This article will outline the steps needed to setup up SafeConsole into separate groups that can be managed by individual users. This can be beneficial if your organization is structured in a way that you would like certain admins to only manage the users and their respective devices that they are responsible for.
Step 1: Setup SafeConsole. Login as the SafeConsole account owner and perform the following steps:
- Configure the Default Policy, this policy will not be used if this guide is followed correctly, however it is still important that the policy be set. A recommendation can be to configure a very restrictive policy that blocks device connection just in case a device is incorrectly registered at some point. An example would be the device state set to always and geofence set to Block all possible connections. See the SafeConsole Admin Guide for instructions on how to configure the default policy and the individual settings.
- Configure the following Registration setting found in Server Settings -> General
- Disable Machine ownership - checked
- Require a unique token for all registrations: Devices and SafeCrypt Drives - checked
- Require registration approval from Administrator - Unchecked
Step 2: Enable Custom Roles and Allow Creating Group Admins
Note: This must be completed by the SafeConsole Owner
- Access the Admins page in SafeConsole.
- Scroll to the bottom and check "Enable Custom Role-Based Security System". For more information on Custom Roles, see the following Knowledge Base Article.
- Click "OK" > the SafeConsole will refresh and you will need to log back in.
- Return to the Admins Page and check "Allow Creating Basic Group Admins".
Step 3: Create the top-level groups and the initial Group Admins
- In 'Manage Policies' click the Add New Path button in the top right then enter the name of the first group. Repeat for each group that will be added.
- Locate the newly added group and click the wrench icon, this will bring up the menu to Add New User
- Enter the user's name and email address and click Add
- After the user is created, you will be given the option to Promote to Group Admin, click the marked button to continue.
Add this point the user will be sent an email to create a login, password, and enable 2-factor authentication if enforced.
Note: If testing different admin permission sets on the same computer it is critical that you log out of the super admin profile before logging in as the new Group Admin. Failure to do so will show incorrect permissions. Try on a different system or in a new incognito browser if you experience this issue.
Continue Configuration: The promoted users, now Admins for their respective group can create additional users either manually or via CSV import. These will be the end-users that devices will be assigned to. They will not have access to the console. Once these end-users are created devices will need their Unique Token. This is included in the Endpoint Setup Guide, which can be sent after the user is created or after importing users from a CSV file.