This is part one of a two-part blog on role based access control.
As more apps move to the cloud, IT security remains a hot topic when it comes to business systems. Having rock-solid security practices is important at a minimum, and legally required for many businesses. Securing your business software is one integral part of creating a strong IT security strategy. Every administrator should strive to set up a strong security policy when it comes to accessing and modifying business data in their CRM, ERP, Financials, or any other business applications. When it comes to security for these systems as a whole, you can break it down into protecting against:
Internal Threats – Having data improperly accessed, exported, or deleted by a user of the system, such as a disgruntled employee deleting all of the business data. We’ll talk about how to prevent these problems in this article.
External Threats – These are threats related to outside parties like hackers, who may attempt to compromise the system or business data. These threats are mitigated by strong IT policies and systems administration, which Apptivo takes care of for you. Click here to learn more about how Apptivo addresses security as a whole.
Defining a Cloud Security Strategy
As mentioned above, there is much more to your IT security strategy than just limiting access inside of your business software, but you’ll still want to start with an overall approach to access control.
What is access control?
Access control allows administrators to define what data a user can view/update, and what actions they can perform in the system. In Apptivo, access control is defined by creating security roles in the Employees App.
What types of access control can be implemented?
When starting to think about your approach to security, you can break your thoughts down into quite a few different areas that are under your control. In Apptivo the primary way to control security is by creating roles & privileges (covered below); but there are also two special settings which can be configured on their own:
- Collaboration Security – Sharing email, calendar, and other data between employees
- Data-Level Access – Access to specific records based on assignment
While these two features work independently of the role based access control, everything else is controlled by limiting access to features by selecting a security privilege. Here are examples of what privileges can control:
- Basic access to apps & records
- Access to specific fields on records (field-level security)
- Ability to search data & produce reports
- Deletion of data (trash bin, and permanent delete)
- Bulk exports of data
- Access to specific features (call logs, documents, calendar, etc)
- Access to specific actions (print PDFs, duplicate, record payments, etc)
Many smaller organizations will choose to pursue an open environment, where all users gain full access to most of the system. But, typically the larger your organization, the more granular & restrictive your access control needs to be. Your first step is to think about the different users/teams who will be using the system, and what they need to do. Next, consider any special government regulations or corporate policies which need to be implemented, and then you can work on your list of roles. In the next sections we’ll dive into what a “security role” is in Apptivo, and how to go about configuring them.
Creating a Secure ERP System With Apptivo
Now that we’ve talked about security & access control in general, let’s dive into how to implement your access control in Apptivo.
What is a security role?
A security role is a “profile” that contains a list of specific actions, or privileges, that a user can perform. These roles can then be assigned to employees, allowing admins to set up the same level of access for similar employees. One employee can have one or many roles.
What is a security privilege?
A privilege is a single specific action that can be performed, and is specific to one app. For example, one basic privilege is “View Contacts”. This privilege allows a user to search & view the details of any contact, but not create, update, or perform any other action. There is a basic set of privileges in each app: Access (Add from App Store), View (read-only), Manage (create/update). Additionally, you can create custom privileges in each app, which come into effect when limiting access to features, fields, and special actions. We’ll cover these in detail below.
Where do I configure security roles & privileges for my users?
You’ll perform all of the configuration of your roles & privileges in the Employees App settings area, then assign these roles directly to employees in the same app. There are a series of default security roles & privileges available in each app when you sign up, but you can disable/customize these at any time in the settings area.
Click here for details on how to assign security roles to employees.
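To make the role/privilege model above concrete, here is an added Python sketch (not Apptivo's code) of the same scheme: privileges are scoped to one app, a role is a bundle of privileges plus an optional field-level grant, an employee may hold several roles, and every check denies by default. The role names, apps, employees and record fields are constructed for illustration.

```python
# Added example (not Apptivo's code): a minimal model of app-scoped privileges,
# roles built from them, and employees holding one or many roles.
from dataclasses import dataclass, field

Privilege = tuple[str, str]          # (app, action), e.g. ("Contacts", "View")
BASIC_ACTIONS = ("Access", "View", "Manage")   # the basic set in every app

def app_privileges(app: str, *actions: str) -> set[Privilege]:
    return {(app, a) for a in actions}

@dataclass
class Role:
    name: str
    privileges: set[Privilege]
    # custom field-level privilege: record fields of an app this role may see
    visible_fields: dict[str, set[str]] = field(default_factory=dict)

@dataclass
class Employee:
    name: str
    roles: list[Role]                # one employee may hold many roles

def has_privilege(emp: Employee, app: str, action: str) -> bool:
    """Deny by default; the privilege held in any one role is enough."""
    return any((app, action) in r.privileges for r in emp.roles)

def visible_record(emp: Employee, app: str, record: dict) -> dict:
    """Field-level security: View is required, then fields are the union of grants."""
    if not has_privilege(emp, app, "View"):
        return {}
    allowed: set[str] = set()
    for r in emp.roles:
        allowed |= r.visible_fields.get(app, set())
    return {k: v for k, v in record.items() if k in allowed}

# Constructed sample roles and employees
SALES_REP = Role("Sales Rep",
                 app_privileges("Contacts", *BASIC_ACTIONS) | app_privileges("Leads", *BASIC_ACTIONS),
                 {"Contacts": {"name", "email", "phone"}})
FINANCE = Role("Finance",
               app_privileges("Invoices", *BASIC_ACTIONS) | app_privileges("Contacts", "Access", "View"),
               {"Contacts": {"name", "billing_address"}})

ALICE = Employee("alice", [SALES_REP])            # a single role
BOB = Employee("bob", [SALES_REP, FINANCE])       # two roles, privileges are unioned
CONTACT = {"name": "Acme Ltd", "email": "info@example.com", "phone": "555-0100",
           "billing_address": "1 Main St", "credit_limit": 5000}
```

Because Bob holds both roles, he can Manage Invoices and sees the union of the two roles' Contact fields, while the ungranted credit_limit field stays hidden from everyone.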
Defining your overall approach to security
Now that we’ve covered what options are available in Apptivo, how do you start thinking about which feature to leverage for your business? In many cases you might already know, but if not here are the most common questions to ask yourself to implement the basics:
- Should all users have access to all apps?
If so, you can assign all users the Super User role. Otherwise, you’ll need to have roles that grant access to specific apps.
- Should users see all data in each app?
For example, should two sales people be able to view and update each others’ leads? If not, you’ll need to enable data-level access in some apps.
- Should users see/edit all fields in each app?
If you need to make some fields read-only or invisible to some users, you’ll need to create custom privileges and use field-level security.
- Do you want to use all of the features enabled in each app?
Many times you have features that aren’t relevant to some or all users. You can either disable them, or create a custom security privilege to restrict access.
Walking through some examples
In the next part of this blog post, we’ll cover an example of how to use each individual security feature available. Here is a complete list of security options available in Apptivo, and we’ll cover all of them! Stay tuned.
- Collaboration Security
- Data-Level Access
- Collaboration Feature Control
- Report Access Restriction
- Left Panel View Control
- Field-Level Security
- Action-Level Security
- Search Security