Delegating cross-account access using GlueConnect

This article explains how to give cross-account access to your IT Glue account, so that you can share information in your account with users of another IT Glue account (a "delegate account").

With GlueConnect, you don't have to set up individual users from the delegate account in your account. In addition, users of the other account don't have to sign out of their account and sign in to yours in order to access the shared information.

GlueConnect.png

There are a number of ways you can use this feature. For example, imagine you hire a third-party NOC to support your clients outside of business hours. If the third-party also uses IT Glue, you can invite them to your account. You don't have to create or manage individual accounts. Users in the other account have permission to work in your account and access information there.

To configure access, there are three basic steps:

Step 1 - Choose a maximum role

The maximum role is an upper limit. Each user account in the delegate account will have an effective role that may be different than the maximum role you choose, but not higher than the maximum role.

For example, let's say you set the maximum role to Editor:

If in the primary account the user has a... Then their effective role is...
Manager or Administrator role Editor
Editor role Editor
Creator role Creator
Read-only role Read-only

Note that Lite users in the delegate account will not be able to access your account. Also note that users of the delegate account can't add or modify any item-specific security permissions like they can in their primary account.

Step 2 - Grant access

At this point, the delegate account doesn't have access to any information in your account. You will need to grant access by assigning group memberships and adding specific organizations like you would for any user of your account. If you assign all groups and add all organizations, anything that your team can see in your IT Glue account, the users in the delegate account can as well.

You do not need to have any groups created specifically for GlueConnect, but you may wish to review your security design. For example, do you want the other account to have access to everything your senior tech team can access or do you want them to only have access to what a level 1 tech can access? Are your groups configured for this?

Note: If you are just getting started with groups, we recommend reading Controlling access with security permissions. With GlueConnect, you can control third-party access only at the group level, not at the user level.

Step 3 - Send invitation email

After you specify a maximum role and grant access, the last step is to send an invitation to the users of the other account. We send an invitation email to all users with an Administrator role. Users can access your account only after one of these Administrators accepts the invitation.

Prerequisites

  • You must be an Administrator to complete the following steps.

Instructions

  1. Click Account from the top navigation bar.
  2. Click GlueConnect from the sidebar.
  3. Click + New.

    new_button.png

  4. Click an option to invite another IT Glue account or a Certified Provider: Inbay or Global Mentoring Solutions (GMS).
  5. Enter the subdomain of the delegate account. For example, if the URL is mydocs.itglue.com, mydocs is the subdomain. Note: If you invite a Certified Provider, the subdomain is entered automatically.

    glueconnect_subdomain.png

  6. Choose a maximum role.

    glueconnect_max_role.png

  7. On the next screen, select the relevant groups and add any organizations that you want all users to have access to.

    glueconnect_group_org_access.png
    Important. You must add at least one organization before leaving this screen. Check the Allow All Organizations box if you want to give the other account access to all current and future organizations.
  8. On the last screen, enter a message to the Administrators to include in the invitation email.

    glueconnect_invitation.png

  9. Click Send.

After you send the invitation, it is pending until an Administrator of the other account clicks the link in the invitation email. After accepting the invitation, users of the delegate account will have immediate access.

Switching between accounts

From the viewpoint of the delegate account's users:

Sign in with the same URL, email address, and password that you use to access your primary IT Glue account. 

To access another account, click your user icon in the upper right-hand side of the screen. Then, in the GlueConnect section of the user name drop-down menu, choose the account you wish to access:

username_drop-down_GlueConnect.png

In the top navigation bar, you will see a GlueConnect header. When you GlueConnect into a GlueConnect account, the GlueConnect header will change color and the name of the account is displayed:

Screen_Shot_2017-06-07_at_4.21.27_PM.png

You can return to your own account at any time by clicking the GlueConnect header.

Common Questions

Will the other account be billed as an "active" user?

No, when you add another IT Glue account using GlueConnect, the other account does not count as a user and is not billed. Users of the other account also won't count against the number of users you are allowed to have in your pricing plan.

Can I see what the users of the other account are doing in my account?

Everything that happens within your IT Glue account is tracked in the activity logs. To view them, go to Account > Activity Logs and you'll be shown a list of all action events (create, read, update, delete). You can filter by the action, the account, and the user. Note: The Account column is only displayed after you start giving other accounts access to your account.

Can I turn on enforced multi-factor authentication (MFA) on my account?

Yes, but the users of the delegate account will not be prompted to use MFA. They will still have direct access to your account after they authenticate in their primary account. You can't enforce MFA for accounts you let in through GlueConnect but, for added security, you can request that they enforce it on their end.

Was this article helpful?
3 out of 3 found this helpful