Application Managers, Account Admins, and Realm Admins… Oh my!
The responsibilities and permissions of the admin roles in Quickbase
Within the Quickbase platform there are several admin roles that you may come across. Each has their own set of permissions and entitlements. Knowing which role (or roles) you are in, and what the capabilities of each role are can make a big difference in how you use the platform. We’d like to start with explaining the three most common admin roles that we have: Application Managers, Account Admins, and Realm Admins.
Bobby – Application Manager with Full Administrator Permissions
River – Account Admin with Full Management Permissions
Joyce – Realm Admin/Account Admin with Full Management Permissions
Intro
The first step to understanding each of the roles is knowing that the roles are additive. You can be one of the three, or all three, or any combination in between. For most accounts, it is common for your Realm Admins to also be Account Admins, and quite often Account Admins are Application Managers as well, and this is where the confusion can come in. What permissions belong to which admin role, and what level of permissions do I want to grant to my users to govern their access and security, while not restricting them to the point that it impacts whether they can do their job.
Here are some good bullet points to remember with some more real-world examples below:
Application Manager:
- Ability to assign roles to users within the application
- Ability to Transfer/Delete the application
Account Admin:
- Manage users on the account (create new, and deny)
- Access to view/edit billing information
- Ability to see all apps/users on the account
- Point of contact to discuss renewal/changes to the account
Realm Admin:
- Manage security policies on the realm
- Enable SSO for the account (Business level plans and above)
- Access to Audit Logs
- Ability to see other user’s Pipelines
- Ability to appoint Super Users
- Access to Custom Encryption (Business level plans and above)
Our Help Document goes over in more detail the rights of each Admin Role
Quickbase built-in admin roles
We’ll take a look at a couple of admins and discuss what access levels they have on their accounts to give you a good idea of what to expect on your own accounts.
Bobby – Application Manager with Full Administrator Permissions
(We do not often see Application Managers that do not have Full Administrator Permissions)
Bobby is an Application Manager for his company, and his role in the application has full administrator permissions. He is not an Account Admin or a Realm Admin, so his admin responsibilities are limited to just the application that he manages.
When a user creates a new application, they are automatically assigned as the Application Manager with Full Administrator Permissions for that application. Application Managers can access the application at any time, even if they are in the “none” role in the application.
Bobby has full access to his application(s). He can add and remove users, update user roles, look in at notifications on the tables, and is the go-to resource for end users when they have issues in the application. Bobby can copy the application, adjust forms, add/edit/remove fields, and in general make decisions about the structure of the application and the data within the application. Bobby shares these responsibilities with every other App Administrator in the application. Using role permission Bobby can promote other users to share in the building and maintenance of the application, but Bobby’s abilities only extend to the application(s) that he manages.
As the Application Manager, Bobby does have some access that is unique. He has the capability to delete the application, or to transfer the application to another user/account. These functions are not possible for a user in the Administrator role and are only available to the Application Manager. These capabilities are the reason that many Account Admins are chosen to be the Application Managers, but you can have any user be an Application Manager if it makes sense for your organization.
One of the few application-specific tasks that an Application Manager cannot complete on their own is a restore or backup request. Even for their own applications Application Managers will need to work with an Account Admin to request this from our Technical Support Team.
Bobby’s permissions only extend within the application(s) he manages. He can’t make decisions for the Account such as talking about their yearly renewal, or increasing their total number of users. For those sorts of tasks, he would have to reach out to his Account Admin.
River – Account Admin with Full Management Permissions
(There are also Support Level Account Admins. These are not as common and will be covered in another article)
River is one of the Account Admins. Full Management Account Admins have access to the Admin Console and are the primary “owners” of the account.
River has access to the Billing Information of the account, so if a new credit card needs to be supplied or if your billing address changes, they are the person to do it. They have the ability to transfer any application in the account, even without being the Application Manager of that app (useful if your Application Manager leaves without first transferring the app to someone else). River has control over the users in the account, this goes for provisioning new users, as well as denying users that have left the company for any reason. They can also create/manage user groups to help control access to the applications. And they have access to the Permissions Tab of the Admin Console which is vital to controlling which users have Account Admin permissions, which users can create applications, and which users can create pipelines.
The Admin Console is your best place to manage your account as a whole. Account Admins can see every user on the account, whether they are in 1 app or 20. They can see every application on the account, even ones that they don’t have direct access to. And they have access to Platform Analytics, which can show the usage of the account and some key metrics to manage the account.
Since this role is so vital to the governance of your users and data it is recommended that you always maintain multiple Account Admins. For some organizations this may mean that you have 2, for some organizations we see 5+. We recommend this so that if any issue comes up there is always an Account Admin available, if your Account Admin leaves for a two-week vacation who is going to put the new hire in the system? Who would update your billing information if there was an issue with the credit card we have on file? There are many situations where an Account Admin will need to be involved, so it is important to make sure that there is a fallback plan.
Joyce – Realm Admin/Account Admin with Full Management Permissions
(We do not often see Realm Admins that are not also Account Admins, but you may have this situation in your organization.)
Joyce is another Account Admin, but Joyce is also a listed Realm Admin. The Realm Admin is responsible for several realm wide areas like SSO, security, and UTF-8 encoding, to name a few.
Audit Logs are a great feature we’ve rolled out to all our plans that allow you to track changes to the data in your applications. Joyce has access to these logs and can review them to track down which user changed a record, or see the last time a user logged in to a specific application.
Another level of access that Joyce has is the ability to see other user’s pipelines. Most users can only see their own pipelines, but Joyce can “Switch to user” and access any pipelines on the account. Joyce also has the ability to enable Super Users on the account and promote users to this role. Super users have access to every application on the account, without being added to them purposefully. This is a great tool for service accounts and admins who need to easily be able to access any app at any time.
Depending on the level of your plan, Realm Admins also have access to the Policies Tab of the Admin Console. This allows them to set password requirements for their Realm, how many characters, do you need letters and numbers, etc. Joyce also is the point of contact for her company’s single sign-on connection (SSO). Only Realm Admins will be able to work with our Technical Support Team to setup/maintain your SSO connection. We also offer Custom Encryption on our higher level plans that Realm Admins have access to set up and control.
With both of these Admin roles, Joyce has full access to all areas of the account, it’s applications, and the data within. As with Account Admins we do recommend maintaining at least 2 Realm Admins, the largest difference is that Account Admins can assign new Account Admins at any time, but in order for a Realm Admin to promote another user to Realm Admin they must open a support case so that our Technical Support Team can assign the user to the role.
It takes a team of people to ensure that your applications are running smoothly, your data is safe, and your users can get the most out of Quickbase. Knowing the admin roles at your disposal and putting the right people in them is the first step to helping you see, connect, and control your data.