Role-based access control
Secure Private Access uses a role-based access control model to manage user permissions and access levels. Each user is assigned a specific role, and that role determines what they can and cannot do within the system. This model helps ensure that users have the level of access they need to perform their tasks, while preventing them from reaching sensitive data or functions that they must not access.
The following four main roles are available for Secure Private Access admins. Each of these roles has a different set of permissions, which are designed to match the needs of different types of users.
- Full Access Administrator
- Read Only Administrator
- Full Monitor Administrator
- Helpdesk Administrator
Note:
To monitor Secure Private Access using DaaS Monitor, administrators must be assigned the DaaS role in addition to one of the Secure Private Access roles.
The following table provides a brief description of each role:
Role | Description |
---|---|
Full Access Administrator | Intended for individuals who need complete control over the configuration, management, and operation of the Secure Private Access environment. The Full Access Administrator has the following privileges: Access to all Secure Private Access functionalities. Permissions to create, edit, and modify apps, policies, and settings within the Secure Private Access console. |
Read Only Administrator | Intended for individuals who need to monitor and analyze the Secure Private Access activities and system performance. The Read Only Administrator has the following privileges: Access to the Secure Private Access dashboard. Ability to view all Secure Private Access application configurations and settings. The Read Only Administrator does not have privileges for any create/update/delete functionality. |
Full Monitor Administrator | Intended for users responsible for monitoring Secure Private Access activity and performance in the Monitor console. The Full Monitor Administrator has the following privileges: Access to all monitoring dashboards and reporting tools within Secure Private Access. Ability to view all Secure Private Access configurations and settings. The Full Monitor Administrator does not have permissions to create, edit, or modify Secure Private Access configurations, policies, or settings. |
Helpdesk Administrator | Intended for Helpdesk personnel responsible for troubleshooting and triaging user access issues. The Helpdesk Administrator has the following privileges: Limited visibility into Secure Private Access configurations and settings, focusing on information relevant to troubleshooting in the Monitor console. Access to specific troubleshooting tools and diagnostic utilities within the Secure Private Access console. Ability to view the troubleshooting and Monitor dashboards. The Helpdesk Administrator does not have permissions to create, edit, or modify Secure Private Access configurations or policies. |
Roles and privileges
The following table summarizes the roles and privileges:
Privilege | Full Access Administrator | Read Only Administrator | Full Monitor Administrator | Helpdesk Administrator |
---|---|---|---|---|
Create/edit/delete apps | Yes | No | No | No |
Create/edit/delete policies | Yes | No | No | No |
Edit configurations/settings | Yes | No | No | No |
View configurations/settings | Yes | Yes | Yes | Limited |
View the logging and troubleshooting widget in the Secure Private Access dashboard | Yes | Yes | Yes | Yes |
Search for users | Yes | Yes | Yes | No |
Retrieve configured domains | Yes | Yes | Yes | No |
View the Users, Applications, Access Policies widgets in the Secure Private Access dashboard | Yes | Yes | Yes | No |
View the sessions and applications in the Monitor dashboard | Yes | Yes | Yes | Limited |
Access reporting tools | Yes | No | Yes | Limited |
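The table above can drive a periodic access review. The following sketch is an added example, not Citrix code and not a Citrix Cloud API: it encodes the table, picks the least-privileged role that covers what an administrator needs, and flags assignments that grant more or less than that. The privilege keys, the ranking of "Limited" between Yes and No, and the sample assignments are assumptions made for illustration.

```python
# Privilege matrix transcribed from the "Roles and privileges" table.
# Column order follows the table; row keys are hypothetical short labels.
COLUMNS = ("Full Access Administrator", "Read Only Administrator",
           "Full Monitor Administrator", "Helpdesk Administrator")
YES, LIMITED, NO = 2, 1, 0  # assumption: "Limited" ranks between Yes and No
MATRIX = {
    "manage_apps":            (YES, NO, NO, NO),
    "manage_policies":        (YES, NO, NO, NO),
    "edit_settings":          (YES, NO, NO, NO),
    "view_settings":          (YES, YES, YES, LIMITED),
    "view_troubleshooting":   (YES, YES, YES, YES),
    "search_users":           (YES, YES, YES, NO),
    "retrieve_domains":       (YES, YES, YES, NO),
    "view_dashboard_widgets": (YES, YES, YES, NO),
    "view_monitor_sessions":  (YES, YES, YES, LIMITED),
    "reporting_tools":        (YES, NO, YES, LIMITED),
}

def grants(role):
    """Return {privilege: level} for one role (one column of the table)."""
    col = COLUMNS.index(role)
    return {priv: row[col] for priv, row in MATRIX.items()}

def least_privileged_role(needs):
    """Smallest-footprint role meeting every {privilege: minimum level} need."""
    fits = [r for r in COLUMNS
            if all(grants(r)[p] >= lvl for p, lvl in needs.items())]
    return min(fits, key=lambda r: sum(grants(r).values()), default=None)

def review(assignments):
    """Classify each (admin, assigned role, needs) tuple."""
    findings = []
    for admin, role, needs in assignments:
        best, held = least_privileged_role(needs), grants(role)
        if any(held[p] < lvl for p, lvl in needs.items()):
            status = "under-privileged"
        else:
            status = "ok" if best == role else "over-privileged"
        findings.append((admin, role, best, status))
    return findings

# Constructed sample assignments (not real accounts).
SAMPLE = [
    ("alice@example.test", "Full Access Administrator",
     {"view_settings": YES, "reporting_tools": YES}),
    ("bob@example.test", "Helpdesk Administrator",
     {"view_troubleshooting": YES, "view_monitor_sessions": LIMITED}),
    ("carol@example.test", "Read Only Administrator", {"manage_policies": YES}),
]
```

Calling `review(SAMPLE)` returns one tuple per administrator with the assigned role, the recommended role, and the finding.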
Enable role-based access to admins
Perform the following steps to enable role-based access to admins:
- After signing in to Citrix Cloud, select Identity and Access Management from the menu.
- On the Identity and Access Management page, click Administrators, and then click Add administrator/group. The console displays all the current administrators in the account.
- In Add an administrator or group, select the identity provider from which you want to select the administrator. Sometimes, Citrix Cloud might prompt you to sign in to the identity provider first (for example, Azure Active Directory).
- If Citrix Identity is selected, enter the user’s email address, and then click Next.
- Select Custom access, and then click the > icon in Secure Private Access.
- Select one of the following roles and click Next.
  - Full Access Administrator
  - Read Only Administrator
  - Full Monitor Administrator
  - Helpdesk Administrator
- Click Send invitation.
Note:
The Analytics and General services must be enabled for all Secure Private Access roles. The Analytics service is necessary for monitoring and reporting, while the General services are required for authentication, domains, authorization, traffic routing, and other functionalities.