Staff

About Staff User Accounts

In ActionKit a staff user is anyone with administrative access to your ActionKit admin interface.

Staff users can only be created on the Staff tab. From this tab you can edit staff user permissions (if you have permission to do this yourself), unlock staff accounts and reset passwords.

Adding Staff Users

To add staff users:

1 Click Browse All in the Staff tab.

2 Click Add user.

3 Enter a username and password. The user can later change their password using the change password link.

4 Click Save. The Change User screen displays the user's personal information and permissions settings.

5 In the Personal Info section enter the user's first and last name and email address (required).

Staff Permissions

In the Permissions section define this staff user's level of access by toggling any or all of the following switches:

  • Active Account - If this isn't set to "On", the user has no permissions. Toggle this switch to "Off" to deactivate an account.

  • Admin Interface - Gives a user access to the ActionKit admin. Turn off this switch to prevent users from accessing the admin web interface, while continuing to allow them to access the API.

  • Superuser Status - When turned on, this gives the user all permissions, regardless of what's selected in the Permission Groups section below. Access to the site-wide configuration options is only available to superusers.

  • Receive All Mailings - When this setting is turned on, the user will receive a copy of every email sent. This option is not automatically selected for Superusers and must be manually selected.

    These mailings will arrive with a subject line beginning {Final mailing ###} [Count N], where ### is the mailing ID and N is the number of users being sent the mailing, so you can tell that it's not a proof or an email you're receiving as a targeted recipient.

Note

Active Account and Admin Interface must both be set to "On" for the user to be able to log in to your ActionKit instance at all.

Permission Groups

In the Permission Groups section, select the permission groups for staff who aren't Superusers.

The permissions listed are the only ones available, and you can combine these permissions however you'd like.

These permissions also grant access to the REST API for the relevant objects. To grant access to all objects in the database, add the account to the Data Models - View, Edit, and Delete group. However, for security it's preferable to restrict an account's access to just the kinds of objects it will need.

If a user tries to do something for which they don't have permission, they'll see a large black Permission Denied message and will need to use the browser's back button to return to the ActionKit admin.

Following is a description of the built-in permission groups:

All

  • All: When selected, the user is granted all permissions from all permissions groups. This setting is similar to Superuser status but does not grant access to your site-wide ActionKit configuration. Users with these permissions will have full API access but they must also have the Admin Interface setting turned on in order to access the admin site.

Data Models

  • View Only: The user can view all data but not edit or delete it.
  • View, Edit, and Delete: The user can view or change any data.

Note

Data Models permissions are intended only for API user accounts; they are not recommended for regular admin user accounts because they can override other Permission Groups settings.

Data Models does not include staff management permissions.

Events

  • Manage: Staff users with this permission have access to all event campaigns and all the event management tools available on the Dashboard for each campaign. They can confirm, approve and delete events, email hosts, and more. They cannot create or edit event pages.
  • Manage plus Campaigns: All the permissions included in Events - Manage, plus the user can edit campaign settings for any event.

Languages

  • Languages: The user can add and edit the language definitions. Add this permission (in combination with the others above) for any users who will be adding languages or editing translations.

Mailings

  • Edit and Limited Send: Like Mailings - Edit and Send, except the maximum size of the mailings that can be sent is limited. The limit is configurable.
  • Edit and Send: All the permissions included in Mailings - Edit Email, plus the ability to send the mailing.
  • Edit (not send): The user can view the Mailings tab, add a draft, edit existing drafts and view any of the related tools that aren't specifically mentioned in the other mailings-related permissions in this list. The user cannot send mailings with this permission.
  • Edit plus Client Domains: All the permissions included in Mailings - Edit Email, plus adding and editing client domains.
  • Edit plus Email Wrappers: All the permissions included in Mailings - Edit Email, plus adding and editing email wrappers.
  • Edit plus Mailing Lists: All the permissions included in Mailings - Edit Email, plus adding and editing mailing lists.
  • Edit plus Model Mailings: All the permissions included in Mailings - Edit Email, plus adding and editing model mailings.

Manage Deliverability

Pages

  • Edit, View, Create: The user can edit, view, and create pages and edit most of the page related tools.
  • Pages plus Fraud Filters: All the permissions included in Pages - Edit, View, Create, plus managing fraud filters for donation pages.
  • Pages plus Model Pages: All the permissions included in Pages - Edit, View, Create, plus adding and editing model pages.
  • Pages plus Petition PDFs: All the permissions included in Pages - Edit, View, Create, plus adding and editing delivery jobs.
  • Pages plus Templatesets: All the permissions included in Pages - Edit, View, Create, plus adding and editing templatesets and account tools.

Reports

  • Reports Only: The user can create, edit, and view reports and all of the related tools.
  • View and Download: The user can search for and run existing reports, including downloading surveys and comparing performance by mailing or by page.
  • View Only: The user can search for and run existing reports, but cannot download reports data.

Manage Salesforce Sync

Texting

  • Edit and Send: The user can view the Texts tab. The user can view, create, edit, and send text messages.
  • Edit Broadcasts (not send): The user can view the Texts tab, add or edit message drafts. The user can view (but not change) existing broadcast and transactional messages. The user cannot send text messages with this permission.
  • Edit plus Manage: In addition to all of the permissions of Edit Broadcasts (not send), the user can also make changes to texting lists, blocked recipients, and transactional messages.
  • Edit plus Setup: In addition to all of the permissions of Edit plus Manage, the user can make changes to your texting phone numbers and gateway service configuration (bindings and originators).

Users

  • Users Only: The user can view the Users tab, search for users, view and edit user records (except manage donations), plus add custom user fields and reset passwords.
  • Users plus Donation Management: Gives permission to change donations in the individual user record.
  • Users plus Imports: Gives permissions to import users either from the Users tab or from an existing import page on the Pages tab.
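The access rules above (Active plus Admin Interface for login, API access even with Admin Interface off, Superuser and the All and Data Models groups granting everything) are easy to get wrong when staff lists grow. The following is an added illustration, not ActionKit code: it encodes those rules and runs a least-privilege review over a constructed staff list. The StaffUser fields and the sample accounts are assumptions, since this page does not document an export format.

```python
from dataclasses import dataclass, field

# Groups named on this page that expose every object through the REST API.
BROAD_GROUPS = {"All", "Data Models - View, Edit, and Delete"}
DATA_MODEL_GROUPS = {"Data Models - View Only", "Data Models - View, Edit, and Delete"}


@dataclass
class StaffUser:
    """Hypothetical representation of one staff account (assumed layout)."""
    username: str
    active: bool            # "Active Account" switch
    admin_interface: bool   # "Admin Interface" switch
    superuser: bool         # "Superuser Status" switch
    two_factor: bool        # a two-factor device has been set up
    groups: set = field(default_factory=set)  # permission group names


def can_log_in_to_admin(u: StaffUser) -> bool:
    """Active Account and Admin Interface must both be on to log in at all."""
    return u.active and u.admin_interface


def audit(users) -> list:
    """Return (username, reason) pairs for accounts worth a least-privilege review."""
    findings = []
    for u in users:
        if not u.active:
            continue  # deactivated accounts have no permissions; nothing to review
        if u.superuser:
            findings.append((u.username, "superuser: all permissions and site-wide config"))
        if u.groups & BROAD_GROUPS:
            findings.append((u.username, "group grants every object via the REST API"))
        if u.groups & DATA_MODEL_GROUPS and u.admin_interface:
            findings.append((u.username, "Data Models group on a regular admin account"))
        if u.admin_interface and not u.two_factor:
            findings.append((u.username, "admin login possible without two-factor auth"))
    return findings


# Constructed sample staff list (not real accounts).
SAMPLE = [
    StaffUser("alice", True, True, True, True),
    StaffUser("webhook-api", True, False, False, False, {"Data Models - View, Edit, and Delete"}),
    StaffUser("bob", True, True, False, False, {"Mailings - Edit and Send"}),
    StaffUser("carol-old", False, True, True, False),
]
```

The API-only account is flagged for its broad group but not for missing two-factor authentication, matching the note that two-factor authentication does not affect API access.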

Deactivating Staff User Accounts

You cannot delete a staff member; instead, you deactivate them. A deactivated staff member can no longer log into the ActionKit admin. This does not deactivate their SQL login, if they have one; request that through the support form.

To deactivate/remove a staff member:

1 Click Browse All in the Staff tab.

2 Select the staff user name in the listing or click the Edit button in the right-hand column adjacent to the user name.

3 In the Permissions section, clear the Active checkbox.

4 Click Save. This user will no longer be able to access your ActionKit website.

Note

Deactivating a staff account which is used by ActBlue's webhook will prevent ActBlue from connecting to ActionKit and sharing donations data. ActionKit will try to warn you if you are editing a user account which has recently been used by ActBlue. However, it is important to always be careful that an account you are about to deactivate isn't being used by ActBlue.

Unlocking Staff Accounts

Your user data is a valuable organizational resource. To protect your users' privacy as well as your organizational data, we require a login to access the ActionKit admin.

If you attempt to log in too many times with the wrong password, you and everyone who shares your IP address will be locked out. Any staff user with the superuser permission can unlock the account by clicking the Unlock Staff Accounts button on the Staff tab.

Resetting Passwords

You can reset your own password through the Reset Password button on the Staff tab or by clicking the Change Password link in the header bar on any tab in the ActionKit admin.

To reset another staff user's password:

1 Click Browse All.

2 Find the staff user name in the list and click Edit. You can search by name or email address. You can also use the Filters to refine your results by active, admin interface access, and superuser.

3 In the Password field, click the change password form link.

4 Enter the new password in the two fields provided and click Change password.

Two-Factor Authentication (2FA)

To provide better security for the admin interface, ActionKit now supports two-factor authentication.

Note

Two-factor authentication does not affect API access.

How It Works

Under two-factor authentication, the admin will require you to provide not only your username and password when logging in but also a special token provided by a device associated with your account (a phone or token generator). This improves security because a password, which may be obtained or guessed by an attacker, is no longer sufficient to access your account.

By default, two-factor authentication is supported for all staff users, but not required. If you set up a two-factor authentication device for your admin account, it will be required for your account, but other staff who have not set up devices for their accounts will still be able to log in with just their username and password.

On request, we can add a setting to your ActionKit configuration that will require two-factor authentication for all staff accounts in your admin. We recommend that all staff set up two-factor authentication before enabling this option. See below.

You can see which staff users have two-factor authentication enabled in the relevant column on the staff list.

Account Setup

From the gear menu in the top-right, click Two-Factor Auth. You'll be guided through the setup of your device. You can choose a token generator (an app like Google Authenticator or Microsoft Authenticator), or enter a phone number to receive SMS or a voice call. Enter the code generated by (or sent to) your device to confirm that the device is working. For all subsequent logins, you'll be prompted to enter a token from your device after you enter your username and password. We recommend setting up one or more backup devices that you can use if your primary device is unavailable.

Agent Trust

"Agent trust" allows you to trust a (non-shared) computer or device for 30 days, so you don't have to re-enter your token every time you log in. (Google uses a similar approach with their two-factor auth.) If two-factor authentication is enabled, you'll see a new "remember me" option. You can revoke trust for a computer or device from the Two-Factor Authentication screen by clicking forget other devices.

Two-Factor Profile

Once Two-Factor Authentication is enabled, the Two-Factor Auth option on the gear menu will bring you to your profile, where you can review your two-factor authentication settings, add new devices, change devices, and obtain backup codes. Backup codes are one-time passwords that can be used if you lose your phone. You can also use this interface to disable two-factor authentication for your account.

Other Staff Accounts

Superusers can generate a code for another staff member who has lost their two-factor authentication device and does not have backup codes. Select Get Token for User from the user's staff profile (accessible from the Staff tab by clicking Browse All, then selecting the appropriate user). Note: this effectively creates a device for a user; using it will require a user to log in with two-factor authentication ever after, even if it's not required by the instance configuration.

Adding New Staff

If your instance is configured to require all staff to log in with two-factor authentication, new staff won't be able to log in until they have set up a device. You can add new staff and generate a backup code for one-time use so they can log in and set up their device.

To add new staff:

1 Set up the staff user as usual, assigning a username and password.

2 From the detail page of the new staff user (e.g. /admin/auth/user/10/), click get token for user.

3 Send the backup code that displays, along with their username and password, to the new user. You may want to send the backup code separately (e.g. via SMS).

4 The new user should immediately configure two-factor authentication. A link is provided on the get token for user page to facilitate this. The backup code only works once.