How to Restrict User Access based off Environments

Document created by pete_mccoy (Employee) on Oct 8, 2013
How to set access restrictions based on Environments: an Admin-level user in a Development environment should not have the right to see or access the Production environment.
In order to do this you need to work with the custom roles functionality. An "Administrator" of an account has full access to everything - User Management, Account Management, etc. This should be limited to a select group. Instead, you should create a custom role that has every privilege EXCEPT the "Environment Management" privilege. Any user that has the "Environment Management" privilege can see all Environments, but if they do not have this privilege, they can only see Environments that they are assigned to. You can assign Roles to Environments under the Atom/Environment Management screen.

Take a look at this help documentation for some information on this:

The next question becomes:
This keeps you from deploying to a production atom but how do you keep a user from using the production endpoint credentials? For test, the user may only have access to a sandbox system with dummy data. But a production system might have real payroll data, etc. How do you handle that?

To restrict production credentials, you would use Extensions. If you place production credentials only in the Environment Extension section, your developers and other users will never see them or be able to access them. A developer would never be able to attach an Atom to the Production environment, and therefore would never be able to access the Production credentials.

If you place production credentials in your Build component, then you lose the ability to restrict them. You could put sandbox credentials (or no credentials) in your Build component connections instead.
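
The visibility rule described above can be checked against an account's role setup. The following is an added example, not code from the original document or from the product: it models the rule over constructed data and reports which users can reach Production and why. The role names, user names, data layout and function names are all assumptions made for illustration; only the "Environment Management" privilege and its effect come from the text.

```python
# Added example: audits who can see the Production environment under the rule
# "Environment Management => sees all Environments; otherwise only assigned ones".
# All data below is constructed; the layout is hypothetical, not a product API.
ENV_MGMT = "Environment Management"

# Role -> privileges (constructed sample; privilege names other than ENV_MGMT
# are placeholders).
ROLES = {
    "Administrator": {ENV_MGMT, "User Management", "Account Management"},
    "Developer": {"Build"},
    "Prod Operator": {"Deploy"},
    "Integration Lead": {ENV_MGMT, "Build"},
}
# Environment -> roles assigned to it (Atom/Environment Management screen).
ENV_ROLES = {"Development": {"Developer"}, "Production": {"Prod Operator"}}
# User -> roles held (constructed sample).
USERS = {
    "alice": {"Administrator"},
    "bob": {"Developer"},
    "carol": {"Prod Operator"},
    "dave": {"Developer", "Integration Lead"},
}

def visible_environments(user):
    """Environments a user can see under the rule described in the text."""
    roles = USERS[user]
    if any(ENV_MGMT in ROLES[r] for r in roles):
        return set(ENV_ROLES)  # the privilege exposes every Environment
    return {env for env, assigned in ENV_ROLES.items() if assigned & roles}

def production_exposure(env="Production"):
    """Map each user who can see `env` to (reason, roles responsible)."""
    findings = {}
    for user, roles in sorted(USERS.items()):
        via_privilege = sorted(r for r in roles if ENV_MGMT in ROLES[r])
        via_assignment = sorted(roles & ENV_ROLES[env])
        if via_privilege:
            findings[user] = ("privilege", via_privilege)
        elif via_assignment:
            findings[user] = ("assignment", via_assignment)
    return findings

def unexpected_exposure(allowed_users, env="Production"):
    """Users who can see `env` but are not on the approved list."""
    exposure = production_exposure(env)
    return {u: why for u, why in exposure.items() if u not in allowed_users}

if __name__ == "__main__":
    for user, why in unexpected_exposure({"alice", "carol"}).items():
        print(f"{user} can see Production via {why[0]}: {', '.join(why[1])}")
```

In this sample, the user holding both a developer role and a second role with "Environment Management" is the one flagged: the privilege overrides the per-Environment assignment, which is why it should stay out of custom developer roles.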