Delegation: Difference between revisions

== Officers and capacities ==

The people involved with the administration of a system are referred to as ''officers''. An officer can have one or more of the following ''capacities'':

* System owner

** Create and edit organizations

** Create and edit new officers

** Assign officers to be system owners, organization owners, and administrators

* Organization owner (for one or more organizations)

** Edit organization

** Create and edit new officers

** Assign officers to be organization owners, and administrators

* Administrator (for one or more organizations)

** Monitor events

** Manage access rights, i.e. doors, users, devices, schedules...

** Configure door groups and hardware

== Administrator views ==

The administrator GUI is separated into three different ''views'' that mirror the capacities system owner, organization owner, and administrator. For a large installation, these may be used by different people. For a smaller installation, it is likely that the same person(s) will use all three views, but for different things.

=== System owner ===

This view is accessible to officers with the ''system owner'' capacity, and is available at:

https://access.telcred.com/sys

[[File:sysowner.png|System owner]]

When creating a new organization, the system owner specifies the default time zone (can be changed for individual door controllers). In the same screen, the system owner can assign officers to be organization owners and / or administrators.

The system owner can also appoint other officers to be system owners. This is done when creating or editing an officer. In the same screen it is also possible to assign the officer to be organization owner for one or more organizations:

[[File:sysownerofficer.png|Create system owner]]

Telcred Access Manager supports two-factor authentication for officer login and we highly recommend to use it. The only method currently supported is [https://www.yubico.com/products/services-software/personalization-tools/yubikey-otp/ Yubikey OTP] (One Time Password). More information about two-factor authentication can be found [[Two-factor authentication|here]].

An officer can be temporarily blocked, in which case he or she will not be allowed to login.

=== Organization owner ===

This view is accessible to officers with the ''organization owner'' capacity, and is available at:

https://access.telcred.com/org

[[File:orgowner.png|Organization owner]]

An organization owner can edit the organization name and default time zone, and assign officers to be organization owners and / or administrators (for the current organization). Assigning officers can be done when updating the organization information OR when creating or editing officers:

[[File:createorgofficer.png|Create organization officer]]

=== Administrator ===

This is the normal administrator view, where an officer with the ''administrator'' capacity can add new users, assign access rights to users, etc. This view is available at:

https://access.telcred.com

== Switching between organizations ==

One officer can be administrator or organization owner in several organizations. In this case, the officer can switch between organizations using the selector at the top of the screen:

[[File:switch_org.png|Switch organization]]

== Sharing between organizations ==

=== Policy sharing ===

With delegation, each organization can manage their own users, doors, and access rights. However, it is common that users belonging to one organization need access rights to doors belonging to another organization. For example, in an office building with tenants, all tenants need access to the entrance doors to the building, as well as garages, and elevators.

Telcred solves this problem through ''policy sharing''. The administrator of a door can create a policy which provides access to that door, and then share it with one or more of the other organizations. The administrator(s) of those organization can then assign this policy to their own users.

[[File:policysharing.png|Policy sharing]]

Policy sharing enables fine-grained control of who, when, and how doors can be accessed. For example, the building owner may want to share the door to a common storage room with all the tenants, but only during office hours, while the same door should be available for the security company at all times.

=== User sharing ===

Coming soon