Administrative and privileged accounts
Relevant requirements: FRR-RSC-01, FRR-RSC-02, FRR-RSC-03, FRR-RSC-06
Related articles: Permission Groups
Hypercell uses permission groups to define general user authorization. These permission groups contain sets of permissions that allow you to limit user access to application functionality based on their use cases and requirements.
For more information on individual permissions and those assigned to specific permission groups by default, see Permission Groups.
System Admin
Relevant requirements: FRR-RSC-01
Related articles: Permission Groups, Potential Layout Variations
Top-level administrative account holders are users who belong to the pre-defined System Admin permission group. This group is the most privileged default permission group, with access to all permissions and data within the Hypercell instance.
Only users within the System Admin permission group can carry out the following:
Administration
Change system settings, including session timeouts
Import and export (in JSON format) system settings
Manage trainer jobs
View jobs (via the Jobs page)
Retry halted jobs (via the Jobs page and via Flows > Flow Runs)
View and edit translations of UI text
Flows
Insert and manage connections in Input Blocks and Output Blocks
Insert and update secrets required for Input Blocks and Output Blocks
Import flows into Hypercell
Library
View and edit the contents of the field dictionary
View and edit data types and values within those data types
Submissions
Run Layout Triage Clustering jobs, as well as download the output of those jobs
User Management
Manage users (where an external authentication provider is not used)
Manage permission groups
Access all flows and layouts in the instance, regardless of any flow- or layout-specific restrictions
Business Admin
Relevant requirements: FRR-RSC-03
Related articles: Permission Groups
User accounts within the pre-defined Business Admin permission group are primarily responsible for managing layouts. They are also able to view system reporting, along with the management of submissions. As a result, they are more privileged than other permission groups (but not more than those within the System Admin permission group).
Ignoring those within the System Admin permission group, only users within the Business Admin permission group can carry out the following:
Administration
Change system settings
Retry halted jobs (via Flows > Flow Runs)
Flows
Manage and manually execute flows
Manage flows and flow runs
Library
Manage layouts
Manage releases
Manage model training data
View the field dictionary
View data types
View reporting on Layout Variation Performance
Reporting
View reports on Hypercell usage
View reports on Hypercell health and model accuracy
Submissions
Delete submissions
Delete cases
Access submissions that were not automatically matched to an existing layout
User Management
View users
View permission groups
Edit Layout Task Restrictions
Initial Hypercell configuration and maintenance
Relevant requirements: FRR-RSC-01, FRR-RSC-02
Related articles: Permission Groups
To follow security best practices, after initial configuration has completed any accounts that are part of the System Admin or Business Admin permission groups should be assigned to a less privileged group, unless they are owned by users who require their elevated permissions as part of their expected work.
Configuring administrative and privileged accounts
Relevant requirements: FRR-RSC-01, FRR-RSC-02, FRR-RSC-03
Relevant articles: Permission Groups, Managing Authentication Groups
In FedRAMP and other instances where an external authentication provider is configured, user management is carried out through that external provider.
Hypercell maps permission groups to groups within the external provider’s system. As such, the assignment of users to groups with privileged permissions is handled through the external authentication provider.
For more information on mapping Hypercell permission groups to external authentication provider groups, see Managing Authentication Groups.
Importing and exporting system settings and permissions
Requirements addressed: FRR-RSC-06
Related articles: Importing & Exporting Settings, Managing Permission Groups
The system allows you to import and export the system settings of your choosing. This includes settings such as session duration or PII-data-retention periods.
To learn more about importing and exporting system settings, see Importing & Exporting Settings.
Similarly, you can import and export any or all of the permission groups in your instance. For more information, see Managing Permission Groups.
Settings and permissions are exported in JSON format.
Comparing your permissions to recommended secure defaults
Requirements addressed: FRR-RSC-05, FRR-RSC-08
Related articles: Permission Groups, Managing Permission Groups
You cannot change the permissions for any of the pre-defined permission groups, including System Admins and Business Admins. However, you can create your own permission groups to meet the needs of your organization.
When you create a custom permission group, you may want to compare its access permissions to the secure default permissions in the System Admin or Business Admin permission group.
It is recommended to follow the principle of least privilege, using the pre-defined permission groups or creating custom permission groups that grant your users the bare minimum access required to carry out their expected work in the application.
You can view the access permissions for any permission group by going to the permission group’s page in the application (Users > Permission Groups, then click on the permission group’s name), or you can export the permissions as described in Managing Permission Groups.
Then, you can view the list of permissions for the System Admin or Business Admin group in:
the application,
an exported JSON file, or
our Permission Groups article.
When you have both lists, you can compare the access permissions for your custom permission group against those in the System Admin or Business Admin permission group.
Editing system settings and permissions via API
Requirements addressed: FRR-RSC-07
Related articles: Hypercell API Documentation
It is not currently possible to edit system settings or permissions via API.
To learn more about our API’s capabilities, see our API documentation.
Changes to settings and permissions across versions
Requirements addressed: FRR-RSC-10
Related articles: Release Notes
We describe changes to our system settings and pre-defined permission groups, along with other product updates, in our release notes. Release notes are published for each patch, minor, and major version.
For a full list of release notes, see Release Notes.