Create custom security roles

In the regular course of business, your organization needs to control access to its client files. Different engagement teams require access to their specific client files, but they are restricted from accessing other clients' materials. Some staff require access to all client files for an engagement, while others only need to access the documents assigned to them.

You can manage access to your organization's engagements and the related engagement material in Cloud using security roles.

The built-in security roles cover the more common types of security access that you might want to give to your users. You can, however, also create custom roles for your organization.

To create custom security roles:

  1. Ensure that you have the Settings Admin role or the equivalent privileges.

  2. From the Cloud menu, select Settings.

  3. Select Security | Role Permissions.

  4. Select Add Role.

  5. Complete the following fields:

    • Name

    • Description

    • Applies To (Staff or Contacts)

    • Scope (System-wide, Content within entities, or both)

    The New Role dialog.

  6. Select Next.

  7. Select one or more permissions to add those permissions to the role. When you are finished, select OK.

    The bottom of the Role Permissions dialog. The permissions to create, read, edit, delete and share files are all selected.

    Best Practice: There are two Share permissions: A and S. The Share (A) permission allows the user to share all available entity or entity content permissions with themselves and other users, even if doing so would grant a higher level of access than they currently possess. For example, if you create a custom system-wide role that has only the Share (A) permission for entities, users with this role will be able to grant themselves and other users the Owner role on any entity. If this is a security concern for your firm, we recommend using the Share (S) permission instead, which offers the same functionality but restricts the user from sharing entities or entity content that they cannot access. To learn more, see Built-in roles.
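
One way to review custom roles for the Share (A) risk described above. This is an added example, not part of the product or its documentation: the data layout, the `share_a` and `share_s` tokens, the role names and the user names are all assumptions, constructed for illustration.

```python
# Added example. The data layout and the token "share_a" are assumptions made
# for illustration; they are not a product export format or API.
SHARE_A = "share_a"
SYSTEM_WIDE_SCOPES = {"system-wide", "both"}

# Constructed sample data: custom roles and their staff assignments.
ROLES = [
    {"name": "Engagement Sharer", "scope": "system-wide",
     "permissions": {"entities": ["share_a"]}},
    {"name": "File Contributor", "scope": "entity-content",
     "permissions": {"files": ["create", "read", "edit", "share_s"]}},
    {"name": "Intake Clerk", "scope": "both",
     "permissions": {"entities": ["read"], "files": ["read", "share_a"]}},
]
ASSIGNMENTS = {
    "alice": ["Engagement Sharer"],
    "bob": ["File Contributor"],
    "carol": ["Intake Clerk", "File Contributor"],
}

def find_share_a(roles):
    """Return one finding per (role, object type) that holds Share (A)."""
    findings = []
    for role in roles:
        for obj_type, perms in sorted(role["permissions"].items()):
            if SHARE_A not in perms:
                continue
            # The case the page warns about: system-wide Share (A) on entities
            # lets the holder grant Owner on any entity.
            high = role["scope"] in SYSTEM_WIDE_SCOPES and obj_type == "entities"
            findings.append({"role": role["name"], "object": obj_type,
                             "severity": "high" if high else "review"})
    return findings

def affected_users(assignments, findings):
    """Map each user holding a flagged role to their worst severity."""
    worst = {}
    for f in findings:
        if worst.get(f["role"]) != "high":
            worst[f["role"]] = f["severity"]
    result = {}
    for user, role_names in assignments.items():
        levels = {worst[r] for r in role_names if r in worst}
        if levels:
            result[user] = "high" if "high" in levels else "review"
    return result

if __name__ == "__main__":
    found = find_share_a(ROLES)
    for f in found:
        print(f"{f['severity']:6} {f['role']}: Share (A) on {f['object']}")
    print(affected_users(ASSIGNMENTS, found))
```

Roles flagged "high" are candidates for switching to Share (S); roles flagged "review" still hold Share (A) and should be checked against who is assigned to them.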