Role Based Access Control
Role-based access control lets you invite administrative stakeholders into Blissfully while maintaining the principle of least privilege.
Policies contain a set of permissions that can be applied to either individual users or teams, with granular control. Blissfully has provided a core set of default policies with commonly desired permission sets, as shown below. Default and Admin policies can be updated to reflect your desired permission set or you can create entirely new policies for specific groups of users.
Any policy can be set as Organization-Wide, which means it will be automatically applied to all individuals in your primary domain. Additional policies stack on top of the permissions defined in any org-wide policy. Blissfully provides a Default policy during initial setup that will allow everyone in your organization to see the Employee Portal and to manage the "My Stuff" section.
If you would like to prevent your primary domain holders from having access to the Employee Portal, you can either delete the Default Policy or adjust it to only apply to specific people or teams. All policies have the option of being set as "Organization-Wide", as you can see in the Policy Detail example below.
Access Rights are the permissions that an individual user or team holds to read, write, edit, delete or otherwise access Blissfully capabilities. The level of access rights typically depends on the user's position or supervisory role within the company. Blissfully aims to involve a cross-functional team to collaboratively manage IT, and permissions are the key.
Permission sets are managed by either editing an existing policy or creating a new one. Blissfully has a powerful permission model that allows an Administrator to carefully design granular sets of permissions, including the ability to Allow All and Deny All permissions, with exception handling.
If Allow All is toggled on, all current and future permissions will be ALLOWED except those in the Access Denied list. This is an uncommon action, typically reserved for Super Admins. The primary benefit of using this method is that any new permissions that Blissfully creates will be automatically rolled into the policy on a go-forward basis.
If Deny All is toggled on, all current and future permissions will be DENIED except those in the Access Allowed list. Again, the primary benefit of using this method is that any new permissions that Blissfully creates will be automatically rolled into the denied list on a go-forward basis.
Adding individual permissions is straightforward. You can search for a specific permission, and easily select (or deselect) multiple permissions at once to apply to the policy.
Blissfully will be adding more and more granular permissions as RBAC capabilities expand. For now, we support the following permissions:
- Manage Apps
- Manage Devices
- Manage People
- Manage Teams
- Manage Apps if you're the owner
- Manage Team Apps as Team Lead
- Manage Team Details as Team Lead
- Manage Team Membership as Team Lead
- Manage Workflows
- Manage Tickets
- Manage API
- Manage Integrations
- Manage Policies
- Manage Transactions
- Manage Users
- Manage Organization (the permissions below are included in this permission)
  - Manage general settings
  - View Audit Logs
  - View Google Logs
  - View Labs
  - View System of Record Reports
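The following added sketch (not Blissfully's code) models the Allow All and Deny All toggles with their exception lists and shows which users would pick up a newly released permission without any policy edit. It assumes stacked policies combine additively, which the page implies but does not spell out; the users, the policy names other than Default, and the permissions "View Employee Portal" and "Manage Billing" are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    mode: str                         # "allow_all" or "deny_all"
    exceptions: frozenset             # Access Denied list (allow_all) or Access Allowed list (deny_all)
    members: frozenset = frozenset()  # users the policy is applied to
    org_wide: bool = False            # applied to everyone in the primary domain

    def grants(self, catalogue):
        if self.mode == "allow_all":
            return set(catalogue) - self.exceptions
        if self.mode == "deny_all":
            return set(catalogue) & self.exceptions
        raise ValueError(f"unknown mode: {self.mode}")

def effective(user, policies, catalogue):
    """Union of grants from every policy applying to the user (assumed additive stacking)."""
    perms = set()
    for p in policies:
        if p.org_wide or user in p.members:
            perms |= p.grants(catalogue)
    return perms

def gains_on_release(new_perm, users, policies, catalogue):
    """Users who would hold new_perm with no policy edit once it joins the catalogue."""
    after = set(catalogue) | {new_perm}
    return sorted(u for u in users
                  if new_perm in effective(u, policies, after)
                  and new_perm not in effective(u, policies, catalogue))

# Constructed sample data: a subset of the page's permission list plus one
# made-up permission standing in for Employee Portal access.
CATALOGUE = frozenset({"Manage Apps", "Manage Devices", "Manage People",
                       "Manage Policies", "View Audit Logs", "View Employee Portal"})
POLICIES = [
    Policy("Default", "deny_all", frozenset({"View Employee Portal"}), org_wide=True),
    Policy("IT Admin", "allow_all", frozenset({"Manage Policies"}), frozenset({"alice"})),
    Policy("Device Desk", "deny_all", frozenset({"Manage Devices"}), frozenset({"bob"})),
]
USERS = ["alice", "bob", "carol"]

if __name__ == "__main__":
    for u in USERS:
        print(u, sorted(effective(u, POLICIES, CATALOGUE)))
    # "Manage Billing" is a hypothetical future permission.
    print("auto-gain:", gains_on_release("Manage Billing", USERS, POLICIES, CATALOGUE))
```

Running a check like `gains_on_release` against an export of your policies shows which Allow All assignments deserve review whenever the permission list grows.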
The User Access table only shows individuals who have policies in addition to any Org-Wide policies you have defined. Since everyone in your primary domain gets the Default policy after Blissfully is initially set up, they will not display in this table.
If you would like to add additional policies to an individual in your domain, tap the "Add user" button and search for them, or adjust any existing user's policy application through the action menu.