Managing iMIS security settings

Related videos

Security configuration settings can be found in various areas throughout iMIS. Granting access or applying restrictions to certain users depends on what you are wanting to grant or restrict access to. This article goes over the many security options you can configure throughout iMIS.

Contact security settings

Some of the most important security configuration settings are the three Contact security queries found in the Staff site at Settings > Contact > Contact security.

These queries affect the Lucene Search indexing, but they also determine who can see who in iMIS. The queries here determine what contacts certain people have access to. For example, if you try to access the data for someone who you are not granted access to, most iMIS content items will hide, or not display for the unauthorized contact.

In addition, if you have the option Limit users who can view data for other contacts enabled on certain content items, then the content item will hide even when the contact views other contacts they have access to see via these queries. For more detailed information about these queries, see Contact security.

System Administrators and Staff users

The two main types of administrative users are system administrators (SysAdmin) and staff users. The differences between the two users are the following:

  • Staff have access to view contacts, events, dashboards and reports, and to do transactions on behalf of other contacts. They do not, by default, have access to RiSE or Campaigns, but can be granted these permissions. They can never have access to Security, Intelligent Query Architect (IQA), Business Object Designer (BOD), Process Automation, or system settings.
  • System administrators have all the permissions of staff, plus they also have access to RiSE and system settings. System administrators are super users with access to everything in the system, including the following:
    • Assign logon credentials and user type (Public, Casual, Full)
    • Add roles and groups
    • Assign access for staff users
    • Assign the System Administrator role to other users
    • Disable user accounts

Staff users can be granted access to Site Builder, Page Builder, Tagging, and Easy Edit by being added to Content Authority Groups (CAGs). Staff users can also be granted access to Campaigns by being added to the Campaign groups (Marketing > Campaigns > Settings > Security Groups).

Additional user security configuration can be accessed from Community > Security > Users. From here, system administrators can grant access to certain areas of content for different users. For more information about the various security levels that can be applied to individual users, see Module authorization levels.

Content Authority Groups

Content Authority Groups (CAGs) are extremely important. Creating CAGs help you control who has access to edit content within iMIS, and to what extent. For example, you can allow someone to edit content, but not delete content. They are a great way to let non-administrator users create content for your site.

Content authority groups contain several group roles that allow for different content permissions. Although you can add anyone in your iMIS database, including members, to a content authority group, you will want to be cautious when specifying members of the group. Adding the wrong person or designating the wrong role to someone can grant an user edit permissions that you generally wouldn’t want them to have.

For more information about how dynamic content authority groups are, see Defining content authority groups.

Access Settings

Access Settings give you a consistent way to apply security (grant permissions) to folders and objects throughout iMIS: entire websites, individual navigation items, content records, queries, business objects, and the wide array of objects that you can define, import, and store in the Document system.

Access Settings are immensely flexible: they let you tie an object’s permissions to iMIS security roles, security groups, specific users, member types, or your organization’s staff (licensed iMIS users). See Using Access Settings for more information.

Within Access Settings there are preconfigured security sets. Throughout iMIS, whenever you configure Access Settings, you see a drop-down list of available security settings that you can apply to individual folders and objects. These security sets offer you easier control and faster iMIS performance than defining custom ones. For more information, see Preconfigured security sets.

You also have the ability to grant access to specific groups, roles, and users. Although this feature is very powerful, we recommend using it sparingly because it can impact performance. For more information, see Custom security groups.

Product purchase groups

Products can be set up so that users are added to a group. This group can be used to grant access to particular content, such as downloadable and online products. The content that you grant access to can simply be a secure web page that only the purchaser should have access to, or it could contain a downloadable file. The security setting for only allowing a group to access a specific content record is found on the content record's Access Settings tab.

Granting specific access to a product is defined when creating or editing the individual product. These two security features can be combined so that when purchasers buy the product, they are granted access to the content record. See Granting access to secure website content and the associated video for more information.

Creating groups with IQA

Staff users can create groups based off of an IQA query. After query sources are defined, you can select the Group tab to define the group elements. This feature allows Staff users to create a group that automatically refreshes the query to determine the members of the group by the query results. By assigning members to this dynamic group, users can create a group, for example, that includes only active members of a certain member type. These groups can be used to grant access to items in iMIS using Access Settings. For more information, see Creating Groups with IQA.

Communities

Individual iMIS communities also have their own security settings. For example, you could secure a community to a certain group of people, you can control who has access to create wikis, and you can set administrators for a community. For more information, see Administering communities.

Company Administrator

The Company Administrator is a versatile role that allows company administrators to manage organizational specific tasks in a variety of ways. The Company Administrator for an organization can manage organization profile information, manage the roster, update account information for organization members, register members for events, and manage billing for the organization. They also have the ability to bill transactions to the organization. Note that this permission may also be granted to any organization they are a part of by changing the settings in Settings > Contacts > General.

A staff user can assign the Company Administrator role to a member, and they can assign the role to contacts that are not part of the organization. Contacts are able to be Company Administrator for more than one organization.

If you navigate to a member’s profile page and click the Participation tab, you’ll see the Organizations section. For people that are not Company Administrators, they will only see their primary organization, but for people that are Company Administrators for more than one company, they will see those companies listed here. See Managing organizations for more information.

Committee administrators

The Committee Administrator has the ability to add committee members (existing and new contacts), edit member type and term dates, assign the committee administrator role to a committee member, and update committee memberships through the website. See Managing committees for more information.

Chapter administrators

As a Staff user, you can assign the Chapter Administrator role to non-Staff members of your chapters. Chapter Administrators are able to assign or remove the Chapter Administrator role to other chapter members, pay dues on behalf of chapter members, as well as edit chapter member profile pages.

Chapter members will be able to access their chapters directly from the Member Quick Start Site. On the initial login page, chapter members will see a link to their chapters. Members can also access their chapters from the Participation tab on their profile page. See Managing chapters for more information.

Company, Committee, and Chapter administrators

This chart compares the responsibilities between the Company Administrator, Committee Administrator, and Chapter Administrator.

Company Administrators can perform actions on records linked to the company for which they are the administrator. Chapter Administrators can perform actions on records within a given chapter. The Chapter Administrator role requires a Group Admin PLUS license. For more information on these roles, see Managing iMIS security settings.

Note: System administrators (SysAdmins) have all the permissions of staff, plus they also have access to RiSE and system settings. System administrators are super users with access to everything in the system, including the following:
-Assign logon credentials and user type (Public, Casual, Full)
-Add roles and groups
-Assign access for staff users
-Assign the System Administrator role to other users
-Disable user accounts

  Company Administrator Committee Administrator Chapter Administrator
(fee-based)

 

Chapter Administrator
(non-fee based)

License required? No No Yes
(Requires Group Admin PLUS license)		 Yes
(Requires Group Admin PLUS license)
Can add contacts to the group? Yes
Company Administrators can add new contacts to the organization. 		Yes No Yes
Chapter Administrators can add new contacts to the organization.
Can edit contacts in the group? Yes No Yes Yes
Can edit the group? Yes
Company Administrators can edit the organization. 		No No Yes
Can add new roles? Yes Yes Yes
The Chapter Administrator can add the Chapter Administrator role only. 		Yes
The Chapter Administrator can add the Chapter Administrator role only.
Can edit roles? Yes
Company Administrators can edit two roles only: Member and Company Administrator.		 Yes
Committee Administrators can edit multiple roles (committee positions).		 No Yes
Can delete roles? Yes No Yes
The Chapter Administrator can delete the Chapter Administrator role only. 		Yes
Can assign the role to other members? Yes
Company Administrators can assign the Company Administrator role to other members within their company participant list. 		Yes Yes Yes
Can edit relationships on members' profile pages?

No

Administrators cannot edit Relationships on a member's personal profile page. Editing a relationship must be done by a Staff user or System Administrator.
Can select other queries or email? No
Only staff users can edit the queries. 		No
Only staff users can edit the queries. 		No
Only staff users can edit the queries. 		No
Only staff users can edit the queries.
Can pay invoices and membership renewals for members? Yes
Company Administrators can pay invoices and membership renewals for members. They can also join as a member On Behalf Of contacts in the company, and the invoice can be billed to the company. 		No Yes
Chapter Administrators can pay invoices and membership renewals for members. The invoice cannot be billed to the chapter. 		Yes
Chapter Administrators can pay invoices and membership renewals for members. The invoice cannot be billed to the chapter.
Can register members for events and bill registrations to the organization?

Yes

Company Administrators can only register members for events that are in their primary organization.

Company Administrators cannot see members from any other company for which they are also a Company Administrator.

 No No No