Groups control both the access to records in the system, as well as the action capabilities of users within the system.
There are two groups by default that cannot be deleted:
- Everyone: All users belong to the Everyone Group.
- Super Administrator: Users who belong to the Super Administrator Group have permissions and rights to all records in the system, regardless of whether they belong to other more restrictive groups. Module Permissions and Rights cannot be modified for this group.
User Membership
When you add a user to a group, that user is bound by the permissions and rights set in the group.
If a user belongs to more than one group, the most restrictive permissions and rights will apply. The only exception is a user who belongs to the Super Administrator group, who will always have full permissions and rights for all records.
Tip: To view a list of all groups a user belongs to, as well as their overall security permissions, click into the User, under the Configuration button, select Security Overview.
Record Permissions
Use Record Permissions to specify which records users can Read, Write, and Delete within a module.
- Owner Only - Only the owner of the record can perform the action. This setting will affect Role security and prevent managers from viewing lower hierarchy user records.
- Not Set – Ad-hoc /Owner – This setting is restrictive by default. By itself, only the owner and group populated in the ‘Who can read and write’ section of a record will be able to perform the action. This setting comes into play for users who belong to more than one group or with role security. If using Roles, this setting will allow managers to view lower hierarchy user records.
- All - All users of the group can perform this action.
EX: Below is a table showing the Read permissions of user Laura who belongs to both Group A and Group B:
|
|
Group A |
Group B |
Effective Permissions |
|
Account - Read |
Not Set – Ad-hoc/Owner |
Not Set – Ad-hoc/Owner |
Laura can view all records she owns, all Group A records, and all Group B records. |
|
Account - Read |
Owner Only |
Not Set – Ad-hoc/Owner |
Laura can only view accounts that she owns. |
|
Account - Read |
All |
Not Set – Ad-hoc/Owner |
Laura can view all accounts in the system. |
|
Account - Read |
All |
Owner Only |
Laura can only view accounts that she owns. |
EX: Below is a table showing the Write permissions of user Laura who belongs to both Group A and Group B:
|
|
Group A |
Group B |
Effective Permissions |
|
Account - Write |
Not Set – Ad-hoc/Owner |
Not Set – Ad-hoc/Owner |
Laura can edit all records she owns, all Group A records, and all Group B records. |
|
Account - Write |
Owner Only |
Not Set – Ad-hoc/Owner |
Laura can only edit accounts that she owns. |
|
Account - Write |
All |
Not Set – Ad-hoc/Owner |
Laura can edit all accounts in the system. |
|
Account - Write |
All |
Owner Only |
Laura can only edit accounts that she owns. |
Delete Permissions are a bit more restrictive. Delete rights are additionally controlled in the Rights tab. A user can only delete records if they have the Rights to delete. Below is a table showing the Delete permissions of user Laura who has Delete Rights and belongs to both Group A and Group B:
|
|
Group A |
Group B |
Effective Permissions |
|
Account - Delete |
Not Set – Ad-hoc/Owner |
Not Set – Ad-hoc/Owner |
Laura can only delete accounts that she owns. |
|
Account - Delete |
Owner Only |
Not Set – Ad-hoc/Owner |
Laura can only delete accounts that she owns. |
|
Account - Delete |
All |
Not Set – Ad-hoc/Owner |
Laura can delete all accounts she has access to. |
|
Account - Delete |
All |
Owner Only |
Laura can only delete accounts that she owns. |
Module Rights
Use Module Rights to specify whether users of the group have the right to Access a module, Access to administrative settings, ability to Create or Delete records within a module, as well determine their Sign In rights, and ability Mass Update/Delete within the system.
- Deny - none of the users can perform this action
- Not Set - by itself, this setting is restrictive and does now allow users to perform the action. This setting comes into play for users who belong to more than one group.
- Allow - users from the group are permitted to perform this action
EX: Below is a table showing the account Rights of user Laura who belongs to both Group A and Group B:
|
|
Group A |
Group B |
Effective Rights |
|
Account - Access |
Not Set |
Not Set |
Laura does not have access to the Account module. |
|
Account - Access |
Not Set |
Deny |
Laura does not have access to the Account module. |
|
Account - Access |
Not Set |
Allow |
Laura has access to the Accounts module. |
|
Account - Access |
Deny |
Allow |
Laura does not have access to the Account module. |
Policies
Use Policies to enforce strong passwords and settings. If a user belongs to more than one group, the Policies that are most stringent will apply. By default, system passwords must always be a minimum of 5 characters in length.
- Enforce strong password: Enabling strong password will require and Uppercase, lowercase, and number value. Not set and No options still require a minimum password length of 5 characters.
- Minimum Password Length: The default minimum password is 5. You can make this requirement longer by selecting Yes and entering the desired length (a password must always contain 1 uppercase, 1 letter, and 1 number).
- Minimum Username Length: The default minimum username is 5. You can make this requirement longer by selecting Yes and entering the desired length.
- Password Expires: Select Yes to force a password change every x number of days.
To create a new group:
- Go to Administration-->Groups.
- Click the button Create.
- Enter the Group name, populate a Parent group (if applicable) and click Save.
To view and add/remove a user to/from a group:
- Go to Groups.
- Click on the appropriate group Name OR click the Configure button for that group.
- Click on the User Membership button.
- To add users to the group, select the users in the Non Members box and use the arrow to move them to the Members box. To remove users, select the users from the Members box and use the arrow to move them to the Non Members box.
To edit group permissions, rights, policies :
- Go to Groups.
- Click on the appropriate group Name OR click the Configure button for that group.
- Click on the tab name to modify the settings.
To delete a group:
- Go to Groups.
- Click on the appropriate group Name OR click the Configure button for the group you want to delete.
- Click the Delete Group button.
To view a User’s overall security permissions:
- Go to Users.
- Click into the appropriate user.
- Under the Configuration button, select Security Overview.
FAQs
Q. I need to create a new user with identical permissions to an existing user
A. All you need to do is add your new user to the same groups as the user whoses permissions you wish to replicate. For example, if I want my new user Sally to have the same restrictions as Jeff I just create Sally's user, check which Groups Jeff curretly belongs to and add Sally to those groups
Comments