
Advanced system access configuration – MSP best practices

For MSPs who want their technical staff to have one ZeroTek system access role each, the following procedures are sufficient to configure appropriate system access:

However, MSPs with more complex user access requirements may need to modify their approach. This article describes best practices for when you want a single user to have more than one role depending on the customer they work with. For example, you can configure a ZeroTek user to have the Technician role for one customer, but the Help Desk role for a different customer.

To achieve these more layered system access configurations, ZeroTek recommends using role-based groups.

Role-based group assignment

During your ZeroTek | Okta onboarding, we created one Okta group for each of the six access roles (for example, Technician, Help Desk, Administrator, and so on) and configured them for automated provisioning.

Membership in one of these groups automatically assigns the corresponding ZeroTek role-based access privileges, and controls what each user is authorized to see and do.

MSPs with more complex user access requirements need to create additional role-based groups for each customer to be able to assign more than one role to a single user. While this can mean you are managing many groups, using groups is the clearest, most straightforward way to manage different layers of system access.

Creating and assigning additional role-based groups

Sample use case

The procedures in this article use the following sample use case.

  • You want Jane and Omar to have the Technician role for Customer A, and the Help Desk role for Customer B.

  • You want Steve and Asra to have the Help Desk role for Customer A, and the Technician role for Customer B.

1 – Create new per-customer, role-based Okta groups

In your MSP Okta org, create a new group for each customer and role. You can do this in ZeroTek in the Groups area or by logging into your Okta Admin Console directly and working in Okta's Groups area. For our sample use case, you would create the following groups:

  • App - ZeroTek - Technicians - Customer A

  • App - ZeroTek - Help Desk - Customer A

  • App - ZeroTek - Technicians - Customer B

  • App - ZeroTek - Help Desk - Customer B

Make sure you create the groups in your Okta org, not a customer org.

2 – Set up the new role-based groups as Okta push groups

If you are not there already, log into the Okta Admin Console for your MSP's org. (Note that you cannot Deep Link to your own Okta org.)

  1. Navigate to the Applications area and search for the ZeroTek SCIM/SAML app.

  2. In the results area, click the ZeroTek app.

  3. In the Push Groups tab, click the Push Groups drop-down list, and select Find groups by name. Search for and select the name of a role-based group you created.

  4. Click Save.

  5. Repeat steps 3 and 4 to configure any remaining new role-based groups as Okta push groups for ZeroTek.

By configuring these groups as push groups in Okta, you ensure all ZeroTek Administrators can see and manage these groups in both the Groups and System Access areas of ZeroTek.

3 – Assign an access role to each new role-based group

Now it's time to assign a ZeroTek system access role to each of the new customer-specific role-based groups.

  1. Before you begin, make sure that every user has been assigned access to the ZeroTek app itself either through group or direct assignment.

  2. In ZeroTek, navigate to the System Access area.

  3. On the Group Assignments tab, click Assign Group.

  4. In the Group to link drop-down, select the role-based group you created (for example, App - ZeroTek - Technicians - Customer A).

  5. In the System Access drop-down, select the system access role you want to assign to the group (for example, Technician) and click Assign Group for System Access.

4 – Add ZeroTek users to each new role-based group

  1. In ZeroTek, navigate to the Groups area and select the role-based group you want to add users to.

  2. On the group's Users tab, click Assign Users to Group, then add the ZeroTek users who you want to inherit the ZeroTek role assigned to that group.

For our sample use case, you would do the following:

  • Add Jane and Omar to these groups:

    • App - ZeroTek - Technicians - Customer A

    • App - ZeroTek - Help Desk - Customer B

  • Add Steve and Asra to these groups:

    • App - ZeroTek - Technicians - Customer B

    • App - ZeroTek - Help Desk - Customer A

5 – Assign each new role-based group to the appropriate customer

  1. In ZeroTek, navigate to the Customers area.

  2. Click the customer to which you want to assign the role-based group.

  3. Click the Access tab.

  4. Scroll down to the ZeroTek Groups Assigned to the Customer area.

  5. Click Assign Role-Based Groups to Customer.

  6. Click Assign beside the group(s) you want to assign to the customer and click Done.

For our sample use case, you would assign the following groups to Customer A:

  • App - ZeroTek - Technicians - Customer A

  • App - ZeroTek - Help Desk - Customer A
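
The following added example (not ZeroTek or Okta code) models the mappings configured in steps 3, 4 and 5 for the sample use case and audits them for drift. It assumes a user holds a role for a customer when they belong to a group that is linked to that role and assigned to that customer, and that Customer B's groups are assigned to Customer B the same way; the function names and data are constructed for illustration.

```python
from collections import defaultdict

# Constructed data mirroring the article's sample use case.
GROUP_ROLE = {  # step 3: group -> system access role
    "App - ZeroTek - Technicians - Customer A": "Technician",
    "App - ZeroTek - Help Desk - Customer A": "Help Desk",
    "App - ZeroTek - Technicians - Customer B": "Technician",
    "App - ZeroTek - Help Desk - Customer B": "Help Desk",
}
GROUP_MEMBERS = {  # step 4: group -> users
    "App - ZeroTek - Technicians - Customer A": {"Jane", "Omar"},
    "App - ZeroTek - Help Desk - Customer B": {"Jane", "Omar"},
    "App - ZeroTek - Technicians - Customer B": {"Steve", "Asra"},
    "App - ZeroTek - Help Desk - Customer A": {"Steve", "Asra"},
}
# Step 5: group -> customers (assumed: each group goes to the customer it names).
GROUP_CUSTOMERS = {g: {g.rsplit(" - ", 1)[1]} for g in GROUP_ROLE}
NAME_TO_ROLE = {"Technicians": "Technician", "Help Desk": "Help Desk"}


def effective_access(group_role, group_members, group_customers):
    """Return {(user, customer): set of roles} under the assumed model."""
    access = defaultdict(set)
    for group, role in group_role.items():
        for customer in group_customers.get(group, ()):
            for user in group_members.get(group, ()):
                access[(user, customer)].add(role)
    return dict(access)


def audit(group_role, group_members, group_customers):
    """Return sorted findings; names must follow 'App - ZeroTek - Role - Customer'."""
    findings = []
    for group, role in group_role.items():
        _, _, role_label, customer = group.split(" - ", 3)
        if NAME_TO_ROLE.get(role_label) != role:
            findings.append(f"{group}: name says {role_label}, role is {role}")
        assigned = group_customers.get(group, set())
        if not assigned:
            findings.append(f"{group}: not assigned to any customer")
        elif assigned != {customer}:
            findings.append(f"{group}: assigned to {sorted(assigned)}")
    access = effective_access(group_role, group_members, group_customers)
    for (user, customer), roles in sorted(access.items()):
        if len(roles) > 1:
            findings.append(f"{user} has {sorted(roles)} for {customer}")
    return sorted(findings)
```

An empty result from `audit` means every group's name, role and customer assignment agree and no user holds two roles for the same customer.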
