Managing Admins

This Advanced screen displays a list of all administrators (Admins) with rights on this Smartcrypt Enterprise Manager (SEM) site.

From this screen, you can:

  • Add Admins
  • Change Admin Settings
  • Enable API or RevokeAPI
  • Delete Admins

Admin Roles

When you add an admin, you must assign a role. Each role designates a set of permissions to complete tasks on SEM.

RoleDescription

Read-Only

Can access Smartcrypt Manager, including the Reporting and Event Logs. Cannot change settings or policy.
Sys AdminCan change settings in the Basics and Advanced pages, with approval from another Sys Admin. Can create a policy and set the "scope" - the users and groups who will be ruled by that policy.
Security AdminCan change the parameters in the policy except the scope. Cannot create new policies. If a security admin is assigned to a policy, then the Sys Admin cannot change that policy.
Super Sys AdminCan change any setting, create and chance any  policy. Can approve own actions.

Admin API

For more information on this API: Admin API

ItemDescription
EnableAPIWhen clicked, an API key is generated and displayed once.
RevokeAPIUsed to revoke the current in use API Key for an admin.

Admin MFA

You can set up a separate Multi-Factor Authentication account for Admins. 

Admin MFA Setup

When you are logged in with your Admin account, click MFA in the upper right corner. You'll see the MFA Setup Options page.

Smartcrypt menu for MFA

Click Setup MFA. You’ll be asked to open your mobile device and scan a QR code to send to your Authenticator.  You can also type the secret code directly into the Authenticator. Enter the code generated by the Authenticator into the MFA Code box. You should then name the device that you are Pairing with. Save to confirm the TOTP setup.

Linking Admin Account to User Account

After setting up your Admin account, you may link the Admin MFA credential to a user account. Return to the MFA Setup Options page and click Link to an End User Account. Enter the username and password for the account you want to link to, and you’ll be asked to generate another Authenticator code. Click Login.

Unlinking a User Account: If you don’t want your user account connected to the Admin account, Go to Advanced > Admins and Edit the local user to unlink. Check Unlink MFA and click Save. This action must be approved by another admin.

Linking to a Common Admin Account

Instead of each admin linking MFA to their own user account, your admin team can choose to create an Admin account called Auth, for example, and then have each admin link to the Auth user, using the same process described in the previous section.

Adding Admins

Smartcrypt Enterprise Manager needs at least one Sys Admin to manage accounts. The first system administrator account created during the installation (described in the Installation and Setup Guide) holds the role of Super Sys Admin. We recommend creating a new, less powerful Sys Admin for day-to-day tasks. From the Advanced tab, go to Admins.

Admins can be created from:

  • Domain Users: Individual Active Directory users with accounts connected to Smartcrypt.
  • Domain Groups: You can assign an entire Active Directory Group as Admins.
  • Local Users: If you want an admin that can access SEM without an Active Directory account, you can assign a username or email address with a password.

Changing an Admin's Settings

To change an existing Admin's password or role:

  1. Go to Advanced > Admins. The Admins page appears with the current list of Admins.
  2. Click Edit for the Admin's settings.
  3. You can replace a Domain User's email address, or the Domain Group attached to this Role. Delete the existing email address or group name. Add the new address/group.
    You can also use the drop-down menu to change the Role of this Admin.
  4. Click Save.

Deleting an Admin

To delete an Admin from the database:

  1. Go to Advanced > Admins. The Admins page appears with the list of Admins.
  2. Click Delete for the Admin you want to remove.
  3. Click Confirm - Delete.

Unless you hold the Super Sys Admin role, another admin must confirm the deletion.