Permission Management Roles in EasyDMARC
Understanding User Permissions and Roles within Your EasyDMARC Organisation
In EasyDMARC, every account is referred to as an Organisation. Each Organisation is anchored by a designated Organisation Owner, and there can only be one Owner at any given time. This Owner has ultimate authority over the account.
Users within an Organisation are granted specific access and management capabilities through a structured system of permissions, categorized into three distinct levels:
- Organisation Level Permissions: These roles grant broad control over the entire Organisation's settings and resources.
  - Organisation Owner: Possesses complete and unrestricted access to all platform features, settings, and resources within the Organisation. This is the only role that can transfer ownership of the Organisation to another user.
  - Organisation Admin: Can manage all resources, features, and settings across the platform for the Organisation. The only restriction is the inability to transfer Organisation ownership.
- Product Level Permissions: These roles provide control over selected products and their associated resources across all domains within the Organisation.
  - Product Admin: Enjoys full administrative rights for specific products, including managing their settings and resources Organisation-wide.
  - Product Editor: Can modify and manage the resources associated with specific products across all domains in the Organisation.
- Resource Level Permissions: These roles offer granular control over specific domain-related resources, either collectively through Domain Groups or for individual domains.
  - Domain Group Admin: Full administrative control over all domains contained within a specific Domain Group.
  - Domain Group Editor: Can manage and modify settings and data for all domains within a particular Domain Group.
  - Domain Group Viewer: Has read-only access to view data and settings for all domains within a designated Domain Group.
  - Domain Admin: Full administrative control over an individual, specified domain.
  - Domain Editor: Can manage and modify settings and data for an individual, specified domain.
  - Domain Viewer: Has read-only access to view data and settings for an individual, specified domain.
Key Principles of the Permissions Hierarchy in EasyDMARC:
The effectiveness of EasyDMARC's user management lies in its permissions hierarchy, which dictates how roles and access rights interact:
- Scope of Group Roles: Assigning a role at the Domain Group level (Admin, Editor, or Viewer) automatically applies those respective permissions to all domains included within that particular Group.
- Precedence of Higher Permissions: It is not possible to assign a more restrictive role for a specific domain if the user already holds a role with broader permissions at a higher level that encompasses that domain. For example, a user with "Editor" permissions for a Domain Group cannot be simultaneously limited to "Viewer" permissions for an individual domain within that same Group.
- Scope of Product Roles: Assigning a Product role (Admin or Editor) grants the corresponding permissions for that product's features and resources across all domains within the entire Organisation.
Flexibility in Role Assignments:
- Users holding high-level roles (Organisation Owner, Organisation Admin, Product Admin/Editor) possess extensive permissions. While the system allows them to be assigned other, more granular roles, this is often functionally redundant for resources already covered by their primary high-level role.
- Users can be assigned multiple Domain Group or individual Domain roles across different groups or domains. This allows for precise and tailored access configurations based on specific responsibilities for distinct sets of resources.
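For an access review, the group-scope and precedence rules above, combined with multiple Domain Group and Domain assignments per user, can be modelled as follows. This Python is an added example, not EasyDMARC code or its API: the `Assignment` record, the group membership map and the sample data are constructed, and ranking Admin above Editor above Viewer is an assumption.

```python
from dataclasses import dataclass

# Assumed ordering: the page states Editor is broader than Viewer; Admin on top is an assumption.
RANK = {"Viewer": 1, "Editor": 2, "Admin": 3}

@dataclass(frozen=True)
class Assignment:   # hypothetical record, not an EasyDMARC export format
    user: str
    scope: str      # "group" or "domain"
    target: str     # Domain Group name or domain name
    role: str       # "Viewer", "Editor" or "Admin"

def inherited_role(user, domain, assignments, groups):
    """Broadest role the user receives on `domain` through Domain Group roles."""
    roles = [a.role for a in assignments
             if a.user == user and a.scope == "group"
             and domain in groups.get(a.target, ())]
    return max(roles, key=RANK.get, default=None)

def effective_role(user, domain, assignments, groups):
    """Broadest of the inherited group role and any direct domain role."""
    roles = [a.role for a in assignments
             if a.user == user and a.scope == "domain" and a.target == domain]
    inherited = inherited_role(user, domain, assignments, groups)
    if inherited:
        roles.append(inherited)
    return max(roles, key=RANK.get, default=None)

def check_domain_assignment(new, assignments, groups):
    """Reject a domain role narrower than one already inherited from a group."""
    inherited = inherited_role(new.user, new.target, assignments, groups)
    if inherited and RANK[new.role] < RANK[inherited]:
        return f"rejected: {new.user} already has {inherited} on {new.target} via a Domain Group"
    return "ok"

# Constructed sample data
GROUPS = {"Marketing": {"news.example.com", "promo.example.com"},
          "Corporate": {"example.com", "mail.example.com"}}
ASSIGNMENTS = [
    Assignment("alice", "group", "Marketing", "Editor"),
    Assignment("alice", "group", "Corporate", "Viewer"),
    Assignment("alice", "domain", "example.com", "Admin"),
    Assignment("bob", "domain", "news.example.com", "Viewer"),
]

if __name__ == "__main__":
    for user, domain in [("alice", "promo.example.com"), ("alice", "example.com"), ("bob", "example.com")]:
        print(user, domain, effective_role(user, domain, ASSIGNMENTS, GROUPS))
    print(check_domain_assignment(Assignment("alice", "domain", "news.example.com", "Viewer"), ASSIGNMENTS, GROUPS))
```

Resolving every user and domain pair this way shows who effectively holds write or admin access to a domain's settings, including access that comes only from a Domain Group role.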
Managing User Invitations (Administrator Actions):
When an Administrator invites new users to join the Organisation, the following process and rules are in effect:
- Batch Invitation Limit: A maximum of five (5) users can be invited with a single invitation batch.
- Invitation Validity Period: Each invitation sent to a prospective user remains valid for 48 hours.
- Pending Status: Once invited, the user will be listed with a "Pending" status on the User Management page until they accept the invitation.
- Expiration Consequence: If an invitation is not accepted by the user within the 48-hour validity period, it automatically expires, and the pending user entry is removed from the system.
- Administrative Control over Invitations:
  - Revoke Invitation: Administrators have the option to cancel an active, pending invitation using the "Revoke" feature.
  - Resend Invitation: An invitation that has expired or was not initially received can be resent using the "Resend Invitation" option.
IMPORTANT: The detailed overview of all Roles and their permissions can be found here.