AX2592

About subsystem administrators

When a user is assigned as a subsystem administrator, that user can access security for the purposes of managing users and roles that belong to the subsystem.

Subsystem administrators are not administrator-level users. The behavior is similar to being granted the Administer Security permission, except that the subsystem administrator can only work with users and roles within the subsystem.

Subsystem administrators can do the following:

• Create, edit, and delete users and roles within the subsystem.

• Assign roles to users in the subsystem. The users can be assigned to subsystem-specific roles or to "global" roles (roles that do not belong to any subsystem).

• Remove locks held by users in the subsystem. This applies to document and table locks, and save data locks, where the subsystem administrator has some level of access to the locked item.

• Use Log in as selected user to test the permissions of any user in the subsystem by logging in as that user. (Note that if a system administrator is assigned to the subsystem, the subsystem administrator cannot log in as that user.)

Subsystem administrators cannot edit the subsystem settings, except to assign users and roles to the subsystem. It is assumed that the subsystem is created by a system administrator (or delivered as part of an installed product), and then the subsystem administrator simply manages the users and roles within that predefined framework.

The subsystem administrator can be any user. The subsystem administrator may belong to the subsystem as a user if desired, but that is not a requirement. If the subsystem administrator is also a member of the subsystem, then the subsystem administrator can edit his or her own user permissions, but overall those permissions are restricted by the limits of the subsystem.