Knowledge: Roles and Data Room Security Levels
    Title: Roles and Data Room Security Levels
    Manual: Administration
    Manual Level Two: Data Rooms
    Manual Level Three: Security
    Created: 02/09/2019
    Detail:

    What are Roles?

    Every user must be assigned to a role. A System user can only be assigned to a single role for the entire system. A site user is assigned a role for each site they have access to, and site users also have more restricted access than system users. A role is used to assign common functions (e.g. what access to the system the user has) and as a way of grouping users in other areas of the system.

    What are Security Levels?

    Security levels are a subset of Role permissions: just the ones prefixed with Data Room:. Security levels allow various combinations of permissions at individual Data Room level. There is no set number of security levels, as the number depends on your requirements. A user's security level is set at Data Room Level, either through their membership of a particular role or by selecting a level for that user individually.

    Please note that any Data Room permissions you set at Role level are only defaults; they are overridden when specified at Data Room Level. Ideally all Data Rooms should override the default.

    Initial Recommendations

    For backward compatibility we allow Custom Data Room Level when setting up a new Role, but we do not recommend using it for new roles. So before setting up a new role we recommend you have at least these initial Security Levels set up:

    • DataRoom No Access : Nothing Checked.
    • DataRoom Admin
    • DataRoom Automater : In some cases may be no different to admin, so not required.
    • DataRoom Read & Write
    • DataRoom Read & Write (Own Only)
    • DataRoom Read Only

    The design of roles really depends on how granular your security settings need to be, so below is just a very simple example of roles to set up:

    • Standard User : With Custom Data Room Level set to DataRoom No Access. You want to control Data Room access, so with a default of no access, users need to be specifically given access to new Data Rooms.
    • Admin : With Custom Data Room Level set to DataRoom Admin.
    • No Access : With Custom Data Room Level set to DataRoom No Access. This is so you can set a default role to No Access in scenarios where initially you don't want people having access to items.
    • Automater : With Custom Data Room Level set to DataRoom No Access and Management Tools: Data Room (Secured by Allow Design permission only) checked.

    Setting Data Room Security Level

    To set security levels go to Admin > Data Rooms > Advanced Options > Data Room Level Security.

    Now you can either map a user's role to a security level or specify the user directly, which will take precedence over the role. If you have an Active Directory Group, it can be used to populate the User security levels; for this to work, the ProcessDataRoomSecurityGroups Timer Job must also be set up in the Job Scheduler.
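
The precedence described above (a direct user entry, then the role mapped at Data Room level, then the role-level default) can be modelled as below. This is an added example, not the product's own code; the class, the function names, the sample users and the sample Data Rooms are all assumptions made for illustration. It also lists who still gets access purely from a role default, which is the case the article recommends overriding.

```python
# Added illustration; names and data layout are assumptions, not the product's API.
from dataclasses import dataclass, field

# Role -> Custom Data Room Level (the role-level default), from the example roles above.
ROLE_DEFAULTS = {
    "Standard User": "DataRoom No Access",
    "Admin": "DataRoom Admin",
    "Automater": "DataRoom No Access",
}

@dataclass
class DataRoom:
    name: str
    role_levels: dict = field(default_factory=dict)  # role -> level, set on the Data Room
    user_levels: dict = field(default_factory=dict)  # user -> level, set on the Data Room

def effective_level(room, user, role):
    """Return (security level, where it came from) for one user in one Data Room."""
    if user in room.user_levels:   # a direct user entry takes precedence over the role
        return room.user_levels[user], "user"
    if role in room.role_levels:   # role mapped at Data Room level overrides the default
        return room.role_levels[role], "room-role"
    return ROLE_DEFAULTS[role], "role-default"  # nothing set on the room

def role_default_fallbacks(rooms, user_roles):
    """List (room, user, level) where access still comes from the role-level default."""
    findings = []
    for room in rooms:
        for user, role in sorted(user_roles.items()):
            level, source = effective_level(room, user, role)
            if source == "role-default":
                findings.append((room.name, user, level))
    return findings

# Constructed sample data (hypothetical users and Data Rooms).
USER_ROLES = {"alice": "Standard User", "bob": "Admin", "dave": "Standard User"}
CONTRACTS = DataRoom(
    "Contracts",
    role_levels={"Standard User": "DataRoom Read Only"},
    user_levels={"alice": "DataRoom Read & Write"},
)
HR = DataRoom("HR")  # no Data Room level settings at all

if __name__ == "__main__":
    for finding in role_default_fallbacks([CONTRACTS, HR], USER_ROLES):
        print(finding)
```
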

    You can set automation defaults when creating an automation document from within, say, a Knowledge Library. When you create a new automation from a document it will create a Data Room. You can set the default role that the user creating the automation will get (usually Automater) and the default role for all other users (usually set to No Access until it is ready to release).

    Notes

    • Please remember that Data Room Security and Item (including Document) Security are two different things. When you create an automation from a document it creates a Data Room; the original document still exists in e.g. the Knowledge Library and will still have its own security set there, controlling Edit, View, etc.
    • The Data Room Level security a role or user has been given for the Data Room can be used in the read-only and field visibility options on a form.
    • Plan your security before setting it. For example, if it is a Data Room that everyone needs at least Read access to, don't leave the default access as No Access and assign every role manually. Set the default as Read and then only assign the roles that need different access.
    • Do not confuse the above with securing individual items. For an article on that, please see Data Room Item Security.
