User administrators use the User Admin policy.
As a user administrator, you can use the Administration console to:
- Create an internal user account
- Enable or disable internal user accounts
- Add a user to, or remove a user from, a workspace
- Manage visiting user access in your tenant.
You can be provisioned with the User Admin role if you are an internal user (your user account is established in your native tenant). If you are a visiting user (you are assigned to a workspace outside of your native tenant) the User Admin role is not available to you.
Note that you can manage user access to workspaces in three ways:
- A user administrator can create users and assign them to, or unassign them from, a workspace in the Administration console.
- A workspace administrator can add or remove users from the Users pane in a model.
- A workspace administrator can import a list of users to add users and update user details.
If a user administrator and workspace administrator input conflicting changes for a user, the most recent transaction determines the user account status.
To avoid user status conflicts, we recommend that your organization use the user administrator role to provision user access. Workspace administrators can then refine model-level access from the Users pane within a model.
User Administrator Policy
| Resource Type | CREATE | READ | UPDATE | DELETE |
| User | true | true | true | true |
| Tenant | false | true | false | false |
| Model | false | true | false | false |
| Workspace | false | true | false | false |
| Role | false | true | false | false |
| Role Membership | false | true | false | false |
| Policy | false | true | false | false |
| Permission | true | false | false | true |