Admins

WHMCS allows you to create admins to access and use the Admin Area. Admins are separate from the clients that access the Client Area. You can create individual accounts for each admin and use detailed controls to set what they’re able to view and do for each area of functionality.

Administrator Users

You can create and configure the individual admins in your WHMCS installation. The list of admins includes all of the admins on your WHMCS installation. This list includes each admin’s name, email address, username, role, and assigned support departments.

You can access this feature at Configuration () > System Settings > Administrator Users or by going to Configuration () > Manage Admins.

Create or Manage Admins

To create an admin, click Add New Administrator, or to edit an existing admin, click the Edit icon.

  • Admin usernames must begin with a letter (AZ or az), contain only alphanumeric characters, and not include spaces or other special characters.
  • Admin passwords cannot use the following characters: &, ", ', <, or >.

Admin Invites

We added admin invites in WHMCS 8.12.

In WHMCS 8.12 and later, you can send invitations to allow new admins to set their own login credentials. This helps to improve admin account security by removing the need for you to send their credentials to them when you create their account.

To send an invite, set Send Invite to Send Invite Link while creating the new admin. The system will send an invitation email that contains a link to create a new username and password.

  • Invited admins appear in the Pending Invites list until they use the emailed invitation link to set up credentials and log in.
  • You can cancel a pending invitation at any time by clicking the Delete icon.
  • Invitation links expire after seven days. If a link expires before the new admin sets up their login credentials, you can resend it.
    For steps to resend an admin invite, see Resend an Admin Invite.
  • The invitation email uses the Admin Invitation email template at Configuration () > System Settings > Email Templates.

Assigning Support Departments

The most common cause of issues accessing a support department is forgetting to select the right departments in the admin’s settings. Make sure you select all of the support departments that you want this admin to view or work with.

When you add or edit an admin, make certain to check the support departments whose tickets you want the admin to see and be able to respond to.

  • If you assign the admin to a role that includes Access All Tickets Directly, they can access other departments through direct links.
  • If you want the admin to receive notifications from one of their assigned support departments, select Enable Ticket Notifications for that department.

Administrator Roles

Administrator roles allow you to set the permissions for different types of admins. You can set up as many different administrator roles as you want and then assign your admins to them.

WHMCS includes three default roles: Full, Sales, and Support Only.

You can access this feature at Configuration () > System Settings > Administrator Roles.

Create or Update an Administrator Role

To create an administrator role, click Add New Role Group, or to edit an existing role, click the Edit icon. Then, configure the desired settings and permissions for that role and click Save.

For all admin roles, you must enable Support Center Overview or Main Homepage. This allows the admin to see the support center overview or Admin Dashboard after logging in.
For steps to create or edit a role, see Add or Edit a Role.

Role Permissions

The system provides options for Admin Area actions and email receiving preferences for system emails, account emails, and support emails.

  • Cancel permissions allow you to cancel an item.
  • Create permissions allow you to create a new item.
    Many Create permissions require the related Manage permission. If you see Access Denied errors, add the Manage permission. For example, errors will occur when creating invoices if you don’t also enable Manage Invoices.
  • Configure permissions are generally for settings under Configuration () > System Settings.
  • Delete permissions allow you to delete or remove an item.
  • List permissions allow you to view a list of items.
  • Manage permissions allow you to manage an item.
  • View permissions allow you to view an item.

For example, for an admin who works with clients and tickets, grant the Manage and View permissions for tickets, domains, and client products. If they will be processing client orders or creating new services for clients, also grant the applicable Create and Manage permissions.

If an admin will provide remote support and you only want them to view items but not change them, you can grant them the desired View permissions only.

Limiting Access to a Specific Addon

You may want to limit an admin to a specific addon in order to allow third-party developers access to debug an issue with that module.

To do this:

  1. Enable the Addon Modules permission for the role.
  2. Enable any other permissions that that addon requires. For example, if an addon adds a Support PIN number within the client profile Summary tab, you may need to grant the View Clients Summary permission to allow the third-party developer to test it.
  3. Edit the Access Control setting at Configuration () > System Settings > Addon Modules to grant access to that admin.

Enabling Permissions for Debugging Provisioning Modules

You may want to enable the following permissions for debugging provisioning modules:

  • Configure Servers
  • View Clients Products/Services
  • View Module Debug Log
  • Perform Module Command Operations

Further permissions, such as the ability to edit services with Edit Clients Products/Services, are generally not necessary. Evaluate this need on a case-by-case basis.

Managing Two Factor Authentication

Two-factor authentication adds an additional layer of security by introducing a second step to the login process. It takes something you know (for example, your password), and adds a second factor, typically something you physically have (such as your phone). Since the system will require both to log in, if an attacker obtains your password, two-factor authentication would stop them from accessing your account.

For more information, see Two Factor Authentication.

Last modified: December 4, 2024