Follow

Using Security Management

 

Security Management (formerly Security Role Management) gives Firms with large numbers of employees the ability to quickly control and maintain employee Security Roles and Security Rights.

 

The Security Roles tab allows you to create Security Roles which are a collection of Security Rights. Users can then assign a Security Role to the appropriate employees, granting those employees the Security Rights listed under that Security Role.

Individual Security Rights can still be granted to individual employees by using the Employee Security tab.

Employees either belong to a single Security Role or they have their Security Rights managed individually.

 

The Multi-Factor Authentication tab will be visible when the Multi-Factor Authentication feature switch is enabled and allows for the management of Employee's Multi-Factor Authentication settings.

 

Tier Availability: Business

Security Rights Required: Add/Edit Employee, MaintenanceSecurity Management

 

Menu:

 

Security Management Rights

In order to use Security Management, users must have the Add/Edit EmployeeMaintenance, and Security Management Security Rights. 

  • Add/Edit Employee - Allows the user to add a new Employee from the application menu as well as add and edit user Security Rights from the Employee Details tab.
  • Maintenance - Allows the user access to Maintenance Menu items.
  • Security Management - Allows the user to maintain the list of Security Roles and their assigned Security Rights.

For steps on how to add these Security Rights to an Employee inside the Desktop Application, please review Adding Employees and Security Rights. If the Employee is currently logged in after rights are granted, then that user must click Application > Refresh Security.

 

Accessing Security Management

Once a user has the Add/Edit EmployeeMaintenance, and Security Management Security Rights, that user may access the Security Management feature.

Access Security Management

  1. From the Application Menu, click Maintenance > Preferences > Security Management.
  2. The Security Management feature will open in the user's default browser.
    • PensionPro supports the latest versions of Chrome, Edge, Firefox, and Internet Explorer 11.

Using the System Administrator Role

Security Management comes with a default "System Administrator" Role. This role cannot be edited or deleted and contains all available security rights. Any active user assigned this role will have unrestricted access to all areas of PensionPro.

At least one active user must be assigned the System Administrator role before any other users can be assigned additional Security Roles. A system administrator or principal would typically be assigned the System Administrator Role.

To assign a user to the System Administrator Role:

  1. Click once on the System Administrator role to highlight it.
  2. Click the Edit button to the right of the grid.
  3. Click inside the Employees box of the Edit Security Role pop up that appears and select the employee(s) that should be assigned the System Administrator role.
  4. Click Save.

Adding a Security Role

Users can add a Security Role from the Toolbar after accessing Security Management.

  1. Click on the Add button located on the right side of the grid.
  2. Enter Role Name and a brief Description of the role.
    • A description is not required.
  3. Click inside the Rights box and select the security rights to be included within the role.
    • Users can select "Add all Rights" to provide all rights to the role. Rights can be individually removed from the role by clicking the X button located to the right of each right.
  4. Assign employees to the role by clicking inside the Employees box and selecting the employee name that should be assigned to the role. Selected employees will appear in the box.
    • Multiple employees can be added to the role at once.
    • An employee can only be assigned to 1 role.
      • Remove an employee from the Role by clicking the X button next to their name.
    • Employees marked as Inactive in PensionPro will not appear in the Employees dropdown.
  5. Click Save

Editing a Security Role

Users can edit a role from the editor.

Edit a Security Role

  1. Click once on a Security Role to highlight it. 
  2. Click the Edit button. 
  3. Edit the desired information. 
  4. Click Save

Deleting a Security Role

Users can delete a Security Role from the toolbar. Please note, deleting a Security Role will affect any employee that was previously assigned that Security Role. Users assigned to a Security Role that was deleted will not lose their rights. Their role assignment will be removed, but the rights they had when they were assigned from that role will remain.

It is recommended that a new Security Role is assigned to the employee before deleting the existing Security Role. Users can also use the Employee Security tab to find employees who do not belong to a Security Role and assign them to one or change their individual Security Rights.

 

Delete a Security Role

  1. Click once on a Security Role to highlight it.
  2. Click the Delete button to the right of the grid.
  3. A message will appear asking the user to confirm they would like to remove all employees from the role.
    • The affected employees will retain the same Security Rights originally associated with the role. 
  4. Click Yes to confirm and delete the role.

Assigning Security Roles to Employees

Now that Security Roles have been created, users can assign those Security Roles to employees. It is required to have at least one user assigned the System Administrator role to act as the system administrator for role and rights management. Security Roles can be assigned to employees by either assigning from the Security Management screen, Employee Security screen, or by assigning within Employee Details in the Desktop Application.

Assigning from Security Management > Security Roles tab

  1. From the Application Menu, click Maintenance > Preferences > Security Management.
  2. The Security Management feature will open in the user's default browser.
    • PensionPro supports the latest versions of Chrome, Edge, Firefox, and Internet Explorer 11.
  3. Click once on a Security Role to highlight it.
  4. Click the Edit button to the right of the grid.
  5. Assign employees to the role by clicking inside the Employees box and selecting the employee name that should be assigned to the role. Selected employees will appear in the box.
    • Multiple employees can be added to the role at once.
    • An employee can only be assigned to 1 role.
      • Remove an employee from the Role by clicking the X button next to their name.
    • Employees marked as Inactive in PensionPro will not appear in the Employees dropdown.
  6. Click Save

 

Assigning from Security Management > Employee Security tab

  1. From the Application Menu, click Maintenance > Preferences > Security Management.
  2. The Security Management feature will open in the user's default browser.
    • PensionPro supports the latest versions of Chrome, Edge, Firefox, and Internet Explorer 11.
  3. Click once on an Employee row to highlight it.
  4. Click the Edit button to the right of the grid.
  5. Set Security Based On to Security Roles. Select a Security Role from the dropdown
  6. Click Save

    Note
    : Changing an Employee's Security Method from Security Roles to Security Rights will keep all of the Security Rights the employee had under that Security Role. You can Add or Remove individual Security Rights for the Employee.

Assigning from Employee Details in Desktop Application

  1. Click the Company Directory located in the upper-lefthand corner of PensionPro.
  2. Double-click on an Employee's name to open their Employee Details screen.
  3. Click the Security Rights tab.
  4. Click the Edit button to the right of the Security Rights grid.
  5. Click the Security Role dropdown menu and select the target Security Role from the menu.
    • The dropdown will read "None" if no Security Role is selected.
    • Users can either choose to select a Security Role or select "None" from the Security Role menu and choose individual rights. Users cannot select a Security Role and add additional Security Rights. 
  6. Click Save.

Users can also find how to add roles in Adding Employees and Security Rights

Employees Assigned to Security Roles

Users have the ability to view all employees assigned to each Security Role. This information can be viewed in the Security Roles grid along with the Role Name, Description and added Security Rights. Users can click the Export button on the Security Management screen to export a report of this information.

Multi-Factor Authentication

Multi-Factor Authentication is a feature that must be enabled in order to access the MFA features in Security Management and Workflow.

Turning MFA on for Employees

  1. From the Application Menu, click Maintenance > Preferences > Security Management.
  2. Click on the Multi-Factor Authentication tab
  3. Select 1 or more Employees and click Edit
  4. Set MFA Status to Enforced to require Employees to verify themselves with a code delivered to them by your choice of Email or Text. Set to Disabled to let Employee log in without verifying themselves.
  5. Set Reset MFA Settings to Yes to wipe selected Employees' MFA Settings and required them to verify themselves at next login if their MFA Status is Enforced

Setting Available MFA Options 

When an Employee logs in and MFA Status is Enforced, they will be able to select how they want to receive their 6-digit code from a list of delivery methods that you allow for your firm. You can allow Email, Text, or both.

  1. From the Application Menu, click Maintenance > Preferences > PensionPro.
  2. Select the Data Security Preference Type
  3. Click Edit and select the Available MFA Options you will let Employees use.

When you change the Available MFA Options, Employees that have MFA Status Enforced will be required to verify themselves at next login.

 

Employee's Preferred MFA Option

When an Employee is going through the MFA process for the first time at log in, their first selection becomes their default Preferred MFA Option. When the Employee logs in, they will see their Preferred MFA Option at the top of the list at the log in screen. An Employee can change their Preferred MFA Option in Employee Details > Account

The system will automatically remember an Employee's machine and IP address who submitted a successful verification code for the next 60 days. An Employee will not be prompted to provide a new verification code unless:

  • 60 days have elapsed since last verification code was submitted for that machine and IP address
  • The System Administrator Reset MFA Settings in Security Management
  • The System Administrator changes Available MFA Options in Data Security Preferences
  • The Employee changes their Preferred MFA Option in Account.

Note: This code is remembered by the machine and IP address combination. Each unique combination will be saved for 60 days.

An Employee using Text can change their phone number by pressing the Change button. This will wipe the current phone number if they had one on file and exit the application. The Employee can set up their new number the next time they log in.

The Employee can select any of the Available MFA Options at the log in screen regardless of their Preferred MFA Option.

Due to privacy concerns, no one can see an Employee's Preferred MFA Option and Phone Number except for that Employee.

 

Using the Security Management Toolbar

The Security Role Toolbar allows users to effectively navigate and manage their Security Roles in the editor.

  • Export
    • Click the Export button from the toolbar to export a list of Roles to view their description,  assigned rights and assigned employees to each role.
  • Group
    • Grouping can be added by clicking the Grouping button and then clicking and dragging a column header to the Grouping bar that displays.
      • Only Role Name and Description columns can be grouped
  • Filter
    • Click the Filter button to add filters to the Role Name and Description columns.
    • Click the Filter button that appears on the column headers to filter by data within that column.
  • Sort
    • Click a column header to sort by that column.
      • Only Role Name and Description columns can be sorted. 
      • Click once to sort in ascending order.
      • Click again to sort in descending order.
      • Click a third time to remove sorting.
    • Users can click the Clear Sort button to remove sorting at any time.
  • Refresh
    • Click the Refresh button at any time to refresh the page and view any changes.

Frequently Asked Questions

  • If I create an Administrator Security Role, does that automatically give those rights to employees I've set up as an "Administrator" Employee Plan Role in PensionPro? No. Users must still assign the Security Role to the employees that should have that level of access. Security Management is not directly tied to Employee Plan Role assignments.

 

  • I am on the Business Tier, but I don't see the Security Management feature.
    In order to use the Security Management feature, you will need to be on the Business Tier and you must have the Add/Edit Employee and Security Management rights.

 

  • Can I give an employee access to a Security Role and then grant them additional security rights? Users can only be assigned either a Security Role or be assigned individual rights. Users cannot assign a role to an employee and then grant that employee supplemental rights. 

 

  • All of my employees were assigned Security Roles and they were deleted. Are we locked out of access to PensionPro? No. Before any users were assigned a Security Role, at least one user was granted the System Administrator Security Role. That user can create new roles and assign them to each employee to provide the necessary security roles/rights to each user.

 

  • Can I view who updated a Security Role and when? On the Security Management screen, users can view who updated a Security Role and when that update was made in the Updated By and Updated On columns of the grid respectively. These columns update when there is a change made to the name, description, rights, or assigned employees for a Security Role.

 

 

Feature feedback

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments