Manage Admins

Setting up who in your organization's security and operations teams (ie, which Admins) can view and edit configurations in the Banyan Command Center.

This article describes features that are only available in the Banyan Business edition and Banyan Enterprise edition.

For security reasons, Banyan handles Admins and Users completely separately.
- Admins manage access control security policies via the Banyan Command Center Web Console and API.
- Users use their Devices to access Services that are secured by Banyan’s enforcement components. To manage users, refer to the articles on configuring IDPs.

Account Types

Banyan categorizes administrative accounts by their Account Type. Banyan provides two types of admin accounts:

  • Local
  • SAML-Only

The table below lists the possible permissions and attributes for Banyan account types.

Permission/Attribute      Local      SAML-Only
Available if Local Admin is enabled  
Available if SAML Single Sign On is enabled  
Created via Banyan Command Center (Settings > Manage Admins)  
Created just-in-time once authenticated with SAML Single Sign On Provider  
Can use local account password to log in to the Banyan Command Center  
Can use SAML Single Sign On to log in to the Banyan Command Center
Can generate Refresh Token(s) for API access  
Can create Local administrator accounts (if account has Admin or Owner profile)  
Can delete administrator accounts (if account has Admin or Owner profile)  

Administrator Profiles

Every administrator (Local or SAML-Only) is associated with a single Profile. Currently, Banyan provides five Admin Profile types:

  • Owner (every organization must have at least one Owner)
  • Admin
  • ServiceAuthor
  • PolicyAuthor
  • ReadOnly

When a SAML-Only account is created, it is assigned a ReadOnly profile. Any administrator with Admin or Owner profile privilege can change this profile setting.

The table below lists the possible permissions for Banyan admin profiles.

Permission Owner Admin ServiceAuthor PolicyAuthor ReadOnly
Create/Update/Delete Owners        
Create/Update/Delete Non-Owners      
Manage Services    
Manage Roles & Policies    
Manage Organization Settings      
View Configurations
(Services, Policies, Events, Directory etc)

List of Admins

View the list of administrators who have access to your Organization in the Banyan Command Center by navigating to Settings > Manage Admins.

Admins with SAML-only accounts will not show up in the Manage Admins users list until they have logged into the Banyan Command Center for the first time.

Local Account Passwords and Lockout Threshold

Local administrators can use a local account password to log in to the Banyan Command Center (unlike SAML-Only administrators, who must authenticate via their SSO Provider). Banyan’s password policy requires all local accounts to have complex passwords of 8 or more characters. Local administrator account are also configured with a lockout threshold based on failed logons and password resets to ensure that brute force attacks cannot compromise the account. Finally, a robust audit mechanism is in place to alert the Banyan operations team when a series of failed logons or password resets occur in a given environment.

For more customizable admin authentication and alerting policies, you should enable SAML Single Sign On.

Deleting Admin Accounts and Decommisioning an Organization

In order to delete admin accounts, you need to be an administrator with an Admin profile. In order to delete a SAML-Only admin, you must first remove them from your SAML Single Sign On Provider, and then you can delete them in Banyan. Note that the default admin account is given a ReadOnly profile and cannot delete other admin accounts.

An organization must have at least 1 administrator with the Owner profile at all times; thus, you cannot delete every single admin account associated with an organization. Only the Banyan Operations Team can delete the final administrator account with Owner profile and completely decommision an organization. Contact Banyan Support if you need to do this.

Last modified: Jun 17, 2021