Limited Access - Hierarchy-based mode - Overview
NOTE: Throughout the documentation describing Limited Access, the word “manager” is frequently used as a generic term to describe all users who have access to the Administrative areas of the software. In this context, manager is not meant to indicate a job description or position.
Limited access is a security mechanism capable of giving managers access to only certain projects, task groups, employees or employee groups while in the administrative areas of the software. For example, you may want a manager to be able to view and report on some projects while excluding access to other projects. Limited access is required to apply this level of control.
Hierarchy-based mode is one of the 2 ways limited access can be configured. The other is Manager-level mode.
In the Hierarchy-based mode, you assign access security to projects, employees, etc., via pools of managers called ‘Access Groups’. Access groups can be organized to emulate your company’s departments, divisions, etc. Creating access groups and nesting these groups makes it easier to give, modify or deny permission to many managers at once.
Hierarchy-based mode is most beneficial when there are changes or additions to assignments. When a new manager joins a department, business unit, team, etc., there is no need to manually assign access to all the different projects and employees the manager requires. You make the new manager a member of an existing access group and then all items available to the access group are automatically available to the new manager. The same time-savings are evident when a new item is created (project, task group, employee or employee group). After creating a new item, you assign the applicable access groups to it to make it available to the appropriate managers.
The use of hierarchical (nested) access groups also means that permissions are automatically assigned based on the hierarchy. This means that when a lower-level access group is assigned to a project, all the parent access groups in the chain automatically have access to the project.
In typical practice, when adding or editing a project, task group, employee or employee group (via the item’s properties window), there is a Limited Access field from which you are able to select which access groups are able to view and report on the particular item. The managers who are members of the selected access group, and any parent access groups in the hierarchy branch, are permitted to view and report on the item. Note that Access Groups only need to be designed for those employees with security rights to the Administrative areas of the software. Employees who are restricted to the time entry tool do not need to be considered in the hierarchy.
Once limited access is applied, again using projects as an example, managers presented with a list of projects when creating assignments, running reports, etc., only see the projects they are permitted to view. A summary list of the views and tools modified by applying limited access is provided in another topic.
TABLE: Simplified deployment of limited access applied to projects
| | Access Group 1 (Headquarters) | Access Group 2A (Division A) | Access Group 2B (Division B) |
|---|---|---|---|
| Project A | | | |
| Project B | | | |
| Project C | | | |
| Project D | | | |
| Project E | | | |
| Project F | | | |
As represented in the table above, projects A through F have each been limited to one or more Access Groups. When a member of Access Group 2B is in the administrative areas of the software, only projects B, D, and E are available. The same access control can be applied to task groups, employees or employee groups.
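The upward inheritance rule and the Access Group 2B case above, as an added Python sketch (an illustration, not the product's code). It assumes Headquarters is the parent of both divisions; the project assignments and manager names are constructed so that Division B sees projects B, D and E as described; and it assumes an item or manager with no access group is denied by default.

```python
# Added illustration with constructed data; not the product's implementation.
PARENT = {  # access group -> parent access group (assumed hierarchy)
    "Headquarters": None,
    "Division A": "Headquarters",
    "Division B": "Headquarters",
}

ASSIGNED = {  # item -> groups selected in its Limited Access field (constructed)
    "Project A": {"Division A"},
    "Project B": {"Division B"},
    "Project C": {"Division A"},
    "Project D": {"Division A", "Division B"},
    "Project E": {"Division B"},
    "Project F": {"Headquarters"},
}

MEMBERS = {  # manager -> access groups (hypothetical manager names)
    "hq_manager": {"Headquarters"},
    "div_b_manager": {"Division B"},
    "new_hire": set(),
}

def chain(group):
    """Return the group plus every parent above it; reject cyclic hierarchies."""
    seen = set()
    while group is not None:
        if group in seen:
            raise ValueError(f"cycle in access group hierarchy at {group!r}")
        seen.add(group)
        group = PARENT[group]
    return seen

def groups_with_access(item):
    """Assigned groups plus all of their parents (upward inheritance)."""
    allowed = set()
    for g in ASSIGNED.get(item, ()):
        allowed |= chain(g)
    return allowed

def visible_items(manager):
    """Items a manager may view; no membership means nothing (assumed default)."""
    mine = MEMBERS.get(manager, set())
    return sorted(i for i in ASSIGNED if mine & groups_with_access(i))

def audit(group):
    """Review helper: managers who gain access when `group` is assigned to an item."""
    reach = chain(group)
    return sorted(m for m, gs in MEMBERS.items() if gs & reach)
```

Running `audit` on a low-level group before assigning it to a sensitive item shows everyone up the chain who will also gain access.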
Creating and using hierarchy-based limited access is a 3-step process. You first design and create the access group structure, then make each manager a member of one or more access groups, and then assign the access groups to projects, task groups, employees and employee groups.
The following diagram summarizes the 3 steps. Each step is detailed in the topics that follow.
1. Create the Access Group structure/hierarchy using the Limited Access tab.
2. Assign the managers to the Access Groups as required.
3. Assign Access Groups to projects, task groups, employees and employee groups.