Staff¶
About Staff User Accounts¶
In ActionKit a staff user is anyone with administrative access to your ActionKit admin interface.
Staff users are created through the Staff tab only. From this tab you can edit staff user permissions (if you have permission to do this yourself), unlock staff accounts and reset passwords.
Adding Staff Users¶
To add staff users:
1 Click Browse All in the Staff tab.
2 Click Add user.
3 Enter a username and password. The user can later change their password using the change password link.
4 Click Save. The Change User screen displays the user personal information and permissions settings.
5 In the Personal Info section enter the user's first and last name and email address (required).
Staff Permissions¶
In the Permissions section define this staff user's level of access by selecting any or all of the following checkboxes:
Active Account - If this isn't checked the user has no permissions. Uncheck this checkbox to deactivate an account.
Admin Interface - Gives a user access to the ActionKit admin. Uncheck this checkbox to prevent users from accessing the admin web interface, while continuing to allow them to access the API.
Superuser Status - Gives the user all permissions, regardless of what's selected in the permission groups section. Access to the site-wide configuration options is only available to superusers.
(Note that the Mailings - Receive All Mailings option is not automatically selected for superusers and must be manually selected if the user should receive a copy of every sent email.)
Note
Active Account and Admin Interface must both be checked for the user to be able to log in to your ActionKit instance at all.
In the Permission Groups section, select the permission groups for staff who aren't superusers.
The permissions listed are the only ones available. You cannot currently create custom permissions. You can group the existing permissions together however you'd like though.
These permissions also grant access to the REST API for the relevant objects. To grant access to all objects in the database, add an account to the "All Models - View, Edit, and Delete" group. However, for security it's preferable to restrict an account's access to just the kinds of objects it will need.
If a user tries to do something for which they don't have permission, they'll see a big black message Permission Denied and they'll need to hit the back button to get back into the ActionKit admin.
Following is a description of the built-in permission groups:
All models
- All Models - View Only: The user can view all data but not edit or delete it.
- All Models - View, Edit, and Delete: The user can view or change any data.
Note
All Models
does not include staff management permissions.
Events
- Events - Manage: Staff users with this permission have access to all event campaigns and all the event management tools available on the Dashboard for each campaign. They can confirm, approve and delete events, email hosts, and more. They cannot create or edit event pages.
- Events - Manage plus Campaign: All the permissions included in "Events - Manage", plus the user can edit campaign settings for any event.
Languages
- Languages: The user can add and edit the language definitions. Add this permission (in combination with the others above) for any users who will be adding languages or editing translations.
Mailings
- Mailings - Edit Email (not send): The user can view the mailings tab, add a draft, edit existing drafts and view any of the related tools that aren't specifically mentioned in the other mailings related permissions below. The user cannot send mailings with this permission.
- Mailings - Edit plus Client Domains: All the permissions included in "Mailings - Edit Email", plus adding and editing client domains.
- Mailings - Edit plus Email Wrappers: All the permissions included in "Mailings - Edit Email", plus adding and editing email wrappers.
- Mailings - Edit plus Mailing Lists: All the permissions included in "Mailings - Edit Email", plus adding and editing mailing lists.
- Mailings - Edit plus Model Mailings: All the permissions included in "Mailings - Edit Email", plus adding and editing model mailings.
- Mailings - Edit and Send: All the permissions included in "Mailings - Edit Email", plus the ability to send the mailing.
- Mailings - Edit and Limited Send: Like "Mailings - Edit and Send", except the maximum size of the mailings that can be sent is limited. The limit is configurable.
- Mailings - Receive All Mailings: Users will this permission receive a copy of every sent mailing. The subject starts with {Final mailing ###} [Count N], where ### is the mailing ID and N is the number of users being sent the mailing, so you can tell that it's not a proof or an email you're receiving as a targeted recipient.
Pages
- Pages - Edit, View, Create: The user can edit, view, and create pages and edit most of the pages related tools.
- Pages - Plus Fraud Filters: All the permissions included in "Pages - Edit, View, Create", plus managing fraud filters for donation pages.
- Pages - Plus Model Pages: All the permissions included in "Pages - Edit, View, Create", plus adding and editing model pages.
- Pages - Plus Petition PDFs: All the permissions included in "Pages - Edit, View, Create", plus adding and editing delivery jobs.
- Pages - Plus Templatesets: All the permissions included in "Pages - Edit, View, Create", plus adding and editing templatesets and account tools.
Reports
- Reports: The user can permission allows you to edit, view and create reports and all of the related tools.
- Reports - View only: The user can search for and run existing reports, including downloading surveys and comparing performance by mailing or by page.
Users
- Users: The user can view the Users tab, search for users, view and edit user records (except manage donations), plus add custom user fields and reset passwords.
- Users - plus Donation Management gives permission to change donations in the individual user record.
- Users - plus Imports gives permissions to import users either from the Users tab or from an existing import page on the Pages tab.
Deactivating Staff User Accounts¶
You cannot delete a staff member, instead you deactivate them. A deactivated staff member no longer has the ability to log into ActionKit admin. This does not deactivate their SQL log in, if they have one; request that through the support form.
To deactivate/remove a staff member:
1 Click Browse All in the Staff tab.
2 Select the staff user name in the listing or click the Edit button in the right-hand column adjacent to the user name.
3 In the Permissions section, clear the Active checkbox.
4 Click Save. This user will no longer be able to access your ActionKit website.
Note
Deactivating a staff account which is used by ActBlue's webhook will prevent ActBlue from connecting to ActionKit and sharing donations data. ActionKit will try to warn you if you are editing a user account which has recently been used by ActBlue. However, it is important to always be careful that an account you are about to deactivate isn't being used by ActBlue.
Unlocking Staff Accounts¶
Your user data is a valuable organizational resource. To make sure your users' privacy is protected as well as your organizational data we require a log-in to access the ActionKit admin.
If you attempt to log in too many times with the wrong password, you and everyone who shares your IP address will be locked out. Any staff user with the superuser permission can unlock the account by clicking the Unlock Staff Accounts button on the Staff tab.
Resetting Passwords¶
You can reset your own password through the Reset Password button on the Staff tab or by clicking the Change Password link in the header bar on any tab in the ActionKit admin.
To reset another staff user's password:
1 Click Browse All.
2 Find the staff user name in the list and click Edit. You can search by name or email address. You can also use the Filters to refine your results by active, admin interface access, and superuser.
3 In the Password field, click the change password form link.
4 Enter the new password in the two fields provided and click Change password.
Two-factor Authentication¶
To provide better security for the admin interface, ActionKit now supports two-factor authentication. This does not affect API access.
How it works: Under two-factor authentication, the admin will require you to provide not only your username and password when logging in but also a special token provided by a device associated with your account (a phone or token generator). This improves security because a password, which may be obtained or guessed by an attacker, is no longer sufficient to access your account.
By default, two-factor authentication is supported for all staff users, but not required. If you set up a two-factor authentication device for your admin account, it will be required for your account, but other staff who have not set up devices for their accounts will still be able to log in with just their username and password.
On request, WAWD can add a setting to your ActionKit configuration that will require two-factor authentication for all staff accounts in your admin. We recommended that all staff set up two-factor authentication before enabling this option. See below.
You can see which staff users have two-factor authentication enabled in the relevant column on the staff list.
Account set up: From the gear menu in the top-right, click Two-Factor Auth. You'll be guided through the set up of your device. You can choose a token generator (an app like Google Authenticator or Microsoft Authenticator), or enter a phone number to receive SMS or a voice call. Enter the code generated by (or sent to) your device to confirm that the device is working. For all subsequent log-ins, you'll be prompted to enter a token from your device after you enter your username and password. We recommend setting up one or more back up devices that you can use if your primary device is unavailable.
Agent trust: "Agent trust" allows you to trust a (non-shared) computer or device for 30 days, so you don't have to re-enter your token every time you log in. (Google uses a similar approach with their two-factor auth.) If dual authorization is enabled, you'll see a new "remember me” option. You can revoke trust for a computer or device from the Two-Factor Authentication screen, by clicking forget other devices.
Two-factor profile: Once Two-Factor Authentication is enabled, the Two-Factor Auth option on the gear menu will bring you to your profile, where you can review your two-factor authentication settings, add new devices, change devices, and obtain backup codes. Backup codes are one-time passwords that can be used if you lose your phone. You can also use this interface to disable two-factor authentication for your account.
Other staff accounts: Superusers can generate a code for another staff member who has lost their two-factor authentication device and does not have backup codes. Select Get Token for User from the user's staff profile (accessible from the Staff tab by clicking Browse All, then selecting the appropriate user). Note: this effectively creates a device for a user; using it will require a user to log in with two-factor authentication ever after, even if it's not required by the instance configuration.
If your instance is configured to require all staff to log in with two-factor authentication: New staff won't be able to log in until they have set up a device. You can add new staff and generate a back up code for one-time use so they can log in and set up their device.
To add new staff:
1 Set up the staff user as usual, assigning a username and password.
2 From the detail page of the new staff user (e.g.
/admin/auth/user/10/
), click get token for user.3 Send the back up code that displays, along with their username and password, to the new user. You may want to send the backup code separately (e.g. via SMS).
4 The new user should immediately configure two-factor authentication. A link is provided on the
get token for user
page to facilitate this. The back up code only works once.