This article is an introduction to MyGlue roles, groups, and permissions.
A user's role determines what they can and cannot do in a MyGlue account. MyGlue has three user roles to choose from: Lite, Creator, or Editor.
Each role has a default set of permissions. In general:
|Lite||Can view assets, but not create, edit, or delete them.|
|Creator||Can view, create, and edit assets, but not delete them.|
|Editor||Can view, create, edit, and delete assets.|
Deleted items are restorable from the IT Glue activity log only, and therefore the Creator role is ideal for most users if you only want to provide access without allowing any delete actions. Note that MyGlue users can’t create or delete organizations regardless of their user role.
As well as these three roles, IT Glue Managers and Administrators are able to manage certain administrative tasks for MyGlue, including:
- Inviting people to join MyGlue
- Changing a user's role
- Resetting a user's MFA
- Resending a user's invitation
IT Glue Administrators can also restore deleted MyGlue assets (without actually seeing the asset contents).
With groups, you can create layers of permissions based on groups of users so that the right people can get to the right information without compromising data security.
MyGlue groups are configured per-MyGlue account. It's important to define one easy-to-maintain groups strategy per client. Your approach to groups can enhance collaboration and reduce requests for different levels of access.
Here are some tips to help make it easier to create and maintain different access levels:
- Each group can have its own denied asset types (configurable only by Administrators). With MyGlue, we recommend denying access to everything except passwords to start.
- Inventory all individuals who will have access to MyGlue, and then identify an appropriate access level. Your list may include owners, employees, temporary workers, HR, finance, etc.
- Set up your groups to reflect the different access levels, while keeping users segmented by group.
- Each MyGlue user is required to be a member of at least one group. If a user is a member of multiple groups, and the asset type restrictions within these groups conflict, the most restrictive setting will be used.
To give you an example, a very simple group strategy with two levels of access might look something like this:
- Create standard groups to represent two access levels: Owners and Users.
- Make most users part of the Users group.
- Limit the number of users in the Owners group.
- Only users who are trusted to access sensitive information are in the Owners group.
Granting access to IT Glue assets by group
When you create or edit a MyGlue group, you have the option of granting access to unrestricted IT Glue assets by checking a box. In this context, unrestricted refers to the default permission level for assets.
If the checkbox is selected, unrestricted assets will be accessible to members of the group that have permission to access the organization in which the asset is located. Access to these assets will stop only when an asset's permissions are explicitly set (i.e. specific groups and users only).
If this checkbox is not selected, passwords and other assets that were previously created in IT Glue will have no MyGlue user permissions by default. To give MyGlue access to new and existing assets, you will need to review and edit each item individually.
Changing default security for MyGlue passwords
If you have enabled Default Security in IT Glue then, by default, all passwords created in MyGlue will be visible only to the password creator. The original creator will need to change the security settings of their password to allow other MyGlue users to see it.
- Log into IT Glue and navigate to Account > MyGlue.
- Locate the organization that you wish to enable Default Security for. Click on the Action button and then select Edit.
- At the bottom of the Edit MyGlue Account screen in the Default Security section, choose one of the three different security permission options:
- All MyGlue users with access to the organization have access by default - Passwords created by MyGlue users will be visible to all other MyGlue users with access to the same organization. This ensures that a low-risk and widely used password is easily accessible.
- Only the creator has access by default - Passwords created by MyGlue users are visible only to that user. This ensures that a password is not exposed to an entire group or organization upon creation.
- Specific groups and/or users with access to the organization can access by default - Passwords created by MyGlue users will be automatically shared to specifically chosen MyGlue groups/users or IT Glue groups. This means that MyGlue users don’t need to remember to set those permissions each time they create a password. The password creator will still have access.
- Click Save. Once you save your preferences, all new passwords created in MyGlue will default to the selected security setting.
For guidance on deploying MyGlue, see the following articles: