️✏️✏️📖
Organization subscription ✏️📖📖📖
Contact support page 📖📖📖📖

User administration
Account details (name, picture, language, timezone, displayed sender) ✏️✏️✏️📖
Email aliases ✏️✏️📖📖
Delegations ✏️✏️📖📖
Password reset ✏️✏️
Communication log 📖📖
Accounts that need restoring after password reset ✏️✏️✏️📖
Authentication factors ✏️✏️✏️📖
Logout active sessions ✏️✏️✏️📖
Administrator role ✏️📖📖📖
Account type (user or functional) ✏️✏️📖📖
Account status (active or suspended) ✏️✏️✏️📖
Single Sign On settings ✏️📖📖
Trusted networks ✏️✏️📖
Automatic account deletion ✏️📖📖

Insights
Insights without personal data 📖📖📖
Insights with personal data 📖📖
Audit log 📖📖

Policies
Recipient verification ✏️✏️✏️📖
Verification methods allowed ✏️✏️📖
Trusted devices allowed ✏️✏️📖
Outbound direct delivery ✏️✏️📖
Business rules ✏️✏️📖
Trusted domains ✏️✏️📖
Organization revocation policy ✏️✏️📖
Plugin settings ✏️✏️📖

Recipient Experience
Notification message ✏️✏️📖
Introduce Zivver settings ✏️✏️📖
Conversation starters ✏️✏️📖
Organization displayed sender ✏️✏️📖📖
Custom support channels ✏️✏️📖

Integrations
SMTP credentials ✏️📖📖
DLP Gateway ✏️✏️📖
API keys ✏️📖📖
Google Workspace Key ✏️📖📖
Grant users access to Chrome Extension Service Account Key ✏️📖📖
Downloads page 📖📖📖📖

Frequently asked questions

Who can reset passwords or change primary emails of other admins?
For security reasons, only the Full Admin can reset the password or change the primary email address of any other admin. This restriction prevents restricted admins from accessing other admins’ accounts and performing actions that require higher privileges.

Does RBAC also apply to users’ personal settings?
No, this functionality applies only to admin settings. It does not affect changes that users can make to their own personal profile settings (as shown in this screenshot).

What does View or Edit permission mean for (secret) keys and credentials?
Keys or credentials (API keys, SMTP credentials, and Google Workspace Key) are never displayed. View permission allows viewing (a list of) the created keys. Edit permission allows creating, deleting, and, if applicable, disabling credentials.

What permissions are needed for data export?
Only a Full Admin can perform data export, and only if this functionality has been explicitly enabled for the organization. Data export requires both Edit permission for API keys and View permission for the data export host and username. The API key acts as a password in the FTP client and is required alongside the host and username. For data protection reasons, data export is disabled by default and must be enabled by Support before use.

Why is it recommended to have at least two Full Admins?
This prevents a single point of failure. The Full Admin is the only role with full access to the organization and can restore access for other Full Admins. Therefore, it is strongly recommended that an organization always has at least two Full Admins.

Can I change my own role?
An admin cannot change their own administrator role (or account type). This prevents a situation where no Full Admins remain in the organization.

Why can Support not edit all user settings?
For data protection, the Support role cannot add aliases or delegations, change account types, or reset passwords. Without this restriction, a Support admin could gain access to other users’ messages, which is an unacceptable data security risk. Certain user settings can only be edited by Full or Policy Admins.

Are API keys affected by changing an admin role?
No, changing an admin role only affects the ability to create new API keys in the admin portal. Existing API keys are not affected.

At what level are restricted admins blocked from performing certain actions?
Actions disallowed for a role are blocked at the API endpoint level. This means administrators cannot perform these actions through the admin portal or by directly calling API endpoints via another client. Administrators who do not require cryptographic access to organization data for their role will not have such access.
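
The rules stated in the FAQ above, modelled as a single endpoint-level authorization decision plus a roster check for the two-Full-Admin recommendation. This is an added example, not Zivver's code: the role keys, action names, `Account`, `authorize` and `audit_roster` are hypothetical, and only permissions this page states unambiguously are encoded.

```python
from dataclasses import dataclass
from typing import Optional

# Edit permissions per role, limited to rows this page states unambiguously.
# Role and action names are hypothetical labels, not Zivver API identifiers.
EDIT = {
    "full_admin": {"set_admin_role", "set_account_type", "reset_password",
                   "add_alias", "add_delegation", "set_account_status"},
    "policy_admin": {"set_account_type", "reset_password",
                     "add_alias", "add_delegation", "set_account_status"},
    "support": {"set_account_status"},
    "auditor": set(),  # read-only role
}
SELF_BLOCKED = {"set_admin_role", "set_account_type"}
# Roles the page warns can grant access to other users' message data.
DATA_ACCESS_ROLES = {"full_admin", "policy_admin"}


@dataclass(frozen=True)
class Account:
    email: str
    admin_role: Optional[str] = None  # None = regular user


def authorize(actor: Account, action: str, target: Account) -> bool:
    """Endpoint-level decision: same answer for the portal and any other client."""
    if action not in EDIT.get(actor.admin_role, set()):
        return False
    is_self = actor.email == target.email
    if is_self and action in SELF_BLOCKED:
        return False  # an admin cannot change their own role or account type
    if action == "reset_password" and target.admin_role and not is_self:
        return actor.admin_role == "full_admin"  # only Full admin resets other admins
    return True


def audit_roster(accounts: list) -> list:
    """Flag roster conditions the page advises against or asks admins to weigh."""
    full = [a.email for a in accounts if a.admin_role == "full_admin"]
    findings = [f"fewer than two Full admins: {full}"] if len(full) < 2 else []
    findings += [f"{a.email} ({a.admin_role}) can grant access to message data"
                 for a in accounts if a.admin_role in DATA_ACCESS_ROLES]
    return findings


# Constructed sample roster (not real accounts).
ROSTER = [Account("root@example.test", "full_admin"),
          Account("pol@example.test", "policy_admin"),
          Account("help@example.test", "support"),
          Account("user@example.test")]
```

Because the decision lives in one function called by the endpoint, a client that bypasses the portal reaches the same deny path as the UI.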