Access Profiles

From AgileApps Support Wiki
Revision as of 12:20, 13 August 2020 by imported>Aeric

GearIcon.png > Administration > Access Management > Access Profiles

An Access Profile specifies a collection of permissions that can be applied to multiple users.

About Access Profiles

Each User is assigned an access profile, which can be shared by other users.

An Access Profile specifies:

  • The network locations (IP addresses) from which it is possible to login
  • Global record-access permissions that apply to all objects, in all applications
  • The global record-access permissions are view, create, update, and delete.
  • They apply to those objects the user is allowed to see, by virtue of their Role in the application.
  • Administrative permissions
  • If checked, the user is granted all administrative permissions
  • If unchecked, a list of administrative permissions is displayed. Permissions can then be individually selected.

The default access profiles are:

  • Administrator - Provides the permissions needed by the Sys Admin
  • Regular User - Provides permissions that are more appropriate for normal users

The initial system user is assigned the Administrator profile, making them a Sys Admin. By default, the Sys Admin can change the Administrative Permissions associated with each Access Profile, and can add additional Access Profiles, as needed.

Global Access Permissions, Applications, and Roles

When users are granted any of the global access permissions, they automatically have access to all installed applications (and all objects they contain)--whether or not Application Access was explicitly granted.

But the records they see can still be restricted by Role (unless they have been granted the Global View permission.

When a user is explicitly granted Application Access, the Role(s) they can assume are assigned by the administrator. The Role, in turn, determines which records are visible to the user.

On the other hand, if Application Access is not explicitly granted, then the user has no Role in the application:

  • If granted the Global View permission, the user can see all records in the application, in all objects, because there are no Role-based restrictions.
  • If granted any of the other Global permissions (but not Global View), they can run any application, and work with any object, but they won't be able to see any records (even if they created the records themselves).

Thumbsup.gif

Best Practice:
Reserve global permissions for administrators.

Working with Access Profiles

Lock-tiny.gif

Users that have the Access Control permission can modify Access Profiles. 

Create an Access Profile

  1. Go to GearIcon.png > Administration > Access Management > Access Profiles
  2. Click New Access Profile.
  3. Fill in the Access Profile InformationAccess Profile Information.
  4. Click [Save]

Edit an Access Profile

  1. Go to GearIcon.png > Administration > Access Management > Access Profiles
  2. Click [New Profile] or select an existing profile
  3. Fill in the Access Profile Settings below
  4. Click [Save]

Create an Empty Profile for Fine-Grained Record Access Control

The privileges granted in Roles and Access Profiles are additive. If either the Access Profile or the Role grants permission to perform some operation on an object, then the user has that permission.

To ensure that users have only those permissions specified in the Role, create a completely empty Access Profile. When a user is assigned that Access Role, then the privileges available to them are completely defined by their Role.

Create a Developer Profile

Application designers and developers will need a profile that lets them do some administrative activities, customize application components, and do advanced coding. Using the Regular User profile as a base, consider adding the following selections for application designers and developers:

  • Global Permissions - View, Create, Update, and Delete records
  • Access Control/User Management - To create test users
  • Create/Delete Views/Reports/Homepages
  • Make Views/Reports Visible to Others
  • Manage Global Views/Reports
  • Print using Views and Reports
  • Import and Export Data
  • Customize Objects
  • Manage Applications
  • Manage Packages
  • Manage Translation Workbench
  • Manage Develop Features
  • Manage Debug Log

Access Profile Settings

Access Profile Information

Give the Profile a name, and a general description. (You reference the profile by name when assigning it to a user.)

Login IP Address Restrictions

For extra security, enter ranges of IP addresses from which users are allowed to access the platform. If a user attempts to login from a computer on a network outside of the specified range, access to the platform is denied.

Lock-tiny.gif

Users that have the Access Control permission can specify the range of IP addresses from which user logins are allowed. 
To configure an IP address range
  1. Click GearIcon.png > Administration > Access Management > Access Profiles
  2. Select the Access Profile of interest, or create a new one
  3. Enter an IP address range in the text area, following these guidelines:
    • A maximum of 25 IP address ranges can be specified
    • Enter one range per row in the text area
    • Add, Modify and Delete the entries, as needed
    • Accepted format is xxx.xxx.xxx.xxx - yyy.yyy.yyy.yyy, where:
      • xxx and yyy are numbers in the range 0-255
      • xxx.xxx.xxx.xxx is less than or equal to yyy.yyy.yyy.yyy
    • To specify a single IP address, use the same IP address for the start and endpoint of the range: 192.168.1.10 - 192.168.1.10
How it works
  • When a user attempts to log in, the IP address of the system the request originated from is checked against the configured settings. If the address is in the allowed range, the user can continue the login process. Otherwise, login is denied.
  • Access violations are recorded in the audit log, identifying both the user and the IP address from which the login attempt originated
  • Login restrictions apply to all user logins - using a web browser, Email Edition, mobile access, or REST APIs.
  • The restrictions do not apply to Customer Support logins.

Global Permissions

Specify the operations a user can perform on all objects that an application Role gives them access to:

  • View Records
  • Create Records
  • Update Records
  • Delete Records
Learn more: Access Profiles#Global Access Permissions, Applications, and Roles

Administrative Permissions

Administrative Permissions are assigned in an Access Profile. They allow a user to customize selected aspects of the platform. (Data Access Permissions, in contrast, determine what objects, records, and fields a user can see by virtue of their role and team memberships.)

Thumbsup.gif

Tip: Users given Administrative Permissions should have the following skills:

  • Familiarity with the platform and your organization's business processes
  • Good understanding of the Application Design Guide
  • Excellent understanding of the area(s) they will be modifying
User and Ownership Controls
User Management - Create and manage users and teams
Access Control - Manage roles and password policies
Change Ownership of my Team's Records
Manage Personal Setup
Reporting Controls
Create/Delete Views/Reports/Homepages
Export Views and Reports
Make Views/Reports Visible to Others
Manage Global Views/Reports
Print using Views and Reports
Data Management Controls
Access Mass Data Operations
Import and Export Data
Manage Audit Log
Manage Recycle Bin
Application Controls
Customize Objects
Manage Applications - Add/Update/Delete platform applications
Manage Packages
Manage Translation Workbench
Development Controls
Use Development Features - Work with classes, pages, sites, and other development features
Manage Debug Log
Manage Sandboxes (Only appears if sandboxes are enabled)
Account Controls
Manage Tenants and Company Capabilities
Proxy Login Access
Proxy Login Configuration
Customer Support Login
Support Cases - View and modify support cases filed by others