Share Gandi products and manage permissions

May 21, 2020  - written by  in Domain names

A workflow that’s overly dependent on any one person on a team is never optimal, even if your team is relatively small. But while you may not want to be the only one with access to make important changes on your domain name, you also might not want to give up full control to any one person.

The best, and most secure, way to collaborate on managing something as valuable as your domain name is to give others only the access they need to fulfill their particular role in managing your domain, nothing more and nothing less.

In your Gandi interface, you can collaborate on managing your products a couple of different ways. The quickest and easiest is with Quickshare. But for larger organizations that need more fine-grained permissions, sharing through Teams is best.

Quickshare

With Quickshare, you can share either an individual product or a group of products, whether those have the same owner or different owners.

Similarly, the people you share with don’t have to have usernames under a single organization.

When sharing a domain name with Quickshare, you have four permissions that you can set. These are called “View and renew,” “Configure,” “Manage owner & contacts,” and “Purchase additional services.”

Giving someone “View and Renew” permissions is sort of like giving them “Read only” permissions. While renewing goes beyond just viewing a domain, renewing a domain doesn’t change anything about a domain except its expiration date.

Giving someone permission to “Configure” a domain name lets them make changes to your domain name limited to how it connects to website or email hosting. This is a good permission set for whoever is in charge of these services, since it lets them configure the domain DNS and mailboxes but not change the owner or give permissions to others.

That’s what the “Manage owner & contacts” permission set lets you do. Giving someone this permission set gives them the ability to broadly change who has access to the domain name, so should be used sparingly. This is a good permission set for someone in a management role who may not have the technical skills to change the DNS configuration of a domain name.

Finally, the “Purchase additional services” permission set lets a user add new mailboxes or upgrade existing ones, and to purchase marketplace services for your domain. This permission set is also good for someone with a more administrative role than a technical one.

Of course, you can give someone one or more or all of these permission sets when you share a domain name with them, depending on their specific role.

Sharing with Quickshare

To share a domain name, log in to your account, click the domain name you want to share, and click the “Sharing” tab.

You can then share your domain with collaborators either using their Gandi username or email address. Select the permissions you want to give them and click “Share.”

You can also share multiple domains using the “Table view” in your control panel.

Teams

The other way to collaborate on managing a domain name is using Teams. A Team needs to be composed of accounts that are all part of the same Organization, and they are managed through the “Organizations” part of your account, so they are ideal for managing domains in a larger organization.

They do, however, have a larger set of permissions available to better fine-tune what kind of access you’re providing to your collaborators.

Each Team has its own permission set and everyone you add to a particular Team will have the same permissions as everyone else on that Team. If you need to give two people slightly different permissions, you should use two different Teams.

Team permissions

A Team can be given a wide range of potential permissions that give access to aspects of the management of the Organization, Billing, the Organization’s Domain names, Simple hosting, Cloud resources, and SSL certificates.

You can set team permissions manually, or you can start with a permissions profile and build from there.

Organization permissions

You can let members of a Team either View organization settings, teams, and permission sets or you can give them access to Manage organization settings, including enabling reseller mode.

Billing permissions

You can allow members of a Team to View billing admin, which lets them see invoices, order history, and billing settings, Modify billing options like adding credit cards or prepaid funds, Bill the organization which lets Team members generate invoices but not use payment methods, Pay using the saved credit card, Pay using the prepaid account, or Allow payment terms, which lets Team members purchase and renew products that are added to the organization’s monthly invoice.

Domain permissions

You can set Domain permissions for a Team that would allow members to See and renew domain names, Manage domain name technical configurations which includes nameservers, DNS records, glue records, DNSSEC, and web forwarding, ideal for your website team, Manage mailboxes and email forwarding for whoever is managing your organization’s email accounts, Manage domain contacts, and Manage owner changes and outgoing transfers, best for someone in a management position able to make business decisions on behalf of your organization.

Simple Hosting permissions

You can set Team permissions for Simple Hosting to either View and renew, similar to the Quickshare permission set mentioned above, or Manage Simple Hosting instances.

Cloud resource permissions

Similarly, you can set Team permissions for your Gandi Cloud servers with which they can view an organization’s Cloud resources, configuration, history, metrics, and account balance, or Manage Cloud resources.

SSL certificates

For SSL permissions, you can let members of a Team either see which SSL certificates are purchased, or to purchase, renew, download, configure, revoke, and regenerate SSL certificates (they will also need to have the “Bill the organization” Billing permission).

Permission profiles

There are four preset permissions profiles that you can also use, and then adjust based on your specific needs. These are:

  • Administrator profile
    This gives full access to all permissions.
  • Technical profile
    Gives full permissions on Simple Hosting, Gandi Cloud, and SSL certificates and all Domain permissions except Manage domain contacts and Manage owner changes & transfers
  • Billing profile
    Gives full permissions on Billing, but only View permissions for Domains, Simple Hosting, Gandi Cloud, and SSL certificates
  • Read-only profile
    This gives only View permissions across all categories

Sharing products using Teams

If you don’t already have an Organization, you’ll need to create one either from the Organization menu, or in the shopping cart or at checkout when purchasing a product. N.B. the Organization becomes the legal owner of whatever products you have in it.

To create Teams in an organization, go to “Organizations” in your account, and under the Organization you want to add the Team to, click “Teams” and then “Manage your teams.” Then click “Create a new team.”

This will let you name the team, add members, and then choose the permissions for the team from the permissions listed above.

If you need to add more Team members later, you can do that from the “Team overview” page. Just click “Invite” using either their Gandi username or an email address, and then “Send invitations.”