How to: Create Sub Administrators using ‘Restrict Visible Roles’ functionality

Have you ever had the need for a restricted Administrator role? Perhaps a "Sub Administrator" capable of creating new users in a system, but only able to grant them a set list of role permissions? Then the new function "Restrict Visible Roles" could be for you.

Designed for a Client Org Structured environment, a Yellowfin Administrator can define a list of restricted User Roles in the system that only Administrators can assign. From here, the main Administrator can create a new role, designed as a Sub Administrator, with permission to only create users assigned role types that have not been restricted.

This allows for Sub Administrators to be created to manage users within their own Client, where before this would have had to be performed by a central Administrator.

To implement this in a system it only takes two easy steps!

Step One

Navigate to Administration > Role Management. Edit the role (or create a new one) that you wish to restrict. Select the "Restrict Visible Roles" function, and deselect the "Roles Managment" function, in the User Administration section. This means that the Sub Administrator will be able to assign only unrestricted roles, and they will not have access to adjust role permissions (including their own).

For this example, I have copied the standard Administrator role and renamed it "SubAdmin".

Step Two

Navigate to Administration > Configuration. Under the Authentication tab, highlight the roles you wish to restrict from the list. Click on the ’Select’ link to add these to the restricted list, then click the ’Save’ button to complete your changes.  In the following example, we’ve restricted the SubAdmin’s access to only manage their own Client Org by restricting their ability to create ’Admin’ or ’Sub Admin’ roles.

Note: As you’d expect, when logged in with the new SubAdmin role, this Configuration option is not visible.


Now, when logged in as the SubAdmin, you’re unable to create a user who has the roles that were restricted. You also cannot use the User Import function to import users with restricted roles.

When looking at the User Management page, you cannot see or edit the users that are restricted.

Also, when creating a new group, you cannot see restricted roles to add them to the group.