Securing RiSE websites
To secure your content, configure the iMIS security settings. You can grant access to content, or apply restrictions, for certain users.
Review the following list and apply the suggested configuration, if applicable:
- Review licensing. System administrators must modify licensing information whenever new iMIS features are purchased or new users are added to an existing license. Verify that your licensing information is up to date.
- Set up your staff users with the appropriate permissions:
  - Review and assign user credentials (user class and any roles, groups, authorization levels, and access keywords defined in each user record). The content and capabilities each user has access to when logged on to your site depend on the credentials assigned to that user.
  - Add security roles. Security roles grant specific administrative privileges to users, such as the right to edit an iMIS definition object in the Document system.
  - Add security groups. Security groups can grant specific access to all members of a group. Use security groups to limit access to sensitive content for a group of individuals, rather than specifying individual access for each member of the group.
  - Assign Staff access and Module authorization levels. On the same window in the Staff site, you can configure settings for user-specific correspondence and staff access to specific areas of the Staff site.
- Define content authority groups. Content authority groups help control who has access to edit specific areas of content within iMIS. Content authority groups contain several group roles that allow for different content permissions.
- Review and configure the Contact security queries. These system settings allow for granular security settings when viewing contact records, and provide system-wide permission to view the public profile information of other users.
- Set Access settings on content, queries, and other documents. Access settings give you a consistent way to apply security and grant permissions to folders and objects throughout iMIS: entire websites, individual navigation items, content records, queries, business objects, and the wide array of objects that you can define, import, and store in the Document system.
- Use IQA to create groups. After query sources are defined, define the group elements on the Group tab. Staff users can create a dynamic group that includes contacts based on any filters in IQA. These groups can be used to grant access to items in iMIS using Access settings.
- Assign additional administrator roles for staff and non-staff users. A staff user can assign the Company Administrator role to a contact. Company Administrators can manage organization and employee profile information, manage the roster, and pay bills for the organization and its employees. Chapter Administrators can assign the Chapter Administrator role to other chapter members or remove it from them, pay dues for chapter members, and edit chapter member profile pages.
- Add contacts to the Campaign Management security groups. Staff users can add other staff users to the CampaignMgr, CampaignAdmin, or CampaignUser groups to grant them appropriate permissions to marketing campaigns.
- Review and configure security settings for Communities. Individual iMIS communities have their own security settings. You can secure a community to a certain group of people, control who has access to create wikis, and set administrators for a community.
- Optionally, you can configure products such that purchasers can be added to specific groups. Staff users can define a product that offers group-based access to content. As users are added to groups based on their purchase, they will inherit the security settings already defined for that group.
Tips and troubleshooting
The following information can help you troubleshoot logon issues.
Conflicts from shared Windows logins
iMIS employs the ASP.NET login controls and uses HTTP cookies for state information. If two different iMIS users share the same Microsoft Windows logon information on the same client system, iMIS features that use cookie data can confuse one user with the other. To avoid this problem, always ensure that every iMIS user has a unique Windows username and password.
Note: If you are not self-hosted, you must contact your host for assistance modifying web.config files.
Authorization persistence: web clients
By default, authentication record authorization is persistent for web users. To disable this option, edit the web.config file used for the iMIS application.
Authorization changes: locating and disabling
By default, users are allowed to change their password, but not their user name. To allow user name changes, edit the content record that contains the Change Logon Password content item and select the checkbox Allow username change. The option to change passwords can be enabled or disabled in the same way.
- All users (Casual, Public, and Full) can change their user name and password through the My Account page when the option is enabled.
- Full users who belong to the SysAdmin role can change the user name and password for other users in the Staff site (Community > Security > Users).