Group Administrator
Overview
A group administrator is a way to delegate administrative authority. Administrators can designate group administrators and grant them certain user management permissions so they can manage members within their own groups.
Applicable Scenarios
Large enterprise groups often have many employees, complex organizational structures, and high centralized management costs. With the Group Administrator feature, enterprises with multi-level organizational structures can delegate user management permissions to branches or departments, allowing group administrators to help manage group members and child user groups while reducing the system administration burden on central administrators.
Enable Group Administrators
As an administrator, you can enable the group administrator feature on the Admin Center > User Management > Permission Rules page.
After enabling it, you can configure the following settings:
Allow Group Administrators to Create New Users: enabled by default. When enabled, group administrators can create new users and bulk-create users in the user management interface.Allow Group Administrators to Authorize Visitor Permissions for Resources: enabled by default. If you clear this option, group administrators can authorize only resources for which they have owner permissions.Allow Group Administrators to Manage Child User Groups: if group administrators are not allowed to manage child user groups, then only group administrators of user groups included in the whitelist can designate group administrators for child user groups.
Different enterprises define different boundaries for what group administrators can do. For that reason, whether group administrators are allowed to modify the organizational structure is configurable, so enterprises can decide based on their own requirements.
How Group Administrators Work
If a regular user becomes a group administrator, that user will have access to the User Management and Resource Management modules.
After logging in with a group administrator account, the following feature pages are available in the Admin Center.
User Management
Users
Prerequisite
Make sure Allow Group Administrators to Create New Users is enabled.
Procedure
-
On the
Admin Center > User Management > Userspage, clickCreate User.
-
Fill in the user information and click
Save.DescriptionGroup administrators can create only
Read-Only UsersandRegular Users. They cannot create administrator accounts.
-
Manage users within the group.
- Regular users in the group can be added, deleted, edited, and viewed freely.
- If a user in the group is an administrator or a group administrator, that user cannot be deleted, the account type cannot be modified, and the password cannot be reset, but other user attributes can still be modified.
- When changing a user's user group, group administrators can select only user groups that they manage.
-
Configure user permissions. Group administrators can edit Resources they have permission for and can also grant Dashboard, Dataset, and folder permissions in batches to members within the group.
- Group administrators can authorize Resources for which they are a Visitor or Owner. When assigning permissions downward, if they are a Visitor, they can assign only the Visitor role. If they are an Owner, they can assign both Visitor and Owner roles.
- Resources owned by group members but inaccessible to the group administrator cannot be assigned downward.
User Groups
Prerequisite
Make sure Allow Group Administrators to Manage Child User Groups is enabled.
Procedure
-
On the
Admin Center > User Management > User Groupspage, clickCreate User Group / Add Child User Group.
-
Manage user groups. Group administrators can manage only the user groups for which they serve as group administrator and their child user groups. Available operations include:
- `User Group Name`: the name of the user group where the group administrator belongs cannot be modified. For subordinate child user groups, if modification of the group structure is allowed, the name can be changed.- `Add/Delete Child User Groups`: available if modification of the group structure is allowed.- `Group Administrator`: visible but not editable.- `Roles`: roles already granted to the group administrator by an administrator can be added.- `Default User Group Page`: can be configured, but only Dashboards can be added.- `Members in the Group`: users managed by the group administrator can be added; regular members can be removed; if the member is also a group administrator, that member cannot be removed and only an administrator can remove them. -
Configure user group permissions. Group administrators can edit Resources they have permission for and can also grant Dashboard, Dataset, and folder permissions in batches to members within the group.
- Group administrators can authorize Resources for which they are a Visitor or Owner. When assigning permissions downward, if they are a Visitor, they can assign only the Visitor role. If they are an Owner, they can assign both Visitor and Owner roles.
- Resources owned by group members but inaccessible to the group administrator cannot be assigned downward.
Roles
Group administrators can see only the roles authorized to them by administrators and cannot modify them.
Resource Management
Analysis Pages
In Resource Management, only page Resources are exposed, and group administrators can see only the Resources they have permission to access.
If the user is the Owner, they can edit and delete the Resource. If the user is a Visitor, they can only view it and cannot see edit or delete entries.
When a group administrator is a Visitor, they can view page information and Resource Permissions, but cannot modify them. Clicking Resource Permissions takes you to the Resource Permission Management page.
Resource Permission Management
In Resource Permission Management, group administrators can view the Resources they have permission for and perform editing operations.
As in the authorization window for a single Resource, if the user is a Visitor, only Visitor entries can be added. If the user is an Owner, all operations are available.
