Do I need to approve each time a user wants administrator access?
No. You can use a setting after sign in to allow elevation without approval. In this case, you still get the benefits
of auditing; who elevated, when and an auditlog of installed software and executed applications. In auto-approval mode,
you can (and should) require the user to document a reason for administrator elevation, which you can later use to cross-reference actual activity.
You can (and should) also enable the Code of Conduct message/screen that will appear just before the session starts.
The Code of Conduct is a screen/message that is used to inform the end user of company policy and penalties for abusing
administrator elevation.
Are other customers typically using auto-approval mode?
Yes. The most typical pattern we see for new customers is that they start with approval required. Then after an initial period,
when the psychological effects on end users are clear and there is reassurance end users do not violate rules (see previous question),
they shift to auto-approval mode combined with reason requirement and Code of Conduct screen. This is the point, where the whole administrator
access issue is truly solved, because now the system and administrator access rests with end users without any administration work on the server side.
Can I add more IT people to approve requests and see the auditlog?
Yes, in the portal, you can create more logins for more people. You can also define, which roles
they have, such as access to audit log and if the person is allowed to approve requests.
How would I set up an external auditor?
You can create a portal user account that can only see the auditlog and optionally the inventory. No other data will be visible.
What if I want a manager IT to approve some requests?
You can set a scope for portal logins to only see part of the data based on the end
users or computers groups and/or Organizational Units. For example, a sales manager can be
set up to only see users and computers in sales. He will then only get approval requests from his
own staff. You can also set up the manager to not have approval ability, but only ability to
see the auditlog for his own staff.
Can I set up sub-administrators to only see part of the data?
Yes. You can set a scope for portal logins to only see and approve part of the data based on the end
user or computers groups or Organizational Units. For example, an administrator in a region could
be set up to only see and approve requests and data from computers in his own scope, assuming
for example that all computers are in a specific Organizational Unit.
I am an MSP - how can I give my customer a limited view?
You simply create a user account that cannot approve requests. This way, your customer can see
the data you choose without the ability to approve requests.