Kaseya Community

How do I fine-tune an admin account's access so they can't "see" other admins?

  • We would like to start reselling nodes to companies and provide them with administrator access to their machine group only, and so they can only see their own admin account/role, and not see any other groups/accounts/roles on the KServer.

    This would look something like this:

    Bob Hope is the IT guy at a company called Unitech.
    We create an admin role called Unitech.
    We create an admin account called BobHope.
    We assign BobHope to the Unitech admin role.
    We create a machine group called UnitechMachines.
    We give the Unitech admin role access only to the UnitechMachines machine group.

    We give Bob his username and password, and when he logs in he can only access his own machine group (and any subgroups underneath it). This is all working fine.

    However, on Bob's Dashboard under Tasks -- Assigned to: dropdown, and the Messages - to: dropdown, Bob can select the other admin accounts that we have created (for ourselves, other customers, etc.).

    How can I restrict BobHope's access so he cannot assign tasks or send messages to users outside his own Admin Role?

    And is there any other place where Bob may "see" other admin accounts, roles, machine groups, etc. that I should be aware of?

    Thanks!!

    ~Tony

    Legacy Forum Name: How do I fine-tune an admin account's access so they can't "see" other admins?,
    Legacy Posted By Username: TonyJ
  • Check the System > Membership page. He should be the only member of his assigned role and should not be a member of any other roles.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: T2Craig
  • Thanks for the reply Craig (by the way, loved you in that TV show "Coach" Wink )

    I made sure that BobHope is a member of the Unitech admin role and -only- the Unitech admin role. And no one else is a member of that admin role. However, other admins are a member of the master admin role. But we also have a "standard" admin role, and BobHope can see admins in that role in the dropdown boxes I mentioned in the original post as well.

    The problem is that when we have several customers using this product, we don't want them to be able to see the names of all the other admin accounts for all the other customers. We want to give the illusion that they are in their own separate IT Management Software, and only have access to their own account/groups/machines/usernames/admin accounts/etc.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: TonyJ
  • I too am working on the same issue without success yet.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: iamnet
  • Hi there,

    I too had this problem and the general resolve from Kaseya was that you cannot hide this information - in future release perhaps.

    The only way I had to get around it was to remove those areas that had the listing in them.

    The ticketing is another one - you can see all admins, only way around that was that you set every ticket to be automatically assigned to an admin and they could not change it - but not great.

    Michael

    Legacy Forum Name: How-To,
    Legacy Posted By Username: mmartin
  • We assign client administrators to their specific group. We also assign our own people to Master Admin or a Junior Admin and then assign Junior Admin only to those groups which they should interact with.

    We do not allow end customers to assign tickets, so they don't see a support persons name on a ticket unless it has been assigned to that support person.

    We do let client administrators assign tickets to our own people if it's something they do not have the skills or time to deal with. Of course they may have to pay extra for that time.

    The only problem area is with Chat where a user can see any adminsitrator that may have access to their site.

    You can avoid the issue of Master Admins if you simply keep Master Admins limited to an account for configuration and not nessecarily daily work. If a person is not assigned as Master Admin and not assigned to membership in a group that group won't be visible to them, nor will they be visible to the group.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: doug.jenkins@ispire.ca
  • Anyone figure this out yet? The only thing we have been able to do so far is hide the assignee choice all together. However, we have a client that wants to be able to assign to other workers underneath him and we do not want him to see ALL of our techs and other clients, only the ones he needs to.

    Thanks

    TonyJ
    We would like to start reselling nodes to companies and provide them with administrator access to their machine group only, and so they can only see their own admin account/role, and not see any other groups/accounts/roles on the KServer.

    This would look something like this:

    Bob Hope is the IT guy at a company called Unitech.
    We create an admin role called Unitech.
    We create an admin account called BobHope.
    We assign BobHope to the Unitech admin role.
    We create a machine group called UnitechMachines.
    We give the Unitech admin role access only to the UnitechMachines machine group.

    We give Bob his username and password, and when he logs in he can only access his own machine group (and any subgroups underneath it). This is all working fine.

    However, on Bob's Dashboard under Tasks -- Assigned to: dropdown, and the Messages - to: dropdown, Bob can select the other admin accounts that we have created (for ourselves, other customers, etc.).

    How can I restrict BobHope's access so he cannot assign tasks or send messages to users outside his own Admin Role?

    And is there any other place where Bob may "see" other admin accounts, roles, machine groups, etc. that I should be aware of?

    Thanks!!

    ~Tony


    Legacy Forum Name: How-To,
    Legacy Posted By Username: tbuckley
  • Hi all,

    Something to watch out for is the line between hosting K agents to IT Departments, and providing services where they have the ability to log in to your system.

    The Kaseya license agreement stipulates that it will not be used in an Application Service Provider fashion. Only a couple companies like SecureMyCompany (now Cloud Services Depot) and Virtual Administrator have entered into special agreements with Kaseya to offer Kaseya in an ASP fashion. Offering hosted Kaseya agents to others is a breach of the license and some people have been shut off for doing so.

    The fine line I referred to is the difference between offering hosted Kaseya vs. you deliver services to that customer. If you are delivering services to that customer (e.g. "I'll be responsible for patching your environment and triaging monitoring alarms" etc) then offering them access to log in (e.g. they want to run their own reports, you escalate alarms you triage to their internal staff, etc) is within the software license agreement.

    I'm not sure which side of the line any of you fall on, but I just wanted to make sure everyone was aware. If you have any questions about your situation, feel free to raise them to your Account Manager.

    Jason Paquette
    Director - IT Service Provider Sales - North America
    Kaseya Corporation
    Bothell, WA, USA

    Legacy Forum Name: How-To,
    Legacy Posted By Username: jason.paquette@kaseya.com
  • In my scenario, we are providing the high end tech support for the company. They are providing lower end support from within. We are in no way reselling so that our client can do all of the work and we just host the system.

    With that settled, do you have any input into the original question?

    jason.paquette@kaseya.com
    Hi all,

    Something to watch out for is the line between hosting K agents to IT Departments, and providing services where they have the ability to log in to your system.

    The Kaseya license agreement stipulates that it will not be used in an Application Service Provider fashion. Only a couple companies like SecureMyCompany (now Cloud Services Depot) and Virtual Administrator have entered into special agreements with Kaseya to offer Kaseya in an ASP fashion. Offering hosted Kaseya agents to others is a breach of the license and some people have been shut off for doing so.

    The fine line I referred to is the difference between offering hosted Kaseya vs. you deliver services to that customer. If you are delivering services to that customer (e.g. "I'll be responsible for patching your environment and triaging monitoring alarms" etc) then offering them access to log in (e.g. they want to run their own reports, you escalate alarms you triage to their internal staff, etc) is within the software license agreement.

    I'm not sure which side of the line any of you fall on, but I just wanted to make sure everyone was aware. If you have any questions about your situation, feel free to raise them to your Account Manager.

    Jason Paquette
    Director - IT Service Provider Sales - North America
    Kaseya Corporation
    Bothell, WA, USA


    Legacy Forum Name: How-To,
    Legacy Posted By Username: tbuckley
  • Wow, from 2009, and no information on how to make this happen within the service agreement?

  • I think the problem with Bob's account is that "LegacyPoster" Tony gave Bob Master Admin access or that he used the same role for Bob that other users where part of.

    Kaseya has a hidden ability to separate access in the VSA by partitioning however this is not available to Kaseya's standard customer base.