Under some configurations, a lower-privileged administrator, for example, an administrator assigned the default Help Desk Administrator role, may be able to modify the account of a higher-privileged administrator. To audit the permissions assigned to administrators and verify that lower-privileged administrators do not have permissions that allow them to modify the accounts of higher-privileged administrators, use the following procedure.
Before you begin
You must be a Super Admin.
In the Security Console, click Identity > Users.
Use the search fields to find Administrators.
Click the name of the administrator and select Available Permissions from the context menu.
The user's assigned administrative roles are displayed. For each role, the following information displays:
Security Domain. The security domain of the administrators who are allowed to manage the assigned role.
Security Domain Scope. The scope of the administrator's role, i.e., where the administrator can perform the tasks for this administrative role.
Identity Source Scope. The identity sources the administrator may access, if her administrative role includes managing users or user groups.
Permission Delegation. Whether the assigned administrator can create new administrative roles that include this role's permissions.
Administrative Tasks and Permissions. The permissions the administrator has to modify objects in the system, for example, permission to add users, or just view them.
After you finish
If you find that an administrator has scope or permissions that give more privileges than appropriate, you can do the following:
Add or remove roles from the set of roles assigned to the administrator. For more information, see Assign an Administrative Role.
Edit one or more of the administrator’s roles to change the scope, set of permissions or both that role includes. This affects all administrators assigned the role. For more information, see Edit an Administrative Role.
Create a new role having the correct scope and the exact set of permissions required, and assign it to the administrator. You can create a new role or duplicate an existing role and modify it. For more information, see Add an Administrative Role.