Delegating cross-account access using GlueConnect

This article explains how to delegate cross-account access to your IT Glue account, so that you can share information in your account with users of another IT Glue account (an "invited account").

With GlueConnect, you don't have to set up individual users from the invited account in your account. In addition, users of the invited account don't have to sign out of their account and sign in to yours in order to access the shared information.

GlueConnect.png

This is supported between North America to North America, and EU to EU to EU accounts. North America to EU, and EU to North America accounts are not supported.

There are a number of ways you can use this feature. For example, imagine you hire a third-party NOC to support your clients outside of business hours. If the third-party also uses IT Glue, you can invite them to your account. You don't have to create or manage individual accounts. Users in the invited account have permission to work in your account and access information there.

To configure access, there are three basic steps:

Step 1 - Choose a maximum role

The maximum role is an upper limit. Each user in the invited account will have an effective role that may be different than the maximum role you choose, but not higher than the maximum role.

For example, let's say you set the maximum role to Editor:

If in the primary account the user has a... Then their effective role is...
Manager or Administrator role Editor
Editor role Editor
Creator role Creator
Read-only role Read-only

Note that Lite users in the invited account can't access your account. Also, users of the invited account can't add or modify any security permissions like they can in their primary account.

Step 2 - Grant access

At this point, the invited account doesn't have access to any information in your account. You will need to grant access by assigning group memberships and adding specific organizations like you would for any user of your account. If you assign all groups and add all organizations, anything that your team can see in your IT Glue account, the users in the invited account can as well.

You do not need to have any groups created specifically for GlueConnect, but you may want to review your security design. For example, do you want the invited account to have access to everything your senior tech team can access or do you want them to only have access to what a level 1 tech can access? Are your groups configured for this?

If you're new to groups, we recommend reading Adding groups / group members.

Step 3 - Send invitation email

After you specify a maximum role and grant access, the last step is to send an invitation to the users of the invited account. We send an invitation email to all users with an Administrator role. Users can access your account only after one of these Administrators accepts the invitation.

Prerequisites

  • You must be an Administrator to complete the following steps.

Instructions

  1. Click Account from the top navigation bar.
  2. Click GlueConnect from the sidebar.

    account-sidebar-glueconnect.png

  3. Click the + New button in the top-right corner.

    new-button.png

  4. On the next screen, click an option to invite one of the existing third-party provider accounts shown (Inbay and Global Mentoring Solutions) or a different account.
  5. Enter the subdomain of the invited account. For example, if the URL is insight-tech.itglue.com, insight-tech is the subdomain. Note: If you invite a Certified Provider, the subdomain is entered automatically.

    glueconnect_subdomain.png

  6. Choose a maximum role.

    glueconnect_max_role.png

  7. On the next screen, select the relevant groups and add any organizations that you want all users to have access to. Organization names populated by a group are grayed out because the permissions are inherited.

    glueconnect_group_org_access.png
    Important. Each user must have access to at least one organization. Select the Allow All Organizations checkbox if you want to give the invited account access to all current and future organizations.
  8. On the last screen, enter a message to the Administrators to include in the invitation email.

    glueconnect_invitation.png

  9. Click Send.

After you send the invitation, it is pending until an Administrator of the invited account clicks the link in the invitation email. After accepting the invitation, users of the invited account will have immediate access.

Switching between accounts

From the viewpoint of the invited account's users:

Sign in with the same URL, email address, and password that you use to access your primary IT Glue account. 

To access another account, click your user icon in the upper right-hand side of the screen. Then, in the GlueConnect section of the user name drop-down menu, choose the account you want to access:

username_drop-down_GlueConnect.png

In the top navigation bar, you will see a GlueConnect header. When you GlueConnect into another account, the GlueConnect header will change color and the name of the account is displayed:

Screen_Shot_2017-06-07_at_4.21.27_PM.png

You can return to your own account at any time by clicking the GlueConnect header.

Common Questions

Will the invited account be billed as an "active" user?

No, when you use GlueConnect, the invited account does not count as a user and is not billed. Users of the invited account also won't count against the number of users you are allowed to have in your pricing plan.

Can I see what the users of the invited account are doing in my account?

Everything that happens within your IT Glue account is tracked in the activity logs. To view them, go to Account > Activity Logs and you'll be shown a list of all action events (create, read, update, delete). You can filter by the action, the account, and the user. Note: The Account column is only displayed after you start giving delete accounts access to your account.

Can I turn on enforced multi-factor authentication (MFA) on my account?

Yes, but the users of the invited account will not be prompted to use MFA. They will still have direct access to your account after they authenticate in their primary account. You can't enforce MFA for accounts you let in through GlueConnect but, for added security, you can request that they enforce it on their end.

Was this article helpful?
3 out of 3 found this helpful
Have more questions? Contact us