Data Security and Access – User Roles (Admin Only)

User Access Levels and Customized Roles

Updated over a year ago

Introduction

GEMS Administrators can create User Roles and assign their GEMS users to specific User Roles. These User Roles contain Access Levels that apply to all users within the User Role. Access Levels can be configured to:

  • limit users' access to entity Screens and Screen Fields;

  • allow users to view or edit only data for specific entities or entities with a particular characteristic (e.g., jurisdiction);

  • restrict users' access to Documents, Activities, entire entities, and modules.

User Roles can be created and managed by clicking Admin Hub > GEMS Administration > User Role Management.

Please note: Outside of managing Access Levels, User Roles also allow Admin Users to push out certain customizations to all members of a User Role.

These customizations include:

  • New or customized Homepage Tabs via User Menu > Page Settings > Manage Homepage Tabs;

  • Customized Entity Snapshots via Snapshot Management.

For more information on Homepage Tab Customization, please see Homepage Tabs. For more information on customizing Snapshot Layouts, see the Snapshot Management section.

Access Levels

Each user role can contain a number of Access Levels. Access Levels limit what information a user can see and what functions they can perform within GEMS on certain items.

Access Levels can be one of the following access types:

  • None - users cannot see that the item exists

  • Browse - Edit Users can only view the item (Browse Users are unaffected)

  • Change - Edit Users can modify the properties or content of the item but cannot delete it (Browse Users are unaffected)

  • Full Control - Edit Users can modify and delete the item (Browse Users are unaffected)

How User Roles and Access Levels Work Together

GEMS evaluates three levels of security, in order: User Type, Role Type, and finally the Access Levels assigned to that role type.

Upon login, GEMS first evaluates the user type of the person logging in (Browse User or Edit User), then the role that has been assigned to them, and finally whether any restrictions need to be applied through access levels.

The first level of security for a GEMS user is the user type, that is, whether they are a Browse User or an Edit User as discussed above. This determines, first and foremost, whether they can edit data.

The next level of security is the role type. GEMS checks, for example, whether an Edit User also has the Admin Role Type. It will also check if that role has specific access levels and if there are special snapshots or views set up for that user. For more information on customizing a Snapshot, see the Entity Snapshot Tutorial.

The final level of security is the access levels. GEMS works on the basis that every user has access to everything permitted by their user type and their role type. Any restrictions to this level of permissions must be done using access levels.

Please note: A user with a Browse “User Type” cannot be given edit access through access levels.

The following table illustrates some of the common types of users that may need to be set up for an organization:

| Description | GEMS User Type | GEMS Default User Role Type | Access Level |
|---|---|---|---|
| A user who is allowed to browse all data in GEMS but not allowed to edit data or access administrative functions | Browse User | User | None specified |
| A user who is allowed to browse all data in GEMS and edit certain sections but not delete any data or access administrative functions | Edit User | User | Browse access given to all screens and other areas of GEMS. ‘Change’ access given to specific areas |
| A user who is allowed to browse all data in GEMS, edit and delete certain sections but not access administrative functions | Edit User | User | Browse access given to all screens and other areas of GEMS. ‘Full Control’ access given to specific areas |
| A user who is allowed to edit and delete data in all areas of GEMS but does not have access to Admin functions | Edit User | User | None specified |
| A user who is allowed to edit all data in GEMS and also have full administrator access | Edit User | User; Admin | |
| A user who is allowed to edit all data in GEMS and have access to the user management admin functions | Edit User | User; Admin | The Admin User Role will have access levels defined giving ‘None’ permission to all functions other than User Management. |

Examples of user types, user roles and access levels in action

Let’s look at how these different user types, user roles, and access levels might be implemented in practice. An organization has the following access requirements:

  • John and Mary from the Legal department require full edit access to all data in GEMS. Mary should also have administrator permissions so that she can act as a backup administrator. However, Mary should not have the ability to change her own access levels or that of others.

  • Cristina from Finance needs edit access to the Financials screens only.

  • Philip from Tax needs browse access only.

  • Vikram from IT has full access to edit data in GEMS and also full Administrator access.

The following roles are created for this organization:

| User Role Name | GEMS Default User Type | GEMS Default User Role Type | Access Level | People Assigned |
|---|---|---|---|---|
| Legal | Edit User | User | | John, Mary |
| Finance Edit | Edit User | User | Screen/ All Screens/ Browse; Screen/ Specific Screen/ Financials > Full Control | Cristina |
| Tax | Browse User | User | | Philip |
| Admin | Edit User | Admin | | Vikram |
| Backup Admin | Edit User | Admin | Security Management > None | Mary |
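
The evaluation order and the example roles above, modelled in Python as an added example; this is not GEMS code and not part of the original article. The rule precedence (a specific item outranks "All", the most restrictive role wins, no role of the required type means no access), the "Addresses" screen name and Vikram's membership of a default "Edit User Role" are assumptions.

```python
# Added illustration, not GEMS code: a simplified model of the evaluation order.
from dataclasses import dataclass, field
from enum import IntEnum

Access = IntEnum("Access", "NONE BROWSE CHANGE FULL_CONTROL", start=0)

ADMIN_ITEM_TYPES = {"Security Management", "Users"}  # from the page's examples

@dataclass
class Role:
    name: str
    role_type: str                              # "User" or "Admin"
    levels: list = field(default_factory=list)  # (item_type, item or None = "All", Access)

    def level_for(self, item_type, item):
        # Assumption: a "Specific ..." entry outranks an "All ..." entry.
        specific = [a for t, i, a in self.levels if t == item_type and i == item]
        general = [a for t, i, a in self.levels if t == item_type and i is None]
        # Nothing configured means no restriction.
        return min(specific or general or [Access.FULL_CONTROL])

@dataclass
class User:
    name: str
    user_type: str                              # "Browse User" or "Edit User"
    roles: list

def effective_access(user, item_type, item=None):
    # 1. User Type sets the ceiling: a Browse User never gets edit access.
    ceiling = Access.BROWSE if user.user_type == "Browse User" else Access.FULL_CONTROL
    # 2. Role Type decides which of the user's roles govern this kind of item.
    wanted = "Admin" if item_type in ADMIN_ITEM_TYPES else "User"
    roles = [r for r in user.roles if r.role_type == wanted]
    if not roles:
        return Access.NONE                      # assumption: fail closed
    # 3. Access Levels only restrict. Assumption: the most restrictive role wins.
    return min(ceiling, min(r.level_for(item_type, item) for r in roles))

# Roles from the example table. "Edit User Role" stands in for the default User
# type role every user must hold (assumed here for Vikram).
legal = Role("Legal", "User")
finance = Role("Finance Edit", "User", [("Screen", None, Access.BROWSE),
                                        ("Screen", "Financials", Access.FULL_CONTROL)])
tax = Role("Tax", "User")
default_edit = Role("Edit User Role", "User")
admin = Role("Admin", "Admin")
backup_admin = Role("Backup Admin", "Admin", [("Security Management", None, Access.NONE)])

USERS = {u.name: u for u in [
    User("John", "Edit User", [legal]),
    User("Mary", "Edit User", [legal, backup_admin]),
    User("Cristina", "Edit User", [finance]),
    User("Philip", "Browse User", [tax]),
    User("Vikram", "Edit User", [default_edit, admin]),
]}

def access_matrix(checks):
    """Return {(user, item_type, item): level name} for every user and check."""
    return {(n, t, i): effective_access(u, t, i).name
            for n, u in USERS.items() for t, i in checks}

if __name__ == "__main__":
    print(access_matrix([("Screen", "Financials"), ("Screen", "Addresses"),
                         ("Security Management", None)]))
```

Comparing the resulting matrix with the written access requirements is a quick way to review a role design before configuring it.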

Managing Roles

When creating a user in GEMS, the administrator will need to consider what access that individual needs and which roles to assign them. By managing those roles an administrator can assign, edit and create a secure environment that meets their needs.

Please note: Managing roles can only be performed by those Administrators who have been set up with Admin Type Roles.

Using the figure below as reference, from the Admin Hub, the GEMS administrator will choose GEMS Administrator > User Role Management.

This will open a User Role Search Results screen with all the different User Roles already existing on the system. From the User Role Search Results screen, the administrator can:

  • Create new User Roles, see Creating a New User Role

  • Modify membership in User Roles, see Modifying/Assigning User Role Membership

  • Create Access Levels

  • Modify Access Levels

Search the list for the User Role that needs to be edited (see Modifying/Assigning User Role Membership), or click on the Add button to create a new user role (see Creating a New User Role).

Please note: If the administrator deletes a User Role, GEMS will automatically assign any users currently within this user role to the default “Edit User Role”.

Creating a New User Role

Once it has been determined that a new user role is needed, the administrator will click on the add button, highlighted below.

The administrator will be required to add a clear description and choose whether this is an Admin or User Type role. If needed, add a note to clarify when this role should be used or why it was created. For more information on each field, refer to the table below the image.

| Field | Description |
|---|---|
| Description | Uniquely identifies the User Role. |
| Type | Select either Admin or User. The available Access Levels differ for Administrator type User Roles versus User type User Roles. Administrator Roles have Access Levels specific to GEMS administration and management. User Roles have Access Levels specific to Entity records. |
| Notes | Enter the reason the User Role was created. |
| Inherit Access Rights From Role | If User Roles have similar Access Levels, this can be used to clone the original User Role’s Access Levels. This field copies the access levels of the selected user role to the new user role at the time of creating the new user role. However, future changes to the access levels of the selected user role are not reflected in the new user role. This field is an ‘at the time of creation’ field only and the two roles are not linked for the future. |

Please note: Instead of recreating a User Role from the beginning, the administrator may duplicate a previous role using the Inherit Access Rights From Role field, then make changes as necessary.

Once the information is filled in, click the Save button. To add members to the user role and to define access levels for the user role, follow the procedures described in the Assigning Membership to a User Role and Access Levels.

Modifying/Assigning User Role Membership

To open an already created User Role, simply click on the User Role from the User Search Result Screen as seen below.

Assigning Membership to a User Role

Assigning membership to a User Role for a single or multiple users is a key element to providing access to GEMS for a GEMS User. There are two ways to assign membership to a GEMS User.

  1. From the user role section - this is ideal for adding multiple users to the same user role.

  2. From the user details section - this is ideal for adding or changing the user role for a specific user.

Assigning Membership to a User Role – from the user role section

To add a user as a member of a user role, navigate to the user role details.

Once the administrator has opened the User Role that requires changes, click on the Membership link to view those GEMS Users who are members.

On the Members of User Role Search Screen, click on Add User Role Members.

Then the administrator selects the GEMS User(s) they wish to make members of this user role.

Click GO to add these GEMS Users to this particular User Role.

Once it is time to remove GEMS Users from a User Role, the administrator will access the Membership and the Members of User Role Search as if they were adding a GEMS User to a User Role, as discussed above.

When the Members of User Role Search Screen displays, as seen below, click on the GEMS User or Users that are no longer part of this User Role. Then click GO next to Remove Members as highlighted below.

The administrator will receive a message asking them to confirm that they want this to happen. To confirm, click OK.

Please note: Every GEMS User must be a member of at least one User type User Role. When removed from a “User” role, users will be automatically added to the default edit user role.

Assigning Membership to a User Role – from the user details section

To assign or unassign a GEMS User from a specific User Role through their GEMS User Details, open the GEMS User from Admin Hub > GEMS Administration > User Management. Find the GEMS User that requires a role change, then click on User Role Membership to view the GEMS user’s roles.

For more information on GEMS User Management, see the GEMS User Management Tutorial.

Please note: A user must be a member of the user role, as discussed above in Modifying/Assigning User Role Membership.

Please note: If a GEMS User has the User type User Role removed, the default User Type Role will automatically be assigned.

Click Change User Membership.

Next, click on the checkbox next to the User Role that is being replaced. Then click on Change User Membership as shown below.

Click on the new User Role, as shown below. If this is a User Type Role, GEMS will automatically switch from one role to the other.

Access Levels

Access Levels provide the Administrator a way to limit a GEMS User’s access to information in GEMS. This could be something as simple as restricting a GEMS User from viewing data for a specific entity or as complex as only allowing the GEMS User to edit only one set of data on a specific screen for one entity.

Please note: Browse User Types can never be given access to edit data.

Please note: An Admin User Role alone is never enough to edit entity data.

Adding Access Levels to a User Role

Once the Administrator opens a User Role, click on Access Levels to view the list of already configured Access Levels for that User Role.

After reviewing the list, if new access levels are needed, click the New Access Level button.

Fill in the form starting with the Item Type to apply the Access Level to.

Please note: Item Type for Admin User Role Type will display additional options to choose from.

Once the Item Type is chosen, the Access Type is selected next. Access Types are ranges of items based on the selected Item Type, e.g., all instances of Items, a specific Item, or a custom range.

Please note: Custom Access Type, i.e., custom ranges of Items, can be created; for more information, see Creating Custom Access Types.

If "Specific [Item]" was selected in the "Access Type" field, then that Item can be entered in the "Item(s)" field via its Lookup List icon. If the Access Type is a range of Items (e.g., "All [Items]" or a custom Access Type), then the "Item(s)" field should be skipped, as the Items to be restricted have already been determined.

Please note: Multiple Lookup Items can be selected from the Lookup List for this field.

In the "Access Level" field, choose what level of access is needed from the following:

  • None - Users cannot see that the item exists.

  • Browse - Edit Users can see the item but cannot modify it (Browse Users are not affected by this option).

  • Change - Edit Users can modify the Item's properties but cannot delete the Item (Browse Users are not affected by this option).

  • Full Control - Edit Users can modify and delete the Item (Browse Users are not affected by this option).

Next, add a description to allow others to understand why this User Role was created.

Click Save and the new Access Level is enforced for all users within the User Role.

Example: Creating an Access Level to Restrict a Screen

Any screen that is accessed from an entity's Snapshot or Navigation Menu can be restricted when adding an Access Level via the Screen Item Type.

To restrict a Screen when creating an Access Level, begin by choosing "Screen" in the "Item Type" field. Change the "Access Type" field to "Specific Screen."

Please note: If "All Screens" is selected as the Access Type, the only Access Levels available later will be "Browse" and "Full Control."

Find the specific Screen or Screens to be restricted using the Lookup List for the "Item(s)" field.

Select the appropriate Screens by ticking the checkboxes next to the Screens and clicking Go.

Select the appropriate Access Level in the "Access Level" field, then click Save.

Example: Creating an Access Level to Restrict a Screen Field

Any field located within a Screen can be restricted when adding an Access Level via the Screen Field Item Type.

To restrict a Screen Field when creating an Access Level, begin by choosing "Screen Field" in the "Item Type" field. Change the "Access Type" field to "Specific Field." Then click the Lookup List icon for the "Item(s)" field.

The Screen Field Lookup List will return all the Screen Fields that can be restricted. Change the search parameters to return the desired Screen Field or Fields.

Select the Screen Field or Fields that need to be restricted by ticking their checkboxes, then click Go.

Finally, assign the desired Access Level, add a description, then click Save.

Creating Custom Access Types

If there is a need to create an access level to a specific subset of data in GEMS, the administrator can create a custom access type. Once created the custom access type can be used in different User Roles.

The administrator will first select the Item Type, similar to creating any New Access Level, then click on the next to the Access Type as highlighted in the figure below.

The Access Types Search Results Screen shows the list of customized Access Types that have already been created. To create a new access type, click on New Access Type as highlighted in the figure below.

Next, provide a name for the new Access Type to be created and then click on Criteria.

The Query Builder screen will then appear. Select the field from the ‘In Field’ drop-down, the Condition, and the Value that you want to set as the parameter for the Access Type.

Please note: The Query Builder functions similarly to the Advanced Search function.

Please note: In the criteria, the ‘In Field’ is a drop-down that contains all the fields related to the Item Type chosen.

Click the Search button to review the subset of data.

Once the administrator is satisfied with the results, click the Done button as seen in the figure below, to save the Search.

Return to the New Access Type Screen, click Use It Now, and then the Save button as seen below.

The administrator will now see the new Access Type in the New Access Levels Screen as seen below.

Examples of Types of Access Levels

For convenience, below are some common examples of access levels for User and Admin Role Types that can be used in GEMS. The table includes which Item Type, Access Type, the specific Item, and the correct Access Level.

Examples: User Role Access Levels

| Required Action | Item Type | Access Type | Item(s) | Access Level |
|---|---|---|---|---|
| Hide “My Page Settings” Link | My Page Settings Link | N/A | - | None |
| Prevent a group of GEMS Users from editing a specific business entity | Entity&Person | Specific Entity or Person | Entity Name | Browse |
| Hide the Address Screen | Menu Item | Specific Menu Item | Addresses | None |
| Give a group of GEMS Users read-only access to Reference ID field | Specific Screen | Specific Field | Reference ID | Browse |
| Prevent a group of GEMS Users from changing Settings in Homepage Tabs Panels | Web Part Settings | N/A | - | None |
| Prevent a group of GEMS Users from adding new Homepage Tabs | Homepage Tabs - Add | N/A | - | None |

Examples: Admin Role Access Levels

Please note: Admin Role Access Levels will have additional Item Types.

| Required Action | Item Type | Access Type | Items | Access Level |
|---|---|---|---|---|
| Prevent a group of GEMS Users from adding access levels | Security Management | N/A | - | None |
| Give a group of GEMS Users read-only access to Users’ details | Users | All Users | - | Browse |

Editing Access Levels

Once an Access Level is created, several of its properties can be edited, such as the access level or description.

Please note: The Item Type and Access Type cannot be edited. If the administrator needs to change the Item Type and Access Type, they will be required to delete the incorrect Access Level and create a new one.

Open the User Role, as discussed in Managing Roles, then click the edit icon for the specific Access Level that needs to be revised, as highlighted in the figure below.

Once the Screen opens, as seen below, revise the Item, Access Level, and Description as highlighted in the figure below. Then click on Save when finished.

Please note: Only those fields that become active can be revised. This will be dependent on the Item Type and Access Type.

Deleting an Access Level

When an Access Level is no longer needed in a User Role or if that Access Level is no longer configured exactly as needed, it can be deleted.

The administrator will click on the checkbox next to the Access Level to mark that Access Level for deletion, then click GO.

Setting Homepage User Preferences for Users

An Admin user can set the Homepage user preference for all Browse Users associated with a particular User Role, or for all Browse Users in GEMS.

Please note: All new GEMS users will have these settings enabled upon the system being shipped.

If these settings have not yet been enabled, they can be turned on for all browse users through the Admin Hub > GEMS Settings > System Management > Options > Bulk Update User Preferences in the left navigation menu. Click on Edit to change the settings.

Please note: This change will take effect the next time a User logs in.

If the administrator would like to change this option for all Browse Users who are members of a particular User Role, navigate to the user role details as described in Managing Roles.

Once the User Role Details Screen is open, click on the Bulk Update User Preferences link in the left navigation menu, then click Edit. The administrator will have two options: Enable the ‘Home’ Tab, which enables the Home Hub, and Show All Tabs When ‘Home’ Tab Enabled, which shows additional tabs when the Home Hub is on.

When both are selected, the Browse Users in that role will see the Home Hub and any other tabs that are created on the system.

By default, ‘No change’ ensures that the existing setting remains in force for this user preference. When finished, click Save.
