Security Rights & Security Roles

Although we like to think the best of our coworkers—at least in most cases—allowing every Employee to have unrestricted access to every feature within any data management system can be a concern for data security and integrity. To that end, PensionPro allows Employees to be supplied with Security Rights depending on which PensionPro features each Employee should be allowed to have access to, and uses Security Roles to simplify the process of managing Security Rights for different groups of Employees.

 

Note: Some items may not be available in all tiers.

 

Article Contents

 

 


 

Security Rights

 

Tier Availability:  Track, Team, Business 

 

A Security Right represents permission for an Employee (in other words, a PensionPro user) to perform some function within PensionPro. Although PensionPro does not restrict firms from assigning all Security Rights to all Employees, this might not always be in the firm's best interest—especially in terms of data security. It may not be desirable to allow every Employee to make changes to firm-wide preferences, or to alter Project Templates or execute Power Tools. PensionPro's recommendation is to follow best data security practices by only assigning Employees the Security Rights necessary to perform their assigned duties.

 

In the event that an Employee does not have the appropriate Security Rights necessary to perform an action, the associated menu item or icon may be unavailable, or will be grayed out and cannot be selected.

 

For a comprehensive list of all Security Rights, refer to the section Appendix A: List of Security Rights.

 


 

Security Roles

 

Tier Availability:  Business 

 

As opposed to managing Security Rights individually for every Employee, PensionPro also provides the ability to assign a Security Role to the Employee. Security Rights are then assigned to each Role, rather than each Employee.

 

For example, a Plan Administrator Role may have Security Rights that allow them to add and edit Plan and Project data, but a Sales Role may have an alternate set of Rights that pertain to SalesPitch and managing Contacts. In this case, Security Roles can provide a quick understanding of the Security Rights an Employee has. What's more, if ten Employees are assigned to a Plan Administrator Role, and the Security Rights need to be adjusted for that Role, the change only needs to be made once, rather than ten times (once for each Employee).

 

Note: Security Roles are separate from Employee Plan Roles and must be assigned to Employees directly; adding an Employee to a Plan Role does not alter their Security Rights.

 


 

Managing Security Roles

 

Security Rights Required:  Maintenance, Security Management

 

To access Security Role settings:

 

  1. Navigate to Maintenance > Preferences > Security Management.
  2. Select the Security Roles view. Any existing Security Roles will be displayed in the grid.

 

To add a Security Role:

 

  1. Select Addadd.png at the top-right of the grid.
  2. Specify a Role Name.
  3. To add a Security Right, select the Rights dropdown, then select the desired Security Right from the list. The Security Right will be added to the box below the Rights field.
  4. To remove a Security Right, locate the Security Right in the box below the Rights field, then select Removeremove.png on the right.
  5. (Optional) Use the Employees field to assign Employees to this Security Role. Employees that are currently assigned to another Security Role will not be available for selection.
  6. When finished, select Save.

 

Hovering over an existing Security Role displays the Editedit.png, Copycopy.png, and Deletedelete.png options on the right.

 

The Security Roles grid provides Created On, Created By, Updated On, and Updated By columns to track any Rights changes that are made to Security Roles.

 


 

The System Administrator Role

 

Every new instance of PensionPro contains the System Administrator Role by default. This Role cannot be deleted, and contains nearly all available Security Rights, which cannot be edited. Any Employee assigned the System Administrator Role will have unrestricted access to all areas of PensionPro; as such, PensionPro recommends that this Role be used sparingly. Generally, this Role should only be granted to the firm's systems administrator or other principal user.

 

To prevent a situation where all users are locked out of Security Management features, PensionPro requires at least one Employee to be assigned the System Administrator Role.

 

Note: For security reasons, the System Administrator Role is not assigned the Authorized IP Exempt Security Right, preventing the account from being accessed outside of any authorized networks when IP Address Whitelisting is in effect.

 


 

Assigning Rights and Roles

 

Security Rights or Roles are assigned on a per-Employee basis. This can be performed from either the Employee tab of the Employee in question, or within the Security Management preferences.

 


 

From the Employee Tab

 

Security Rights Required:  Add/Edit Employee  

 

  1. Search for and open the desired Employee record in a new Employee tab.
  2. Select the Security Rights view. The grid displays all currently-assigned Security Rights.
  3. Select Editedit.png at the top-right of the grid. The Edit Security Rights window displays.
  4. To assign a Security Role, select the desired Role from the Security Role dropdown. All of the Security Rights associated with that Role will be applied, and cannot be directly managed.
  5. In lieu of a Security Role, Security Rights can be managed directly:
    • To add a Security Right, select the Available Rights dropdown, then select the desired Security Right from the list. The Security Right will be added to the box below the Available Rights field.
    • To remove a Security Right, locate the Security Right in the box below the Available Rights field, then select Removedelete.png on the right.
  6. When finished, select Save.
    • Changes may not take effect until the next time the Employee logs in to PensionPro.

 


 

From Security Management

 

Tier Availability:  Business 

Security Rights Required:  Maintenance, Security Management

 

  1. Navigate to Maintenance > Preferences > Security Management.
  2. Select the Employee Security view. The grid displays all active Employees and their assigned Security Role or Security Rights.
  3. Hover over an Employee and select Editedit.png to the right. The Edit Employee Security window displays.
  4. Select the Security Based On dropdown and choose either Security Roles or Security Rights as desired.
  5. If using Security Roles, select the desired Role from the Role dropdown. All of the Security Rights associated with that Role will be applied, and cannot be directly managed.
  6. If using Security Rights, all Rights are managed directly:
    • To add a Security Right, select the Rights dropdown, then select the desired Security Right from the list. The Security Right will be added to the box below the Rights field.
    • To remove a Security Right, locate the Security Right in the box below the Rights field, then select Removedelete.png on the right.
  7. When finished, select Save.
    • Changes may not take effect until the next time the Employee logs in to PensionPro.

 


 

Frequently Asked Questions

 

  • Can I give an employee access to a Security Role and then grant them additional Security Rights? No. An Employee is either assigned to a Security Role, or Security Rights are applied individually; there is no way to combine these two methods. If necessary, the Security Role can be updated to include the new Rights for all Employees assigned to that Role, or a new Role can be created.

 


 

Appendix A: List of Security Rights

 

Access LMS
  • User can select Moremore_header.png > ProPass Learning in the PensionPro header to access the ProPass platform
  • User is included in the monthly fee calculation for ProPass billing
Access Merge Documents
  • User can access Communications > Merge Documents, and can add and edit Merge Document Templates
Access Power Tools
  • User can access the Power Tools menu in the Navigation Panel, and can utilize any available Power Tool
Access Query Tool
  • User can access and utilize PensionPro Fetch
Access Update Power Tools
  • User can access the Power Tools > Import > Update category of Power Tools for updating records via spreadsheet import.
Access SalesPitch
  • User can view, add, and edit most SalesPitch items
  • User is added to the Scoreboard
  • User is included in the monthly fee calculation for SalesPitch billing
Access SalesPitch Conversion Tool
  • User can convert Proposals to Plans via the SalesPitch Conversion Tool
Account Maintenance
  • User can access Moremore_header.png > Account Maintenance, and can manage firm account and billing information
Add/Edit API Access
  • User can add, edit, and delete API keys within the API Access view in Firm maintenance.
Add/Edit Client
  • User can create Client records using Add Data > Client
  • User can edit existing information on the Client tab
Add/Edit Contact
  • User can create Contact records using Add Data > Contact
  • User can edit existing information on the Contact tab
Add/Edit E-Signature Templates
  • User can access Maintenance > E-Signature Templates, and can add and edit E-Signature Templates for use with the DocuSign integration
Add/Edit Employee
  • User can create Employee records using Add Data > Employee
  • User can edit existing information on the Employee tab
    • This includes assigning Security and Location Rights and Worktrays
Add/Edit Event
  • User can add and edit Events in the Events Dashboard
Add/Edit Event Configurations
  • User can access Maintenance > Preferences > Event Configuration, and can add and edit Event Configurations
Add/Edit Fee Schedule
  • User can access the Fee Schedule view within PensionPro Preferences, and can add and edit Fee Schedule Templates
  • User can add and edit Fee Schedules within the Plan tab > Fee Schedules view
Add/Edit Interaction
  • User can create Interaction records using Add Data > Interaction
  • User can add or edit Interaction records within the Interactions view of any relevant tab
Add/Edit Plan
  • User can create Plan records using Add Data > Plan, or from the Client tab > Plans view
  • User can edit existing information on the Plan tab
Add/Edit Plan Cycles
  • User can create Plan Cycle records within the Plan tab > Plan Cycles view
  • User can edit information on the Plan Cycle tab
Add/Edit Plan Doc Specs
  • User can access Maintenance > Preferences > Document Specifications, and can add and edit Document Specifications Templates
  • User can add and edit Document Specification Versions within the Plan tab > Specifications view
Add/Edit Project
  • User can launch Projects using Add Data > Project, or from the Plan tab > Projects view
  • User can edit existing information on the Project tab
Alter Due Dates
  • User can edit a Project's External Deadline
  • User can edit a Task's Due Date
Authorized IP Address Exempt
  • User can access PensionPro from any IP address, regardless of authorization
Blast Email
  • User can access Communications > Blast Email, and can create, edit, and send Blast Email Templates
Create E-Signature Requests
  • User can access the Moremore_options.png > Send E-Signature Document option with a File selected to send the File to DocuSign for E-Signature
Create Merge Documents
  • User can access the Moremore_options.png > Create Merge Documents option in the appropriate tab header to launch the Merge Document Creation tool
Delete Documents
  • User can delete Files from any relevant view within the Plan and Project tabs
Delete Interactions
  • User can delete Interaction records from the Interactions view of any relevant tab
Delete Notes
  • User can delete Notes from the Notes view of any relevant tab
Delete Secure File Exchange
  • User can delete Secure File Exchange items from Communications > Secure File Exchange
Edit Other To-Dos
  • User can edit and delete To-Do items that are not assigned to them
Edit PlanSponsorLink Styling
  • User can access the PlanSponsorLink Style view within PensionPro Preferences, and edit appearance of PlanSponsorLink
Edit/Merge Company Names
  • User can edit existing information on the Company tab
  • User can access the Moremore_options.pngMerge option on the Company tab > General view to merge Company data
Maintenance
  • User can access the Maintenance menu, including the following items:
    • Data Deletion
    • Firms/Locations
    • List Values
    • PensionPro Preferences
    • Project Templates
    • Time Codes
    • Worktray Management
Manage Authorized IP Addresses
  • User can access Maintenance > Preferences > Authorized IP Addresses, and can add and edit IP addresses
Manage Contact Security
  • User can access the following options within the Moremore_options.png menu on the Contact tab:
    • Reset MFA to reset the Contact's Multi-Factor Authentication preferences on PlanSponsorLink
    • Set Password to generate a new temporary PlanSponsorLink password for the Contact
Manage Single Sign-On
  • User can access Single Sign-On within PensionPro Preferences and edit SSO settings.
Management Reports
  • User can access Reporting > Management Reports and run any reports in that category
Manager
  • User can access the My Projects Dashboard
  • User can remove the completion state for a Task, re-opening the Task for activity
  • User can reassign a Project's Tasks within the Moremore_options.png menu on the Project tab
  • User can reassign Tasks across multiple Projects within the Moremore_options.png menu on the Employee tab
PSL MFA Security
  • User can enable/disable Multi-Factor Authentication requirements for PlanSponsorLink users
Reassign Tasks
  • User can reassign Tasks to another Employee or Worktray, or remove the assignment from a Task
Security Management
  • User can access Maintenance > Preferences > Security Management, where the user can:
    • Add and edit Security Roles
    • Assign Security Rights and Roles to Employees
    • Manage Employee Multi-Factor Authentication settings
Single Sign-On Exempt
  • User bypasses identity provider authorization and signs in using their PensionPro password.
Task Override
  • User can override Tasks to advance a Project
  • User can abort Projects
View Events
  • User can access Dashboards > Events
View Other Dashboards
  • User can view the Dashboards of other Employees from the My Tasks Dashboard
View Other Secure File Exchanges
  • User can view the inbox of other Employees within Communications > Secure File Exchange

 

 


 

Appendix B: Recommended Rights by Role

 

Security Right
Manager Team Leader Plan Admin Distribution Conversion Sales
Access Merge Documents x x x      
Access Power Tools x x        
Access LMS x
x
x x x  
Access Query Tool x x x   x x
Access Update Power Tools x x        
Access SalesPitch         x x
Access SalesPitch Conversion Tool         x x
Account Maintenance x          
Add/Edit Client x x x   x  
Add/Edit Contact x x x   x x
Add/Edit E-Signature Templates x x        
Add/Edit Employee x x        
Add/Edit Event x x        
Add/Edit Event Configurations x x        
Add/Edit Fee Schedule x x        
Add/Edit Interaction x x x x x x
Add/Edit Plan x x x   x  
Add/Edit Plan Cycles x x x   x  
Add/Edit Plan Doc Specs x x x   x  
Add/Edit Project x x x x x  
Alter Due Dates x x        
Authorized IP Exempt            
Blast Email x x        
Create E-Signature Requests x x x x x x
Create Merge Documents x x x      
Delete Documents x x        
Delete Interactions x x        
Delete Notes x x        
Delete Secure File Exchange x x        
Edit Other To-Dos x x        
Edit PlanSponsorLink Styling x          
Edit/Merge Company Names x x        
Maintenance x x        
Manage Authorized IP Addresses x          
Manage Contact Security x x x x    
Manage Single Sign-On x
         
Management Reports x x        
Manager x x        
PSL MFA Security x          
Reassign Tasks x x        
Security Management x          
Single Sign-On Exempt            
Task Override x x        
View Events x x x   x x
View Other Dashboards x x        
View Other Secure File Exchanges x x x x