Custom Admin Permissions regarding Onboarding and User Management

Note: Please check our corporate site if this feature is available in your subscription plan.

 The full functionality is only available from the version 9.1.0 or higher (on mobile) so all users need to update their Beekeeper app.

Some of our customers do not want all admins to be able to manage employee data and initiate onboarding (data integrity, data protection, process consistency). This feature enables Global Admins to freely manage permissions for lower level admins (Org-unit, Location, Group admins) regarding user management capabilities and onboarding.

Limiting these capabilities is especially important for enterprises where user syncing and onboarding is centrally controlled. Such customers do not want lower-level administrators to modify this data.

Introducing this functionality will give the ability for all customers to modify these permissions for lower level admins. 

The feature is available in Dashboard for all Global Admins (Dashboard → Settings → Admin Permissions).

The planned changes enable Global admins to turn on/turn off user management and onboarding permissions for lower level admins. In particular:

User management permissions - when turned off for a given admin, every employee with that role won’t be able to:

• create users manually or through file import

• edit user profile fields

• add and remove users from Locations

• add and remove users from Group

Onboarding permissions - when turned off for a given admin, every employee with that role won’t be able to:

• suspend and activate users

• generate login codes

• send login instructions

• send personalized invitations

• set new passwords

On desktop, after turning on the Onboarding Permissions, the admin needs to reload the page in order to be able to see the option to generate login codes.

For the onboarding functionality to be available on mobile, the user needs to have the version 9.1.0 or higher of the app installed. On lower versions, Custom Admin Permissions will not be taken into account for the generation of login codes.

Edge case

Keep in mind that when roles overlap - e.g. someone is an Org-unit Admin and Group Admin at the same time - the granted permissions will affect all users seen by a given admin in the Dashboard. If, for example, the Group Admin role has "user management" permissions enabled and Org-unit Admin role has this option disabled, such a person with both roles assigned will still be able to manage all users visible in the Dashboard (i.e. those seen because of being Group Admin and those seen because of being Org-unit admin).