Assigning security credentials and staff access

Quick Tutorial Full Training

System administrators (SysAdmin) can grant access to certain areas of content for different users. System administrators are super users with access to everything in the system, including the following:

  • Assign logon credentials and user type (Public or Full)
  • Add roles and groups
  • Assign access for staff users
  • Assign the System Administrator role to other users
  • Disable user accounts

Note: Staff users do not have the access levels and permissions necessary to assign staff access. See Overview of security throughout iMIS for more information.

To perform any of the above, navigate directly to the contact’s account page, then click the Security tab. Alternatively, go to Community > Security > Users and search for the desired user.

In This Article 

User credentials

If the contact listed in the Contact information area is not an iMIS user, the fields in the User credentials area are empty. Click the red icon (X) to delete or change the username.

User credentials area

The following fields appear in the User credentials area:

  • Logon – Displays this authentication record's logon name (user name). No user selected displays when the authentication record is not linked to a user record. Click the add icon (+) to create user logon credentials.
  • Password/Confirm password – Input fields for changing an existing password. By default, passwords must contain at least seven characters with at least one numeric character and at least one alphabetic character.
  • Note: iMIS provides enhanced password hashing to secure all user login passwords. This enhanced password security complies with PCI 3.2 guidelines.

  • Email – When you create a new authentication record, if the iMIS contact record includes an email address, iMIS populates the Create User Logon window with that address. However, the value that is displayed in this area of the Users window is always the value that is stored in the ASP.NET authentication store.
  • Locked out – Indicates whether this authentication record is temporarily blocked from gaining access to iMIS. By default, iMIS locks out an authentication record after five failed attempts to log on.
  • User Class – Specifies the license to apply to this user, which controls all subsequent authorization.
  • Password Reset – System administrators can send the user an email with a link to reset their password. At least one active public site with Everyone Full Control access is required to use this feature. For more information, see Resetting passwords.

Note: Only those contacts with the user class of Full User are able to see the Staff Access areas and be assigned to the On behalf of role.

User information

Note: Staff users do not have access to update any of the areas under User information.

The User information area displays after user credentials are entered.

User information area

The following fields are displayed in the User information area:

  • Disabled – Select this option if you do not want the selected user account to be used immediately.
  • Effective date – Enter the date when these credentials become valid.
  • Expiration date – In iMIS, the Expiration date for an account is a rolling date based on the last login (sign-in) date. By default, the expiration date is five years from the last login date, and this date is reset after every login.

      Changing the Expiration date

      Do the following to configure the account expiration date based on the last login date:

      1. Go to Settings > Contacts > Account Management.
      2. Specify a new value in the Default expiration date, in years from last login field. Whenever a user signs in, their account expiration date is reset to that login date plus the number of years specified in the Default expiration date, in years from last login field. For example, if this value is 3, and a user signs in on January 1, 2018, their account expiration date is set to January 1, 2021.

      Note: The value entered into the Default expiration date, in years from last login field must be greater than 0.

Security roles

Security roles (Community > Security > Roles) grant specific administrative privileges to user records. There are system roles that cannot be deleted:

  • SysAdmin - Requires a valid email address. System administrators can expect to receive emails requiring their attention in order to maintain the security and performance of their iMIS systems. System administrators have access to all areas of the staff site. See Overview of security throughout iMIS and Module authorization levels.
  • CompanyAdministrator -Do not use this role; instead, assign someone a company administrator through the organization account page. See Assigning the company administrator role for one or more companies.
  • OnBehalfOf - Can only be assigned to a Full User. See On Behalf Of.
  • RemoteService - Allows users to remotely access the REST API. If external API calls are missing the RemoteService role on the service account, the API calls will fail until it is added. The RemoteService role is not required for client-side iParts, only for B2B (an application requiring its own username and password) access.
  • Everyone - Dynamically assigned to authenticated and guest users. This role is hidden and cannot be added to a user's account.
  • Content Administrator - Dynamically assigned to members of any Master Admin Content Authority Group. This role is hidden and cannot be added to a user's account.

Assigning a role to a contact

Do the following to assign a role to a contact:

  1. Go to Community > Security > Users.
  2. Search for the user, then select their ID.
  3. From the Roles section, select Add.
  4. Note: It is not recommended to use the CompanyAdministrator security role. The Company Administrator role should be assigned to users through the user's organization (Managing organizations).

  5. Select the available role, then click OK.
  6. Save the changes.

Creating and editing security roles

Do the following to add or edit security roles:

  1. Go to Community > Security > Roles.
  2. Select Add a role or select an existing one.
  3. Enter a Name and Description.

Warning! Do not remove a user's SysAdmin role without also lowering the System authorization level (see Assigning staff access). If the levels and roles do not agree, the system will have access conflicts.

Security groups

Security groups grant specific access to all individuals who are members of the group. The following security groups affect user privileges.

Table 1: Security groups

Group

Description

CampaignAdmin

Enables full-control access to the Campaign functionality and its objects

CampaignMgr

Enables read/add/edit/delete access to the Campaign functionality, and read/edit access to its objects

CampaignUser

Enables read-only access to the Campaign functionality and its objects

Certification Admin

Used to send emails to the appropriate contacts when certification enrollees complete program stages

Certification Manager

Used to send emails to the appropriate contacts when certification enrollees complete program stages

Certification User

Used to send emails to the appropriate contacts when certification enrollees complete program stages

EventUser

Controls security for IQA integration

FRUser

Controls security for IQA integration

OpportunityAdmin

Enables full-control access to Process Manager and its objects

OpportunityCreator

Enables add access to projects in Process Manager, and read/edit/delete access to created projects, but read-only access to projects created by others

OpportunityMgr

Enables read/add/edit/delete access to Process Manager, and read/edit access to its objects

OpportunityOwners

Enables add access to a project's Owner or Contact group

OpportunityUser

Enables read-only access to Process Manager and its objects

OrderUser

Controls security for IQA integration

Reporting

Enables access to the Reports navigation item and is required to access the Reports sub navigation items. See Reporting Users Full Control.

RFMAdmin

Enables full-control access to the RFM application and its objects

RFMMgr

Enables read/add/edit/delete access to the RFM application, and read/edit access to its objects

RFMUser

Enables read-only access to the RFM functionality and its objects

SegAdmin

Enables full-control access to the Segmentation functionality and its objects

SegMgr

Enables read/add/edit/delete access to the Segmentation functionality, and read/edit access to its objects

SegUser

Enables read-only access to the Segmentation functionality and its objects

Assigning a user to a security group

Do the following to assign a user to a security group:

  1. Navigate to the contact’s account page.
  2. Click the Security tab.
  3. From the User information section, locate Security groups then select Add.
  4. Select a group, or multiple groups, to which you want to assign the user. Click OK.
  5. Save your changes.

Assigning the system administrator role

To assign someone as a system administrator, do the following:

  1. Navigate to the contact’s account page.
  2. Click the Security tab.
  3. From the User class field, select Full user.
  4. From the Roles section, select Add.
  5. Enable SysAdmin, then click OK.
  6. On behalf of and sys admin roles

  7. Expand the Staff access section and update each drop-down to level 8.
  8. Click Save.

Assigning someone as a staff user

The Staff access area includes settings for user-specific correspondence and Module authorization levels. This section only appears if the User class is Full user.

Note: By default, this section is collapsed. Simply click on the arrow next to Staff access to expand this section.

To assign someone as a staff user, do the following:

  1. Navigate to the contact’s account page.
  2. Click the Security tab.
  3. From the User class field, select Full user. Assigning someone as a Full user grants them access to the Staff site. Although the user has the Full user role, they will not have access to all areas of the Staff site. You must update the module authorization levels to determine what specific areas of the Staff site they will have access to.
  4. Expand the Staff access section, and select the appropriate levels for the user. For more information, see Module authorization levels.