Delegating cross-account access using GlueConnect

This article explains how to delegate access to your account to other IT Glue accounts, so that you can share information in your account with users of a different account.

By setting up cross-account access, you don't have to create individual users in your account. In addition, users of the other account don't have to sign out of their account and sign into yours in order to access the shared information.

There are a number of ways you can use this feature. For example, imagine you hire a third-party NOC to support your clients outside of business hours. If the third-party also uses IT Glue, you can invite them into your account. You don't have to create or manage individual accounts. Users in the other account have permission to work in your account and access information there.

To delegate access, there are three basic steps:

Step 1 - Choose a maximum role

The maximum role is an upper limit. Each user account in the third-party account will have an effective role that may be different than the maximum role you chose, but not higher than the maximum role.

For example, let's say you set the maximum role to Editor:

If in the primary account the user has a... Then their effective role is...
Manager or Administrator role Editor
Editor role Editor
Creator role Creator
Read-only role Read-only

Note that Lite users in the third-party account will not be able to access your account. Also note that users of the third-party account can't to add or modify any item-specific security permissions like they can in their primary account.

Step 2 - Grant access

At this point, the third-party account doesn't have access to any information in your account. You will need to grant access by assigning group memberships and adding specific organizations like you would for any user of your account. If you assign all groups and add all organizations, anything that your team can see in your IT Glue account, the users in the third-party account can as well.

You do not need to have any groups created specifically for the third-party access, but you may wish to review your security design. For example, do you want the third party to have access to everything your senior tech team can access or do you want them to only have access to what a level 1 tech can access? Are your groups configured for this?

Note: If you are just getting started with groups, we recommend reading Controlling access with security permissions. With GlueConnect, you can control third-party access only at the group level, and not at the user level.

Step 3 - Send invitation email

After you specify a maximum role and grant access, the last step is to send an invitation to the users of the other account. We send an invitation email to all users with an Administrator role in the third-party account. Users of the third-party account can access your account only after one of these Administrators accepts the invitation.

Prerequisites

  • You must be an Administrator to delegate access to your account.

Instructions

  1. Click Account from the top navigation bar.
  2. Click GlueConnect from the sidebar.
  3. Click + New.

    new_button.png

  4. Click an option to invite another IT Glue account or a Certified Provider.
  5. Enter the subdomain of the third-party account. For example, if the URL is mydocs.itglue.com, mydocs is the subdomain. If you do not know the subdomain, please contact an administrator of the third-party account. Note: If you invite a Certified Provider, the subdomain is entered automatically.

    glueconnect_subdomain.png

  6. Choose a maximum role.

    glueconnect_max_role.png

  7. On the next screen, select the relevant groups and add any organizations that you want users of the third party to have access to.

    glueconnect_group_org_access.png
    Important. You must add at least one organization before leaving this screen. Check the Allow All Organizations box if you want to give the third-party account access to all current and future organizations.
  8. On the last screen, enter a message to Administrators of the third-party account to include in the invitation email.

    glueconnect_invitation.png

  9. Click Send.

After you send the invitation, it is pending until an Administrator of the other account clicks the link in the invitation email. After accepting the invitation, users of the third-party account will have immediate access.

Switching between accounts

From the viewpoint of the third-party users:

Sign in with the same URL, email address, and password that you use to access your primary IT Glue account. In the top navigation bar, you will see a GlueConnect header.

To access another account, click your user icon in the upper right-hand side of the screen. Then, in the GlueConnect section of the user name drop-down menu, choose the account you wish to access.

username_drop-down_GlueConnect.png

When you GlueConnect into a GlueConnect account, the GlueConnect header will change color and the name of the account is displayed.

Screen_Shot_2017-06-07_at_4.21.27_PM.png

You can return to your own account at any time by clicking the GlueConnect header.

Common Questions

Will the third-party account be billed as an "active" user?

No, the other account does not count as a user and is not billed.

Users of the third-party account also won't count against the number of users you are allowed to have in your pricing plan.

Can I see what the users of the other account are doing in my account?

Everything that happens within your IT Glue account is tracked in your activity logs. To view them, go to Account > Activity Logs and you'll be shown a list of all action events (create, read, update, delete). You can filter by the action, the account, and the user. Note: The Account column will only be displayed when you have allowed third-party access to your IT Glue account.

Can I turn on enforced multi-factor authentication (MFA) on my account?

Yes, but the users of the delegate account will not be prompted to use MFA. They will still have direct access to your account after they authenticate in their primary account. You can't enforce MFA for accounts you let in through GlueConnect but, for added security, you can request that they enforce it on their end.

Was this article helpful?
3 out of 3 found this helpful