As more apps move to the cloud, IT security remains a hot topic when it comes to business systems. Having rock-solid security practices is important at the least, and even lawfully required for many businesses. Securing your business software is one integral part of creating a strong IT security strategy. Every administrator should strive to set up a strong security policy when it comes to accessing and modifying business data in their CRM, ERP, Financials, or any other business applications. When it comes to security for these systems as a whole, you can break it down into protecting against:
Internal Threats – Having data improperly accessed, exported, or deleted by a user of the system, such as a disgruntled employee deleting all of the business data. We’ll talk about how to prevent these problems in this article.
External Threats – These are threats related to outside parties like hackers, who may attempt to compromise the system or business data. These threats are mitigated by strong IT policies and systems administration, which Apptivo takes care of for you. Click here to learn more about how Apptivo addresses security as a whole.
Defining a Cloud Security Strategy
As mentioned above, there is much more your IT security strategy than just limiting access inside of your business software, but you’ll still want to start with an overall approach to access control.
What is access control?
Access control allows administrators to define what data a user can view/update, and what actions they can perform in the system. In Apptivo, access control is defined by creating security roles in the Employees App.
What types of access control can be implemented?
When starting to think about your approach to security, you can break your thoughts down into a quite few different areas that are under your control. In Apptivo the primary way to control security is by creating roles & privileges (covered below); but there are also two special settings which can be configured on their own:
- Data-Level Access
Data level access is an additional layer of security over access roles. Enabling this setting will restrict access to the individual object, based on whether all users are assigned to that object, or whether they manage a particular person assigned to that object. For example, an organization might have a sales organization with 2 teams of 5 people, each managed by a sales manager, and all lead by a sales director.
This feature enables the sales director to view all records, each sales manager could view their own and their team’s records, and each sales rep could view only their own records. This feature can be turned on or off within each app that supports it individually.
- Collaboration Security
While data level access controls access to specific records in each of the apps (leads, contacts, cases, etc), collaboration security is the similar concept but applied to the common apps. Collaboration security determines how emails, calendar events, and tasks are shared among employees.
This allows you to keep these objects private to the user and administrators or can be turned into “collaboration mode” which will share these records between users.
- Report & Action-Level Security
Nearly every button, link, report, or action within the system can be restricted to a set of individuals. This is controlled using the same security privileges identified above, but allows businesses to create their own custom privileges, then restrict actions to those users who have such privileges.
Here are some of the most common action-level security restrictions a business might use:
Restrict export capabilities
Restrict permanent deletion of data
Restrict access to reports
Restrict creation of records in certain apps
Restrict the ability to perform bulk data changes
- Field-Level Security
While data-level access controls which record a user might be able to view/edit, they still might not have complete access to every field on that record. Apptivo allows administrators to restrict every field individually using security privileges. An administrator can choose which privilege is required to view a field, edit a field, or submit a value for a field during creation only.
- Search Security
Action-level security can completely remove the ability for a user to run a search, but some companies might have specific limitations required to control the risk of their data being harvested by a malicious employee. Each field can individually be controlled, and an administrator will choose which types of users are allowed to run a search using that field.
While these two features work independent of the role based access control, everything else is controlled by limiting access to features by selecting a security privilege. Here are examples of what privileges can control:
- Basic access to apps & records
- Access to specific fields on records (field-level security)
- Ability to search data & produce reports
- Deletion of data (trash bin, and permanent delete)
- Bulk exports of data
- Access to specific features (call logs, documents, calendar, etc)
- Access to specific actions (print PDFs, duplicate, record payments, etc)
Many smaller organizations will choose to pursue an open environment, where all users gain full access to most of the system. But, typically the larger your organization, the more granular & restrictive your access control needs to be. Your first step is to think about the different users/teams who will be using the system, and thinking about what they need to do. Next, consider any special government regulations or corporate policies which need to be implemented, and then you can work on your list of roles. In the next sections we’ll dive into what a “security role” is in Apptivo, and how to go about configuring them.
Creating a Secure ERP System With Apptivo
Now that we’ve talked about security & access control in general, let’s dive into how to implement your access control in Apptivo.
What is a security role?
A security role is a “profile” that contains a list of specific actions, or privileges that a user can perform. These roles can then be assigned to employees, allowing admins to set up the same level of access for similar employees. One employee can have one or many roles.
What is a security privilege?
A privilege is a single specific action that can be performed, and is specific to one app. For example one basic privilege is “View Contacts”. This privilege allows a user to search & view the details of any contact, but not create, update, or perform any other action. There are a basic set of privileges in each app: Access (Add from App Store), View (read-only), Manage (create/update). Additionally, you can create custom privileges in each app, which come into effect when limiting access to features, fields, and special actions. We’ll cover these in detail below.
Where do I configure security roles & privileges for my users?
You’ll perform all of the configuration of your roles & privileges in the Employees App settings area, then assign these roles directly to employees in the same app. There are a series of default security roles & privileges available in each app when you sign up, but you can disable/customize these at any time in the settings area.
Click here for details on how to assign security roles to employees.
Defining your overall approach to security
Now that we’ve covered what options are available in Apptivo, how do you start thinking about which feature to leverage for your business? In many cases you might already know, but if not here are the most common questions to ask yourself to implement the basics:
- Should all users have access to all apps?
If so, you can assign all users the Super User role. Otherwise, you’ll need to have roles that grant access to specific apps.
- Should users see all data in each app?
For example, should two sales people be able to view and update each others’ leads? If not, you’ll need to enable data-level access in some apps.
- Should users see/edit all fields in each app?
If you need to make some fields read-only or invisible to some users, you’ll need to create custom privileges and use field-level security.
- Do you want to use all of the features enabled in each app?
Many times you have features that aren’t relevant to some or all users. You can either disable them, or create a custom security privilege to restrict access.
Walking through some examples
In the next part of this blog post, we’ll cover an example of how to use each individual security feature available. Here is a complete list of security options available in Apptivo, and we’ll cover all of them! Stay tuned.