Security: Understanding who can do what in policyIQ

Are you expanding or considering expanding your use of policyIQ and wondering how to determine whether content is available and viewable by only the appropriate personnel? Your understanding of the three key influences on policyIQ Security will help you to make the appropriate adjustments to your pages and personnel.

Before we really dig into these influences on security, let’s revisit some policyIQ basics.

policyIQ has 5 Main Modules:

Home: Read-only access to published content and Forms which you are permitted to see (by local right or global permission).
Create And Edit: Generate new content, delegate content, update content or submit for publishing approval.
Approve: Review and Approve content, or send content back to Create And Edit for further development.
Reports: Find a needle in a haystack or perform broad analysis across the business by creating detail or summary reports with a wizard interface for online viewing, printing, and exporting.
Setup: Manage the layout of content, organization of content, user accounts and users’ Global Permissions among other system settings.

The three influences on accessing content in policyIQ are (drum roll, please):
1. The Stage of an item’s development; where it is in the workflow
2. The Local Rights granted at the object level in policyIQ
3. The Global Permissions or Role assigned to each user

Each of these influences is distinct and separate from the other influences, and each influences a user’s interaction with an object in policyIQ.  If an individual is having difficulty locating, editing, or accessing an object, please consider the following questions:

Is the stage of an object affecting my ability to perform an action?
An item could be in one of a number of stages of development including Checked Out To Me, Available For Check Out, or Awaiting My Approval.  Folders also have workflow including Draft (found only in Create And Edit or Setup) or Visible (found in Home).  The stage of development affects what actions can be performed on an object.

Here are some examples for consideration:

  • If I am navigating through Folders in the Home module, I will not see any content that has not yet been published.  In Home, I have read only access to published content.
  • If I am viewing a Page that is published and need to make changes, I first must choose to “unpublish” the Page and check it out to myself before I am able to edit the item.
  • If I am in the Home module, I will see only those Folders with a stage of Visible.  Draft Folders can be seen only in Create And Edit or Setup.

Do I have a Local Right to this object?
Examples of Local Rights include Administrator, Editor, Viewer, Indexer, etc.  If you do have a Local Right to an object, is it the correct Local Right to perform the action needed?  Local Rights provide the ability to perform different actions on an object, and you must have the correct rights to perform these actions.

Examples:

  • If I am an Editor on a Page, I do not have the ability to delegate the Page to another or to publish the Page—these capabilities are reserved for the Page Administrators.
  • It is not necessary to add the Page Administrators to the Viewers field on a Page—of course they have the right to see the Page if they have been granted the right to administer it.
  • If I make another user an Administrator of a Folder, he or she is then permitted to edit the properties (such as Name or Viewers) and to add sub-Folders under it.

Do I have a Global Permission that pertains to this object?
Global Permissions are combined to form Roles, and Advanced Users in policyIQ are each assigned a Role as a part of his/her profile.  If you cannot perform an action, consider whether you have permission, based on your assigned Role, to perform an action on the object.

More on Roles:
Default User: The default Standard User does not have any “permissions” enabled. The Standard User has read-only access to content, plus the ability to respond to Forms.

The other roles that are pre-set for any new policyIQ client are additive, meaning they build on one another. Each one can do what lower Roles can do, plus they have additional global capabilities.

Notice that the Default User is represented by the base or the broadest portion of the image below. This is to help visualize that the Reporting User has the same capabilities that the Default User has, plus more.

[Image: Roles Pyramid]

This image is also a good representation of how an organization may distribute users; the majority of your users may be Default Users (in other words, Standard Users), you’ll likely have a smaller number of Reporting Users, fewer Managers, even fewer Project Managers or Group Administrators, and only a very small number of Site Administrators. Read on for more detailed descriptions of the pre-set policyIQ Roles:

Reporting User: So, the Reporting User has read-only access to content and the ability to respond to Forms as the Default User has, PLUS, a user with this Role can access and add Reports in the Reports Module.

Manager: Building on the Reporting User, the Manager can Add Content—this is the lowest Role that has the permission to Add Content and, therefore, to access content that is in development within the Create And Edit module. A user with the Manager role can also Add Form Templates and Form Lists.

Group Administrator: The Group Administrator builds on the Manager—not on the Project Manager. In addition to what the Manager can do, a user with this Role can Add Users.

Project Manager: Building on the Manager, a user with this Role also has the permission to view and take over the administration of any content in the site. The Project Manager Role also allows a user to view and index to any Folder as well as to Administer any Form Template and any Form List.

Site Administrator: A user with this Role has all permissions enabled. In addition to all of the permissions discussed in lower Roles, the Site Administrator can administer all Setup items.
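As an added illustration (not policyIQ's own code, and not how the product implements its checks), the Python model below combines the three influences from this post, stage, Local Rights and Role, into yes/no decisions for the Page examples given above. The Role ranks, the Page fields and the per-module Role thresholds are assumptions drawn from the post's wording; Setup, where Group Administrators and Site Administrators differ item by item, is left out.

```python
# Toy model of the three access influences described in the post: stage,
# Local Rights and Global Role. Names and rules are assumptions taken from
# the post's wording, not from policyIQ itself.
from dataclasses import dataclass, field

# Additive pre-set Roles, lowest to highest. Group Administrator and Project
# Manager both build on Manager rather than on each other, so they tie.
ROLE_RANK = {"Default User": 0, "Reporting User": 1, "Manager": 2,
             "Group Administrator": 3, "Project Manager": 3,
             "Site Administrator": 4}

# Lowest Role needed to work in each module (Home is open to every user).
MODULE_MIN_ROLE = {"Home": "Default User", "Reports": "Reporting User",
                   "Create And Edit": "Manager"}

@dataclass
class Page:
    stage: str                 # "Published", "Checked Out", "Available For Check Out", ...
    checked_out_to: str = ""   # user holding the check-out, if any
    admins: set = field(default_factory=set)    # Local Right: Administrator
    editors: set = field(default_factory=set)   # Local Right: Editor
    viewers: set = field(default_factory=set)   # Local Right: Viewer

def can_access_module(role, module):
    return ROLE_RANK[role] >= ROLE_RANK[MODULE_MIN_ROLE[module]]

def sees_any_content(role):
    # Project Managers and Site Administrators may view any content in the site.
    return ROLE_RANK[role] >= ROLE_RANK["Project Manager"]

def can_view_in_home(user, role, page):
    # Home shows published content only. Administrators and Editors need no
    # entry in the Viewers field to see a Page they already hold rights on.
    if page.stage != "Published":
        return False
    return (user in page.viewers | page.editors | page.admins
            or sees_any_content(role))

def can_edit(user, role, page):
    # Editing happens in Create And Edit (Manager or above), needs an Editor or
    # Administrator Local Right, and the Page must be checked out to me first.
    if not can_access_module(role, "Create And Edit"):
        return False
    if user not in page.editors | page.admins:
        return False
    return page.stage == "Checked Out" and page.checked_out_to == user

def can_publish_or_delegate(user, role, page):
    # Reserved for Page Administrators; an Editor alone cannot do this.
    return can_access_module(role, "Create And Edit") and user in page.admins
```

The decisions are independent layers: a published Page that a user can read in Home still fails can_edit until it is unpublished and checked out to that user, and a Manager who is only an Editor fails can_publish_or_delegate regardless of stage.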

Expanding to more users or using policyIQ for a new purpose?
If you are considering expansion, you may need to make adjustments related to the three influences described above. Stay tuned to the policyIQ blog; later this week, we will provide some best practices and steps to take when expanding your policyIQ site.

If you have any questions about security or making the best decisions as you consider expansion, please contact us for assistance—we’d be glad to schedule a free planning or working meeting with you.

This entry was posted in Features by Stephenie Buehrle. Bookmark the permalink.

About Stephenie Buehrle

Stephenie is the “solutions” expert on the policyIQ team. With RGP since 2004, she designs and develops solutions that capitalize on the best practices of the hundreds of companies that she has touched, while tailoring each configuration to meet the unique needs of each client. Before joining RGP and the policyIQ team, Stephenie enjoyed working as an independent consultant in the non-profit sector. Stephenie also previously performed analyst services for a major brewer ranging from roles in biological and chemical services to analytical roles in business process improvement and innovation. Stephenie quips that she still doesn’t know what she wants to be when she grows up, but hopes to spend her days helping others (companies, individuals, and communities) to realize their full potential.
