Admin Users and Roles

Describes admin users and roles.

Admin users are used to delegate administration duties in Privakey CX. Each admin user has at least one of three roles attached to their account, and the roles attached determine which administrative actions that user is permitted to perform. The three roles are Company Admin, App Space Admin, and User Support.

Roles

Company Admin - This role is intended to allow for system set-up and administration. After running the Bootstrap Wizard, an admin user record with the Company Admin role is created. This role can create admin users with any role, can assign any role to itself, and can create App Spaces.

App Space Admin - This role is intended to allow individual App Spaces to be managed. An App Space Admin is assigned to a particular App Space and can manage and configure any aspect of that App Space, including its Request Origins and their Callbacks, and can assign User Support roles within it. The same user can be assigned as App Space Admin of other App Spaces, but each App Space Admin assignment is specific to one App Space and grants nothing in any other.

User Support - This role is the least privileged and is intended to allow for App User and device management. User Support is allowed to revoke App User devices and, if the App Space is configured for Simple Bind, to revoke App Users. Like App Space Admin, it is scoped to a single App Space.

Permissions

The Admin Portal's permission table lists the following permissions against the three roles (Company Admin, App Space Admin, User Support); which role holds each permission follows from the role descriptions above:

  • Add / edit App Space
  • Add / edit Request Origin
  • Add / edit Callbacks
  • App User Administration (device and App User management)
  • Attach / Remove Company Role
  • Attach / Remove App Space Role
  • Attach / Remove User Support Role

Adding a New User

Adding a user for a specific role depends on the context the user is added in. For instance, to add a new Company Admin user, they must be added through the Company Dashboard. Likewise, an App Space Admin or User Support user must be added in the context of a particular App Space, from its dashboard.

To add a user, enter their email address and select the roles that apply (if applicable). The Auth Service will send an email containing a one-time-use link to that address. If the link needs to be resent, this can be done by selecting the user's record; resending the email invalidates any prior registration emails, so only the most recent link is ever valid.

Following the link takes the new user to a page in the Admin Portal where they complete their registration. As part of the registration process, they are required to enter their first and last name, and optionally a phone number. After they complete this step, the page displays their password and a link to the login page. Note that until the link is used, whoever controls the recipient's mailbox can complete registration and obtain the password, so the address entered must be one the intended admin actually controls.

Adding a New Role to an Existing User

Adding a new role works much like adding a new user. Within the context of the role (Company dashboard or App Space dashboard), open the user management page and enter the email address along with the roles that apply. If the user already exists in that context, their name appears in the list and their roles can be edited directly on their user page. The user receives an email informing them of the change to their roles.

Reset Password

If a user loses their credentials for the Admin Portal, the password can be reset. Navigate to their user record and select "Reset Password"; this sends the user an email with a one-time link that lets them optionally update their user information and receive a new password. Resetting a user's password places the user in a suspended state, preventing them from logging in until they complete the reset process. This also makes "Reset Password" a quick way to lock out an account whose credentials are suspected to have been compromised.

Removing Roles

Because an admin user's permission set is the union of the roles attached to that user, there may be times when it is necessary to remove roles attached to an admin user. As long as a user's own roles permit it, they can remove any attached role from any admin user, including themselves.

There are a few caveats:

  • A user cannot remove their own role if it is the last one attached to them; users with the appropriate roles can, however, remove another user's final role.
  • There must be at least one Company Admin in the system. If only one admin user has the Company Admin role attached, another admin user must have the role attached before it can be removed from the original admin user.

Removing a User's Final Role

It is possible to remove all roles from another admin user. Doing so prevents that user from logging in or performing any administrative action and effectively locks them out of the system, although their user record remains and roles can be attached again later.
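The removal rules and the two lockout caveats above are easy to get wrong in an authorization layer, so here they are modelled as a small, runnable check. This is an added example, not Privakey CX's own code: the role names follow this page, but the who-may-remove-what mapping (Company Admin removes any role; an App Space Admin removes User Support only inside an App Space they administer; User Support removes nothing), the email addresses and the App Space names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, Optional, Set


class Role(Enum):
    COMPANY_ADMIN = "Company Admin"
    APP_SPACE_ADMIN = "App Space Admin"
    USER_SUPPORT = "User Support"


@dataclass(frozen=True)
class Assignment:
    """One role attached to an admin user. Company Admin is global; App Space
    Admin and User Support are each scoped to exactly one App Space."""
    role: Role
    app_space: Optional[str] = None

    def __post_init__(self) -> None:
        scoped = self.role is not Role.COMPANY_ADMIN
        if scoped != (self.app_space is not None):
            raise ValueError(f"{self.role.value} {'requires' if scoped else 'must not carry'} an App Space")


@dataclass
class AdminUser:
    email: str
    roles: Set[Assignment] = field(default_factory=set)


class RoleRemovalError(Exception):
    """Removal refused by one of the two lockout invariants."""


def has_company_admin(user: AdminUser) -> bool:
    return any(a.role is Role.COMPANY_ADMIN for a in user.roles)


def may_remove(actor: AdminUser, target_role: Assignment) -> bool:
    """Assumed reading of the permissions table: Company Admin may detach any
    role; an App Space Admin may detach User Support only within an App Space
    they administer; User Support may detach nothing."""
    if has_company_admin(actor):
        return True
    if target_role.role is Role.USER_SUPPORT:
        return Assignment(Role.APP_SPACE_ADMIN, target_role.app_space) in actor.roles
    return False


def remove_role(directory: Dict[str, AdminUser], actor_email: str,
                target_email: str, target_role: Assignment) -> FrozenSet[Assignment]:
    """Detach target_role from target_email on behalf of actor_email.
    Returns the target's remaining roles; an empty set means they are locked out."""
    actor, target = directory[actor_email], directory[target_email]
    if target_role not in target.roles:
        raise KeyError(f"{target_email} does not hold {target_role.role.value}")
    if not may_remove(actor, target_role):
        raise PermissionError(f"{actor_email} may not remove {target_role.role.value}")
    # Caveat 1: nobody may strip their own final role (another admin may, though).
    if actor is target and len(target.roles) == 1:
        raise RoleRemovalError("cannot remove your own final role")
    # Caveat 2: the system must always keep at least one Company Admin.
    if target_role.role is Role.COMPANY_ADMIN and not any(
        has_company_admin(u) for u in directory.values() if u is not target
    ):
        raise RoleRemovalError("attach Company Admin to another user first")
    target.roles.discard(target_role)
    return frozenset(target.roles)


def sample_directory() -> Dict[str, AdminUser]:
    """Constructed sample data (hypothetical addresses and App Space names)."""
    ca = Assignment(Role.COMPANY_ADMIN)
    users = [
        AdminUser("alice@example.com", {ca}),
        AdminUser("bob@example.com", {ca, Assignment(Role.APP_SPACE_ADMIN, "billing")}),
        AdminUser("dave@example.com", {Assignment(Role.APP_SPACE_ADMIN, "payments")}),
        AdminUser("carol@example.com", {Assignment(Role.USER_SUPPORT, "payments"),
                                        Assignment(Role.USER_SUPPORT, "billing")}),
    ]
    return {u.email: u for u in users}


def attempt(directory: Dict[str, AdminUser], actor: str, target: str, role: Assignment) -> str:
    """Run one removal and describe the outcome in a single line."""
    try:
        left = remove_role(directory, actor, target, role)
        return f"removed; {target} keeps {len(left)} role(s)" + ("; LOCKED OUT" if not left else "")
    except (PermissionError, RoleRemovalError, KeyError) as exc:
        return f"refused ({type(exc).__name__}): {exc}"


if __name__ == "__main__":
    d = sample_directory()
    ca = Assignment(Role.COMPANY_ADMIN)
    print(attempt(d, "alice@example.com", "alice@example.com", ca))  # own final role: refused
    print(attempt(d, "bob@example.com", "alice@example.com", ca))    # allowed, alice locked out
    print(attempt(d, "bob@example.com", "bob@example.com", ca))      # last Company Admin: refused
    print(attempt(d, "carol@example.com", "bob@example.com", Assignment(Role.APP_SPACE_ADMIN, "billing")))
    print(attempt(d, "dave@example.com", "carol@example.com", Assignment(Role.USER_SUPPORT, "payments")))
    print(attempt(d, "dave@example.com", "carol@example.com", Assignment(Role.USER_SUPPORT, "billing")))
```

The order of the checks matters: the permission check runs before either invariant, so a User Support account learns nothing about who the last Company Admin is, and the "last Company Admin" test counts other users only, which is exactly the condition the second caveat states.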

Recovering the Company Admin

In the unfortunate case that the only Company Admin is lost (for example, forgotten credentials with no other Company Admin available to reset them), the only way to recover is through the Recovery Wizard. Keeping a second admin user with the Company Admin role attached avoids having to rely on it.