Removing Technician/App Admin Access

This article helps global administrators in TDX learn how to remove a user's access at the global level.

Overview

Removing a user from a group does not automatically revoke their access. If their global security role is still active and they have access to TDWorkManagement, formerly called TDNext, they can still view and work on tickets.

To fully remove access, the user's college app admin must submit a Maricopa Help Desk Requests ticket. This allows a global admin to follow the steps below to remove the user's global security role and other permissions.

Each request is unique, and the global admin will review the details, but the steps below outline the general process for removing a user’s access.

Note: If you know how to Grant Technician/App Admin Access to users, then removing access usually involves reversing those steps by resetting permissions and adjusting the global role and college-level app security roles back to Client.

Reviewing Accounts

Accounts are maintained as a standard User type; rather than changing the account type, access is controlled by modifying Security Roles and permissions across general settings, applications, groups, dashboards, and workspaces.

Here are the four main security roles:

1. Global Admin - District-level owners who oversee organization-wide settings, security permissions, and global group structures.
2. App Admin - College-level managers who organize local services and workflows, and oversee technician memberships for the college's groups.
3. Technician - Responsible for managing and resolving assigned tickets and tasks.
4. Client - End-users who use the portal to request services.

By default, all users in the Maricopa system sync into TDX as the User type and automatically receive the Client security role for all client portals. Users must have the Client security role at each client-portal application level to access that portal and submit tickets.  

When the Client security role is set at the org level on the general tab, you will notice that some other applications (Community, Ticketing apps, Asset apps, People, TDNext, etc.) are automatically grayed out.

These grayed-out applications become selectable only after a user is assigned the Technician or higher security role at the organization or global level (located under the General tab).

Important: The App Admin column (as shown below). The App Admin checkbox must remain unchecked when the security role is set to Technician or Client, as selecting it would grant unintended administrator access. This box should only be checked when the security role is App Admin, since it is what actually provides administrative privileges. Always ensure the checkbox aligns with the assigned role to prevent mistakenly giving admin rights to non‑admin users.

Revoking Access

Once a user is granted the Technician role at the organizational level, ticketing applications that were previously greyed out become available for updates. In the security roles column for these applications, you will see App Admin and Technician listed. Note that the Client role is not available here because it is only used for client portal applications, not for ticketing or asset applications.

The screenshot below illustrates a DO IT staff member with Technician access to the DO – Client Portal and DO – Ticketing apps, while their access to other applications remains at the Client role. Note that If an access-expansion request is approved, global admins can then assign Technician or higher roles for additional client and ticketing apps across multiple locations.

Remember, fully enabling a user involves more than just changing their roles. For detailed steps, please see the sections Removing App Admin and Technician access below.

Removing App Admin Access

In this example, permissions and applications are being removed from a Chandler Gilbert Community College App Admin.

• Org Level/General: Update Security Role from App Admin to Client

• Applications:

  • Ensure Community is deselected

  • Ensure People is deselected

  • CGCC - Client Portal App - CGCC doesn't utilize or have a Client Portal App that currently exists.

    • Important: To remove App Admin access for someone in a college's client portal that currently exists, change their role back to Client and uncheck the “App Admin Column” checkbox next to the security role name. The App Admin checkbox is what actually gives administrative privileges, while the security role defines specific permissions.

  • CGCC - Ticketing App - Ensure this application is unchecked. 

    • Important: Ensure that the “App Admin Column” checkbox is unchecked. 

  • Ensure TDNext is deselected

  • Ensure Workspaces is deselected

  • Note: There may be additional applications not listed above to deselect. Please review and deselect any as necessary.

• Groups: Remove any remaining groups.

• Dashboards: Remove any DO designed linked dashboards "SysAid Default View (CGCC)" & "Tools - Technician"

• Workspaces: Deactivated "Tickets Transferred to DO"

Additionally, for app admins, when adding or removing members, it helps to update their membership in the TDX App Admins Webex Space and the DL ITS AT TDX Admin (dl-its-at-tdx-admins@domail.maricopa.edu) to keep the list of app admins at the colleges current.

Removing Technician Access

In this example, permissions and applications are being removed from a Paradise Valley Community College Technician.

• Org Level/General: Updated Security Role from Technician to Client

• Applications:

  • Community deselected

  • People deselected

  • PVCC - Client Portal App updated from Technician to Client

  • PVCC - Ticketing App updated from Technician to Client

  • TDNext deselected

  • Workspaces deselected

  • Note: There may be additional applications not listed above to deselect. Please review and deselect any as necessary.

• Groups: Removed any remaining groups.

• Dashboards: Removed linked dashboards "SysAid Default View (PVCC)" & "Tools - Technician"

• Workspaces: Deactivated "Tickets Transferred to DO"

Conclusion

Note: If the user has tried to sign in, they might need to sign out, close their browsers, and sign in again for the new permissions to apply.

There are a few different steps depending on what’s being updated — for example, removing App Admin access is handled differently than adjusting permissions for a technician — typically, the security role should be reset to the Client level at the org/profile level, also known as General. After that, update applications, groups, dashboards, workspaces, and any other relevant areas as needed. Team Dynamix Solutions knowledge base offers many helpful documents about TeamDynamix.