Customer Enabled Support Admin

The Customer Enabled Support Admin feature allows you to optionally provide Casepoint Support Representatives with limited, controlled access to your eCase platform for troubleshooting purposes. This provides customers with technical support that is seamless, faster, and more efficient, while keeping you in full control of when and how that access is granted.

NOTE: This feature is entirely optional and is disabled by default. Enabling and clearing this setting does not affect your application or your existing users. This article is intended for Client Administrators of the eCase Platform.

Key Details about Customer Enabled Support Admin

  • The areas that Support Representatives can access do not contain Personally Identifiable Information (PII), such as email addresses, or other sensitive data.

  • Support Representatives cannot take direct action on your data; they are constrained by a fixed permissions matrix.

  • Support Representatives are required to use SAML SSO to sign in. Direct username and password sign-in is not allowed for Support Admin users.

  • Support Representatives sign in only through a dedicated Support Admin sign-in URL. Standard application sign-in URLs do not accept Support Admin credentials.

  • All actions taken by Support Representatives are fully logged for complete transparency. Logging includes the name of the Support Representative, the source IP address, the action performed, and the date and timestamp.

  • Support Representative accounts are not counted against your eCase user license total.

  • Support Representatives are assigned to the built-in Support Admin role (also known as the CP Support role). This role has limitations that restrict assigning higher-level permissions, and it is not available to be assigned from User Management.

  • Support Representatives are not displayed in dropdowns for assigning requests, assigning to action offices, assigning to groups, or any other role assignment that would give them higher-level access. This prevents accidental assignment of such permissions.

  • You have the flexibility to enable or disable this feature as you please. For example, you may enable the feature to address an ongoing issue you require support with, and then disable the feature once the issue is resolved, thereby revoking the Support Representative's access.

General Settings

The Support Admin controls are configured from the General Settings page. The relevant fields are described below.

| Field | Description |
|---|---|
| Maximum Attachment Size | Use this option to configure the maximum allowed attachment size in MBs. This affects the size of files accepted by the eCASE system as attachments. |
| Application URL | Enter the URL for the eCASE application with a proper server or DNS name that is accessible for all users. This is the web address that eCASE users will need to access eCASE. |
| Enable Support Admin | Select this checkbox to create an internal Casepoint Support Admin user for support access only. Enabling and clearing this setting does not affect your application or your existing users. |
| Allowed IP List | Enter the list of Internet Protocol (IP) addresses that are permitted to sign in as a Support Admin user. Separate multiple addresses with a semicolon (;). When this field is empty, no IP address restriction is applied to Support Admin sign-in attempts. |

Steps to Enable Support Admin

  1. Only a Client Administrator can enable this feature.

  2. Sign in to the Administrator application with your Client Administrator credentials.

  3. From the Administration menu, select Support Admin Access.

  4. On the Support Admin Access page, locate the Enable Support Admin toggle.

  5. Toggle ON Enable Support Admin.

  6. Review the confirmation dialog, then click Yes to proceed, or No to cancel.

  7. Click Save.

When you turn on Enable Support Admin and click Save, the system displays a confirmation pop-up. Review the message and click Yes to confirm or No to cancel. Confirming the change activates the Support Admin user and allows that user to sign in through the dedicated Support Admin sign-in URL.

NOTE: Enabling and disabling the Support Admin user does not affect your application or your existing users.

Additionally, please raise a ticket with the Casepoint Support Team requesting them to add the support user(s) that will leverage the Support Admin functionality once enabled. These steps are not sequential, but it is important that both are performed.

Steps to Disable Support Admin

To disable Support Admin access, toggle OFF the Enable Support Admin toggle and click Save when you're done.

When access is disabled, the system terminates active Support Admin sessions the next time the user takes an action that contacts the server. Sign-in attempts made at the exact moment access is being disabled are not granted; the user is returned to the Support Admin sign-in page.

Allowed IP List

Use the Allowed IP List field to restrict Support Admin sign-in to a defined set of Internet Protocol addresses.

When the list contains one or more entries, only sign-in attempts originating from a listed address are granted. Sign-in attempts originating from any other address are rejected and recorded in the audit log with the source Internet Protocol address.

When the field is empty, no IP-based restriction is applied.

Separate multiple addresses with a semicolon (;), with no spaces between entries.
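
The following lint for a proposed Allowed IP List value is an added example, not Casepoint code. It applies the rules stated above (semicolon-separated, no spaces, empty means unrestricted); the function names, and treating anything other than a single IP address as a problem, are assumptions of this example.

```python
import ipaddress


def lint_allowed_ip_list(field):
    """Return (addresses, problems) for a raw Allowed IP List value."""
    if field == "":
        # Documented behaviour: an empty field applies no IP restriction.
        return [], ["empty: Support Admin sign-in is not restricted by IP"]
    addresses, problems = [], []
    for pos, entry in enumerate(field.split(";"), start=1):
        if entry == "":
            problems.append(f"entry {pos}: empty (stray or trailing semicolon)")
        elif entry != entry.strip() or " " in entry:
            problems.append(f"entry {pos}: contains spaces: {entry!r}")
        else:
            try:
                addr = ipaddress.ip_address(entry)
            except ValueError:
                # The page documents addresses only; ranges are not assumed.
                problems.append(f"entry {pos}: not a single IP address: {entry!r}")
                continue
            if addr in addresses:
                problems.append(f"entry {pos}: duplicate of {addr}")
            else:
                addresses.append(addr)
    return addresses, problems


def signin_permitted(field, source_ip):
    """Model of the documented rule; not the product's implementation."""
    if field == "":
        return True  # empty list: no IP-based restriction
    addresses, _ = lint_allowed_ip_list(field)
    return ipaddress.ip_address(source_ip) in addresses


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    for value in ["203.0.113.10;198.51.100.7", "203.0.113.10; 198.51.100.7;", ""]:
        addrs, problems = lint_allowed_ip_list(value)
        print(repr(value), [str(a) for a in addrs], problems)
```
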

About App Roles - Casepoint Support Role

Overview

The CP Support role, also known as the Support Admin role, is a built-in application role that allows authorized Casepoint support personnel to access a client system for troubleshooting purposes. The role is constrained by a fixed permissions matrix and is governed entirely by the Client Administrator.

How the Role Works

Client Administrators cannot create, edit, delete, or reassign the role from the standard user management interface. The role and any user accounts assigned to it are provisioned by Casepoint operations.

Access to the role is controlled by a master switch named Enable Support Admin, located on the Support Admin Access page within the Administration menu. The switch is disabled by default. When the switch is disabled, no Support Admin user can sign in. When the switch is enabled, provisioned Support Admin users can sign in through the dedicated Support Admin sign-in URL.

NOTE: Support Admin user accounts are not counted against your eCase user license total.

Roles and Permissions

The CP Support role grants limited access to a defined set of configuration modules. Areas accessible by the role suppress any Personally Identifiable Information (PII) such as email addresses. The following module categories are accessible to the role:

| Module Category | Access Level |
|---|---|
| Scheduled Jobs | Read and Write (limited actions only) |
| Email Log | Read |
| Scheduler Configuration | Read and Write (limited actions only) |
| Services Configuration | Read |
| Sign-On Mode (eCase Database Configuration) | Read |
| System Settings | Read |
| Security Settings | Read |
| SAML SSO Configuration | Read |
| Audit Configuration | Read |
| Report Scheduling | Read |
| Application Licenses | Read and Write (limited actions only) |
| Connectors | Read and Write (limited actions only) |

Modules that are not listed are not visible to Support Admin users. Actions that are designated as disabled in the permissions matrix are blocked even within accessible modules.

Provisioning and Access Restrictions

The CP Support role enforces the following restrictions at all times:

  • Casepoint operations provisions Support Admin user accounts directly. Client Administrators cannot create, edit, delete, or reassign these accounts from the standard user management interface.

  • The Support Admin role does not appear in the role selection list when a Client Administrator creates or edits any standard user account.

  • The system blocks the creation of any duplicate role whose name matches Support Admin in any letter casing.

  • Support Admin users do not appear in user assignment dropdowns such as Assign to Action Office, Assign to Group, request assignment, or any other assignment field.

  • A Support Admin user may be assigned only to the Support Admin role.

Internet Protocol Address Whitelisting

The CP Support role can be further restricted to a defined list of Internet Protocol (IP) addresses through the Allowed IP List field on the General Settings page. When the Allowed IP List contains one or more entries, sign-in attempts from any address outside the list are rejected, and the rejected attempts are logged for review. When the Allowed IP List is empty, no IP-based restriction is applied.

Audit Behaviour

All actions taken by Client Administrators to enable or disable Support Admin access, and all actions taken by Support Admin users while signed in, are recorded in the standard eCase audit log. The audit entries include the user identifier, the source IP address, the action performed, and the date and timestamp. Sign-in and sign-out events, including unsuccessful attempts, are recorded.

Single Sign-On (SSO) attribute mismatches are also recorded. When an SSO assertion does not match the provisioned Support Admin user record, the system logs the SSO-supplied attributes and the eCase user attributes, marks the sign-in attempt as failed, and returns the user to the sign-in page.

Sign-In and Session Lifecycle

Support Admin users sign in through a dedicated Support Admin sign-in URL. Standard application sign-in URLs do not accept Support Admin credentials.

Sign-in is permitted only through SAML SSO; direct username and password sign-in is not allowed for Support Admin users.

When the Client Administrator disables Support Admin access, the system terminates active Support Admin sessions the next time the user takes an action that contacts the server. Sign-in attempts made at the exact moment access is being disabled are not granted; the user is returned to the Support Admin sign-in page.
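
A review pass over an exported audit log, as an added example that is not part of the eCase product: it flags Support Admin records logged while the switch was off, from addresses outside the Allowed IP List, or as failed sign-ins. The CSV layout, action names, and user identifiers are constructed for illustration; map them to your actual export.

```python
import csv
import io
from datetime import datetime

# Constructed sample export; column names and action names are assumptions.
SAMPLE_AUDIT = """\
timestamp,user,source_ip,action
2024-05-01T09:00:00,client.admin,192.0.2.20,SupportAdminEnabled
2024-05-01T09:12:00,cp.support1,203.0.113.10,SignIn
2024-05-01T09:15:00,cp.support1,203.0.113.10,ViewEmailLog
2024-05-01T10:02:00,cp.support1,198.51.100.99,SignInFailed
2024-05-01T11:00:00,client.admin,192.0.2.20,SupportAdminDisabled
2024-05-01T11:30:00,cp.support1,203.0.113.10,SignInFailed
"""


def review_support_admin(audit_csv, support_users, allowed_ips):
    """Return [(timestamp, user, action, reasons)] for records worth review."""
    enabled = False  # documented default: the switch is disabled
    findings = []
    rows = sorted(csv.DictReader(io.StringIO(audit_csv)),
                  key=lambda r: datetime.fromisoformat(r["timestamp"]))
    for row in rows:
        # Track the switch state from Client Administrator toggle events.
        if row["action"] == "SupportAdminEnabled":
            enabled = True
        elif row["action"] == "SupportAdminDisabled":
            enabled = False
        if row["user"] not in support_users:
            continue
        reasons = []
        if not enabled:
            reasons.append("access switch was off")
        # An empty allow list means no IP restriction is configured.
        if allowed_ips and row["source_ip"] not in allowed_ips:
            reasons.append("source IP not in Allowed IP List")
        if row["action"] == "SignInFailed":
            reasons.append("failed sign-in")
        if reasons:
            findings.append((row["timestamp"], row["user"], row["action"], reasons))
    return findings


if __name__ == "__main__":
    for finding in review_support_admin(SAMPLE_AUDIT, {"cp.support1"}, {"203.0.113.10"}):
        print(finding)
```

The switch state is replayed from the start of the export, so begin the export at or before the first enable event for the window under review.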