How To Restrict Access To Accounts
Do you have some accounts that you want only specific operators to access?
The absolutely correct approach to account isolation involves separate networks, physical offices,
and LANs. Anything else has complications. For example, how would data segregation affect your
compliance to laws limiting the calls your company can make to the debtor in a day, or do you need
to worry about a sharp operator that sets up a sniffer on your network?
Ours is a simple and comprehensive solution, but it may not apply if you require legally contracted
segregation procedures. For those types of account isolation, please consult your local technical
security experts to set up a secure environment for you, with separate servers, networks, and
offices, as needed to fulfill your contract.
Collect!'s Account Access Control cannot promise complete assurance that an unauthorized user will
not gain access to confidential account information, (only the correct approach described above can
offer that) but it does offer you very flexible and comprehensive options that are easy to implement.
These are outlined below.
The security options also work for client operators like sales people. When enabled, you can
restrict access to clients to operators by filling in the Client Operator, Assign Accounts
to Operator, or Assign Sales to Operator fields. If you have Distribution Teams, you can
specify a team on the Client Operator field.
Our solutions provide these features:
- You can mark accounts confidential, and access to a confidential account can be restricted to
a specific operator or group of operators.
- You can designate which operators have limited access to files, and which operators have full
access for administrative purposes and you can organize your operators into security groups
of arbitrary size.
- You can select from two levels of isolation, the most strict where the confidential accounts
do not show up at all when the restricted operator searches, and a second level intended to
allow your staff to answer and route incoming phone calls while severely limiting the
information displayed to the restricted operator answering the call.
Our solutions involve the following:
- An Operator is granted access to any account that has their ID in the Operator or Sales field
on the Debtor form.
- The Debtor Detail form has two fields that may be used to fine-tune account access further.
These fields are named Clerk and Access. You can select
from the list of IDs to pick an operator or team for either of these fields.
- An Operator is granted access to any account that has their ID in one of these fields or
the Team ID of a team to which they belong.
- An Operator is granted access to any account which has nothing set in these fields, unless
the operator is "locked out" as described below.
- The account access control security capability allows very flexible user groupings. An Operator
can belong to a team that belongs to a team that belongs to a team, nesting levels up to an
arbitrary number of levels.
- The Operator Security form has several switches pertaining to security.
- A switch to enable Security (with a check mark).
- A switch Strict to control whether accounts the user does not have access
to are shown with limited data or not at all.
- A switch Locked out by default to lock the Operator out of all accounts
that do not have their ID in the areas noted above, including accounts that have no other
access control settings set in the Debtor Detail. (By default, if there are no settings
set in the Debtor Detail, the account is accessible to all operators.)
- A field Client # to specify a particular Client whose accounts the Operator
can access. This includes any Clients "Owned by" the Client # you specify.
- A switch Apply to Client Accounts to restrict browsing Clients to the
particular Client or Client hierarchy you have specified in the "Client #" field.
How To Set Up Account Access Control
Account access control may be set up from the Debtor form or the Operator Security form, depending
on how you intend to restrict your accounts.
There are four main ways to set up account access control:
- Restrict by Account
- Restrict by Lock Out
- Restrict by Client
- Restrict with Client Type Operator
Each of these is described below.
Restrict By Account
This method restricts access on an account by account basis.
- For each Debtor that you want to restrict access to, place an operator ID or a security team
ID into the Access field in the Debtor Detail form. This will enable the
Operator or Team to see this account.
- For each restricted operator, switch ON Security with a check mark, and
optionally, switch ON 'Strict'. This must be done for every operator for whom
security applies. An Operator with these switches off can see everything, regardless
of any other settings.
- If you want groups of people to access accounts, create an Operator Team for each security group
and use that team ID in the Debtor Detail Access or Clerk
field.
Restrict By Lock Out
This method restricts all accounts based on Operator settings.
- For each Operator that you want to restrict from accessing accounts, in the Operator Security
section of the Operator form, switch ON Security with a check mark, and
optionally, switch ON Strict.
- Switch ON Locked out by default.
These settings will prevent the Operator from viewing any account that does not have their ID in
one or several of the following fields, or the Team ID of a team that they belong to.
- Debtor Operator field
- Debtor Sales field
- Debtor Detail Clerk field
- Debtor Detail Access field
Operators are also UNABLE TO VIEW accounts with no settings at all in the Debtor Detail.
Restrict By Client
This method restricts access based on Operator settings and Client #.
- Put the a Client # in the Operator Security section of the Operator form. This will restrict
the Operator to viewing only the accounts belonging to that Client #.
- Switch ON Security with a check mark, and optionally, switch ON
Strict. These switches must be set to enable access control by client.
An Operator with these switches off can see everything, regardless other
settings.
Client ownership is a hierarchical system that allows you to use the Owned by
client in the Client form. If the Client # you enter for the Operator owns other
clients, they will also be visible to the particular operator through the Browse Debtors or
Find By menus.
- Optionally, switch ON Apply to client accounts if you want this Operator to
be able to browse and edit Clients or add a new Client. This will restrict viewing to only the
Client # specified in the "Client #" field or any Clients "owned by" that Client #.
If an Operator creates a new Client when Apply to client accounts is
switched ON, the new Client will automatically be "owned by" the Operator Security Client #
setting. Collect! will write the Client # to the "Owned by" field on the new Client.
Restrict With Client Type Operator
This method simply sets up a Client Operator with access to their own accounts.
- In the Operator form, select Client in the Type field and put in a Client #
in the Client # field that becomes visible beneath the field labeled
Actual. This will restrict the Operator to only view accounts for the Client
you specify.
Leaving the Client # empty for a Client type Operator will produce wrong results.
- We recommend that you try out User Level 98, Guest, for your Client operators. Then you can
enable other fields or menu items as needed.
Client ownership is a hierarchical system that allows you to use the Owned by
client in the Client form. You can enable your Clients to search for debtors using
the Browse Find By menu. They will not be able to view records that they do not own. Clients
who own other clients are able to see all records in their hierarchical tree, but no others.
How To Use Account Access Control
Sign on as an operator who does not have access to a specific account. You should see the following.
If you have Strict turned ON:
You cannot find the Debtor when you Browse All Debtors, use Browse Find By, or print a report. If
you have been assigned accounts in your WIP that you do not have access to, (an account assignment
error) the account is displayed as described when Strict is turned OFF below.
If you have Strict turned OFF:
The idea is that in a small office all people will answer the phone, and basic information is needed
to be able to route incoming calls to appropriately authorized people, while keeping as much
information as possible private.
You will see a mostly empty Debtor as an account placeholder for each confidential account. The name
shows N/A. Only the information shown below is displayed on the confidential account.
- File number
- Last worked date
- Operator assigned to the account
- Current amount owing on the account
- Group number
- Group member number
When you use Browse Find By functions, you will be able to locate the account, but it will mostly
be blank as described above. No demographic information is displayed. This ensures the privacy of
the individual and you cannot access any related information.
- To route an incoming call, you have a File number and an Operator ID to help you find an
appropriate authority with access to that account.
- To answer questions about an account in a group, the Owing is shown.
- To help avoid making more than one call per day to an account, the Worked date field is also
displayed.
Beyond that, the Operator has no further information about the account. This ensures account
privacy, yet enables your office to seamlessly operate as a team.
If you are a CLIENT OPERATOR:
If you sign in as a Client Operator, you should only be able to see your own accounts. When using
Browse Find By functions, you can only find accounts for your Client #. Client ownership is a
hierarchical system that allows you to use the Owned by client in the Client form.
Clients who own other clients are able to browse for all records in their hierarchical tree, but
no others.
How The System Determines Access
How does the system decide if an operator has access to an account?
A restricted operator has access to an account if:
- The account does not have an Access ID entered in the Debtor Detail form, UNLESS the operator
is "Locked out by default," as described above.
- The Operator, Sales, Clerk or Access fields contain the ID of the operator or the Team ID of
a team the operator belongs to.
- The account belongs to a client whose Client # matches the entry in the Operator Security
Client #, also includes Client #'s that client owns.
- For Client type Operators, the Client # matches the client the account belongs to, also includes
Client #'s that client owns.
Collect! determines whether or not an Operator is granted access to an account in the
following order.
- Client Access
- Locked Out By Default
- Operator ID
- Sales ID
- Debtor Detail - Clerk ID
- Debtor Detail - Access ID
- Team List
What happens when a user arrives on a confidential account?
There may be some instances in the system where, due to account assignment error or some other error,
the operator sees an account that is confidential to them. In that case, only the fields listed
above are displayed to the operator. They also have no control over the account and only the OK,
Next and Prior command buttons are active. All other access to the confidential account information
is prohibited.
How does account access control work with Web Host?
When a user that has security enabled logs on to the Web Host, their team membership is enumerated
and the associated team IDs stored in the web user's team List. Each user has connection information
and the team List is associated with the user ID.
When a Web Host user signs on, Collect! creates a new connection information record and attaches the
user's team list to the user's connection information structure. When the user logs out, the team
List associated with the user is deleted.
As each request is received from the web, Collect! switches the user context and replaces the system
team List pointer with the team List of the operator. This allows the web based data access to
transparently use the operator's access control settings.
Limitations To Account Security
The following important conditions and limitations apply when using account access control.
Speed
The user rights are not indexed and are transparent to your searches except that debtors the user
hasn't got access to are discarded at a low level in the system. If a user has rights to only 1
record in 10,000 then the system will likely have to search all 10,00 records before it finds the
one the user has rights to.
Limited Use
Do not use a security enabled operator incorrectly. If you want to do a batch operation or anything
complex, such as statistical calculations, then you should sign on as an unrestricted operator.
The Account Security function is not intended to work with batch operations, or anything complex
unless the complex task is specifically planned for and is designed to support Security in both
Strict and Non-strict forms, depending on your requirements.
If you use complex plans or control files that look at debtor groups please be aware that account
security will restrict the data available to unauthorized users.
|
Was this page helpful? Do you have any comments on this document? Can we make it better? If so how may we improve this page.
Please click this link to send us your comments: helpinfo@collect.org