This article explains SSProtect Accounts, associated User Identities, and assignable Roles.
The SSProtect :Foundation Client uses a Login Session that defines configuration and policy for execution. Login is not required until you access protected content or use product capabilities.
Account (User) Identity
SSProtect Login uses an Account that identifies you as a unique User. Your identity is a unique email address you provide when Provisioning an Account. You must have control over this email account to work with information SSProtect sends, like the temporary credentials used for Account Registration.
Changing your Account Identity
You cannot change the email address associated with an Account, though you can provision a new Account, using a different email address, then migrate data.
SSProtect supports Accounts that operate independently, and Accounts that operate within the context of an SSProtect Organization.
Individual Accounts operate without any additional oversight from others - you are the master of your own domain, so to speak, and manage both your configuration and protected content. It's worth noting that managing protected content differs from accessing and working with secure data. This will become more evident as you discover more about the system.
Individual Accounts do not have default trust relationships for data sharing, though you can use Third Party Trusts to create and manage them.
Organization Accounts operate within the context of an SSProtect Organization. This is a collection of Accounts (Users) that use the same set of features managed by a set of Privileged Users (a single Administrator and one or more assigned Delegates, described below). Some changes to an Organization affect all Accounts, though many items are individually managed.
Organization Accounts have built-in trust associations with one another, which provides for zero-configuration data sharing between members. Third Party Trusts govern sharing permissions for Accounts outside the Organization.
Each Account operates in one of three distinct Roles:
- Non-Privileged User
- Privileged User; Administrator
- Privileged User; Delegate
A Non-Privileged User is able to work with, protect, and access managed content, and can also access data shared by Organization peers or Third Party Trusts - as can Administrators and Delegates.
Non-Privileged Users cannot modify their own configuration beyond a few simple adjustments, which generally modify configurable thresholds or switch between operating modes.
Every Organization has one single Administrator. This is the first provisioned Account, typically resulting in a Registration Email to the Administrator email address. For more information, continue to the Deployment Section's Admins and Organizations article.
Delegates manage Organizations on behalf of an Administrator, and have almost the same permissions. The only differences are:
- Delegates cannot modify an Organization's configuration for Enhanced 2FA
- Delegates do not generate Organization Keys
Delegates only exist for Organizations, and the Administrator - and other Delegates - can promote and demote individual Accounts to and from Delegate status.
Individual Account Administrators
Users who operate as Individuals, without an Organization, usually as a result of Creating an Account without an Organization, serve as the single Administrator to an un-named one-User Organization. Though the User Interface is slightly different from that of an Organization Administrator, the managing capabilities are nearly the same.
Individuals can at a later time create an Organization. This is achieved by Migrating the Account to that of a full Organization Administrator. This procedure is detailed in the article, Migrating to an Organization Account.
This article was updated w/ v8.5.1 of the :Foundation Client