Platform Manager role, how is it determined if it's necessary?
Good afternoon,
It certainly seems like best practice to drastically limit the number of “platform managers” within an organization, though the “impersonate user” function is proving to be coveted by members of our Communications department as a means to see different user experiences on our site, and quickly get a glance at what parents of a 3rd grader, or 11th grader, might be seeing on a week to week basis.
How are other schools determining if a person or position should be granted platform manager rights? In this specific scenario, impersonating users is the only access that's actually desired.
Have you figured out a different way to allow members of your professional community to have better insight into the parent, student, or employee experiences in Blackbaud's products?
Thanks for any suggestions,
Dave
Comments
-
In our organization, only Senior Admin (4) and IT have impersonate rights. If someone that does have rights needs to see what a parent/student/faculty view, they contact me and I screenshot or sit with them to show. Platform Manager (impersonate role) gives the rights to change and alter throughout the system. In my opinion this role should be given out sparsely or you lose data integrity. BB doesn't have change logs that we can access easily.
3 -
We have 5 people with the Platform Manager role.
We find it helpful for a couple of other people involved in user support to be able to impersonate users, so we cloned the role to create Platform Assistant Manager. That role has Impersonate User permission (plus a handful of others). Two people have that role.
3 -
@Dave Levin we're pretty strict with our permissions and only have two platform managers. We have 2 others with platform manager lite (a cloned role) that is very watered down.
3 -
We also have a cloned role for that access. All division assistants (Lower, Middle, Upper, etc.) have access, as well as the nurses and a handful of other administrators/staff. No faculty. Impersonating preserves SSO connections as well so people really find it valuable to check a parent's forms status, for example, which is in 3rd party software but connected by SSO. Although impersonate allows you to edit data, if you restrict it to people who already have access to editing biographical data, then the risk isn't increased much. The other roles we have cloned from Platform Manager are: Calendar Manager, Emergency Notification Manager, Logo & Watermark Manager, Resource Board Editor, and Student & Profile Manager.
2 -
Seconding what folks have said about creating a new cloned role with limited rights. Keep in mind that impersonation can allow users to see information that would not otherwise be published to them. I try to be very cautious about who gets these kinds of permissions, but I think it's leagues better to clone and dilute than to have more than 3 Platform Managers in the system. Too many cooks in the kitchen.
2 -
How about creating test students and then having them be the parents of the test students?
1 -
We stopped using “test” students - everyone running student reports, mailing list and admission numbers had to remember to remove the test student account(s) or subtract that test student from that class of numbers. We went from 12 (1 for each grade) test students in EE to none - Test Z-fictional's were receiving a lot of mail at the school - lol
0 -
Wouldn't someone with “just” the impersonate ability given to them selectively be able to then impersonate a full-fledged administrator and have access to absolutely everything?
0 -
Geoffrey Goodfellow:
Wouldn't someone with “just” the impersonate ability given to them selectively be able to then impersonate a full-fledged administrator and have access to absolutely everything?
There are some safeguards in place to prevent that

https://kb.blackbaud.com/knowledgebase/articles/Article/101206
0 -
Good to know! Thanks, @Jamie Cross
0 -
We do the same thing. I feel impersonation should be used sparingly because it can be easily abused. BB does have some safeguards in place but they are not that great.
1 -
@Jamie Cross
There are not useful safeguards in place. Users 100% can impersonate an admin with more permissions and grant themselves additional permissions. It's a HUGE problem.
0 -
Hi @Erin Aiston
Users with a cloned Platform Manager role cannot impersonate users with the Platform Manager role or users who have a cloned Platform Manager role. Only users with the full Platform Manager role can impersonate other users with the Platform Manager role or a cloned version of it.
2 -
More information about clones
Help:
Blog:
0 -
@Dave Levin - We have quite a few cloned PM roles and it's not great, but there's no way around it. We have distributed much of our data administration to the business units and you can't use Core unless you are a PM or a cloned PM. Word out there is that BB is overhauling permissions next year, so let's hope this gets addressed.
Also - as a fail-safe, we gave all our senior leadership a cloned PM role with no tasks so that no one can impersonate them. We did this with Finance too, since we don't totally trust that users won't be able to impersonate a Billing Clerk.
The other issue we have with impersonate access, right now, is that you can impersonate parents and see their financial statements in Billing Management. This is a BIG deal for us and something BB thought they had resolved.
Thanks to everyone for sharing on this topic. Understanding roles in BB is a mind warp
0 -
@Dave Levin I should also have said - in order to get access as a cloned PM, you have to place a help desk ticket with the Information and Innovation team. The IT leadership evaluates the request and does a deep investigation into the implications. We then decide based on impact to other business units. Right now our primary concern is keeping financial data secure.
0 -
@Bryan Lorenzo What tasks do you assign to PM Lite?
0