Role Based Access Permissions
From LongJump Support Wiki
Role Based Access Permissions give users the ability to access data based on their designated Role in a Team.
About Role Based Access Permissions
Default and Custom Roles
Although more personalized controls are often needed, the out-of-the box implementation includes Default Roles for administrators, managers and team members. Additional roles can be added and existing roles can be modified as the needs of the organization change. Note that Visibility Controls are an extension of Role Based Access Permissions, and also affect the data that is available to users.
For example, a Web Tab can be created that is only available to managers.
- For other uses, see Access Control (disambiguation).
Roles and Data Visibility
- Custom Access Criteria are a set of rules which define the Users who can perform various Actions (add, view, update, delete) on Records in Objects
- Visibility Controls define whether User data is available to other users, whether records in objects are visible or hidden and optionally, whether the User has rights to modify data records based on Record Ownership
- Data Sharing Policies are a set of rules that enable users to share data across Teams, with the level of access based on each User's Role in a primary Team
- Note that Team Data Sharing Policies override record-level access specified by individual Visibility Controls.
- Field Visibility (Role Based Permission Control), a security control that provides data visibility rights at the Field level
- Role Based IP Login Restriction, a security control that restricts login to users in a limited IP address range
User, Team and Role Guidelines
- Administration
- The ability to manage users, teams, and roles is subject to the restrictions of the Permissions Hierarchy.
- Users
- Users can be members of multiple Teams
- When a user is assigned to a team, they are given a designated Role
- A user can have different Roles on different teams
- A user can have different Roles on the same team, as well. In that case they acquire the combination of permissions from each Role.
- Roles
- Each Role is available for assignment in all Teams
- Roles define the types of data users can access and share with other team members
- Default Roles are available in the platform
- Additional roles can be created and the default roles can be modified as needed
- Teams
- Each user must be assigned to a Primary Team
- When a user is assigned to a Primary Team, any previous primary team assignment is replaced
Working with Roles
As organizations grow and evolve, the Default Roles built into the platform may need to adapt to changing business needs. It is common for new roles to be added over time, and for these roles to evolve (in scope or access permission rights) as the organization grows and business roles change.
Users in Roles that have the Access Control/User Management permission can create teams and roles, add users, assign users to teams, and designate access permission rights.
Role Management Restrictions
The ability to manage roles is subject to the Permissions Hierarchy restrictions.
Add or Edit a Role
To Add or Edit a Role:
- Click Settings > Administration > Roles. The currently defined roles are listed.
- The System Administrator role comes with the platform.
- The Team Manager and Team Member roles come with the OfficeSpace Application
- Learn more: Default Roles
- Click the [New Role] button to add a role;
- Optionally, click an existing role to edit the role
- Specify the Role Settings (described below)
- Click [Save]
Clone a Role
You can clone a role in order to save time in creating a new role that has similar settings.
To Clone a Role:
- Click Settings > Administration > Roles
- Click the name of the role you want to clone. The detail page for that role opens.
- Click the [Clone] button.
The Add Role page opens, displaying the settings from the Role you cloned.
- Specify the Role Settings (described below)
- Click [Save]
Delete a Role
To Delete a Role:
- Click Settings > Administration > Roles
- Click the name of the role you want to delete; the detail page for that role opens
- Click the [Delete] button at the top of the page.
A confirmation dialog appears.
- Click [OK] to delete the role.
Role Settings
Role Information
- Name
- The name of the role as it will appear in the platform
- Description
- Text that describes this role and its settings (permissions)
Login IP Address Restrictions
- IP Address Ranges
- For extra security, enter ranges of IP addresses from which users with this Role are allowed to access the platform.
Global and Individual Permissions Tabs
Use these tabs to set up global and individual-object and individual platform-element permissions, as described in the next section.
Global vs. Individual Permissions Assignment
When granting role-based access permissions, it is possible to grant access on a Global or Individual level. Global permissions apply to all objects or platform elements. Individual permissions, on the other hand, apply to specific objects or platform elements.
For example, when the global permission to view Web Tabs is defined for a Role, it applies to all Web Tabs defined in the platform. Individual permissions, meanwhile, allow specified Web Tabs to be viewed by users with that Role.
The Individual level permissions provide very granular control. However, as staffers move and the organization evolves, managing permissions at the Individual level can become complex.
Tip: New administrators should work at the Global level, and add roles as needed to create access permissions. The platform includes these Default Roles, which can be used as-is, until a business need prompts the creation of new roles and permission settings.
Globally Manage Permissions
To edit global access permission rights:
- Click Settings > Administration > Roles > {role}
- Click the [Edit] button
- Click the Globally Manage Permissions tab
- Click the Enable All Objects or Enable All radio button to grant access permission to the element
When permissions are managed Globally, the Global permission overwrites any Individual permissions.
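The precedence rule above, together with the earlier guideline that a user holding several Roles on one team acquires the combination of their permissions, can be modeled as follows. This is an added example, not platform code; the permission keys, object and Web Tab names, CIDR notation for IP ranges, and the rule that an empty range list means unrestricted login are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Role:
    name: str
    # permission key -> True when enabled on the Globally Manage Permissions tab
    global_perms: dict = field(default_factory=dict)
    # permission key -> set of objects / Web Tabs granted on the Individually Manage Permissions tab
    individual_perms: dict = field(default_factory=dict)
    # Login IP ranges as CIDR strings (assumed format); empty list = no restriction (assumption)
    ip_ranges: list = field(default_factory=list)

def role_allows(role, perm, target):
    # A global grant overwrites whatever is configured individually.
    if role.global_perms.get(perm):
        return True
    return target in role.individual_perms.get(perm, set())

def user_allows(roles, perm, target):
    # Several Roles on the same team: the user gets the combination of their permissions.
    return any(role_allows(r, perm, target) for r in roles)

def login_ip_allowed(role, addr):
    if not role.ip_ranges:
        return True
    return any(ip_address(addr) in ip_network(net) for net in role.ip_ranges)

def audit_shadowed(role):
    """Individual grants that restrict nothing because the global switch is on."""
    return sorted((perm, target)
                  for perm, targets in role.individual_perms.items()
                  if role.global_perms.get(perm)
                  for target in targets)

# Constructed sample roles; the object and Web Tab names are invented.
manager = Role("Team Manager",
               global_perms={"view_web_tabs": True, "update_records": False},
               individual_perms={"view_web_tabs": {"Forecast"},
                                 "update_records": {"Cases"}},
               ip_ranges=["203.0.113.0/24"])
member = Role("Team Member",
              global_perms={"view_web_tabs": False},
              individual_perms={"view_web_tabs": {"Home"},
                                "update_records": {"Tasks"}})
```

`audit_shadowed` is the check worth running before a review: it lists individual grants an administrator may believe are limiting access when the global setting already allows everything.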
Access Permission to Records Owned by Others Within the Team
- Update Records
- Update records owned by other Team Members.
- Delete Records
- Delete records owned by other Team Members.
- View Records
- View records owned by other Team Members.
Record Access Permissions
- Create Records
- The right to create new Object records.
- Delete Permissions (if owner)
- The right to delete objects owned by the user.
Other Access Permissions
- View Web Tabs
- Permission to view Web Tabs defined in the platform.
- Administrative Areas
- Ability to carry out administrative operations.
Access Permissions to Resources Owned by Others Within the Team
- Update
- Allows the user with this role to edit and update the resource information for resources owned by other team members
- Delete
- Allows the user with this role to delete the resource record for resources owned by other team members
- View
- Allows the user with this role to view the resource record for resources owned by other team members
Create Permissions
Selecting the check box next to a resource listed in this section allows users with this role to create a new resource of that type. This list includes objects and options pertaining to record ownership, activities, printing, and exporting data.
Web Tab Access Permissions
Selecting the check box next to a resource listed in this section allows users with this role to have permission to create a new resource of that type.
Individually Manage Permissions
- Note: Before changing permission rights in a role, see these articles for information about how roles affect data access in the platform
- Roles
- Role Based Access Permissions
To edit individual permissions:
- Click Settings > Administration > Roles > {role}
- Click the [Edit] button
- Click the Globally Manage Permissions tab
- Click the No radio button for each permission you want to specify individually
- Click the Individually Manage Permissions tab and set the permissions as needed
Access Permission to Records Owned by Others Within the Team
Specify update, delete, and view permissions for selected objects. (The permissions apply to records owned by a different member of the team.)
Record Access Permissions
Specify record create and delete permissions for selected objects.
Web Tab Access Permissions
Specify view permissions for selected Web Tabs.
Administrative Permissions
Administrative Permissions grant access to administrative levels of the platform, and allow users with these rights to customize selected aspects of the platform.
Selecting the check box next to a resource listed in this section allows users with this role to have permission to manage that resource or information.
Users in Roles with Administrative Permission rights should have the following skills:
- Familiarity with the platform and business processes
- Good understanding of the Application Design Guide
Learn more:
- Role Based Access Permissions
- Platform Training
User and Ownership Controls
Reporting Controls
CRM Features
Data Management Controls
Application Controls
Develop Controls
Account Controls
