Console Roles and Capture Dashboard Permissions
With the debut of the new Console roles, users who also hold Capture Dashboard roles are likely to encounter permission issues. If you’re a Capture Dashboard admin you don’t have to worry about this: admin role-holders automatically have full administrative access to everything in the Console as well as full administrative access to everything in the Dashboard.
However, that is not the case for users who hold any other Capture Dashboard role; that’s because all the Capture Dashboard roles (other than admin) are being deprecated. For example, suppose you hold the operations role in Capture Dashboard. If you log on to Console, you will not automatically be given Console permissions similar to those you hold in the Capture Dashboard. Instead, you’ll be given read-only access to a limited set of Console features (and no access to user profiles):
If you hover the mouse over the red danger icon, you’ll see a message explaining why you can only access a limited set of Console features:
So how do you regain the Console permissions that, based on your Dashboard role, you might have expected to have? The only way to get an updated set of Console permissions is to have an Application Administrator or a Console Access Manager:
- Assign you a new Console-specific role (for example, User Profile Manager).
- Use the Console to remove your Dashboard role.
If you’re wondering, “What do you mean, use the Console to remove your Dashboard role?”, we’ll explain. As noted previously, if you hold a Dashboard role other than the admin role, a new, limited agent account is created for you in the Console. If an admin accesses your agent account, her or she will see a setting for your Dashboard role (for example, reports):
Before you can be assigned a new Console role, the checkbox next to the Dashboard role must be cleared. As you can see in the preceding illustration, the Save button is disabled when the Dashboard role is select. It’s only after the Dashboard role is cleared that the Save button becomes available:
At this point, you can finally log on to the Console using your newly-assigned role and newly-assigned set of permissions.
That’s the good news. The bad news (such as it is) is this: gaining access to the Console means losing access to the Dashboard, and vice-versa. For example, suppose Li Song is a Capture Dashboard admin:
This means that Li is also a Console Application Administrator, because a Dashboard admin automatically inherits that role. Now, suppose you change Li’s Console role to Console Access Manager:
That automatically changes her Capture Dashboard role as well. Not only that, but changing her Console role also removes her Capture Dashboard permissions:
The takeaway? Unless you are an admin/Application Administrator, you cannot hold roles (or at least not the more-useful roles) in both the Console and the Dashboard; for example, you cannot be a Console Access Manager and hold the Capture Dashboard operations role. If you restore Li’s operations permissions in the Capture Dashboard, her Console role will revert to the limited read-only access role (Application Configuration Viewer) and you’ll need to clear the operations role before you can assign her a different Console role:
And, of course, clearing the operations role and assigning her a new Console role will, again, remove her Dashboard permissions. There’s just no way around it.
The Capture Dashboard is scheduled for retirement by the end of the year (2018); from then on, the Console will be your primary administrative tool for managing the Console. Akamai recommends that you take the time between now and then to review who has access to your Identity Cloud applications and to update each person’s Console user role accordingly. We also recommend that you take advantage of the many new role types to employ the principle of least privilege: giving users only the permissions they need in order to do their job. Of course, in order to do that, you need to know a little bit more about the Console roles and the permissions associated with each one.