Customize Access Permissions for Admin Teams

By default, Chrome River has granted all the administrators at your organization access to all screens and turned the Access Permissions admin screen off. This is considered the best-practice setup because it ensures your organization will automatically receive every new feature that is enabled for all Chrome River customers.

However, customers with large admin teams, outsourced IT, or another need for varying levels of administrative permission may wish to fine-tune their control of the options each type of admin can access. Additionally, some customers may not want to have every new Chrome River feature activated for all admin users. The Access Permissions Admin screen enables your organization to control which features and options are available to each user.

Once your organization starts creating new access-permissions policies, you will need to watch the Chrome River Release Notes to be notified of enhancements and then manually activate them for the appropriate users via those policies.

What Are Permissions, Policies, and Grants? 

Access to Chrome River's features is controlled at three different levels:

  • Permissions are individual actions that may be taken on each admin screen, e.g., View, Edit, or Delete.
  • Policies are groups of permissions, e.g., you could have a Read-Only policy that disables some or all actions and an Edit policy that allows users to access some or all actions.
  • Grants allow you to assign each policy to groups of users to determine which permissions they have, e.g., all C-Level employees could be granted access to just the Read-Only policy. The same user may have multiple grants as long as they have multiple roles.

Step 1: Create a Full Admin Policy and Grant Access To It

Before you begin to customize your organization's access permissions, the first step is to create a new policy called "Full Admin" that contains all the same permissions found in the Administrator Default Access policy that was created when your organization started using Chrome River. This is because users assigned to any new policies you create will also have access to the Administrator Default Access Policy, so you will need to limit its permissions in Step 2.

It is essential that you duplicate all the permissions in the original Administrator Default Access policy to ensure that Chrome River and the designated admin(s) at your organization can still control all the necessary access permissions once you start creating other custom access-permissions policies.

Once you have created the Full Admin policy, you will need to add it as an entity to your organization's Rules Group Exception (RGE) entity type, assign the Full Admin entity to specific users via that RGE, and then create a grant that activates the policy for those users.

A. Create a Full Admin Policy

In the Admin Settings Menu, click SECURITY > ACCESS PERMISSIONS and then click the POLICIES tab. Select Administrator Default Access and familiarize yourself with the permissions granted by this policy.

CAPAT - View Default.png

Now click the PLUS button and name the policy "Full Admin." Check the same individual permissions found in the Administrator Default Access policy and click SAVE.

CAPAT - Create Full Admin.png

B. Add a Full Admin Entity to the Rules Group Exception Entity Type

Navigate to MASTER DATA > ENTITIES, select the Rules Group Exception entity type, scroll down to the Entities section, and click PLUS.

If the Rules Group Exception entity type no longer exists for your organization, your Chrome River Implementation Team contact will be able to help you re-create it.

CAPAT - Add to RGE.png

Give the new entity the name and code "FullAdmin" and click SAVE.

CAPAT - New Entity.png

C. Assign the Full Admin Entity to the Appropriate Users

Next, you'll need to assign this policy to the Chrome River user created for your organization and any other users who should have full admin rights for access permissions. Navigate to MASTER DATA > PEOPLE and select the Chrome River user.

  • Usually this user is named "Chrome River [Your Organization's Name]."

Click RELATIONSHIP ATTRIBUTES and then click ADD RELATIONSHIP ATTRIBUTE.

CAPAT - Add Relat to CR User.png

Select the following for the new relationship attribute:

  • Role: Part Of
  • Entity Type: Rules Group Exception
  • Entity: Full Admin

CAPAT - Relat Att.png

Click SAVE.

Repeat these steps for any other users who should have full admin rights for access permissions.

  • In addition to giving them the Full Admin relationship attribute, be sure each user has the Admin check box selected under Permissions.

CAPAT - Admin Checkbox.png

D. Create a Grant to Activate the Full Admin Policy

Last, you'll need to create a grant that assigns the Full Admin policy to the relationship attribute you added for each user above. Navigate to SECURITY > ACCESS PERMISSIONS > GRANTS and click PLUS.

CAPAT - Create Grant.png

Name the grant "Full Admin" and select the same relationship attributes as in Step C, above:

  • Role: Part Of
  • Entity Type: Rules Group Exception
  • Entity: Full Admin

Select the Full Admin policy from the Policy drop-down box and click SAVE.

CAPAT - Grant Specs.png

Step 2: Remove Default Admin Permissions

Now that you have created a Full Admin policy, you will need to remove most or all of the permissions selected in the Administrator Default Access policy that was created when your organization started using Chrome River. This is because users assigned to any new policies you create will also have access to that Administrator Default Access policy.

Navigate to SECURITY > ACCESS PERMISSIONS > POLICIES, select the ADMINISTRATOR DEFAULT ACCESS policy, and click EDIT.

It is recommended that you uncheck all permissions except "Show In Admin Menu" under Messages, then click SAVE.

CAPAT - Limit to Messages.png

Choosing just this permission for your Administrator Default Access policy will act as a fail-safe in case an error is made when granting users access to a policy. If a user should have access to certain admin functions but only sees the Messages screen listed in the Admin menu, they will know to contact your organization's Chrome River administrator to investigate.

Step 3: Create a New Custom Policy

Now you may group the various permissions into policies and grant specific users access to each policy.

See Sample Admin Access Permissions Matrix, below, for an example of the way your company might want to distribute the various permissions among different user roles.

  • For example, you may wish to create one policy for users who handle messaging and a different policy for users who handle exports or data.

Each policy may include anything from access to an entire group of screens to access to only a few functions on a single screen.

See "Create a Policy" in Access Permissions Admin Screen for complete details on creating a policy.

Step 4: Add a Corresponding Entity to the Rules Group Exception (RGE) Entity Type

In order to assign the policy you created to specific users via a grant, you must first add an entity that corresponds with that policy to the Rules Group Exception (RGE) entity type.

See "Add a Policy Entity to the Rules Group Exception (RGE) Entity Type" in Access Permissions Admin Screen for complete details.

For more information on creating new entities, see "Create a New Entity" in Entities Admin Screen.

Step 5: Assign the Entity to the Appropriate Users

Next, you'll need to assign this policy to each user who should have access to it via their record on the Person admin screen.

See "Assign the Policy Entity to the Appropriate Users" in Access Permissions Admin Screen for complete details.

Step 6: Create a Grant to Activate the Policy for Users

Now that you have your policy, a corresponding entity, and users who have been assigned that entity as a relationship attribute, you may create a grant that will activate the policy for those users.

Each grant must be assigned to a unique entity, but the same user may have multiple grants as long as they have multiple roles.

See "Create a Grant" in Access Permissions Admin Screen for complete details on creating a grant.

Sample Admin Access Permissions Matrix

While every organization will have its own roles and requirements, we have created a sample matrix of admin access permissions that will show you one way your company might want to distribute the various permissions among different user roles.

Click here to download the Sample Admin Access Permissions Matrix.

Column A lists all the functions available on the Access Permissions admin screen that are being used by this sample company. Columns B–E represent four different user roles and indicate which of the permissions in Column A are activated for each role.

What Is a Super Admin and Why Do We Need One?

A Super Admin is a user who can control access to every feature of Chrome River for all other admins. Even if the Access Permissions screen is turned off for all your other admins, the Super Admin will be able to see it and use it to control permissions.

When your organization first implemented Chrome River, one or two of your admins were given Super Admin permissions. However, if those users have departed and no one was designated to replace them as a Super Admin, the Access Permissions admin screen may not be visible to anyone in your organization. If this has occurred, contact the Chrome River Configuration Team by opening a Help Desk case to have one or more Super Admins designated.

Was this article helpful?