Role Based Access and Restricting Data by Business Unit
Account Name - Frankston City Council
Region - APAC
Client Version - 24.2
Description of the issue: Customer would like to achieve role based access in the system and restrict specific set of users to not view any data such as Events, Documents, CRM record from different business units.
Use Case: Youth Services team should not be able to search and look up for events that are hosted by Arts & Culture Team. In a similar way, Arts & Culture Team should not be able to search for Events hosted by Youth Services Team.
Youth Services team does use registration module for workshop and programs that requires users to register and also submit sensitive/confidential documents during the process. As all the information is coming in Backoffice, the organization is considering this as a privacy breach where this cannot be restricted.
What you've already tried or suggested - I had done couple of calls with customer to understand their requirement where we have looked into setting access up with a different role altogether and using access management measures to some extent but not 100%. We (MT) also recommended a process review with consultant to further understand what type of access levels do they want to achieve which they weren't happy to pay for, as the process review didn't guarantee that it will help them with a confirmed solution.
Document Access Privilege does allow restriction by sensitivity but that doesn't restrict users to view a document if they had access to specific sensitivity level such as Confidential.
The other complexity around setting up restrictions is too complex, as there are lot of different areas where the event information can be accessed from such as Searching from Events Grid, Invoices, Calendar, CRM, etc. I'm considering if this is an approach we should be following or is it simply not achievable. The last solution I've stumbled is to create another organization in the system, but that may have its own quirks and may result in managing multiple database (which customer is not considering at the moment)
Business Impact: If role based access cannot be achieved in the system, customer is considering to use a different system where they can setup access levels but also restrict users with above use case.
Any insights on how should we be progressing this as customer is consider a decision whether Enterprise will be a right fit in this case or not? Thanks
@...
-
Himanshu - Take a look at the following - https://supportcenter.ungerboeck.com/hc/en-us/articles/204561778-AR-Security-Control-for-Accounts-and-Contacts
I would suggest discussing if this is the correct route with others before diving in all the way but it sounds like what they might be looking for.
-
Thanks Mike, the above works great where we could restrict CRM Info. In a case where account is shared between two units, i guess in that case it will not work. Any thoughts on how do we hide events not related to a specific unit. I have looked into access privilege - Allow Event Modification by Coordinator but users can still search it and see which account has booked certain events. Is there a way we could block off or limiting the search here?
-
Himanshu - I've seen some customers have an AR Control option for “shared” or they leave AR Control blank. This would address the case where an account is shared. AR Control still feels like the right play here as it sounds like the CRM data needs to be hidden as well.
If the event information is the only concern, I would look at “Allow Event Modification by Coordinator". Be sure to also go to Event Management Configuration off the Main Menu and make sure all the check boxes are set under the Access and Security subsection on the General tab. You could also look at the “Allow Event Modification by Event Account Rep / Salesperson” access privilege.
Please sign in to leave a comment.
Comments
3 comments
Date Votes