Account Access Control
Do you have some accounts that you want only specific
operators to access?
The absolutely correct approach to account isolation involves
separate networks, physical offices, and LANs. Anything else
has complications. For example, how would data segregation
affect your compliance to laws limiting the calls your company
can make to the debtor in a day, or do you need to worry
about a sharp operator that sets up a sniffer on your network?
Ours is a simple and comprehensive solution, but it may
not apply if you require legally contracted segregation
procedures. For those types of account isolation, please
consult your local technical security experts to set up a
secure environment for you, with separate servers, networks,
and offices, as needed to fulfill your contract.
Collect!'s Account Access Control cannot promise complete
assurance that an unauthorized user will not gain access to
confidential account information, (only the correct approach
described above can offer that) but it does offer you very
flexible and comprehensive options that are easy to implement.
These are outlined below.
Our solutions provide these features:
1. You can mark accounts confidential, and access to a
confidential account can be restricted to a specific operator
or group of operators.
2. You can designate which operators have limited access to
files, and which operators have full access for administrative
purposes and you can organize your operators into security
groups of arbitrary size.
3. You can select from two levels of isolation, the most strict
where the confidential accounts do not show up at all when
the restricted operator searches, and a second level intended
to allow your staff to answer and route incoming phone calls
while severely limiting the information displayed to the
restricted operator answering the call.
Our solutions involve the following:
1. An Operator is granted access to any account that has
their ID in the Operator or Sales field on the Debtor form.
2. The Debtor Detail form has two fields that may be used
to fine-tune account access further. These fields are
named Clerk and Access.
You can select from the list of IDs to pick an operator
or team for either of these fields.
a) An Operator is granted access to any account that has
their ID in one of these fields or the Team ID of a team to
which they belong.
b) An Operator is granted access to any account which has
nothing set in these fields, unless the operator is "locked out"
as described below.
3. The account access control security capability allows
very flexible user groupings. An Operator can belong to a
team that belongs to a team that belongs to a team,
nesting levels up to an arbitrary number of levels.
4. The Operator Security form has several switches pertaining
to security.
a) A switch to enable Security (with a
check mark).
b) A switch Strict to control whether
accounts the user does not have access to are shown
with limited data or not at all.
c) A switch Locked out by default to lock
the Operator out of all accounts that do not have their ID in
the areas noted above, including accounts that have no
other access control settings set in the Debtor Detail. (By
default, if there are no settings set in the Debtor Detail, the
account is accessible to all operators.)
d) A field Client # to specify a particular
Client whose accounts the Operator can access. This
includes any Clients "Owned by" the Client # you specify.
e) A switch Apply to Client Accounts to
restrict browsing Clients to the particular Client or
Client hierarchy you have specified in the "Client #" field.
How To Set Up Account Access Control
Account access control may be set up from the Debtor
form or the Operator Security form, depending on how
you intend to restrict your accounts.
There are four main ways to set up account access control:
- Restrict by Account
- Restrict by Lock Out
- Restrict by Client
- Restrict with Client Type Operator
Each of these is described below.
Restrict By Account
This method restricts access on an account by account
basis.
1. For each Debtor that you want to restrict access to, place
an operator ID or a security team ID into the Access
or Clerk field in the Debtor Detail form.
This will enable the Operator or Team to see this account.
2. For each restricted operator, switch ON Security
with a check mark, and optionally, switch ON 'Strict.
This must be done for every operator for whom security
applies. An Operator with these switches off can
see everything, regardless of any other settings.
3. If you want groups of people to access accounts, create an
Operator Team for each security group and use that team ID in
the Debtor Detail Access
or Clerk field.
Restrict By Lock Out
This method restricts all accounts based on Operator settings.
1. For each Operator that you want to restrict from accessing
accounts, in the Operator Security section of the Operator form,
switch ON Security with a check mark,
and optionally, switch ON Strict.
2. Switch ON Locked out by default.
These settings will prevent the Operator from viewing any
account that does not have their ID in one or several of
the following fields, or the Team ID of a team that they
belong to.
- Debtor Operator field
- Debtor Sales field
- Debtor Detail Clerk field
- Debtor Detail Access field
Operators are also UNABLE TO VIEW
accounts with no settings at all in the Debtor Detail.
Restrict By Client
This method restricts access based on Operator settings
and Client #.
1. Put the a Client # in the Operator Security section of the
Operator form. This will restrict the Operator to viewing only
the accounts belonging to that Client #.
2. Switch ON Security with a check mark,
and optionally, switch ON Strict. These
switches must be set to enable access control by
client. An Operator with these switches off can see
everything, regardless other settings.
Client ownership is a hierarchical system that allows
you to use the Owned by client in the
Client form. If the Client # you enter for the Operator owns
other clients, they will also be visible to the particular
operator through the Browse Debtors or Find By menus.
3. Optionally, switch ON Apply to client accounts
if you want this Operator to be able to browse and edit
Clients or add a new Client. This will restrict viewing to
only the Client # specified in the "Client #" field or any
Clients "owned by" that Client #.
If an Operator creates a new Client when Apply
to client accounts is switched ON, the new Client will
automatically be "owned by" the Operator Security Client #
setting. Collect! will write the Client # to the "Owned by" field
on the new Client.
Restrict With Client Type Operator
This method simply sets up a Client Operator with access
to their own accounts.
1. In the Operator form, select Client in
the Type field and put in a Client # in the Client #
field that becomes visible beneath the field
labeled Actual. This will restrict the
Operator to only view accounts for the Client you specify.
Leaving the Client # empty for a Client type
Operator will produce wrong results.
2. We recommend that you try out User Level 98, Guest,
for your Client operators. Then you can enable other fields
or menu items as needed.
Client ownership is a hierarchical system that allows
you to use the Owned by client in the
Client form. You can enable your Clients to search for
debtors using the Browse Find By menu. They will not be
able to view records that they do not own. Clients who
own other clients are able to see all records in their
hierarchical tree, but no others.
Please refer to Help topic,
Enabling Your Clients to Browse for Records, for details.
How To Use Account Access Control
Sign on as an operator who does not have access to a
specific account. You should see the following.
If you have Strict turned ON:
You cannot find the Debtor when you Browse All Debtors,
use Browse Find By, or print a report. If you have been
assigned accounts in your WIP that you do not have
access to, (an account assignment error) the account is
displayed as described when Strict
is turned OFF below.
If you have Strict turned OFF:
The idea is that in a small office all people will answer the
phone, and basic information is needed to be able to route
incoming calls to appropriately authorized people, while
keeping as much information as possible private.
You will see a mostly empty Debtor as an account
placeholder for each confidential account. The name
shows N/A. Only the information shown below is
displayed on the confidential account.
- File number
- Last worked date
- Operator assigned to the account
- Current amount owing on the account
- Group number
- Group member number
When you use Browse Find By functions, you will be able
to locate the account, but it will mostly be blank as described
above. No demographic information is displayed. This ensures
the privacy of the individual and you cannot access any related
information.
- To route an incoming call, you have a File number
and an Operator ID to help you find an appropriate authority with
access to that account.
- To answer questions about an account in a group, the
Owing is shown.
- To help avoid making more than one call per day to an
account, the Worked date field is also displayed.
Beyond that, the Operator has no further information about
the account. This ensures account privacy, yet enables
your office to seamlessly operate as a team.
If you are a CLIENT OPERATOR:
If you sign in as a Client Operator, you should only be
able to see your own accounts. When using Browse Find By
functions, you can only find accounts for your Client #.
Client ownership is a hierarchical system that allows
you to use the Owned by client in the
Client form. Clients who own other clients are able to
browse for all records in their hierarchical tree, but
no others.
How The System Determines Access
How does the system decide if an operator has
access to an account?
A restricted operator has access to an account if:
1. The account does not have an Access ID entered in
the Debtor Detail form, UNLESS the operator is "Locked out
by default," as described above.
2. The Operator, Sales, Clerk or Access fields contain
the ID of the operator or the Team ID of a team the
operator belongs to.
3. The account belongs to a client whose Client #
matches the entry in the Operator Security Client #,
also includes Client #'s that client owns.
4. For Client type Operators, the Client # matches the
client the account belongs to, also includes Client #'s
that client owns.
Collect! determines whether or not an Operator
is granted access to an account in the following order.
1. Client Access
2. Locked Out By Default
3. Operator ID
4. Sales ID
5. Debtor Detail - Clerk ID
6. Debtor Detail - Access ID
7. Team List
What happens when a user arrives on a
confidential account?
There may be some instances in the system where, due to
account assignment error or some other error, the operator
sees an account that is confidential to them. In that case,
only the fields listed above are displayed to the operator.
They also have no control over the account and only the OK,
Next and Prior command buttons are active. All other access
to the confidential account information is prohibited.
How does account access control work with Web Host?
When a user that has security enabled logs on to the
Web Host, their team membership is enumerated and the
associated team IDs stored in the web user's team List.
Each user has connection information and the team List
is associated with the user ID.
When a Web Host user signs on, Collect! creates a new
connection information record and attaches the user's team
list to the user's connection information structure. When
the user logs out, the team List associated with the user
is deleted.
As each request is received from the web, Collect! switches
the user context and replaces the system team List pointer
with the team List of the operator. This allows the web based
data access to transparently use the operator's access
control settings.
Limitations To Account Security
The following important conditions and limitations apply
when using account access control.
Speed
The user rights are not indexed and are transparent to your
searches except that debtors the user hasn't got access to
are discarded at a low level in the system. If a user has
rights to only 1 record in 10,000 then the system will likely
have to search all 10,00 records before it finds the one the
user has rights to.
Limited Use
Do not use a security enabled operator incorrectly. If you
want to do a batch operation or anything complex, such as
statistical calculations, then you should sign on as an
unrestricted operator.
The Account Security function is not intended to work with
batch operations, or anything complex unless the complex
task is specifically planned for and is designed to support
Security in both Strict and Non-strict forms, depending on
your requirements.
If you use complex plans or control files that look at
debtor groups please be aware that account security
will restrict the data available to unauthorized users.
See Also
- Enabling Your Clients to Browse for Records
- Operator Security
|
Was this page helpful? Do you have any comments on this document? Can we make it better? If so how may we improve this page.
Please click this link to send us your comments: helpinfo@collect.org