Security Concepts
Roles-Based Security
Users inherit their security rights based on their Security Roles. You can apply a Security Role to a User, and Users belong to Security Roles. One User can have an infinite number of Security Roles, and one Security Role can have an infinite number of Users.
Layered Security
Because Users can have multiple Security Roles, think of each role as a layer. The User's access to information in the system is based on the sum of all of the roles assigned to their record.
Additive Security
You must grant access to certain information. SPoCs can hide items from Users so they have no way to know the item exists until you apply a Security Role that can access that information to the User's record. For example, most Users don't know there is a Background Checks Page until they receive a Security Role that can view that Page.
You must add the following entities to a User before they can interact with them:
- Pages
- Sub-pages
- Reports
- Tools
- Explicitly Secured Actions
Gain Highest Level of Access
When a User has multiple roles impacting any of the above entities, they gain the most access afforded to them by any Security Role. For example, if a User has a Security Role where they can only view or read records on the Contacts page, but they also have a Security Role where they can edit records on the Contacts page, they can edit records on the Contacts page. The User receives all permissions of both roles.
Roles can also grant access to specific Tools and Reports, if needed. You can use a role to give access to specific Tools or Reports without granting rights to any new Page.
Restrictive Security
Once a User has access to information, you may need to restrict some of that information. By default, when you grant rights to a Page, you give all Users with that role the right to all views, fields, and records on that Page. Restrictive security allows a supervisor to fine-tune what the Users with that role see on the Page. You must restrict the following entities to remove them from view:
- Specific records on a Page, such as a celebrity's Contact record on the Contact page.
- Specific Page Views on a Page, such as Major Donors on the Donors page.
When a role restricts an entity in the database, a User with that role is always restricted from that entity, regardless of their other roles.
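The following added example (not code from the product this page describes) models how the additive, highest-level, and restrictive rules combine into a User's effective access. The `Role` structure, the level constants, the role names, and the record IDs are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Access levels ordered so max() selects the highest (hypothetical names).
NONE, READ, EDIT = 0, 1, 2

@dataclass(frozen=True)
class Role:
    name: str
    pages: dict = field(default_factory=dict)     # page -> level granted
    tools_reports: frozenset = frozenset()        # granted independently of pages
    restricted_records: frozenset = frozenset()   # {(page, record_id)}
    restricted_views: frozenset = frozenset()     # {(page, view)}

def page_level(roles, page):
    """Additive + highest level: best grant from any role, NONE if none grants it."""
    return max((r.pages.get(page, NONE) for r in roles), default=NONE)

def can_use(roles, item):
    """A Tool or Report is usable if any role grants it; no page grant is needed."""
    return any(item in r.tools_reports for r in roles)

def record_level(roles, page, record_id):
    """A restriction in any one role overrides grants from every other role."""
    if any((page, record_id) in r.restricted_records for r in roles):
        return NONE
    return page_level(roles, page)

def view_visible(roles, page, view):
    """A Page View needs access to the page and no role restricting that view."""
    if page_level(roles, page) == NONE:
        return False
    return not any((page, view) in r.restricted_views for r in roles)

# Constructed sample roles mirroring the page's examples.
VIEWER = Role("Contacts Viewer", pages={"Contacts": READ})
EDITOR = Role("Contacts Editor", pages={"Contacts": EDIT})
DONORS = Role("Donor Staff", pages={"Donors": READ})
REPORTS = Role("Report Runner", tools_reports=frozenset({"Sample Report"}))
LIMITED = Role(
    "Limited Visibility",
    restricted_records=frozenset({("Contacts", 101)}),   # 101: the celebrity's record
    restricted_views=frozenset({("Donors", "Major Donors")}),
)

if __name__ == "__main__":
    user = [VIEWER, EDITOR, DONORS, LIMITED]
    print("Contacts page level:", page_level(user, "Contacts"))
    print("Record 101 level:", record_level(user, "Contacts", 101))
    print("Major Donors visible:", view_visible(user, "Donors", "Major Donors"))
```

When auditing a User's roles, evaluate restrictions last: a single restricting role removes access that every other assigned role would otherwise grant.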