NOTICE: You are in the old ClientSpace Help system. Please link to the new ClientSpace Help here https://extranet.clientspace.net/helpdoc/home/ClientSpace.htm
Security Entities
Security Entities
Entities are the security objects used by the application to check what rights a user has to view, create or modify a system object. Entities are most commonly created by securing a Dataform or dataform field. Securing a dataform creates a Security Entity with the same name as the dataform, for example, if you secure the WhatDo dataform a security entity of gen_WhatDo is created (gen_zWhatDo for a custom dataform). In a similar way, securing a dataform field will generate a security entity for the field of dataformname_fieldname.
So securing the YouWant field on the WhatDo dataform will create a security entity named gen_WhatDo_YouWant. When a dataform or field is marked as secure, and that entity applied to a role, this item is unavailable in the system unless a user is either a Global Admin or a member of a role with at least View only rights for that security entity. In this way, you can apply very granular security to dataform objects. This security is also hierarchical, meaning if you secure a fieldset on a dataform, all of the fields inside the fieldset are secured by default, effectively hiding them unless the user has at least view rights to the fieldset. Careful application of Security entities and role security can make dataform configuration incredibly robust, allowing the application to have a customized look and feel for different groups of users without having a large number of dataforms.
Security entities can also be artificially created as part of the development process to secure items that are not generated by the system such as processes or custom objects like dashboards. The CRM entity, for example, is an object which provides a method for securing the Sales prospecting modules of ClientSpace. As with dataform field entities, the CRM_Phone entity controls rights to the Telephone field on the org and so on.
Similarly, business object security can be used to secure specific attributes of the system, such as the biz_clientservicecase_massupdate object that secures the mass update button for the client service case dashboard, or the biz_workflow_cm_accept that provides the user access to the Accept link on the Client Master page.
Another example is Incident_AllowTaskMaintenance. Ordinarily, only the Owner or Assigned To user can edit task fields. Adding the Incident_AllowTaskMaintenance entity to a user allows them to edit certain fields on a task even if they are not the Owner or Assigned To user.
Adding a dataform entity to a security role allows the administrator to secure dataform records in the following ways:
- View: user can view the record (form or field) but is unable to add or manipulate the record.
- Add:* user can add new dataforms of that type, or insert information into a field. Add rights apply anywhere in the system dataforms may be added, whether that is within a multiform list, from a dashboard or from the + symbol on a dataform link.
- Edit:* user can adjust a dataform or field.
- Admin: user has full rights to a dataform or field, inclusive of all other rights.
* Add and Edit
It is important to note that add and edit are not necessarily inclusive, meaning you can give add but not edit rights, or vice versa. In the role above the user can edit an existing Client Master form, but not create the original form. It is further important to note that dataform security only applies to dataforms on workspaces the user has access to, so unless you are a global admin, workspace security supersedes dataform security. You will only have access to employee dataforms for example for employees of workspaces that you have access to, allowing workspace security to work even outside of the workspace, such as on a dashboard.
Admin Security is powerful
Admin Security supercedes all other rights for dataforms to include special security such as the Row Level security for Secured case types. Do not apply admin rights to a dataform unless you are absolutely sure you want the role members to have Global Admin Access for that dataform.
Security Inheritence in NEXT
NEXT Entity security is Hierarchical, meaning that it is inherited from the parent object. This means that unsecured fields in a secured fieldset will inherit the security of the fieldset ie: an unsecured field in a secured fieldset where the user role has view rights will display the unsecured field as read-only. Users with Add rights to the fieldset will see the field as unlocked until it is filled, then the field will become read-only and so on.
Securing a fieldset with View rights affects all of the fields within that field set
ClientSpace Next has been enhanced to allow hierarchical security, basically any field within a fieldset inherits the security applied to the fieldset (to a point). Individual field security within the fieldset is still respected.
In the above example, Fieldset Test 1 has been secured with Edit rights, none of the fields within the fieldset have their own security so they inherit the security of the fieldset and are also secured with Edit rights.
Fieldset Test 2 has been secured with View rights and the luState field within fieldset 2 has also been secured, but with Edit rights applied.
Fields within Fieldset 2 inherit the Fieldset security unless they have their own security, so CheckTestToo and DateToo are View only, while luState which has it's own security can be edited.
It is important to note that there must be a minimum of view rights for a field or fieldset to appear on the form. In the following image, security has been flipped:
Fieldset Test 1 has been secured with View rights, none of the fields within the fieldset have their own security so they inherit the security of the fieldset and are also secured with View rights.
Fieldset Test 2 has been secured with Edit rights and the luState field within fieldset 2 has also been secured, but with View rights applied.
Fields within Fieldset 2 inherit the Fieldset security unless they have their own security, so CheckTestToo and DateToo are editable, while luState which has it's own security cannot be edited.
Best Practice
Draw a diagram of the dataform prior to adding security to it in order to map out how you would like the field access to occur. This will allow you to envision the different users that will need access to the dataform, and help you to better plan out how to architect the security and associated user roles.
The following list defines Standard Security Entities included in our PEO product at the time of this publishing. Your ClientSpace installation may have a different list of available entities which include custom security entities. Where entities are system generated, such as for dataform or template security, guidelines have been provided which discuss the standardized formats used to generate the entity name (see above).
| Entity | Description | Required Rights |
|---|---|---|
| biz_ClientDistressCallOwner | Used to configure a user to be set as the owner on distress calls. | |
| biz_ClientServiceCase_Email_Notifications | Enables a user to received email from the nightly CSC notification process. | View |
| biz_clientservicecase_massupdate | Controls access to the Mass Update button on the Case Search dashboard | |
| biz_clientservicecase_subscriptions | Allows access to the "Case Type Subscriptions" link on the user profile. | |
| biz_clientteam_massupdate | Controls access to the Mass Update button on the Team Search dashboard | |
| biz_CommissionDetail_SalesEntity | Add/Edit | |
| biz_crm_show_snapshot | Allows the user to see the Client Snapshot if they have access to the workspace | View |
| biz_pricing_batch_can_override_admin_percent | ||
| biz_pricing_batch_multibatch | Enables use of multiple comparison batches | |
| biz_pricing_code_can_view_header | View | |
| biz_pricing_state_can_override_premium_discount | ||
| biz_pricing_submitted_batch | Users with View rights to this entity will be able to edit pricing fields when the Batch is in Submitted and Underwriting status. Otherwise, the pricing fields can only be edited when the Batch is in New status. | View |
| biz_pricingconsole_canchangeuser | Users allowed to change pricing console user filter | |
| biz_pricingconsole_breakdown | User allowed to see the pricing breakdown matrix at the bottom of the pricing console and in the pricing widget on the workspace landing page. | View |
| biz_surcharge_can_view_header | View | |
| biz_surcharges_clientsetup | SecEntity associated with Client Setup Field access on the Pricing Console. | |
| biz_view_pc_gp_after_commissions | Allow visibility to Pricing Console Gross Profit After Commissions | View |
| biz_workflow_benefitbenefitplan_activate | Controls access to the Company Benefits Plan workflow link - activate | View |
| biz_workflow_benefitbenefitplan_expire | Controls access to the Company Benefits Plan workflow link - expire | View |
| biz_workflow_benefitbenefitplan_pending | Controls access to the Company Benefits Plan workflow link - set to pending | View |
| biz_workflow_benefitbenefitplan_reject | Controls access to the Company Benefits Plan workflow link - reject | View |
| biz_workflow_benefitbenefitplan_select | Controls access to the Company Benefits Plan workflow link - select | View |
| biz_workflow_benefitplan_activate | Controls access to the Administrative Benefits Plan workflow link - activate | View |
| biz_workflow_benefitplan_cancel | Controls access to the Administrative Benefits Plan workflow link - cancel | View |
| biz_workflow_benefitplan_expire | Controls access to the Administrative Benefits Plan workflow link - expire | View |
| biz_workflow_benefitplan_pending | Controls access to the Administrative Benefits Plan workflow link - pending | View |
| biz_workflow_benefitplan_renew | Controls access to the Administrative Benefits Plan workflow link - renew | View |
| biz_workflow_cm_accept | Controls access to Client Master pricing workflow link - accept | Edit |
| biz_workflow_cm_activate | Controls access to Client Master pricing workflow link - activate | Edit |
| biz_workflow_cm_activate_future | Controls access to Client Master pricing workflow link - activate future (based on activation date) | Edit |
| biz_workflow_cm_activate_now | Controls access to Client Master pricing workflow link - activate now | Edit |
| biz_workflow_cm_approve | Controls access to Client Master pricing workflow link - approve | Edit |
| biz_workflow_cm_clone | Controls access to Client Master pricing workflow link - clone (pricing batch) | Edit |
| biz_workflow_cm_contract_signed | Controls access to Client Master pricing workflow link - contract signed | Edit |
| biz_workflow_cm_create_batch | Controls access to Client Master pricing workflow link - | Edit |
| biz_workflow_cm_decline | Controls access to Client Master pricing workflow link - decline an existing batch | Edit |
| biz_workflow_cm_expire | Controls access to Client Master pricing workflow link - expire an existing batch | Edit |
| biz_workflow_cm_kill | Controls access to Client Master pricing workflow link - kill an existing batch | Edit |
| biz_workflow_cm_reactivate | Allows the reactivation of RFP's that were set to Dead | Edit |
| biz_workflow_cm_reinstate | Allows you to re-instate a terminated client | Edit |
| biz_workflow_cm_reprocess | Allows you to re-process a batch, sets it back to pre-submit | Edit |
| biz_workflow_cm_submit | Allows you to submit a batch from the Client Master header link | Edit |
| biz_workflow_cm_terminate | Allows you to Terminate a client from the Client Master Header link (moves client to Pending Termination Status) | Edit |
| biz_workflow_coi_approve | Allows access to the Approve link on Certificate of Insurance | View |
| biz_workflow_coi_cancel | Allows access to the Cancel link on Certificate of Insurance | View |
| biz_workflow_coi_expire | Allows access to the Expire link on Certificate of Insurance | View |
| biz_workflow_coi_issue | Allows access to the Issue link on Certificate of Insurance | View |
| biz_workflow_employeebenefits_renew | Controls access to the Renew Link on the EmployeeBenefits dataform | View |
| biz_workflow_pb_accept | Controls access to the Pricing Batch workflow link - accept | Edit |
| biz_workflow_pb_activate | Controls access to the Pricing Batch workflow link - activate | Edit |
| biz_workflow_pb_activate_future | Controls access to the Pricing Batch workflow link - activate future - based on activation date | Edit |
| biz_workflow_pb_approve | Controls access to the Pricing Batch workflow link - approve | Edit |
| biz_workflow_pb_clone | Controls access to the Pricing Batch workflow link - clone | Edit |
| biz_workflow_pb_decline | Controls access to the Pricing Batch workflow link - decline | Edit |
| biz_workflow_pb_kill | Controls access to the Pricing Batch workflow link - kill | Edit |
| biz_workflow_pb_submit | Controls access to the Pricing Batch workflow link - submit | Edit |
| biz_workflow_pc_activate | Controls access to the Pricing Code workflow link - activate | Edit |
| biz_workflow_pc_decline | Controls access to the Pricing Code workflow link - decline | Edit |
| biz_workflow_policy_sendcoi | Controls access to the Workers' Comp Policy action link to send certificates of insurance | View |
| biz_workflow_ps_activate | Controls access to the Pricing State workflow link - activate | Edit |
| biz_workflow_ps_approve | Controls access to the Pricing State workflow link - approve | Edit |
| biz_workflow_ps_decline | Controls access to the Pricing State workflow link - decline | Edit |
| biz_workflow_ps_kill | Controls access to the Pricing State workflow link - kill | Edit |
| biz_workflow_ps_submit | Controls access to the Pricing State workflow link - submit | Edit |
| CRM_CanSaveDuplicates | Controls whether a CRM user can save a duplicate organization or must request a review | View |
| gen_dataformname | Dataform security - allowable rights View/Add/Edit/Admin | View/Add/Edit/Admin |
| gen_dataformName_field | Dataform Field security - allowable rights View/Add/Edit/Admin | View/Add/Edit/Admin |
| Incident_Can_Add_Without_Dataform | Task - allows the user to add Tasks to the system without an associated dataform. Used on some Task dashboards. | View |
| Incident_AllowTaskMaintance | Put the Add button on the Home dashboard and the Task Search Module. Still presents the workspace selector. | |
| Incident_Fieldname | Controls field-specific security on the task - not configurable | View/Add/Edit |
Incident_Dash_CanViewAllUsers | Unlocks the User search field on the Task Search Module. | |
| Incident_Can_Add_Without_Dataform | Put the Add button on the Home dashboard and the Task Search Module. Still presents the workspace selector. | |
| Incident_IsActive | Secures the Active option on Tasks. This does not affect mass updates through the task manager. Users with rights to perform mass updates can still mark a task as Inactive by completing and archiving the task. | View |
| PricingConsole | At least View rights required to provide access to Pricing Console. For more information, read Configuring Pricing Console Security in ClientSpace PEO. | View |
| ProfitibilityBreakdown | Allows the user to view the profit information at the bottom of the Pricing Console. | View |
| QuickEdit | At least Add rights required to provide access to Enhanced Pricing Console Quick Edit Form | Add/Edit/Admin |
| QuickEdit_ClientModifier | Works like dataform field security - allowable rights View/Add/Edit/Admin | View/Add/Edit/Admin |
| QuickEdit_CurrentEffectiveCompRate | Works like dataform field security - allowable rights View/Add/Edit/Admin | View/Add/Edit/Admin |
| QuickEdit_EffectiveCompRate | Works like dataform field security - allowable rights View/Add/Edit/Admin | View/Add/Edit/Admin |
| QuickEdit_fkCompCodeID | Works like dataform field security - allowable rights View/Add/Edit/Admin | View/Add/Edit/Admin |
| QuickEdit_FullTimeEmployees | Works like dataform field security - allowable rights View/Add/Edit/Admin | View/Add/Edit/Admin |
| QuickEdit_GrossPayroll | Works like dataform field security - allowable rights View/Add/Edit/Admin | View/Add/Edit/Admin |
| QuickEdit_OverrideBAF | Works like dataform field security - allowable rights View/Add/Edit/Admin | View/Add/Edit/Admin |
| QuickEdit_PartTimeEmployees | Works like dataform field security - allowable rights View/Add/Edit/Admin | View/Add/Edit/Admin |
| QuickEdit_PayFrequency | Works like dataform field security - allowable rights View/Add/Edit/Admin | View/Add/Edit/Admin |
| QuickEdit_PremiumDiscount | Works like dataform field security - allowable rights View/Add/Edit/Admin | View/Add/Edit/Admin |
| QuickEdit_State | Works like dataform field security - allowable rights View/Add/Edit/Admin | View/Add/Edit/Admin |
| QuickEdit_SUTA | Works like dataform field security - allowable rights View/Add/Edit/Admin | View/Add/Edit/Admin |
| QuickEdit_SUTARate | Works like dataform field security - allowable rights View/Add/Edit/Admin | View/Add/Edit/Admin |
| SurchargeType_ClientSetup | SecEntity associated with ClientSetup Surcharge Type. | View/Add/Edit/Admin |
| tblContact_IsActive | Security on the Contact table | View/Add/Edit |
| tblOrganization_IsActive | Security on the Organization table | View/Add/Edit |
| SYS_ImportManager | Provides access to manage imports via the Import Management Module | Admin |
| template_templatename_member | Template security (replacing TemplateName with the actual name of the associated template) - Allows a user to create workspaces for this template. | View/Add/Edit |
| {TableName}_$Attachment | Security entity used to secure the Dataform Attachment Action item | View/Add/Edit/Admin |
CRM_$Attachment | Security entity used to secure the Organization and Contact attachment Action item | View/Add/Edit/Admin |
| Incident_$Attachment | Security entity used to secure the Task Attachment Action item | View/Add/Edit/Admin |
| UnderwriterApprView | Allows user access to all Approval records. (NOT real-time -- only applies when the Approval is created) | View/Add/Edit/Admin |
Related articles
NOTICE: You are in the old ClientSpace Help system. Please link to the new ClientSpace Help here https://extranet.clientspace.net/helpdoc/home/ClientSpace.htm