Managing security groups (user roles)
Security groups define what functions a user can perform. Your organization may refer to security groups as user roles. A user can belong to only one security group.
When a user is created on the Diligent One platform, a default role is assigned, either User or System Admin. For details, see Adding and managing users. Additional security groups can be created in the Policy Manager app.
The Access group is the security group and is a required field. See Managing users.
Note
If you use Policy Portal, set up a Policy_Portal_Group with no permissions assigned. With SSO enabled, users are redirected to the Policy Portal where they can view and search for documents for the target audience they belong to. See Using the Policy Portal.
You may have as many security groups as you want. When you create security groups, consider your organization's needs and audit requirements. For example, you may or may not need to separate Document Reviewers and Owners from individuals that have rights to create and edit documents. Suggested security groups follow. You may also want a security group for auditors.
- System Administrators (SysAdmin)
- Super Users
- Document Creator/Editor
- Document Reviewer
- Document Owner
Add a security group
- From the left menu, select Administration then Security Groups.
- Select the Security Groups button.
- Give the security group a case-sensitive Name. When you move from the name field, the system checks to make sure the case-sensitive name is not in use.
- Add a Description.
- Select Active to make the security group immediately available for users to be assigned.
- Select the Access Rights to grant access to Policy Manager menus, pages, and functions to the users assigned to the security group. Select Expand All to view all Access Rights. For details on each Access Right, see Access Rights details.
- Select Save.
Manage a security group
- From the left menu, select Administration then Security Groups.
- Select any of the following for the security group:
  - Edit to update the information.
  - Clone a security group, then make edits to the Access Rights to create a new security group.
  - Delete to remove the security group. If a security group has active users, the Delete option is grayed out and you cannot delete the security group.
Access Rights details
Access Rights may be granted (selected) for a menu, a page, and/or the fields on a page. The highest level of security in a group typically allows access to view the function. Selecting sub-settings allows the users to manage the function via add, delete, or edit selections. For example, the following setting allows the user to view the document components (re-usable content). Because the remaining selections are not selected, the user cannot create, delete, or edit a document component.
[x] Allow Access to Components Page
[ ] Can create document components
[ ] Can delete document component
[ ] Can edit document component
A description of each of the Access Rights follows.
| Access Rights | Description and typical access (Your organization may vary based on requirements.) |
| --- | --- |
| Allow access to Additional Fields page | An additional field is a user defined field (UDF) for: For function details, see Managing additional fields. This access is typically enabled for System Administrators or Super Users. |
| Allow access to Administration menu | The Administration menu is used to configure the system to meet your organization's needs. For function details, see Administration. This access is typically enabled for System Administrators or Super Users. |
| Allow access to System Report page | The Reports menu is used to generate a report, search a report, and export a report to Excel. For function details, see Reports. This access is typically enabled for individuals who view reports. For users who need to create, edit, or delete a report, see the Access Right Allow access Reports. |
| Allow access to Agency settings | Agency settings are used to configure functions, such as allowing document uploads, syncing with Diligent One apps, and enabling spell check. For function details, see Managing agency settings. This access is typically enabled for System Administrators or Super Users. |
| Can use Search | The search feature is used to find documents, document components, and other content. For an example of a search function, see Search with document details. There are other search functions in the system. This access is typically enabled for all users. |
| Allow access to Case Queue page | The case queue is the review queue which is a group of users assigned to handle a document review, approval, or other actions. For function details, see Managing review queues. This access is typically enabled for System Administrators or Super Users. |
| Allow Access to Components Page | Document components are re-usable content for use when creating documents and document templates. For function details, see Using document components. This access is typically enabled for Document Owners, System Administrators, or Super Users. |
| Allow access to Configure Attributes page | Configuring attributes is advanced functionality that may cause damage to the system. Attributes should only be changed in conjunction with your Diligent Customer Success Manager. For function details, see Configuring categories, values, and attributes. This access is typically not granted unless you are working in conjunction with a Diligent Customer Success Manager and add access under their direction. |
| Allow access to Configure Categories page | Categories and values are internal name/value pairs where you can match an internal code with what you want the user to see. Categories (Reference Domains) have associated child Values (Reference Codes). For function details, see Configuring categories, values, and attributes. This access is typically enabled for System Administrators or Super Users. |
| Allow access to Configure Values page | Categories and values are internal name/value pairs where you can match an internal code with what you want the user to see. Categories (Reference Domains) have associated child Values (Reference Codes). For function details, see Configuring categories, values, and attributes. This access is typically enabled for System Administrators or Super Users. |
| Allow access Dashboard | Dashboards provide an overview of the state of documents and information on current and upcoming review cycles. For function details, see Dashboards. All users are typically given full Dashboard access. |
| Can edit public document component | Users edit documents on the Document Editor tab. This includes adding document selections and components. For function details, see Using the Document Editor. This access is typically enabled for Document Owners, Document Editors, Document Reviewers, System Administrators, and Super Users. |
| Allow Access to Documents Page (See the sub-selections on the right in this table.) | User access to the Documents Page can vary based on the security group. Suggestions follow. |
| Allow access to Document Template Assignment page | A document template saves time and ensures consistency when you create a new document. A template can be automatically assigned using template assignment rules. For function details, see Configuring template assignments. This access is typically enabled for SysAdmin, Super User, and Document Creator/Editor. |
| Allow access to incident report page | This option is not used in Policy Manager. |
| Can receive intra-system message | This option is not used in Policy Manager. |
| Allow access to Notifications page | Email notifications are set at the review cycle level (such as DRAFTING, REVISING, and so on). For function details, see Managing notifications. This access is typically enabled for SysAdmin, Super User, Document Creator/Editor, and Document Owner. |
| Allow access to Work Flow Assignment page | A review flow (work flow) identifies the review cycle with system-defined phases (such as DRAFTING) and prescribed tasks, as set by the organization. For function details, see Managing review flows and tasks and Mapping review flow assignments to documents. This access is typically enabled for SysAdmin, Super User, Document Creator/Editor, and Document Owner. Also see these Access Rights: |
| Allow access to Work Flow Snippets page | Snippets are reusable collections of phases and/or tasks that can be added to a review cycle to save time and ensure accuracy. You may insert a snippet in the review flow. For function details, see Managing review flow snippets. This access is typically enabled for SysAdmin, Super User, and Document Creator/Editor. Also see these Access Rights: |
| Allow access to set starter snippet | The default starter snippet adds required phases and settings, such as predecessors to ensure each phase is complete before going to the next phase. For function details, see Managing review flows and tasks and Managing review flow snippets. This access is typically enabled for SysAdmin, Super User, and Document Creator/Editor. |
| Can view Regulations | You can catalog regulations, laws, or other outside governance requirements and add documents to create auditable reference of requirements. For function details, see Regulations. This access is typically enabled for SysAdmin, Super User, Document Creator/Editor, and Document Owner. |
| | To allow access to create, delete, or edit a report. For function details, see Allow access to System Report page. This access is typically enabled for people who need to view and manage reports. To limit access to viewing a report, see the Access Right Allow access to System Report page. |
| Allow access to Work Flow page | A review flow (work flow) identifies the review cycle with system-defined phases (such as DRAFTING) and prescribed tasks, as set by the organization. For function details, see Managing review flows and tasks. This access is typically enabled for SysAdmin, Super User, Document Creator/Editor, and Document Owner. Also see these Access Rights: |
| Allow access to Review Frequency page | Review frequencies are associated with documents to identify how often the documents are reviewed. For function details, see Managing review frequencies. This access is typically enabled for SysAdmin, Super User, Document Creator/Editor, and Document Owner. Also see Allow Access to Documents Page, Access Right Review frequency. |
| Allow access to Review Queue page | A review queue is a group of users assigned to handle the review, approval, or other actions. For function details, see Managing review queues. This access is typically enabled for SysAdmin, Super User, Document Creator/Editor, and Document Owner. |
| Allow access to Security Groups page | Security groups define what functions a user can perform. This access is typically enabled for SysAdmin and Super User. |
| Allow access to Tag Group page | Tag groups are used to search for related documents. For function details, see Tag groups are used to search for related documents. This access is typically enabled for SysAdmin, Super User, Document Creator/Editor, and Document Owner. |
| Allow access Tasks page | Users may be automatically assigned tasks, or they can take ownership of a task if they are in the task's review queue. For function details, see Taking or releasing ownership of a task. This access is typically enabled for SysAdmin, Super User, and Document Reviewers. It can be assigned to all users, in case there is an issue with ownership, such as a reviewer being unavailable. |
| Allow access to Users page | Administrators can add users and update user information. For function details, see Managing users. This access is typically enabled for SysAdmin and, possibly, Super User. |
| Allow Access to Widgets Page | A widget is used to display often repeated content, such as a disclaimer that is used multiple times in documents, document components, and document templates. For function details, see Using Widgets and Managing document widgets. This access is typically enabled for SysAdmin, Super User, and Document Creator/Editor. |
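
The "typically enabled for" guidance in the table above can serve as a baseline for a periodic access review. The following Python script is an added example, not part of Policy Manager or its documentation: it compares each security group's granted Access Rights against a few rows of that baseline and flags grants that need a justification. The export shape (group name mapped to a set of Access Right names), the short group names, and the rule that a sub-setting should not be held without its parent view right are assumptions made for illustration.

```python
# Added example: access review against the "typically enabled for" guidance.
# The export shape (group name -> set of granted Access Rights) is an assumption.

# Baseline from the table above: Access Right -> groups it is typically enabled for.
ADMIN = {"SysAdmin", "Super User"}
TYPICAL = {
    "Allow access to Administration menu": ADMIN,
    "Allow access to Agency settings": ADMIN,
    "Allow access to Security Groups page": ADMIN,
    "Allow access to Users page": ADMIN,
    "Allow access to Configure Attributes page": set(),  # typically not granted
    "Allow Access to Components Page": ADMIN | {"Document Owner"},
}
# Sub-settings from the Components example, mapped to their parent view right.
PARENT = {
    "Can create document components": "Allow Access to Components Page",
    "Can delete document component": "Allow Access to Components Page",
    "Can edit document component": "Allow Access to Components Page",
}

def review(groups):
    """Return (group, right, reason) findings for grants that need justification."""
    findings = []
    for group in sorted(groups):
        rights = groups[group]
        for right in sorted(rights):
            parent = PARENT.get(right)
            # A sub-setting is judged against its parent's baseline.
            allowed = TYPICAL.get(parent or right)
            if allowed is not None and group not in allowed:
                findings.append((group, right, "outside typical access"))
            # Assumed policy: a manage sub-setting without its view right is inconsistent.
            if parent and parent not in rights:
                findings.append((group, right, "sub-setting without parent right"))
    return findings

# Constructed sample data, not taken from a real Policy Manager instance.
SAMPLE_GROUPS = {
    "SysAdmin": {"Allow access to Security Groups page", "Allow access to Users page"},
    "Super User": {"Allow access to Configure Attributes page",
                   "Allow Access to Components Page", "Can create document components"},
    "Document Owner": {"Allow Access to Components Page"},
    "Document Reviewer": {"Allow access to Users page", "Can edit document component"},
}

if __name__ == "__main__":
    for finding in review(SAMPLE_GROUPS):
        print(" | ".join(finding))
```

Rights that are not in the baseline (for example, Can use Search) are ignored, so extend `TYPICAL` with the rows your organization treats as sensitive before relying on the output.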