How to Limit Access to Users in System
Accessing Users #
Navigate to Setup by selecting the spanner at the bottom left.
Select Users.
Select the user you want to add a role and division to.
Role Explanation #
The below image describes the basic principle of how Roles work within the system.
(Note: Where it says Module, replace that with the relevant module name. E.g. for the Controls module, Module General Viewer = Control General Viewer)
General Role Use Cases:
module_admin – Has admin privileges (complete access) to all items within that module alone.
module_manager – Can manage records within the module but not items like drop-down lists or items in stubs.
module_record_owner – A user who has ownable permissions over a record in the module (usually something that they created).
module_record_owner_admin – A user who has ownable Admin permissions over a record in the module (they can delete their owned records).
module_action_assignee – The user can have actions assigned to them, typically regarding Reviews.
module_general_viewer – General Read Only access to a module.
Divisional Role Use Cases:
module_div_admin – Has complete access to all records only within the user’s division and its subsidiary divisions within the module.
module_div_manager – Can see and manage records within the user’s division and its subsidiary divisions but cannot delete items.
module_div_viewer – Divisional and subsidiary divisional Read Only access to a module.
Assigning a Role #
Select which Role to assign to the User.
At least one User Role is required.
(Critical Note: Only assign ONE role per module to a user. Assigning multiple roles for the same module to the same user will cause problems.)
If you’d like to divisionally restrict data, you MUST assign a Divisional (div) Role.
Role Example (1) #
In the below example, the User would have:
Module Specific Admin Permissions
(Read Module Records, Edit Module Records, Delete Module Records, Query (Reports) Module Records)
For the following Modules: Risk and Controls.
Role Example (2) #
In the below example, the User would have:
Risk Divisional Manager Permissions and Audit Manager Permissions
Risk: (Create Divisional Records, Read Divisional Records, Edit Divisional Records, Query (Reports) Divisional Records)
Audit: (Create Records, Read Records, Edit Records, Query (Reports) Records)
For the following Modules: Risk and Audit
(Please Note, This user would be bound by Division ONLY for Risk, as the Audit Role is Non-Divisional)
Role Example (3) #
In the below example, the User would have:
Action Assignee Permissions
(Read Assigned Records, Edit Assigned Records, Query (Reports) Assigned Records)
For the following Modules: Risk, Audit and Controls.
Role Example (4) #
In the below example, the User would have:
Full System Admin
(Ability to do everything, Including Edit the System Itself)
For the following Modules: All Installed Modules
Beware of Role Collisions #
In the below example, giving the same user both the Risk Admin and Risk Action Assignee roles causes a Role Collision.
The Risk Admin role has higher permissions than the Assignee role, so directly adding the Assignee role restricts the Risk Admin in the same way an Action Assignee is restricted.
It is highly advised to assign ONE role per Module to each User.
Assigning a Division #
Select which Division to assign to the User.
At least one Division is required.
Ensure you only assign the highest level division that a user requires.
If they sit in an entire department, set them as that department, not each team within it.
(Critical Note: Divisional Record Restriction ONLY works with a Divisional Role also assigned to the User)
Division Example (1) #
In the below example, the User would have:
Divisional Risk, Audit and Control Admin
They’d have Divisional Access to Symbiant (And all Subsidiaries)
(Note: As Symbiant is the Root division you’d have Divisional Access to everything in and under Symbiant)
Division Example (1.1) #
In the below example, the User would have:
Divisional Risk, Audit and Control Admin
They’d have Divisional Access to Symbiant/UK/Sales (And all Subsidiaries)
(Note: As Sales is a Subsidiary you’d only have Divisional Access to everything in and under Sales)
(Critical Note: You can’t access anything higher than your assigned division (Only in and under))
Division Example (1.2) #
In the below example, the User would have:
Divisional Risk, Audit and Control Admin
They’d have Divisional Access to Symbiant/UK/Sales/Team A (And all Subsidiaries)
(Note: As Team A is a Subsidiary you’d only have Divisional Access to everything in and under Team A)
(Critical Note: You can’t access anything higher than your assigned division (Only in and under))
Division Example (2) #
In the below example, the User would have:
Divisional Risk, Audit and Control Viewer (A Read Only Role)
They’d have Divisional Access to Symbiant/UK/Sales/Team A (And all Subsidiaries)
As well as Divisional Access to Symbiant/US/Sales (And all Subsidiaries)
(Note: Users can be within multiple Divisions, across Subsidiary and even Root Divisions)
Division Example (3) #
In the below example, the User would have:
Divisional Risk Manager
They’d have Divisional Access to Symbiant/UK (And all Subsidiaries)
As well as Divisional Access to Symbiant/US (And all Subsidiaries)
(Note: Users can be within multiple Divisions, across Subsidiary and even Root Divisions)
Division Example (4) #
In the below example, the User would have:
Divisional Risk Admin
They’d have Divisional Access to Symbiant/UK/Sales/Team A (And all Subsidiaries)
They’d have Divisional Access to Symbiant/UK/Sales/Team B (And all Subsidiaries)
(Note: The user has been assigned all subsidiary divisions of Sales, yet they still won’t see anything in Sales as it’s still higher!)
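The role and division rules above can be checked against an export of user assignments. The following is an added example, not Symbiant code: it flags more than one role per module, modules whose role is not divisional, and divisions already covered by a higher assigned division, and it models the "in and under" rule. It assumes roles are written as <module>_<suffix> (e.g. risk_div_manager) and divisions as slash-separated paths; the function names are hypothetical.

```python
# Added illustration of the rules on this page; not Symbiant code.
# Assumption: roles are written <module>_<suffix>, e.g. "risk_div_manager".
ROLE_SUFFIXES = (
    "record_owner_admin", "record_owner", "action_assignee", "general_viewer",
    "div_admin", "div_manager", "div_viewer", "admin", "manager",
)

def split_role(role):
    """Split 'risk_div_admin' into ('risk', 'div_admin'); longest suffix wins."""
    for suffix in sorted(ROLE_SUFFIXES, key=len, reverse=True):
        if role.endswith("_" + suffix):
            return role[: -len(suffix) - 1], suffix
    raise ValueError(f"unrecognised role name: {role}")

def in_scope(assigned, record_division):
    """True if the record's division is in or under an assigned division."""
    rec = record_division.split("/")
    # Compare whole path segments so "Sales" never matches "SalesOps".
    return any(rec[: len(a.split("/"))] == a.split("/") for a in assigned)

def audit_user(roles, divisions):
    """Return findings for one user's role and division assignments."""
    findings, by_module = [], {}
    for role in roles:
        module, suffix = split_role(role)
        by_module.setdefault(module, []).append(suffix)
    for module, suffixes in sorted(by_module.items()):
        if len(suffixes) > 1:  # more than one role for the same module
            findings.append(f"collision: {module} has {len(suffixes)} roles")
        if not any(s.startswith("div_") for s in suffixes):
            findings.append(f"not division-bound: {module}")
    for d in divisions:  # only the highest-level division should be assigned
        if in_scope([o for o in divisions if o != d], d):
            findings.append(f"redundant division: {d}")
    return findings

if __name__ == "__main__":
    # Constructed sample assignments, modelled on the examples above.
    users = {
        "collision": (["risk_admin", "risk_action_assignee"], ["Symbiant"]),
        "mixed": (["risk_div_manager", "audit_manager"], ["Symbiant/UK"]),
        "teams": (["risk_div_admin"],
                  ["Symbiant/UK/Sales/Team A", "Symbiant/UK/Sales/Team B"]),
    }
    for name, (roles, divisions) in users.items():
        print(name, audit_user(roles, divisions))
        print("  sees Symbiant/UK/Sales:", in_scope(divisions, "Symbiant/UK/Sales"))
```

A "not division-bound" finding is informational: it marks modules where the assigned divisions do not restrict what the user sees, as with the Audit role in Role Example (2).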
Saving a User’s Roles and Divisions #
Once you have completed assigning roles and a division, save at the top right.