Delegated granular administration
Available on Enterprise and Enterprise Advanced plans
Mattermost supports the creation and customization of system administration roles with specific granular permissions and System Console access. This allows senior administrators in large organizations to delegate and decentralize specialized administration and administrative tasks through specific admin roles.
These admin roles permit granular access to specific areas of the System Console and related API endpoints. These roles enable users to perform certain administrative tasks without requiring access to all system administration areas. These system roles never supersede the user’s original role or the user’s permissions configured by the Permissions scheme.
Warning
Even when a role is set to No Access or Read Only for a System Console page, granting Can Edit on any System Console page enables access to the underlying configuration endpoint (PUT /api/v4/config/patch). This means a user with write access in one area can modify configuration values across all areas. Administrators should assign Can Edit permissions with caution.
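As an added example (not code from the Mattermost documentation or project), the following audit reads role definitions in the shape returned by GET /api/v4/roles/name/{role_name} and flags every delegated role that holds any sysconsole_write_* grant, because, per the warning above, any such grant reaches the config patch endpoint. The role JSON and permission strings are constructed sample data; the endpoint path and Bearer-token header used by fetch_role() are assumptions.

```python
"""Audit delegated admin roles for System Console write access.

Per the warning above, one sysconsole_write_* permission on a role lets
its holders reach PUT /api/v4/config/patch, so treat any write grant as
full configuration write. Sample roles below are constructed data.
"""
import json
import urllib.request

# Constructed sample: two delegated roles as a server might return them.
SAMPLE_ROLES = [
    {"name": "system_user_manager",
     "permissions": ["sysconsole_read_user_management_users",
                     "sysconsole_write_user_management_users",
                     "sysconsole_read_about"]},
    {"name": "system_read_only_admin",
     "permissions": ["sysconsole_read_about",
                     "sysconsole_read_environment_web_server"]},
]


def write_permissions(role):
    """Return the System Console write grants a role holds, sorted."""
    return sorted(p for p in role["permissions"]
                  if p.startswith("sysconsole_write_"))


def can_patch_config(role):
    """True when the role has any write grant (config patch reachable)."""
    return bool(write_permissions(role))


def audit(roles):
    """Map role name -> write grants, for roles that can patch config."""
    return {r["name"]: write_permissions(r)
            for r in roles if can_patch_config(r)}


def fetch_role(base_url, token, role_name):
    """Optional live fetch; assumed endpoint GET /api/v4/roles/name/{name}."""
    req = urllib.request.Request(
        f"{base_url}/api/v4/roles/name/{role_name}",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for name, grants in audit(SAMPLE_ROLES).items():
        print(f"{name}: config patch reachable via {', '.join(grants)}")
```

Run it against live data by replacing SAMPLE_ROLES with the result of fetch_role() for each of the four delegated roles listed later on this page.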
Available roles
A system admin can configure the following delegated granular administration roles in the System Console. Each role has a set of default permissions, which can be adjusted as needed.
- System Manager: This role can be configured to have read/write permissions in different management areas.
- User Manager: This role can be configured to have read/write access to all the user management areas and to authentication.
- Custom Group Manager: This role has permissions to create, edit, restore, and delete custom user groups. It can be used to give individual users the ability to manage custom groups when Custom Groups permissions are removed for All Members via System Console > Permissions > Edit Scheme > Custom Groups.
- Viewer: The Viewer role can view all areas of the System Console, and can be configured with write access where needed.
When a user is assigned a system role, they have role-based access to the System Console and the underlying API endpoints. Each role has a different set of default permissions, and what users can access or view depends on the role they’ve been assigned.
The table below lists the default permissions for each role. Admins should carefully review and configure these settings to align with their organization’s needs. Particular caution should be exercised with Permissions write access, as it enables modifications to the permissions of any role, except for the delegated granular administrator roles.
| System role | Read/Write access | Read Only access |
|---|---|---|
| System Manager | | |
| User Manager | | |
| Custom Group Manager | Custom User Groups | N/A |
| Viewer | N/A | |
Assign admin roles
There are two ways to assign roles:
- In the System Console under User Management > Delegated Granular Administration. 
- Using the mmctl tool. This can be done either locally or remotely. 
| You want to | Using the System Console | Using mmctl |
|---|---|---|
| Assign roles | Go to System Console > User Management > Delegated Granular Administration > Assigned People | |
| Grant the System Manager role to a user | | |
| Grant the User Manager role to two users | | |
| Grant the Viewer role to a user | | |
| Grant the Custom Group Manager role to two users | | |
| Remove the System Manager role from a single user | | |
Edit privileges of admin roles (advanced)
System admins can grant read/write access to other areas of the System Console, as well as remove read/write access (including default access), for all system roles except the Custom Group Manager role.
There are two ways to edit role privileges:
- In the System Console under User Management > Delegated Granular Administration. 
- Using the mmctl tool. This can be done either locally or remotely. 
| You want to | Using the System Console | Using mmctl |
|---|---|---|
| Edit role privileges | Note: If you set privilege subsections to different access levels, then the privilege access level displays as Mixed Access. | |
| Grant write access to the Authentication section of the System Console for all users with the User Manager role | | |
| Grant read-only access to the Authentication section of the System Console for all users with the User Manager role | | |
| Remove write access to the Authentication section of the System Console for all users with the User Manager role | | |
| Reset a role to its default set of permissions | This is completed using the mmctl tool only. | |
Admin roles and privileges
Roles
- system_manager
- system_user_manager
- system_custom_group_admin
- system_read_only_admin
Privileges
| System Console section | Permissions |
|---|---|
| About | |
| Reporting | |
| User Management | |
| Environment | |
| Site Configuration | |
| Authentication | |
| Plugin | |
| Integrations | |
| Compliance | |
| Experimental | |
Frequently Asked Questions
Can a User Manager or System Manager reset an administrator’s email or password without their knowledge?
This is not possible with the default privileges of these roles. The ability to reset passwords or email addresses of administrators is limited to system admins.
Can a User Manager or System Manager access the configuration file?
Yes. However, they can only read actual values and modify values in accordance with their permissions. If the appropriate read permissions do not exist, the default key values are displayed instead.
Are all actions of admin roles logged?
Every change made by any admin is included in the audit log.
Can a System Manager change their own permissions or elevate their role?
No. System Managers can’t elevate their role, and aren’t able to elevate other members’ roles.
Can any of the new roles view API keys/passwords or other sensitive information within the System Console (such as SMTP, AWS, Elasticsearch)?
No, password information is only visible to system admins and is obfuscated for other roles.
If download links for compliance exports are enabled in the System Console, can a Read Only Admin download the reports?
Only roles that are explicitly granted access to System Console > Compliance have access to download compliance reports.
Can any of the new roles force-join Private channels?
Yes, at this time they can. However, we will be improving this behavior in the future with a prompt that lets them know they are entering a private channel. We are also planning to add a permission that would remove the ability to access Private channels.
Can I create a new role or clone an existing role?
No, but we are actively seeking feedback on this capability.
Can I use an LDAP filter to assign these roles?
No, but we are considering this functionality for a future enhancement.
Can I rename the roles?
This is being considered for future development.
Can a System Manager or User Manager demote or deactivate another Admin or Manager?
A System or User Manager can demote or deactivate another System or User Manager, but can’t demote or deactivate a system admin.
Can a System Manager or User Manager assign or unassign admin roles?
Only the system admin has access to edit system roles.