Almost every page in Connections can have its security customized. This can range from who can read the page to what they are allowed to do there as well. But with the ability to do mostly anything you want with granting or revoking access to pages and their modules, there can be a bit of a learning curve.
Note: Administrators have access to all areas of the application regardless of security settings. This includes organization and individual dialog pages.
Most pages in the application will have a security icon at the top of the menu on the right side of the page. This link will display the security settings for the current page and may have a separate tab for default security on items that can be created for the current page. Such as default project security for the department or for an individual the default security for a new individual metric.
Page Security will define the access to the page you opened the security settings from.
Default Security defines a security template that new pages/items will be created with. This does not change the existing security on any of the pages that have already been created.
Each security entry defines a role, user, or security group with each of the 5 security permissions for a specific security section. Every section should have an Everyone entry which applies to everyone in your organization.
Access Roles: There are 5 security roles for each entry. Each entry consists of a group or individual and an associated access role with optional create permissions.
- Reader: The user/group can read the page.
- Example: Giving Reader access to a department dialog to department members so that everyone in the department can see what went on during the meeting.
- Editor: Same as Reader but can also edit the page and anything on the page that doesn't have separate security.
- Example: This would be common for anyone who needs to interact with a page but does not manage access to the page such as a project Member.
- Full Access: Same permissions as editor, but has the ability to modify the page security and default security associated with the page.
- Example: Grant full access to a user/group when they need to modify permissions to a specific project/metric beyond the typical defaults.
- Denied: The user/group cannot read the page. This will override any permissions granting access to the page that may be from other groups or entries that apply to the specified user/group.
- Example: Add a Vendor security group to department dialog security with Deny access to prevent users in that group from viewing department dialogs even if their department role would otherwise allow it.
- Not Set: The user/group is neither granted nor revoked access from this entry.
- Example: Use this to not give the Everyone entry access to a dialog and allow only that Given Individual and their Reports To.
Create Security is separate from the regular page security roles listed above. On pages such as the organization, departments, projects, and individuals there are additional pages that can be created on each. In the example below, the Organization Leader can create Departments, Projects, Users and Metrics for the organization and the Organization Editor can create Metrics, Dialogs, and Commitments.
Note: The person who creates an item in Connections, such as a department, project, metric, or task will have implicit Full Access to that item even if it is not listed on the page's security settings.
Included Security Groups: These are the built-in security groups that you will mostly be using to configure access to pages in Connections.
- Everyone (Organization Member): includes absolutely everyone in the organization.
- Organization Editor: security group that is added to most pages and usually has close to full access.
- Organization Leader: a group that is added to most pages in Connections. The closest thing to being an administrator.
- Department Member: all people that are listed on the Individuals tab for a department.
- Department Editor: department members that have additional permissions to modify data on the department such as creating and editing project tasks/metrics/dialogs/commitments.
- Department Leader: department members with the ability to modify departmental security and promote others to Department Leader/Editor roles.
- Metric Owner: all people on the owner's list of the metric.
- Person Responsible: all people on the responsible list for the task
- Given Individual: the person whose page this is
- Reports To: the direct person(s) this individual reports to
- Reports To (and above): also includes management all the way up the reporting tree
- Project Roles (Sponsor/Leader/Member/Consultant): the four default roles for the project team. Each can be configured separately for each project.
- Specific User (ex: Dan Brown): security applies to only this person. Useful for special exception security
- Custom Security Group: a group created by your administrators that can be added to any page. The list of people that belong to these groups is managed on the security page for the organization under the Security Groups tab.
An individual in Connections may meet multiple criteria within a security section. In such a case the security will be combined through all roles that apply to the individual. The individual may be able to read the page via the Everyone settings and then have the ability to Update and Delete from the Department Editor security group. In the case of a Deny being set on one of the applicable entries for the individual, it would override any security set from the other roles, and that individual would not be able to access the page.
Below is the overall hierarchy for security in Connections. List items in bold have their own security pages. The rest of the list items inherit their permissions from the page they can be found on. For example, organization dialogs get their permissions from the Organization Dialog defaults section on the Default Security tab for the organization security page.
Note: Anything on the page that isn't listed on this security hierarchy, such as Related Links, is included in the page security for the page where it resides.
- Organization Metric
- Organization Dialog
- Organization Dialog Task
- Project Metric
- Project Task
- Project Dialog
- Project Dialog Task
- Core Values
- Department Metric
- Department Dialog
- Department Dialog Task
- Project Metric
- Project Task
- Project Dialog
- Project Dialog Task
- Individual Metric
- Personal Task
- Basic Role
- Basic Role Task
- Individual Dialog
- Individual Dialog Task
- Individual Commitment
- Personal Development Goal
- Individual Performance Report (The individual and people up the reporting tree from the individual can view this report)
At the top of the security hierarchy are the default settings for the whole organization. Your administrators can define at the site level what security is added to newly created Departments and Individuals by default. Anything not specifically mentioned on the list above such as Related Links is lumped in with the page itself and shares the same security as the overall page.
When security is changed for descendants/sub-pages, such as changing project metric security on the project page, the existing descendant's security is not changed. The update made for project metrics will define the default security settings for all metrics created afterward on that project. In order to pass these new settings to existing metrics the security settings would need to be propagated to those descendents.
(security propagation not implemented yet in the application interface) Since the organization dialogs do not have their own page you do not need to propagate the changes in order for them to take effect. This means that all bold security items in the list below will require propagation from the item above them to update existing security.
Another common goal is to give individual dialog access to the individual's manager. By default, this is the case that the Reports To role has access to read the Given Individual's dialogs.