User-level security: Roles and Groups

Together, security roles and security groups let you control access to the ASP.NET-based features of iMIS; in contrast, older features of iMIS are secured using authorization levels (see Authorization levels: Desktop views). Security role and group assignments are defined in user records.

Security roles grant specific administrative privileges to user records. For example, one security role might let you use and edit an iMIS definition object in the Document System, while another role might let you use that object but not edit (or even see) its properties.
Security groups control which iMIS features group members see and which capabilities within each feature they can use.

Note: User-level security is separate from object-level security (see Preconfigured security sets), which restricts objects (folders, queries, reports) in the Document System.

Roles: SysAdmin

The default SysAdmin role grants privileges much like those of the MANAGER user record. Only a Full user can be a SysAdmin. Each SysAdmin can:

Edit user records, including logon names (unless that privilege is disabled in the web.config file for iMIS)
Use System Setup
Use Tools (if licensed)
Administer Issues (if licensed)
- Start e-mail server
- Set up module

Groups

The following table describes the security groups that affect user privileges.

Group	Description	iMIS Feature
CampaignAdmin	Enables full-control access to the Campaign functionality and its objects	Marketing
CampaignMgr	Enables read/add/edit/delete access to the Campaign functionality, and read/edit access to its objects	Marketing
CampaignUser	Enables read-only access to the Campaign functionality and its objects	Marketing
Certification Admin	Enables full-control access to the Certification functionality and its objects	Certification
Certification Manager	Enables read/add/edit/delete access to the Certification functionality, and read/edit access to its objects	Certification
Certification User	Enables read-only access to the Certification functionality and its objects	Certification
EventUser	Controls security for IQA integration	Events
FRUser	Controls security for IQA integration	Fundraising
OpportunityAdmin	Enables full-control access to Process Manager and its objects	Process Manager
OpportunityCreator	In Process Manager, enables add privileges for projects, and read/edit/delete access to created projects, but read-only access to projects created by others	Process Manager
OpportunityMgr	Enables read/add/edit/delete access to Process Manager, and read/edit access to its objects	Process Manager
OpportunityOwners	Enables addition to a project's Owner or Contact group	Process Manager
OpportunityUser	Enables read-only access to Process Manager and its objects	Process Manager
OrderUser	Controls security for IQA integration	Orders
Reporting	Enables access to IQA query links	IQA
RFMAdmin	Enables full-control access to the RFM application and its objects	Marketing
RFMMgr	Enables read/add/edit/delete access to the RFM application, and read/edit access to its objects	Marketing
RFMUser	Enables read-only access to the RFM functionality and its objects	Marketing
SegAdmin	Enables full-control access to the Segmentation functionality and its objects	Marketing
SegMgr	Enables read/add/edit/delete access to the Segmentation functionality, and read/edit access to its objects	Marketing
SegUser	Enables read-only access to the Segmentation functionality and its objects	Marketing

Group membership controls web access

Group membership determines whether a user sees Marketing and/or Process Manager from a web client.

To grant access to Marketing, place users in one of these groups:
- CampaignAdmin
- CampaignMgr
- CampaignUser
- RFMAdmin
- RFMMgr
- RFMUser
- SegAdmin
- SegMgr
- SegUser

To grant access to Process Manager, place users in one of these groups:
- OpportunityAdmin
- OpportunityCreator
- OpportunityMgr
- OpportunityOwners
- OpportunityUser

Note: Casual licensing prevents access Marketing or Process Manager, regardless of group assignments.