Although we like to think the best of our coworkers—at least in most cases—allowing every Employee to have unrestricted access to every feature within any data management system can be a concern for data security and integrity. To that end, PensionPro allows Employees to be supplied with Security Rights depending on which PensionPro features each Employee should be allowed to have access to, and uses Security Roles to simplify the process of managing Security Rights for different groups of Employees.
Article Contents
- Security Rights
- Security Roles
- Assigning Rights and Roles
- Frequently Asked Questions
- Appendix A: List of Security Rights
- Appendix B: Recommended Rights by Role
Security Rights
Tier Availability: Track, Team, Business
A Security Right represents permission for an Employee (in other words, a PensionPro user) to perform some function within PensionPro. Although PensionPro does not restrict firms from assigning all Security Rights to all Employees, this might not always be in the firm's best interest—especially in terms of data security. It may not be desirable to allow every Employee to make changes to firm-wide preferences, or to alter Project Templates or execute Power Tools. PensionPro's recommendation is to follow best data security practices by only assigning Employees the Security Rights necessary to perform their assigned duties.
In the event that an Employee does not have the appropriate Security Rights necessary to perform an action, the associated menu item or icon may be unavailable, or will be grayed out and cannot be selected.
For a comprehensive list of all Security Rights, refer to the section Appendix A: List of Security Rights.
Security Roles
Tier Availability: Business
As opposed to managing Security Rights individually for every Employee, PensionPro also provides the ability to assign a Security Role to the Employee. Security Rights are then assigned to each Role, rather than each Employee.
For example, a Plan Administrator Role may have Security Rights that allow them to add and edit Plan and Project data, but a Sales Role may have an alternate set of Rights that pertain to SalesPitch and managing Contacts. In this case, Security Roles can provide a quick understanding of the Security Rights an Employee has. What's more, if ten Employees are assigned to a Plan Administrator Role, and the Security Rights need to be adjusted for that Role, the change only needs to be made once, rather than ten times (once for each Employee).
Managing Security Roles
Security Rights Required: Maintenance, Security Management
To access Security Role settings:
- Navigate to Maintenance > Preferences > Security Management.
- Select the Security Roles view. Any existing Security Roles will be displayed in the grid.
To add a Security Role:
- Select Add at the top-right of the grid.
- Specify a Role Name.
- To add a Security Right, select the Rights dropdown, then select the desired Security Right from the list. The Security Right will be added to the box below the Rights field.
- To remove a Security Right, locate the Security Right in the box below the Rights field, then select Remove on the right.
- (Optional) Use the Employees field to assign Employees to this Security Role. Employees that are currently assigned to another Security Role will not be available for selection.
- When finished, select Save.
Hovering over an existing Security Role displays the Edit, Copy, and Delete options on the right.
The Security Roles grid provides Created On, Created By, Updated On, and Updated By columns to track any Rights changes that are made to Security Roles.
The System Administrator Role
Every new instance of PensionPro contains the System Administrator Role by default. This Role cannot be deleted, and contains nearly all available Security Rights, which cannot be edited. Any Employee assigned the System Administrator Role will have unrestricted access to all areas of PensionPro; as such, PensionPro recommends that this Role be used sparingly. Generally, this Role should only be granted to the firm's systems administrator or other principal user.
To prevent a situation where all users are locked out of Security Management features, PensionPro requires at least one Employee to be assigned the System Administrator Role.
Assigning Rights and Roles
Security Rights or Roles are assigned on a per-Employee basis. This can be performed from either the Employee tab of the Employee in question, or within the Security Management preferences.
From the Employee Tab
Security Rights Required: Add/Edit Employee
- Search for and open the desired Employee record in a new Employee tab.
- Select the Security Rights view. The grid displays all currently-assigned Security Rights.
- Select Edit at the top-right of the grid. The Edit Security Rights window displays.
- To assign a Security Role, select the desired Role from the Security Role dropdown. All of the Security Rights associated with that Role will be applied, and cannot be directly managed.
- In lieu of a Security Role, Security Rights can be managed directly:
- To add a Security Right, select the Available Rights dropdown, then select the desired Security Right from the list. The Security Right will be added to the box below the Available Rights field.
- To remove a Security Right, locate the Security Right in the box below the Available Rights field, then select Remove on the right.
- When finished, select Save.
- Changes may not take effect until the next time the Employee logs in to PensionPro.
From Security Management
Tier Availability: Business
Security Rights Required: Maintenance, Security Management
- Navigate to Maintenance > Preferences > Security Management.
- Select the Employee Security view. The grid displays all active Employees and their assigned Security Role or Security Rights.
- Hover over an Employee and select Edit to the right. The Edit Employee Security window displays.
- Select the Security Based On dropdown and choose either Security Roles or Security Rights as desired.
- If using Security Roles, select the desired Role from the Role dropdown. All of the Security Rights associated with that Role will be applied, and cannot be directly managed.
- If using Security Rights, all Rights are managed directly:
- To add a Security Right, select the Rights dropdown, then select the desired Security Right from the list. The Security Right will be added to the box below the Rights field.
- To remove a Security Right, locate the Security Right in the box below the Rights field, then select Remove on the right.
- When finished, select Save.
- Changes may not take effect until the next time the Employee logs in to PensionPro.
Frequently Asked Questions
- Can I give an employee access to a Security Role and then grant them additional Security Rights? No. An Employee is either assigned to a Security Role, or Security Rights are applied individually; there is no way to combine these two methods. If necessary, the Security Role can be updated to include the new Rights for all Employees assigned to that Role, or a new Role can be created.
Appendix A: List of Security Rights
Access LMS |
|
Access Merge Documents |
|
Access Power Tools |
|
Access Query Tool |
|
Access Update Power Tools |
|
Access SalesPitch |
|
Access SalesPitch Conversion Tool |
|
Account Maintenance |
|
Add/Edit API Access |
|
Add/Edit Client |
|
Add/Edit Contact |
|
Add/Edit E-Signature Templates |
|
Add/Edit Employee |
|
Add/Edit Event |
|
Add/Edit Event Configurations |
|
Add/Edit Fee Schedule |
|
Add/Edit Interaction |
|
Add/Edit Plan |
|
Add/Edit Plan Cycles |
|
Add/Edit Plan Doc Specs |
|
Add/Edit Project |
|
Alter Due Dates |
|
Authorized IP Address Exempt |
|
Blast Email |
|
Create E-Signature Requests |
|
Create Merge Documents |
|
Delete Documents |
|
Delete Interactions |
|
Delete Notes |
|
Delete Secure File Exchange |
|
Edit Other To-Dos |
|
Edit PlanSponsorLink Styling |
|
Edit/Merge Company Names |
|
Maintenance |
|
Manage Authorized IP Addresses |
|
Manage Contact Security |
|
Manage Single Sign-On |
|
Management Reports |
|
Manager |
|
PSL MFA Security |
|
Reassign Tasks |
|
Security Management |
|
Single Sign-On Exempt |
|
Task Override |
|
View Events |
|
View Other Dashboards |
|
View Other Secure File Exchanges |
|
Appendix B: Recommended Rights by Role
Security Right |
Manager | Team Leader | Plan Admin | Distribution | Conversion | Sales |
---|---|---|---|---|---|---|
Access Merge Documents | x | x | x | |||
Access Power Tools | x | x | ||||
Access LMS | x |
x |
x | x | x | |
Access Query Tool | x | x | x | x | x | |
Access Update Power Tools | x | x | ||||
Access SalesPitch | x | x | ||||
Access SalesPitch Conversion Tool | x | x | ||||
Account Maintenance | x | |||||
Add/Edit Client | x | x | x | x | ||
Add/Edit Contact | x | x | x | x | x | |
Add/Edit E-Signature Templates | x | x | ||||
Add/Edit Employee | x | x | ||||
Add/Edit Event | x | x | ||||
Add/Edit Event Configurations | x | x | ||||
Add/Edit Fee Schedule | x | x | ||||
Add/Edit Interaction | x | x | x | x | x | x |
Add/Edit Plan | x | x | x | x | ||
Add/Edit Plan Cycles | x | x | x | x | ||
Add/Edit Plan Doc Specs | x | x | x | x | ||
Add/Edit Project | x | x | x | x | x | |
Alter Due Dates | x | x | ||||
Authorized IP Exempt | ||||||
Blast Email | x | x | ||||
Create E-Signature Requests | x | x | x | x | x | x |
Create Merge Documents | x | x | x | |||
Delete Documents | x | x | ||||
Delete Interactions | x | x | ||||
Delete Notes | x | x | ||||
Delete Secure File Exchange | x | x | ||||
Edit Other To-Dos | x | x | ||||
Edit PlanSponsorLink Styling | x | |||||
Edit/Merge Company Names | x | x | ||||
Maintenance | x | x | ||||
Manage Authorized IP Addresses | x | |||||
Manage Contact Security | x | x | x | x | ||
Manage Single Sign-On | x |
|||||
Management Reports | x | x | ||||
Manager | x | x | ||||
PSL MFA Security | x | |||||
Reassign Tasks | x | x | ||||
Security Management | x | |||||
Single Sign-On Exempt | ||||||
Task Override | x | x | ||||
View Events | x | x | x | x | x | |
View Other Dashboards | x | x | ||||
View Other Secure File Exchanges | x | x | x | x |