WHMCS provides support for staff accounts, and the Staff Management page is where you can add, remove, and otherwise manage these staff accounts. This article goes over the options available and the process of managing staff accounts in WHMCS.
The Staff Management page can be found through Setup -> Staff Management, where you can choose which section of staff management you need to manage.
The Administrator Users section is where you can view, add, remove, and otherwise manage the admin/staff users on your system.
All current accounts will be listed on the main page, split into two categories: Active and Inactive. The buttons next to each user entry are for editing and removing that user respectively.
Adding an Administrator
To add an administrator, simply click the Add New Administrator button and you will be presented with the following form:
The fields and options on this page are as follows:
- Administrator Role: Specifies the designated role for this admin account.
- First Name: First name of the administrator.
- Last Name: Last name of the administrator.
- Email Address: Email address of the administrator.
- Username: Username for the administrator.
- Password: Password for the administrator. It is recommended to enter a secure, randomly generated password using a tool such as this. It is also recommended to send password reset instructions to the admin after the creation of their account.
- Confirm Password: Duplicate entry for the Password. Needed to ensure the password was entered correctly.
- Assigned Departments: Specifies what departments/groups the admin account should belong to.
- Support Ticket Signature: Specifies the admin user’s signature that will appear by default at the end of their ticket messages.
- Private Notes: Place to leave notes on the account. These are visible to other admins as well.
- Template: The template the admin user will adhere to.
- Language: The admin user’s language.
- Disable: Enabling this deactivates the account, preventing login.
Administrator roles are groups that you can assign admin users to in order to apply permissions and policies to them in groups, instead of all individually. You can also use this to designate the exact position the user will be.
The first page in this section simply lists the existing Administrator Roles, along with lists of which admins are members of each group, and buttons to edit or remove the group.
Adding an Administrator Role
WHMCS provides two ways to create a new admin role: creating one from scratch or duplicating an existing group. The buttons to initiate each type of group creation are found at the top of the page.
Add New Role Group
After selecting to add a new role group, you will first be prompted to give a name to the group. Give it a name that is descriptive of its duties and what permissions it will have.
Next you will be prompted to select what permissions you want users within the group to have. The name of each permission is descriptive of what that permission allows the user to do or access.
You will also be able to restrict their access to reports, and specify what types of emails they are able to manage.
Duplicate Role Group
When selecting to duplicate an existing role group, it will ask you which group you wish to duplicate and what name you would like to give to the new one. Give it a name that’s descriptive of its duties and permissions.
You will then be presented with the same permissions selection page as when creating a new role group, except it will be pre-populated with the values from the group you are duplicating. Simply modify the settings if you so wish, and save them.
Two Factor Authentication
WHMCS provides support for two factor authentication (2FA) to increase security on client and admin accounts. When a user logs in with 2FA enabled, beyond just their username and password, they will be prompted for another form of identification using a second device. Typically this is done by sending a code to a mobile phone via SMS, or with a one-time code that expires and regenerates every 30 seconds.
On the Two Factor Authentication setup page, you are given the option to force clients, admins, or both to enable 2FA the next time they log in, if they don’t have it already.
WHMCS supports 3 types of 2FA:
- Duo Security: use a smartphone or other device to receive a temporary code for login, through methods like push notification, SMS, phone calls, etc.
- Time-Based One Time Password: use a second device to generate a random passcode that is only valid for 30 seconds before a new code is generated. This uses 3rd party applications such as Google Authenticator or Authy to generate these codes. Enabling this requires a subscription payment of $1.50/mo.
- Yubico: a hardware key that plugs into your computer via a USB port in order to identify you. This is free to enable, but you will need to purchase the hardware keys themselves, which start at $25 each.
Manage API Credentials
WHMCS provides API support for the development of 3rd party applications that rely on its services. The Manage API Credentials page lets you create roles for access to specific components of the API and assign those roles to API credentials.
Create API Role
Before you can create API credentials, you have to make at least one API role to specify what permissions the credentials will have.
To create an API role, begin by selecting the API Roles tab and clicking the green Create API Role button, and you will be prompted with the following form:
Simply give the role a name that is descriptive of its duties or permissions, and you may give a description to describe those duties and permissions more in depth. Then scroll through the different categories in the left-side panel and select what permissions from those categories this role should have. The full reference guide for the API calls can be found here.
Add New API Credentials
After you’ve created at least one API role, you can create new API credentials for specific admin users by going to the API Credentials tab and clicking the green Generate New API Credential button. This will bring up the following form:
In this form, simply select which admin user the credentials are for, optionally give the credentials a description for their duties or permissions, and then select which API Role(s) they should have (you can select multiple). Then just click Generate and you will be presented with the following information:
These are the identifier and secret key used to authenticate access to WHMCS’ API. You will give these to the admin user the credentials are for.
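One way a client application can handle the identifier and secret once they are issued (an added example, not code from WHMCS or this article). The environment variable names, the host `billing.example.test` and the `redact` helper are assumptions; the request fields follow the WHMCS API convention of a POST to `includes/api.php`.

```python
import os
from urllib.parse import parse_qsl, urlencode, urlsplit
from urllib.request import Request


def build_api_request(base_url, action, params=None, env=os.environ):
    """Build (but do not send) an authenticated WHMCS API request.

    Credentials come from the environment (hypothetical variable names), so
    they never sit in source control; a missing variable raises KeyError.
    """
    if urlsplit(base_url).scheme != "https":
        raise ValueError("refusing to send API credentials over a non-HTTPS URL")
    fields = dict(params or {})
    # Set these last so caller-supplied params cannot override them.
    fields.update({
        "identifier": env["WHMCS_API_IDENTIFIER"],
        "secret": env["WHMCS_API_SECRET"],
        "action": action,
        "responsetype": "json",
    })
    # Credentials go in the POST body, not the query string, so they stay
    # out of web server access logs and proxy URL logs.
    url = base_url.rstrip("/") + "/includes/api.php"
    return Request(url, data=urlencode(fields).encode(), method="POST")


def redact(body: bytes) -> str:
    """Return the request body with the secret masked, safe for debug logs."""
    pairs = parse_qsl(body.decode(), keep_blank_values=True)
    return urlencode([(k, "***" if k == "secret" else v) for k, v in pairs])


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    sample_env = {"WHMCS_API_IDENTIFIER": "constructed-id",
                  "WHMCS_API_SECRET": "constructed-secret"}
    req = build_api_request("https://billing.example.test", "GetClients",
                            {"limitnum": 5}, env=sample_env)
    print(req.get_method(), req.full_url)
    print(redact(req.data))
```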