This article is an introduction to MyGlue roles, groups, and permissions.
A user's role determines what they can and cannot do in a MyGlue account. MyGlue has three user roles to choose from: Lite, Creator, or Editor.
Each role has a default set of permissions. In general:
|Lite||Can view assets, but not create, edit, or delete them.|
|Creator||Can view, create, and edit assets, but not delete them.|
|Editor||Can view, create, edit, and delete assets.|
Deleted items are restorable from the IT Glue activity log only, and therefore the Creator role is ideal for most users if you only want to provide access without allowing any delete actions. Note that MyGlue users can’t create or delete organizations regardless of their user role.
As well as these three roles, IT Glue Managers and Administrators are able to manage certain administrative tasks for MyGlue, including:
- Inviting people to join MyGlue
- Changing a user's role
- Resetting a user's MFA
- Resending a user's invitation
IT Glue Administrators can also restore deleted MyGlue assets (without actually seeing the asset contents).
With groups, you can create layers of permissions based on groups of users so that the right people can get to the right information without compromising data security.
MyGlue groups are configured per-MyGlue account. It's important to define one easy-to-maintain groups strategy per client. Your approach to groups can enhance collaboration and reduce requests for different levels of access.
Here are some tips to help make it easier to create and maintain different access levels:
- Each group can have its own denied asset types (configurable only by Administrators). With MyGlue, we recommend denying access to everything except passwords to start.
- Inventory all individuals who will have access to MyGlue, and then identify an appropriate access level. Your list may include owners, employees, temporary workers, HR, finance, etc.
- Set up your groups to reflect the different access levels, while keeping users segmented by group.
- Each MyGlue user is required to be a member of at least one group. If a user is a member of multiple groups, and the asset type restrictions within these groups conflict, the most restrictive setting will be used.
To give you an example, a very simple group strategy with two levels of access might look something like this:
- Create standard groups to represent two access levels: Owners and Users.
- Make most users part of the Users group.
- Limit the number of users in the Owners group.
- Only users who are trusted to access sensitive information are in the Owners group.
Granting access to IT Glue assets by group
When you create or edit a MyGlue group, you have the option of granting access to unrestricted IT Glue assets by checking a box. In this context, unrestricted refers to the default permission level for assets.
If the checkbox is selected, unrestricted assets will be accessible to members of the group that have permission to access the organization in which the asset is located. Access to these assets will stop only when an asset's permissions are explicitly set (i.e. specific groups and users only).
If this checkbox is not selected, passwords and other assets that were previously created in IT Glue will have no MyGlue user permissions by default. To give MyGlue access to new and existing assets, you will need to review and edit each item individually.
For guidance on deploying MyGlue, see the following articles: