About App Roles

The App Roles configuration allows you to create application roles with required permissions and apply the role to application users and groups.

From the App Designer (Settings > Applications > App Designer), click the App Roles option (under General) to open the configuration:

eCASE application interface highlighting the App Roles section for user management.

The Manage app roles screen is shown below:

Manage app roles interface showing options for creating and editing roles and permissions.

| Ref | Option | Description |
|---|---|---|
| A | App Roles List | All existing App Roles are listed here. You can use the (I) Filtering options to narrow down the listed roles. This list includes the following details: Name (the name of the role); Description (a brief description of the role); Scope (the scope of the role: Folder, Case Type, or Application; see below for more details on each scope type); Permissions (permissions granted to the role). |
| B | New | Create a new App Role |
| C | Edit | Edit a selected App Role from the App Roles List |
| D | Manage Users/Groups | Grant roles to various users/groups |
| E | Permissions | Manage the permissions granted with the selected App Role |
| F | Dashboard | Manage the dashboards available to a selected App Role |
| G | Delete | Delete a selected App Role |
| H | Show System Roles | Click to show System-generated roles. These cannot be edited or deleted; however, Permissions can be viewed and managed for these system-generated roles. (Screenshot: Table displaying system roles, descriptions, scopes, and permissions for user management.) |
| I | Filtering | Use the Case Types and Scope dropdown lists to filter the (A) App Roles listed below. |

These options are described in the following sections in this chapter.

Casepoint Support Role

Overview

The CP Support role, also known as the Support Admin role, is a built-in application role that allows authorized Casepoint support personnel to access a client system for troubleshooting purposes. The role is constrained by a fixed permissions matrix and is governed entirely by the Client Administrator. This article is intended for Client Administrators of the eCase Platform.

How the Role Works

Client Administrators cannot create, edit, delete, or reassign the role from the standard user management interface. The role and any user accounts assigned to it are provisioned by Casepoint operations.

Access to the role is controlled by a toggle named Enable Support Admin, located on the Support Admin Access page within the Administration menu. The toggle is disabled by default. When the toggle is disabled, no Support Admin user can sign in. When the toggle is enabled, provisioned Support Admin users can sign in through the dedicated Support Admin sign-in Uniform Resource Locator (URL).

NOTE: Support Admin user accounts are not counted against your eCase user license total.

Roles and Permissions

The CP Support role grants limited access to a defined set of configuration modules. Areas accessible by the role suppress any Personally Identifiable Information (PII) such as email addresses. The following module categories are accessible to the role:

| Module Category | Access Level |
|---|---|
| Scheduled Jobs | Read and Write (limited actions only) |
| Email Log | Read |
| Scheduler Configuration | Read and Write (limited actions only) |
| Services Configuration | Read |
| Sign-On Mode (eCase Database Configuration) | Read |
| System Settings | Read |
| Security Settings | Read |
| SAML SSO Configuration | Read |
| Audit Configuration | Read |
| Report Scheduling | Read |
| Application Licenses | Read and Write (limited actions only) |
| Connectors | Read and Write (limited actions only) |

Modules that are not listed are not visible to Support Admin users. Actions that are designated as disabled in the permissions matrix are blocked even within accessible modules.

Provisioning and Access Restrictions

The CP Support role enforces the following restrictions at all times:

  1. Casepoint operations provisions Support Admin user accounts directly. Client Administrators cannot create, edit, delete, or reassign these accounts from the standard user management interface.

  2. The Support Admin role does not appear in the role selection list when a Client Administrator creates or edits any standard user account.

  3. The system blocks the creation of any duplicate role whose name matches Support Admin in any letter casing.

  4. Support Admin users do not appear in user assignment dropdowns such as Assign to Action Office, Assign to Group, request assignment, or any other assignment field.

  5. A Support Admin user may be assigned only to the Support Admin role.

Internet Protocol Address Whitelisting

The CP Support role can be further restricted to a defined list of Internet Protocol (IP) addresses through the Allowed IP List field on the General Settings page. When the Allowed IP List contains one or more entries, sign-in attempts from any address outside the list are rejected, and the rejected attempts are logged for review. When the Allowed IP List is empty, no IP-based restriction is applied.

Audit Behaviour

All actions taken by Client Administrators to enable or disable Support Admin access, and all actions taken by Support Admin users while signed in, are recorded in the standard eCase audit log. The audit entries include the user identifier, the source IP address, the action performed, and the date and timestamp. Sign-in and sign-out events, including unsuccessful attempts, are recorded.

Single Sign-On (SSO) attribute mismatches are also recorded. When an SSO assertion does not match the provisioned Support Admin user record, the system logs the SSO-supplied attributes and the eCase user attributes, marks the sign-in attempt as failed, and returns the user to the sign-in page.

Sign-In and Session Lifecycle

Support Admin users sign in through a dedicated Support Admin sign-in Uniform Resource Locator (URL). Standard application sign-in URLs do not accept Support Admin credentials. Sign-in is permitted only through SAML SSO; direct username and password sign-in is not allowed for Support Admin users.

When the Client Administrator disables Support Admin access, the system terminates active Support Admin sessions the next time the user takes an action that contacts the server. Sign-in attempts made at the exact moment access is being disabled are not granted; the user is returned to the Support Admin sign-in page.
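
The following is an added example, not part of Casepoint's documentation or product code: a Python review pass over exported audit entries that applies the rules described above (the Enable Support Admin toggle, the Allowed IP List, and the audit fields user, source IP, action and timestamp). The record layout, action strings, user names and addresses are hypothetical, constructed sample data; map them to the columns of your own audit export.

```python
from datetime import datetime
from ipaddress import ip_address

# Constructed sample of exported audit entries. Field names and action
# strings are hypothetical; they are not taken from the eCase audit log.
AUDIT = [
    {"ts": "2024-05-01T09:00:00", "user": "client.admin", "ip": "198.51.100.7", "action": "SUPPORT_ACCESS_ENABLED"},
    {"ts": "2024-05-01T09:05:00", "user": "cp.support1", "ip": "203.0.113.10", "action": "SIGN_IN"},
    {"ts": "2024-05-01T09:20:00", "user": "cp.support1", "ip": "203.0.113.10", "action": "SCHEDULED_JOB_EDIT"},
    {"ts": "2024-05-01T09:30:00", "user": "cp.support2", "ip": "192.0.2.99", "action": "SIGN_IN_FAILED"},
    {"ts": "2024-05-01T10:00:00", "user": "client.admin", "ip": "198.51.100.7", "action": "SUPPORT_ACCESS_DISABLED"},
    {"ts": "2024-05-01T10:02:00", "user": "cp.support1", "ip": "203.0.113.10", "action": "CONNECTOR_EDIT"},
    {"ts": "2024-05-02T08:00:00", "user": "client.admin", "ip": "198.51.100.7", "action": "SUPPORT_ACCESS_ENABLED"},
]

def review(entries, support_users, allowed_ips):
    """Return (kind, timestamp, user, detail) findings for Support Admin activity."""
    allowed = {ip_address(a) for a in allowed_ips}
    findings, enabled, enabled_since = [], False, None
    for e in sorted(entries, key=lambda r: datetime.fromisoformat(r["ts"])):
        if e["action"] == "SUPPORT_ACCESS_ENABLED":
            enabled, enabled_since = True, e["ts"]
            if not allowed:  # an empty list means no IP-based restriction applies
                findings.append(("no_ip_restriction", e["ts"], e["user"], "Allowed IP List is empty"))
        elif e["action"] == "SUPPORT_ACCESS_DISABLED":
            enabled, enabled_since = False, None
        elif e["user"] in support_users:
            outside = bool(allowed) and ip_address(e["ip"]) not in allowed
            if e["action"] == "SIGN_IN_FAILED":
                kind = "rejected_outside_allowlist" if outside else "failed_sign_in"
                findings.append((kind, e["ts"], e["user"], e["ip"]))
            else:
                if not enabled:  # unexpected: the toggle gates sign-in and sessions
                    findings.append(("activity_while_disabled", e["ts"], e["user"], e["action"]))
                if outside:      # unexpected: the allowlist gates sign-in
                    findings.append(("activity_outside_allowlist", e["ts"], e["user"], e["ip"]))
    if enabled:  # access was switched on and no later disable event exists
        findings.append(("access_left_enabled", enabled_since, None, "no later disable event"))
    return findings

if __name__ == "__main__":
    for finding in review(AUDIT, {"cp.support1", "cp.support2"}, ["203.0.113.10"]):
        print(finding)
```

Passing an empty list as `allowed_ips` models an empty Allowed IP List, in which case every enable event is reported as running without an IP restriction.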