Setting Record Security

Record security lets you restrict access to individual records as well as areas within records, for example workflow notes. When record security is turned on in System Configuration, a lock icon appears in the record page. The icon displays as an open lock when record security is not applied to the record.  The lock is closed when security is applied.  IQ displays your access level for the record, when you place your mouse on the lock icon. Note: If security has been set for a record, users with Read access will not see the lock icon. Record security is available for People, Mail, Workflow and Document records as well as Reports. Your ability to secure records is controlled by your User ID setting for the Record Security Lock in each of those modules.

To set security for a record or report:

1. On the record page, click the lock icon.

2. In the Record Security dialog, select the access to apply to all users by clicking in the General Access Level field, or set access for specific users by entering their names in an Access Level field. Optionally, you can select a profile from the Profile drop-down list to quickly set record security for a predefined list of user(s), group(s) or department(s).

3. Click the Save button.

General Access defaults to Full. Click in this field and select Edit, Read, or None if you want to restrict access to that level for all users. To limit access to specific users, groups, or departments, click the search icon next to the Full, Edit, Read, or None field and select the user(s), group(s), or department(s) to whom you want to assign that level of access. Users you select in this way are granted the specified level of access; all other non-selected users default to the General Access level.

Record security set for a specific user takes precedence over record security applied as part of a group or department. For example, if a user is given Edit access as an individual and is also part of a group that is given Read access, that user will have Edit access to the record. When a user belongs to more than one group or department, and the level of access for those groups or departments is inconsistent, the more permissive access is used. The same holds true when there is an inconsistency between group and department access.

To change security for multiple records:

1. Search for the People, Mail, Workflow or Document records you want to change.

2. On the Search Results page, select the check box next to the records.

3. Select the Change Security action.

4. The Overwrite Record Security dialog page appears with a combined list of Users and Groups for each Access Level.

• IQ will display a warning at the top of the dialog if any of the selected records cannot be updated if you lack full access to the record.

• The General Access Level is automatically set to the lowest (most restrictive) level used in the selected records.

• A list of the General Access levels used in the selected records is displayed to the right of the field.

• Click in the field to select another General Access Level or select No Change if you would like the General Access Level to remain as it was before selecting the Change Security action and only overwrite the specific access levels (Full, Edit, etc.) for Users, Groups and Departments.

• If the same User, Group or Department appears in multiple access levels, you will need to remove them so that they only appear in one access level.

5. Click the Save button after making the appropriate changes.

To remove security for a record or report:

1. On the record page, select the lock icon.

2. Click the Delete button in the Record Security dialog box.

Access Levels

When a record is restricted, the user's access to it is determined by the access level.

Full – The user can view, edit, delete, and adjust security for the record.

Edit – The user can view and edit the record. All fields and all actions except Delete are available.

Read – The user can view the record. No fields are available and no actions appear that would modify the record.

Use – This access level is only available for People, Document Directory and Workflow Templates. The user can view and add Mail, Workflow or other types of records using these People records, but is not able to edit the content of the People record. Documents added to a directory get Edit access for users with Use access to the directory. Users can create workflow for templates that grant Use access or above, but cannot edit the template.

None – The user has no access to the record. If the record is found as a result of a search, no identifying information is displayed on the Search Results page. Instead, the user sees only the words Secured Record.

Note: A user with Full access to a record cannot remove that access either as an individual or as part of a group or department. Only another user with Full access to the record can do this. This limitation prevents a user from accidentally locking everyone out of a record.

Workflow Records

Access to workflow notes and step notes can be restricted through record security, and record security for an attached document can be set through the workflow.

To set record security for a workflow or step note, select the Secure This Note check box at the top of the Add Note dialog box. When you click the Save button, the Record Security dialog box appears for access level selection. You can change note security clicking the Record Security link that appears at the top of the Edit Note page.

To set record security for an attached document, click the Documents tab and then click the document name link. Select the Record Security action on the document record page.

To set record security for an attached file, click the Attachments tab and then click the Attach File link. Click the Record Security link at the to of the Edit Note page. If you're attaching a new file, select the Secure This Attachment check box at the top of the Attach File to Workflow dialog box.

The following restrictions apply to secured Workflow records.

• Any user with at least Read access to a Workflow record can use the Send Info Copy action to send an email to any IQ user regardless of the recipients' access level. However, the recipients will be limited in their ability to view or edit the workflow based on their access level.

• Only users with Full or Edit access to a secured Workflow are available for assigning or reassigning of Workflows. If a Workflow is assigned to a user who does not have access to it (if it was assigned to a user before security was set restricting his access or if group/department membership changed in such a way that the user is prevented from accessing the record), the user is provided with a list of users with Full access to the record who can grant access to it.

• Auto Routing queues steps only to users with Full or Edit access to a secured Workflow. The Auto Route user/group list takes precedence over the Routing Rule. If there are valid users or groups in the Auto Route, they supersede users and groups in the Routing Rule.

Documents

Whenever record security is set or changed for a document, a notation is placed on the Status Log panel that shows the date, time, and user who changed the security. If record security is set for a document, the list of users that can be assigned to the document is limited to users with Read, Edit or Full access. When a new version of a document is created, the newly created version will inherit the record security from the previous version. Likewise, when you add or change security for an existing document, the Apply Security to all document versions checkbox is selected by default.

Record security can also be applied to a Directory. Security is inherited by new documents in the directory and can be applied to any documents that already exist. Directory security controls a user's ability to browse directories in the Document Library view, while security on the document controls user access directly to the document. So a user can find and use documents using other searches if they have permissions to the document, even if they are not allowed access to browse the directory and folder location for that document.