Administrators
The Administrators section is your system's access control center. This is where you manage who can log into Manage1to1, what they're allowed to do, and which schools/buildings they can oversee.
You can access this section from the main navigation under Administrators.
To manage administrators and roles, you need the Manage Administrators permission assigned to your role.
What is Administrator Access Control?
Think of administrator access control as keys and clearance levels for your Manage1to1 system:
Administrators are staff members who have login access to the administrative side of Manage1to1 (not the student/staff user portal - those are "users"). Examples include:
- Technology Directors
- IT Technicians
- Building Secretaries
- Help Desk Staff
- Accounts Payable Clerks
- Principals (for reporting)
Access control determines two critical things:
- What they can do (permissions) - Can they add devices? Delete incidents? Process payments?
- What they can see (building access) - Can they see all schools' data or only their building?
How Administrator Access Works
Manage1to1 uses a two-factor access control system:
1. Roles (What They Can Do)
A role is a collection of permissions that defines which features and actions an administrator can access.
Example roles:
- Technology Administrator - Full access to devices, users, incidents, carts, settings
- Building Secretary - Can check out devices and manage basic user information
- Help Desk Support - Can view and respond to support tickets only
- Billing Clerk - Can create invoices and process payments only
- Read-Only Viewer - Can run reports but cannot modify data
Roles answer the question: "What tasks is this person allowed to perform?"
2. Building Access (What They Can See)
Building access limits which school/site data an administrator can view and manage.
How it works:
- Administrators can only see users, devices, carts, and incidents from their assigned buildings
- This creates data boundaries between schools
- An administrator with no buildings assigned won't see most system data
Building access answers the question: "Which school's data can this person see?"
Both role AND building access are required for full functionality. An administrator with broad permissions but no building access will have a mostly non-functional account.
Example:
-
Building Secretary at Lincoln Elementary
- Role: Building Secretary (has "Checkout Device" permission)
- Buildings: Lincoln Elementary only
- Result: Can check out devices, but only sees Lincoln Elementary students and devices
-
District IT Technician
- Role: Technology Administrator (full device/incident permissions)
- Buildings: All buildings checked
- Result: Can manage devices and incidents across the entire district
Key Concepts
Active vs. Inactive Administrators
Active Administrators:
- Can log in to Manage1to1
- Can perform actions within their permissions
- Counted as current system users
Inactive Administrators:
- Cannot log in (access disabled)
- Historical records remain intact (who created what, who checked out devices, etc.)
- Used for former staff or temporary access removal
When staff leave, mark them Inactive rather than deleting them. This preserves historical data and audit trails.
Permissions
Permissions are specific capabilities within the system.
Common permissions:
- View Users - Can see the user list
- Add Devices - Can create device records
- Checkout Device - Can check out devices to users
- Edit Incidents - Can modify incident reports
- Delete Invoices - Can permanently remove invoices
- Manage Administrators - Can create and modify admin accounts
- View Activity Log - Can see administrator action audit trail
Permissions are grouped into categories:
- Users, Devices, Carts, Incidents, Invoices, Support Tickets, Settings, MDM, Rooms, Administrators
Super Administrators
Super Administrators are system-level accounts with special privileges:
- Reserved for Manage1to1 support staff and district Point of Contact
- Can delete administrators and roles (regular admins cannot)
- Can modify POC and Reseller flags
- Not typically used for day-to-day district operations
Administrator Management Pages
View Administrators
The View Administrators page shows all administrator accounts (active and inactive).
What you can do:
- See all administrators in your system
- Edit administrator accounts (name, email, password, role, buildings)
- Mark administrators active or inactive
- (Super Admins only) Delete administrators with no historical records
See View Administrators for complete details.
Add/Edit Administrator
The Add Administrator page is where you create new administrative accounts.
What you define:
- Basic information (name, email, password)
- Role assignment (what they can do)
- Building access (what they can see)
- Active status (can they log in?)
Key fields:
- Email - Their login username (must be unique)
- Role - Required (determines permissions)
- Buildings - Required (at least one, determines data visibility)
See Add Administrator for step-by-step guidance.
Manage Roles
The Manage Roles section is where you create and configure permission sets (roles).
What you can do:
- Create new roles aligned with job functions
- Edit existing roles to add/remove permissions
- Configure email notification settings for roles
- (Super Admins only) Delete unused roles
Key concept:
- Changes to role permissions immediately affect all administrators assigned to that role
- No logout/re-login required - changes are instant
See Manage Roles for detailed role management guidance.
Common Workflows
Scenario 1: New Building Secretary Starts
A new secretary at Washington Middle School needs device checkout access:
- Go to
Administrators > View Administrators - Click Add Administrator
- Fill out form:
- Name: Sarah Johnson
- Email: sjohnson@district.edu
- Password: TempPass123! (temporary, they'll change it)
- Role: Building Secretary (has checkout permissions)
- Buildings: Check Washington Middle School only
- Click Add
- Provide Sarah with her credentials
Result: Sarah can log in, see only Washington Middle School data, and check out devices to students.
Scenario 2: Staff Member Leaves District
A technology coordinator resigned and left the district:
- Go to
Administrators > View Administrators - Find the staff member in the Active table
- Click Edit
- Uncheck the Active checkbox
- Click Save
Result: They can no longer log in, but all their historical records (devices added, incidents created, etc.) remain intact for audit purposes.
Scenario 3: Job Duties Change
A help desk staff member is promoted to IT technician and needs broader permissions:
- Go to
Administrators > View Administrators - Find the staff member and click Edit
- Change their role from "Help Desk Support" to "Technology Administrator"
- Update their building access if needed (add more buildings)
- Click Save
Result: They immediately inherit the new permissions without needing to log out and back in.
Scenario 4: Creating a New Role for Repair Technicians
You need a role for repair technicians who work on devices but shouldn't have full admin access:
- Go to
Administrators > Manage Roles - Click Add Role
- Fill out form:
- Name: Repair Technician
- Description: Device and incident management for repairs
- Check permissions: View Users, View Devices, Edit Devices, View Incidents, Create Incidents, Edit Incidents, Add Incident Log, Add Photos
- Leave delete capabilities and confidential data unchecked
- Click Add
- Assign this role to repair technician administrator accounts
Result: Repair technicians can manage devices and incidents but cannot delete records or access sensitive confidential data.
Scenario 5: Quarterly Access Review
Your IT security policy requires reviewing administrator access quarterly:
- Go to
Administrators > View Administrators - Review the Active Administrators table
- For each administrator:
- Click Edit to verify their role and building access
- Check if they still need this level of access
- Verify building assignments match current job duties
- Mark any inactive (staff who left or changed roles)
- Update roles/buildings as needed
Result: Maintained system security with up-to-date, appropriate access controls.
Security Best Practices
Principle of Least Privilege
Grant only the minimum permissions needed for each administrator's actual job duties:
✅ Do:
- Assign the narrowest role that meets their needs
- Check only the buildings they genuinely need to access
- Start with minimal permissions and add more as needed
- Review access regularly (quarterly or annually)
❌ Don't:
- Give everyone the same broad role for convenience
- Assign all buildings to all administrators
- Grant delete permissions unless absolutely necessary
- Provide sensitive data access (passwords, confidential fields) broadly
Account Management
Maintain proper account hygiene:
✅ Do:
- Create individual accounts for each person (never shared accounts)
- Use official work email addresses (not personal emails)
- Set strong temporary passwords and require change on first login
- Disable accounts immediately when staff leave or change roles
- Keep inactive administrators in the system (preserves audit trail)
❌ Don't:
- Share administrator login credentials between multiple people
- Create "test" accounts and forget about them
- Leave former staff active indefinitely
- Delete administrators with historical records
- Create accounts weeks/months before they're needed
Regular Reviews
Conduct periodic access audits:
Quarterly/Annual Reviews:
- Review all active administrators
- Verify roles still match job duties
- Check building access still aligns with assignments
- Remove access that's no longer needed
- Update documentation on why administrators have specific permissions
After Staff Changes:
- Immediately disable access when staff leave
- Update roles when job duties change
- Review permissions after organizational restructuring
Separation of Duties
Distribute sensitive permissions appropriately:
Best practices:
- Don't grant all permissions to all IT staff
- Separate billing access from device management
- Limit who can manage administrator accounts
- Restrict who can access confidential incident data
- Control who can delete records
Common Questions
Q: What's the difference between an "administrator" and a "user"?
- Administrator - Staff member who logs into the administrative interface to manage the system (you, IT staff, secretaries, etc.)
- User - Student or staff member who may log into the user portal to view their information, request support tickets, or check out devices (the people you manage)
Q: Can one person be both an administrator and a user? Yes. A staff member can have both an administrator account (to manage the system) and a user account (as a district staff member). These are separate accounts with different purposes.
Q: How many administrator accounts should we have? As many as you have staff who genuinely need system access. Every person who needs to log in should have their own individual administrator account. Never share accounts.
Q: What happens if an administrator has no role assigned? The account won't function properly. Role assignment is required when creating administrators.
Q: What happens if an administrator has no buildings assigned? They can log in, but won't see users, devices, carts, or incidents - even if their role has those permissions. Always assign at least one building.
Q: Can we change an administrator's permissions without changing their password? Yes. When editing an administrator, leave the password fields blank to keep their existing password. Only enter a new password if you're intentionally changing it.
Q: How do we know who has access to sensitive data?
Review the roles in Administrators > Manage Roles and check which roles have sensitive permissions (View Passwords, View Confidential Data, Delete capabilities, Manage Administrators). Then check View Administrators to see who's assigned to those roles.
Q: Can administrators see the activity log of what other administrators do? Yes, if they have the View Activity Log permission. This is important for accountability and audit purposes. Not all administrators should have this permission.
Q: What's the difference between marking someone Inactive vs. Deleting them?
- Inactive - Account disabled (cannot log in), all historical records preserved
- Deleted - Account completely removed (only possible if they have no associated records)
Always prefer Inactive for staff who have used the system.
Tips for Managing Administrator Access
✅ Do:
- Document why administrators have specific permissions
- Use descriptive role names that reflect job functions
- Conduct regular access reviews
- Test new roles with test accounts before assigning to real staff
- Train new administrators on their permissions and responsibilities
- Keep a backup list of who has what access (for disaster recovery)
- Review administrator actions in the Activity Log periodically
❌ Don't:
- Create "super user" roles where everyone has all permissions
- Assign permissions "just in case they might need it someday"
- Forget to disable access when staff leave or change roles
- Share administrator credentials between multiple people
- Grant delete capabilities without careful consideration
- Assign sensitive data access (passwords, confidential data) broadly
- Create custom roles for every individual person
Summary
Administrator access control in Manage1to1 requires:
- Creating roles aligned with job functions (what they can do)
- Creating administrator accounts with appropriate roles and building access
- Regular reviews to ensure access remains appropriate
- Following security best practices (least privilege, individual accounts, regular audits)
Properly configured administrator access ensures:
- ✅ Staff can do their jobs effectively
- ✅ Data remains secure and appropriately restricted
- ✅ Audit trails remain accurate and complete
- ✅ Compliance requirements are met
- ✅ System changes are accountable and traceable
The administrator access control system is fundamental to maintaining a secure, well-managed Manage1to1 environment.