Security considerations

Roles and sharing

A security role is a set of permissions that you can assign to your users on Cloud. Each role enables your staff to do one or more of the following things:

  • view content

  • update existing content

  • create new content

  • delete content

  • share content with other users

Your users can access information based on the roles that have been assigned to them. You can apply these roles very broadly, creating a security architecture that requires very little maintenance. Alternatively, you can assign these roles more selectively, giving you better control over who can access each file or activity on Cloud.

Assigning a system-wide role

This is the broadest way to grant access to content on Cloud. On a user's profile, you can grant security roles for all relevant content across the entire organization.

Firm-wide roles give this user permissions for all entities in a firm and for all content within these entities.

For example, Abco Smith has the Settings Admin role and the Viewer role applied as system-wide roles.

Firm-wide roles can be granted from the Staff page.

The Settings Admin role enables Abco to read and modify the Settings page. The Viewer role lets him see the details for all entities in his organization, and he can also view all files and activities for those entities.

Sharing entities

If you do not want a user to view all content in an organization, you can instead grant access to information on a client or departmental basis. When you share an entity, you grant a security role for the entity itself and for all files or activities under that entity.

Entity-wide roles give this user permission to this entity and to all content within it.

For example, Jenkins Smith has been assigned the Editor role on the client entity Diamond Jewelers.

This user has been granted the Editor role for a specific entity.

When Jenkins accesses Cloud, he will be able to see the client entity for Diamond Jewelers. With the Editor role, he can edit the details for this entity, and he can also create and edit files and activities under this entity.

Sharing files and activities

If you know that users should not have access to all content under an entity, you can instead grant access to each file or activity individually. This enables you to have very specific control over the information that your users can access.

This user can see this entity, but they only have access to one of the files within it.

For example, Carl John is working on the audit for Superior Furniture. His manager will assign him some files for this client, but she does not want John to have access to all client files.

First, she assigns Carl the Entity Access role on Superior Furniture. This enables Carl to see the entity, but it doesn't grant access to any files or activities under the entity.

This user has the Entity Access role for the selected entity.

Next, she shares the VarianceAnalysis.xlsx file and she assigns the Owner role to Carl.

This user has the Owner role for the selected file.

Carl now has access to this file on Cloud. With the Owner role, he can view, edit, or even delete the file, and he can share this file with other Cloud users.

Limited content

Normally, when you create new activities or add files to Cloud, users with a system-wide role for this type of content will be able to access these new items by default. Users who have roles on the entity for the new activities or files will also be able to access them.

You can choose to further restrict access to any files, activities, or entities by making them Limited. Limited content is only visible to the owner and staff members with the Admin role. The owner can share the content by granting roles to other staff members as normal, but it will not be visible to any other users.

Limited content has a small lock icon in the name field.

This document on the Files page is limited. Users will not be able to see this file unless the owner assigns them a specific role for the file.
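
The following is an added example, not code from Cloud: a small model for auditing effective access on a file when system-wide roles, entity roles, file-level roles and the Limited flag combine as described above. The permission set attached to each role, the rule that an Admin role at any applicable scope still sees Limited content, and the "Hypothetical Admin" user are assumptions made for illustration.

```python
# Toy model of the role scopes on this page; not the product's implementation.
# Permission sets per role are assumptions inferred from the page's examples.
ROLE_PERMS = {
    "Viewer": {"view"},
    "Editor": {"view", "update", "create"},
    "Owner": {"view", "update", "delete", "share"},
    "Admin": {"view", "update", "create", "delete", "share"},  # assumed
    "Entity Access": set(),   # entity itself is visible, its content is not
    "Settings Admin": set(),  # governs the Settings page, not files
}

# (user, scope, target, role) taken from the page's three examples.
GRANTS = [
    ("Abco Smith", "system", None, "Settings Admin"),
    ("Abco Smith", "system", None, "Viewer"),
    ("Jenkins Smith", "entity", "Diamond Jewelers", "Editor"),
    ("Carl John", "entity", "Superior Furniture", "Entity Access"),
    ("Carl John", "item", "VarianceAnalysis.xlsx", "Owner"),
    ("Hypothetical Admin", "system", None, "Admin"),  # constructed user
]

def grant_applies(scope, target, item):
    """True when a grant at this scope covers the given file or activity."""
    if scope == "system":
        return True
    if scope == "entity":
        return target == item["entity"]
    return target == item["name"]  # scope == "item"

def effective_permissions(user, item, grants=GRANTS):
    """Union of permissions `user` holds on `item` across all three scopes."""
    perms = set()
    for g_user, scope, target, role in grants:
        if g_user != user or not grant_applies(scope, target, item):
            continue
        inherited = scope != "item"
        # Limited content ignores inherited roles unless the role is Admin;
        # roles granted on the item itself (owner, explicit shares) still count.
        if item["limited"] and inherited and role != "Admin":
            continue
        perms |= ROLE_PERMS[role]
    return perms

def who_can_view(item, grants=GRANTS):
    """Audit helper: every user whose effective permissions include view."""
    users = {g[0] for g in grants}
    return sorted(u for u in users if "view" in effective_permissions(u, item, grants))
```

Running who_can_view on the same file with and without the Limited flag shows which users hold access only through a broad system-wide or entity-wide role.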