The application is Group based. When a user signs in they are recognised as a User within a Group Type. The Group Type determines the permissions for a user.
There are three Group Types:
- Power Users – A power user can do anything
- Communication Users – A communication user can own objectives and metrics, update actual values, write notes, set alerts and create tasks
- Viewers – A viewer can view the system
Within a Group Type, you can add as many Groups as you need. You can change the permissions of the Group based on the super-set of permissions allocated to the Group Type.
A Typical configuration might look something like this:
To create a Group you need to be an Administrator. If you are an Administrator go to the Administration view.
Click on the small cog at the bottom left-hand side of the screen to open the Administration view.
You will be presented with the Account Information screen.
Click on Groups under Security about half way down the Settings list.
A screen similar to the one below will appear. Click on + Add to add a Group.
The New Group panel will appear next to the Groups panel. Add the name of the new group (we have added Sales) and click on the Group Type and select the group type we have selected Communication Users.
Important: click Save to save the group.
The new group will appear in the Groups list (you may need to refresh the browser to see it).
In this case, Sales, has appeared in the list with a group type of Communication User.
Click on Advanced under Permissions in the right-hand panel to open the Permissions dialogue.
The Permissions dialogue box will appear. By default, is selected. This is an important principle. By default, everyone can see everything in the system. To restrict access a positive action or actions need to be taken.
The following dialogue box is for Communication Users in the Sales Group.
To restrict access, click on the checkboxes and remove the check-ticks. In this example we have un-checked View All Organizations, Edit Initiatives, Modify Documents and Delete Documents and have therefore severely restricted access for the Sales group. Important: Click Done Save.
Having restricted View All Organizations, we now need to grant access to Organizations/Scorecards, Dashboards, Reports etc.
The Sales Group has now been denied access to view Organizations. To allow the Sales Group to see the scorecards, dashboards, initiatives etc. in the Sales Organization, click on Organization next to the Advanced button:
The Sales: Organization Permissions dialogue will appear together with the Organization Tree.
Highlight on Sales in the list.
(if you have not added Sales, as part of this training, click on another Organization).
The Organization will appear in the list to the right.
Click on the blue Done button.
If you now add a User to the Sales Group their access will be restricted to the Sales Organization’s data. When they sign on, that is all they will see.
Important Note: If a User is added to multiple groups, they will inherit ALL of the access permissions defined. To restrict access, you must ensure Users are assigned to the appropriate group(s).
When adding a Group to the Power User Group Type a different set of Permissions will be displayed (as will a much more restricted set if the Viewer Group Type is used). This is an example of the Power User permissions:
When adding Groups to the Power User group type great care must be taken to ensure the appropriate level of permissions are granted especially under the Administration and Super Administration sections.