You use access privileges to further refine what users can do in the software. For example, which users can edit events beyond a certain status or which users can delete notes with certain note sensitivities.
You assign access privileges at the role and/or user level. The best practice is to assign access privileges at the role level so access is more easily maintained.
When a user is stopped by an access privilege, he/she usually receives a message similar to the below:
User (user name) is not allowed to (restriction). User restricted by security option (access privilege name).
System Access Privileges and Access Privileges
There are two types of access privileges: System Access Privileges and Access Privileges.
System access privileges apply to all organizations if you use multiple organizations. Examples of system access privileges include editing dictionary phrases and add/editing roles and users.
Access privileges apply only to the organization you configure them in. Examples of access privileges include editing events up to a certain status and deleting documents up to a certain sensitivity.
Implicit and Explicit Access Privileges
Each access privilege is either implicit or explicit. You can see if an access privilege is implicit or explicit using the Scope column on the Access Privileges page.
- Implicit - If no users are assigned to the access privilege, all users have access.
- Explicit - If no users are assigned to it, no users have access.
It is important to understand the difference between implicit and explicit access privileges because if you were to give a user access to all access privileges, then those users not assigned to the implicit access privileges are no longer able to perform those functions.
Manage Access Privileges
You should always carefully consider any changes you make to access privileges. Changes are applied immediately after you save the access privilege changes and you could impact large groups of users.
Access privileges that display in gray on the Access Privileges page are not active, meaning there are no roles or users assigned. See Implicit and Explicit Access Privileges to understand what it means if no roles or users are assigned.
Some access privileges use access details or security values to determine access. See Change Access Details for Access Privileges and Change Security Value for Access Privileges for more information.
The below steps use the Access Privileges page but the same process applies but with the System Access Privileges page. To manage access privileges:
- Click the Access Privileges link from the Main Menu. The Access Privileges page opens.
- Select the access privilege to manage.
- Right-click and select Edit. The Edit Access Privilege window opens.
- Select the Access Privilege Details tab.
- Click the Manage button. The Assign Access Privileges window opens.
- To assign roles and/or users to an access privilege:
- Select the role(s) and/or user(s) to assign to the access privilege in the Available panel. Use Ctrl+Click or Shift+Click to select multiple roles and/or users.
- Click the single right arrow button to move the selected role(s) and/or user(s) to the Selected panel.
- To unassign roles and/or users to an access privilege:
- Select the role(s) and/or user(s) to unassign to the access privilege in the Selected panel. Use Ctrl+Click or Shift+Click to select multiple roles and/or users.
- Click the single left arrow button to move the selected role(s) and/or user(s) to the Available panel.
- Click OK. You return to the Edit Access Privilege window.
- Click OK.
Change Access Details for Access Privileges
Some access privileges allow for you to assign more detailed access using Access Privilege Details. This is often used when determining who can edit or delete information for a certain account rep or a certain department. Not all access privileges use Access Privilege Details. If an access privilege allows for additional access, it is noted in the access privilege note.
To assign access privilege details for a role and/or user on an access privilege:
- Click the Access Privileges link from the Main Menu. The Access Privileges page opens.
- Select the access privilege to manage.
- Right-click and select Edit. The Edit Access Privilege window opens.
- Select the Access Privilege Details tab.
- Select the role and/or user for the more detailed access.
- Right-click and select Assign Details. The Assign Details window opens.
- To assign access:
- Select the value(s) the role/user has access to in the Available panel. Use Ctrl+Click or Shift+Click to select multiple values.
- Click the single right arrow button to move the selected value(s) to the Selected panel.
- To unassign access:
- Select the value(s) to unassign in the Selected panel. Use Ctrl+Click or Shift+Click to select multiple values.
- Click the single left arrow button to move the selected value(s) to the Available panel.
- Click OK. You return to the Edit Access Privilege window.
- Click OK.
Change Security Value for Access Privileges
Some access privileges allow for you to assign more detailed access using a Security Value. This is often used when determining who can edit or delete information based on a status level. Not all access privileges use security values. If an access privilege allows for additional access, it is noted in the access privilege note.
To assign a security value for a role and/or user for an access privilege:
- Click the Access Privileges link from the Main Menu. The Access Privileges page opens.
- Select the access privilege to manage.
- Right-click and select Edit. The Edit Access Privilege window opens.
- Select the Access Privilege Details tab.
- Show the Value column.
- Enter the code for the desired value into the Value field for the role and/or user. Review the access privilege note to understand which code to enter.
- Click OK.
You can set a default security value so whenever a role and/or users is assigned to the access privilege, it is given the default security value.
- Click the Access Privileges link from the Main Menu. The Access Privileges page opens.
- Select the access privilege to manage.
- Right-click and select Edit. The Edit Access Privilege window opens.
- Enter the code for the default security value into the Default field.
- Click OK.
View Only Access Privileges
Some access privileges allow for a View Only setting. View Only allows a user to see information but not update it. The following access privileges allow for view only access:
- Edit/Add Accounts by Account Rep
- Edit/Add/Delete Accounts by Account Rep
- Allow Event Modification by Account Rep
- Allow Campaign Modification by Account Rep
- Allow Event Modification by Coordinator
- Allow Function Modification by Coordinator
- Allow Job Modification by Coordinator
- Access Issues by Issue Rep
For example, Mary Brown is assigned to the access privilege Edit/Add Accounts by Account Rep. This privilege is configured to allow Mary access to accounts with Mary Brown assigned as the account rep and with Keith Miller assigned as the account rep. For accounts where Keith is the account rep, Mary needs View Only access so she can see the information but not change it. The following three scenarios are possible:
- Mary edits an account where Mary is the account rep. She can edit the account and all the account information.
- Mary attempts to edit an account where Keith is the account rep. She can view the information but cannot make changes to the account.
- Mary attempts to edit an account where Bill is the account rep. Mary cannot access the account because she does not have access to view or edit accounts where Bill is the account rep.
Track Access Privilege Changes in the Audit Log
You can track the changes made to access privileges through the audit log. To configure the audit log to track access privilege changes:
- Click the Audit Log link from the Main Menu. The Audit Log page opens.
- Click the Tools button.
- Select Configuration. The Audit Log Configuration window opens.
- Locate the Organization Access Privileges option.
- Show the Status column.
- Select Active from the Status drop-down for the options you want to track: Assign Access Privilege, Assign Access Privilege Detail, Changed Access Privilege Detail, Changed Access Privilege Value, Delete Access Privilege and Delete Access Privilege Detail.
- Click the Save button.
To view access privilege entries in the audit log:
- Click the Access Privileges link from the Main Menu. The Access Privileges page opens.
- Click the Tools button.
- Select Audit Log. The Audit Log page opens.
- Enter your desired filters.
- Click the Search button. The audit log entries for the Access Privileges matching the entered search criteria display.
Comments
4 comments
Hello.
When an access privilege is described as "THIS ACCESS PRIVILEGE IS NOT CURRENTLY IMPLEMENTED IN UNGERBOECK.", is there a way to know if that's a discontinued legacy item vs. something waiting a future release?
E.G.: Event Management and Coordination - Access Privilege Filter: View Only User-Related Events
Zak.
0 upvotes
Hi Zak,
The presence of, "...not currently implemented...," verbiage generally indicates that the access privilege is related to functionality planned for future release.
Discontinued access privileges often indicate their last functional release and/or refer to the new access privilege(s) that replace the existing privilege.
Regards,
Sam
0 upvotes
Thanks, Sam.
Do you have the crystal ball that shows what release a privilege might land in?! Or is there a way to upvote one that's stalled?
Aside from sifting thru "What's New" pdfs, any way to see if an access privilege that's not available in one's active version has been activated in a more current version?
i.e. I'm on 30.97C; i don't see mention of the "View Only User-Related Events" privilege in .98 or .99 WN files. Is there another place to check for newly-activated - or all active - privileges for each software release, to know if updating would unlock this access privilege?
Zak.
0 upvotes
Hi Zak,
I'm sad to say someone borrowed my crystal ball and never returned it.
Ungerboeck non-development staff also heavily rely on the What's New documentation for release information. Development teams rely on it for areas outside of their focus. This document essentially serves as a clearinghouse for this information both inside and outside of the organization.
You can advocate for desired functionality using a couple different methods.
There may be other user-facing tools offered in the future, but these options are currently available. At minimum, I recommend taking advantage of your CSM. They are uniquely positioned to assist with this type of request.
Regards,
Sam
0 upvotes
Please sign in to leave a comment.