Elevated privilege roles
-
- UpdatedFeb 1, 2024
- 3 minutes to read
- Washington DC
- Now Platform Security
Elevated privilege roles require you to manually accept the responsibility of using the role before you can access the features of the role.
By default, you do not have elevated privilege roles upon login. You must manually elevate to the privilege of the role. An elevated privilege role lasts only for the duration of your user session. Session timeout or logout removes the role.
You can designate any role as an elevated privilege role, and then assign that role to one or more users. Do this when you want to restrict users from having access to the rights that the role provides immediately after login. You can designate the privilege role on the Role form. See Create a role for instructions.
- The elevated role must be assigned to you.
- You must manually elevate to a specific elevated role to get its privileges, even if you are
already elevated to a second elevated role that contains the first elevated role.
For example, if elevated role A contains elevated role B, even if you elevate to role A, you must still elevate to role B to get its privileges.
The admin role
- Non-admin users cannot add a user to a group that contains the admin role.
- To grant the security_admin role to a user, the granting user must also have the admin role and must elevate to the security_admin role before granting the security_admin role to other users. A user with only the admin role cannot grant the security_admin role to other users.
- A user without the security_admin role cannot add a user to a group that contains the security_admin role.
The security_admin role
In the base system, the security_admin role is the only role that has elevated privileges. This role is automatically assigned to the user who is the default System Administrator (admin) user. It provides access to ACLs and High Security Settings.
