Application administration

Application administration allows organizations to protect sensitive application data by restricting how users acquire application-specific roles.

Application developers and administrators can use application administration to:
  • Prevent unauthorized users from accessing sensitive data such as financial records or personally identifiable information.
  • Restrict who can assign application roles.
  • Prevent admin users from:
    • Assigning themselves a protected application role.
    • Assigning themselves to a group containing a protected application role.
    • Bypassing existing access controls to a protected application by creating new access controls.
    • Changing the password of users who have a protected application role.
    • Impersonating a user who has a protected application role.
    • Inheriting a protected application roles.
    • Overriding existing access controls to a protected application.
    • Running scripts that access protected application records.

You can enable application administration from the application record and restrict the assignment of application roles from the user role record. Application developers should enable application administration after completing application development and before adding application records.

To prevent accidental lockout, the system displays a warning if you enable application administration for an application and there are no users who can assign application roles. For convenience, application developers can use the following related links to provide and remove application roles from all admins.
  • Grant application administration to all admins
  • Remove application administration from admins