LemonadeLXP has recently gained a new access control list (ACL) system that helps you tune the permissions you give your administrators.
If you visit the Admin area under Learners/Enrollment and edit any learner, you will see the ACL system on the third tab: "Admin Access."
You may have already noticed that administrators can no longer edit other administrators! We did this to prevent privilege escalation. Admins are limited to editing learners only.
So how do you gain admin privileges? Easy, ask your super-admin!
The Super Administrator Role
The super administrator role is a new addition to the LemonadeLXP permissions system.
The LemonadeLXP support team is the only unit that can securely create SuperAdministrators. If you need a registered user to gain SuperAdmin access, please contact your LemonadeLXP CX representative.
SuperAdmins have several traits:
They cannot edit their email address (to counter an evil-maid attack vector).
They cannot promote other super-admins (to prevent privilege escalation attacks).
They are the only account type that can promote learners to admins.
They are the only account type that can set ACL rules on admins.
They can access the entire system without an explicit ACL rule definition.
Note that to remove a SuperAdmin from your LLXP, you will need to demote them first.
A Note on Permissions
Though the Admin Access panel is very self-explanatory, some are worth special mention!
For an admin to interact with the context exchange, they need to have both author and publish on Steps.
Some sections, such as certifications, have user data exports. You will not be able to see list exports in these sections unless you also can export user lists privilege under administrative rights.
Grant the can adjust global configuration privilege sparingly (if you can, don't grant it at all). It's better to limit global configuration to super-administrators.