Understanding Security Groups
This short article describes the implementation steps required to set up security in your Intelligentcontract.com account.
The security model allows an administrator to setup one or more security groups and assign users to those security groups. Records (for example: contracts, documents etc) are also assigned to one or more security group. Users are then only able to work with records in their assigned group. You are able to control whether a particular user is able to view only or edit records in their groups.
By default, children records “inherit” (or Pass-down) the same security group settings – although this can be changed if required (see ‘Alter security Group’ and ‘Pass-down Security Rules settings’ below)You are able to set the default security groups that records created by a specific user or user(s) are created with.
Navigate to Configuration > Security > Security Groups.
Key points to note:
- By default, no security rules are implemented in a new account. All data created will be visible to all users.
- A user must be defined as an administrator in order to access security groups and other security related controls.
- Administrators are not subject to security rules. Any user that is defined as being an administrator will be able to see all data in the account regardless of any rules that have been set.
Set up Steps
In order to implement security rules for an account there are 7 steps to consider.
1. Security Groups Setup
Any number of security groups can be configured and any number of users can be added to each group.
Fig 1 Security Groups
Tip: A default group (that can’t be deleted and users can’t be deleted from it) named “Everyone” is automatically available and contains all defined users
Create a new security group clicking the New (+) button to the top-right of the summary table. All you have to do at this point is give the group a name.
You should set up security groups to match your requirements. There should be a security group for each group of users that require access to different data sets. So for example you may have a “Head Office Group” that gives access to all of your data and then a “Sales Group” that has access only a selection of sales related contracts.
Tip: It is possible to add one security group as a sub-group of another. This has the same effect as adding all the users in the sub-group to the main group, but is quicker and is easy to understand later
2. Add users to User Groups
You now should add users to the security groups that were created. You can add one or many users to one or many security groups. On the security group view page select the Users sub-tab and click the New button to select the user that you would like adding to the group.
A user can only see transactions that have been assigned a security to which that user has been assigned.
Fig 2 Users in Security Groups
Tip: Sometimes it’s easier to select a user and add the relevant security groups to that user. This can be done by navigating to: Admin > Global > Users
3. Set User Defaults
Navigate to Configuration > Users & Permissions > Users
Having set up security groups and assigned users to those groups, this step allows you to ensure users create new records in the appropriate security group. For example, if you have a head office security group with assigned users, you would now want any records created by any of these users to be assigned to the head office security group. This would allow head office users to be able to see the records they have created and no one else.
This can be set in the Users page under the Defaults section of a specific user record. You are able to set the default security group for each contract a user creates. For each user you are able to specify one or more default security groups.
Fig 3 User default Security Group
Then you can assign the default Everyone (Read-Write) group or set your own defaults by selecting 'Override & Apply This'. This will then allow you to add one or multiple security groups to the user's defaults as well as selecting RW (Read-Write) or RO (Read-Only) access.
Fig 4 Security Advanced Options
Note that having assigned a default security group (or an advanced default security group) you are able to control whether read/write access or read only access is granted to the user for that security group.
Fig 5 Changing RO and RW
4. Configure the "Security Group" field
For People, Contract and Parties, there is a "Security Group" field. You can move this field, like any other field, to anyway on the Contract, Party or People form. This field will display the currently assigned security group and allow you to change the security group.
Tip: You are able to change the name of the security group field. This is useful if your security is driven by a "feature" of your organisation. For example, you may have security set up in line with your organisation's departments. You can therefore change the name of the security group field to "Department" and then create security groups that reflect your departments. Now when a user chooses the department to assign to a contract they will also be choosing the appropriate security group.
5. Using Pass-down Security Rules settings to a record [optional]
When a record is created by a user (for example a Contract or Party), the system will determine the security group to assign to the record based on the user’s default security, but if a child-record is then created (for example an Alert or a Contract Document) then the security group to assign to this child record is, by default, derived from the parent record.
Tip: This feature is available for advanced users. This functionality provides flexibility to implement a complex security strategy to meet the needs of most organisations
Normally the child record (the Contract Document) is given the same security group as the parent (the Contract) which in turn was taken from the user’s default security group – and this arrangement is what is required for the majority of situations. However, administrators are able to alter the defaults to provide greater flexibility if business security rules require it. The two changes available on all records are:
- An administrator is able to alter the security group assigned to the current parent record
- An administrator is able to alter the security group passed-down to child records. The passed down security group can be the same or different for each child record type
Fig 6 Security Record
In both cases it is possible to grant read write or just read only access to the assigned security group.
You can assign 'RO' (Read Only) and 'RW' (Read Write) access using the buttons under the X. Click [Save] and the passed down security groups will be set up for this record.
Key points to Note
- It is recommended that the security rules set up steps are completed before transactions and users are added. This will avoid having to retrospectively update all users and records in order to achieve the security rule strategy required
- Any user that is an administrator will be able to see all contracts regardless of the security
- An administrator user cannot be assigned read-only rights.