Separating System Administration from Content Administration
One of the key objectives I've had as a PM at OpenText has been to separate the Administration role from the Content Manager role. This has been vital for our cloud solutions and for some of our larger customers who have firm segregation of duties.
The primary objective is to have two main buckets: 'content' administration, which deals with the day-to-day operations of handling permissions, reserved documents, moving large sets of content, and so on; and 'system' administration, which maintains the site-wide settings and service availability. This has been an ongoing process, accomplished over a series of updates.
Business Administration
The first main step in the process was the introduction of the Business Administrators group and its permission set. This allows Administrators to grant specific users limited access to the Administration Pages. The access granted here is mainly around cosmetic changes and configuration of how content is managed in the system, with the general rule of thumb that pages involving server restarts, hostnames, and security settings should not be in this bucket.
Content Manager
The next large step on the road to segregation of duties was the introduction of the 'Content Manager'. This mode allows specific users to elevate their permission level to 'bypass', which enables them to see and interact with all content in the system where needed. The 'bypass' permission is also granted by default to users with the 'System Administrator' privilege on their account.
All actions taken by a user in Content Manager mode are audited, with the audit record highlighting that the user was in an elevated state. Additionally, the user must enter a reason for elevating their access, which is written to the audit logs.
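Because every elevated action is audited together with the stated reason, the audit trail is the natural place to review how 'bypass' is actually being used. The following is an added example, not code from the post or from OpenText: it reads a small set of constructed audit events (the field names and the action names ElevateToBypass and DropBypass are assumptions for illustration; the real Content Server audit layout is not described here), reports elevated actions that carry no reason, counts the elevated operations per user, and reconstructs each elevation session so that an elevation that was never dropped stands out.

```python
"""Review constructed Content Manager ('bypass') audit events.

The JSON-lines layout, field names and action names below are assumptions
made for this example; they are not the product's real audit format.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit events (not real Content Server output).
SAMPLE_AUDIT = """\
{"ts": "2024-03-01T09:00:00Z", "user": "jdoe", "action": "ElevateToBypass", "elevated": true, "reason": "INC-1042: release files reserved by a departed user"}
{"ts": "2024-03-01T09:01:30Z", "user": "jdoe", "action": "Unreserve", "elevated": true, "reason": "INC-1042: release files reserved by a departed user", "object": 55123}
{"ts": "2024-03-01T09:02:10Z", "user": "jdoe", "action": "Move", "elevated": true, "reason": "INC-1042: release files reserved by a departed user", "object": 55123}
{"ts": "2024-03-01T09:05:00Z", "user": "jdoe", "action": "DropBypass", "elevated": false, "reason": ""}
{"ts": "2024-03-01T11:00:00Z", "user": "asmith", "action": "ElevateToBypass", "elevated": true, "reason": ""}
{"ts": "2024-03-01T11:00:45Z", "user": "asmith", "action": "View", "elevated": true, "reason": "", "object": 9001}
{"ts": "2024-03-01T13:00:00Z", "user": "bjones", "action": "View", "elevated": false, "reason": "", "object": 42}
"""

# Actions that start or end an elevation rather than touch content.
CONTROL_ACTIONS = {"ElevateToBypass", "DropBypass"}


def parse_events(text):
    """Parse JSON-lines audit text into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def elevated_without_reason(events):
    """Elevated events with an empty reason.

    The UI requires a reason, so any hit here points at a logging gap or a
    path that side-stepped the normal elevation dialog and deserves follow-up.
    """
    return [e for e in events if e.get("elevated") and not e.get("reason", "").strip()]


def elevated_actions_by_user(events):
    """How many content operations each user performed while in bypass."""
    counts = Counter()
    for e in events:
        if e.get("elevated") and e["action"] not in CONTROL_ACTIONS:
            counts[e["user"]] += 1
    return counts


def elevation_sessions(events):
    """Group each user's events into elevate ... drop sessions.

    Each session records its start, end (None if never dropped), the reason
    given at elevation time and the number of content actions taken inside it.
    """
    sessions = defaultdict(list)
    open_sessions = {}
    for e in events:
        user = e["user"]
        if e["action"] == "ElevateToBypass":
            session = {"start": e["ts"], "end": None,
                       "reason": e.get("reason", ""), "actions": 0}
            open_sessions[user] = session
            sessions[user].append(session)
        elif e["action"] == "DropBypass":
            session = open_sessions.pop(user, None)
            if session is not None:
                session["end"] = e["ts"]
        elif e.get("elevated"):
            session = open_sessions.get(user)
            if session is not None:
                session["actions"] += 1
    return dict(sessions)


def open_elevations(events):
    """(user, session) pairs for elevations that were never dropped."""
    return [(user, s) for user, ss in elevation_sessions(events).items()
            for s in ss if s["end"] is None]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT)
    print("elevated actions per user:", dict(elevated_actions_by_user(evs)))
    for e in elevated_without_reason(evs):
        print("no reason recorded:", e["user"], e["action"], e["ts"].isoformat())
    for user, s in open_elevations(evs):
        print("elevation never dropped:", user, "since", s["start"].isoformat())
```

On the constructed sample, jdoe's session is well-formed (a ticket reference as the reason, two actions, then a drop), while asmith elevated with no reason and never dropped back, which is exactly the pattern a reviewer of these logs would want surfaced.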
Restricting System Administrators
On the path to a full solution, we added a feature to restrict users with the System Administrator privilege from seeing specific subtypes. This allows users in the Business Administrators group to prohibit System Administrators from seeing content. The feature can be enabled or disabled, and the list of subtypes can be changed by the Business Administrators, allowing some control over the access level.
If the Business Administrator enables this option, System Administrators are effectively pigeon-holed into the Administration Pages, as they may not have access to see the Enterprise Workspace, or even their Personal Workspace.
Tenant Administrators
After the 'Restricting System Administrators' feature, we added a new user type called a Tenant Administrator. Tenant Administrators have some key advantages over a System Administrator: they do not appear in user pickers, they are always limited to the Administration Pages, and they do not require or take up a seat from your license.
This feature was primarily designed with the OpenText hosted cloud in mind; however, it exists for all customers to leverage.
To create a Tenant Administrator account, in OTDS you can configure the OTType mapping to be TenantAdminUser and oTDepartment as [Tenant Administrators Group]. When these users sync in, they are created as the special Tenant Administrators type.