I am a Zivver admin
Configure and manage Zivver
Set admin roles
Role-Based Access Control
With Role-Based Access Control, you can assign specific admin roles (Full Admin, Policy Admin, Support, and Auditor) within your Zivver organization settings, streamlining user management and enhancing security. With RBAC, you can improve the efficiency of your administrative processes while safeguarding your organizationβs sensitive information. On this page you can read all about using RBAC for your organization.
Role-Based Access Control is part of our Advanced Administration Bundle, containing capabilities that larger organizations require while SMBs do not. Please contact your contact person at Zivver or our support team if you are interested in this feature.
Change roles
Set admin roles by following these steps:
- Go to https://app.zivver.com/admin/accounts and sign in as Full Admin
Any existing admin before RBAC was enabled will have the Full Admin role - Choose the account for which you want to change the role
- Click Manage
- Scroll down to the Account Type pane
- Click Administrator
- Choose a role from the dropdown
- Click Save
- Review and confirm the change
If Single Sign-On is enabled you need to enter a temporary password for the user
Roles
With RBAC, access to the Zivver organization settings can be granted on the basis of four common administrative roles:
- Full admin: Edit access to everything and ability to edit roles of other admins
- Policy admin: Edit access to all settings, apart from the most impactful settings that only need to be set up once and audit and communication logs
- Support: Edit access to accounts, but no access to impactful account settings and sensitive data
- Auditor: View access to everything, no ability to change anything
In order to execute tasks for effective Zivver administration, both the Full Admin and Policy Admin need to be able to perform actions that can grant access to message data of other users (such as a password reset or delegated access). Please keep this in mind when assigning these roles.
Permission overview
In this overview, π indicates View (or Read-only) permission and βοΈ indicates Edit (or Write) permission for a scope. If no icon is displayed a role has no permission.
| Scope | Full Admin | Policy Admin | Support | Auditor |
|---|---|---|---|---|
| General | ||||
| Get started page | π | π | π | π |
| Organization account information (logo, branding, name, business holder) | βοΈ | π | π | π |
| Data export host and username (excl. password) | π | π | π | |
| Organizational units | βοΈ | βοΈ | βοΈ | π |
| Organization subscription | βοΈ | π | π | π |
| Contact support page | π | π | π | π |
| User administration | ||||
| Account details (name, picture, language, timezone, displayed sender) | βοΈ | βοΈ | βοΈ | π |
| Email aliases | βοΈ | βοΈ | π | π |
| Delegations | βοΈ | βοΈ | π | π |
| Communication log | π | π | ||
| Accounts that need restoring after password reset | βοΈ | βοΈ | βοΈ | π |
| Authentication factors | βοΈ | βοΈ | βοΈ | π |
| Logout active sessions | βοΈ | βοΈ | βοΈ | π |
| Administrator role | βοΈ | π | π | π |
| Account type (user or functional) | βοΈ | βοΈ | π | π |
| Account status (active or suspended) | βοΈ | βοΈ | βοΈ | π |
| Single Sign On settings | βοΈ | π | π | |
| Trusted networks | βοΈ | βοΈ | π | |
| Insights | ||||
| Insights without personal data | π | π | π | |
| Insights with personal data | π | π | ||
| Audit log | π | π | ||
| Policies | ||||
| Recipient verification | βοΈ | βοΈ | βοΈ | π |
| Trusted devices allowed | βοΈ | βοΈ | π | |
| Verification methods allowed | βοΈ | βοΈ | π | |
| Business rules | βοΈ | βοΈ | π | |
| Trusted domains | βοΈ | βοΈ | π | |
| Plugin settings | βοΈ | βοΈ | π | |
| Organization revocation policy | βοΈ | βοΈ | π | |
| Recipient Experience | ||||
| Notification message | βοΈ | βοΈ | π | |
| Introduce Zivver settings | βοΈ | βοΈ | π | |
| Conversation starters | βοΈ | βοΈ | π | |
| Organization displayed sender | βοΈ | βοΈ | π | π |
| Custom support channels | βοΈ | βοΈ | π | |
| Domain Settings | ||||
| Inbound Direct Delivery settings | βοΈ | π | π | |
| List domains and (DNS) settings | βοΈ | π | π | |
| NTA-7516 sending settings | βοΈ | π | π | π |
| Integrations | ||||
| SMTP credentials | βοΈ | π | π | |
| API keys | βοΈ | π | π | |
| Google Workspace Key | βοΈ | π | π | |
| Grant users access to Chrome Extension Service Account Key | βοΈ | π | π | |
| Downloads page | π | π | π | π |
| Other (limited availability, not visible in menu) | ||||
| Specials | βοΈ | βοΈ | βοΈ | βοΈ |
| Connected services | βοΈ | π | π |
Frequently asked questions
Who can reset passwords or change primary emails from other admins?
For security reasons, only the Full Admin is allowed to reset the password or change the primary email address of any other admin. This restriction prevents the restricted admins from accessing the accounts of other admins and performing actions that require higher privileges.
Does RBAC also apply to personal settings of users?
No, this functionality is only applicable to admin settings. It is not applicable to the changes that users can make to their own personal profile settings (the personal settings are displayed on this screenshot).
What does View or Edit permission mean for (secret) keys and credentials?
Keys or credentials (API keys, SMTP credentials and Google Workspace Key) are never shown. View permission means that (a list of) the created keys can be viewed. Edit permission means that new credentials can be created, deleted and, if applicable, disabled.
What permissions do you need for data export?
This is only possible for a Full Admin, and only if the functionality was explicitly enabled for the organization. Data export requires having both Edit permission for API keys and View permission for the data export host- and username. The API key serves as a password in the FTP client, and is needed next to the host- and username. For data protection reasons the data export functionality is disabled by default, and needs to be enabled by Support before it can be used.
Why is the recommendation to have at least two Full Admins?
This is recommended to prevent a single point of failure. The Full Admin is the only role with full access to the organization and an ability to restore access for other Full Admins. Therefore, it is strongly recommended that an organization always has at least two Full Admins.
Can I change my own role?
It is not possible for an admin to change its own administrator role (or account type in general). This helps prevent a situation in which there are no Full Admins in an organization.
Why can Support not edit all user settings?
For data protection reasons, the Support role cannot add aliases or delegations, change account types or reset passwords. The reason for this is that with these functionalities the Support admin could grant itself access to the messages of other users. This is deemed an unacceptable data security risk. Certain user settings can only be edited by Full or Policy Admins.
Are API keys affected by changing an admin role?
No, the permissions only affect the ability to create new API keys in the admin portal. The API keys themselves are not affected.
At what level are the restricted admins blocked from performing certain actions?
As this is a security feature, actions that are not allowed for a role are blocked at the API endpoint level. This means that administrators cannot perform the actions from the admin portal, but also not by directly calling API endpoints via another client. Additionally, administrators that do not require cryptographic access to organization data to perform their role, will not have such cryptographic access.