Privacy - System Admin

Satuit Access Approval

Satuit has implemented a new security feature to allow you to grant access to your database for a member of our support staff for assistance purposes. The default access level is set to No Access. Each Satuit client will need to have two users specified for Access Approval.

• No access type is configured – By selecting this option you have chosen not to grant any access to log into your database
• Grant Single Login Access – You have authorized a single login to access your database; once the login has occurred the access type will default back to no access
• Grant Access until; enter date – This will allow you to set a date range on how long you would like to allow access to your database
• Grant Access Indefinitely – This will allow you to allow access indefinitely or until you change the access option

All the logins will be tracked with the Application Access Log.

Team Privacy Overview

Satuit offers a team-centric data privacy module for managing users' permission to view records. A summary of the features is below.

• Each record is assigned a "Privacy Scope". The Privacy Scope is what determines the overall visibility of the record. The possible values for this are:
• Global – Everyone can view the record
• Team – Only team members and their managers may view the record
• Private – Only the user and his or her manager(s) may view the record
• Teams are organized hierarchically so that managers may view records assigned to their team members
• A user's permission to view records is dependent upon the records' Privacy Scope (i.e. Private, Team, or Global) and the user's Team Membership. If a record's Privacy Scope is set to Team then only members of the specified team will be able to view it
• Team-Based Data Privacy is turned off by default for all customers. For those who require additional privacy constraints, please contact Client Services for more information

Theory of Operation

When Team-Based Data Privacy is enabled, a record's visibility is restricted according to its Privacy Scope and the user's Team Membership (when we say "record" we refer to an item from one of the main blue tabs, i.e. Business, Contact, Activity, Sales Opportunity, Document, Account, or Mass Mailing.

All users in Satuit can be assigned to one or more teams using the Team Membership tool. In addition, users can be organized into a hierarchy representing the organizational management structure. Users will most likely be assigned to only one team; however, it is possible to assign them to multiple teams.

Team-Based Data Privacy is based upon the notion of "scope". There are three possible values for scope: "Global”, "Private" and "Team". If the scope of a record is set to "Global" then everyone can view the record regardless of their Team Membership. For example, a user who is not assigned to any team can view records defined as "Global".

When a record's scope is set to "Private" only the owner and their manager(s) (as defined in the team hierarchy) can view the record. Managers do not need to be defined explicitly as team members as they are implicitly included in the team because the owner of the record reports to them (the owner being the Satuit rep to which that record is assigned).

The default scope for all records is "Global". This is in keeping with earlier versions of Satuit: everyone can view all records. However, administrators can set the default Privacy Scope per record type (i.e. the initial Privacy Scope assigned to a record upon creation). In addition, users may change the Privacy Scope for both new and existing records, thus overriding the default Privacy Scope. For example, if the default Privacy Scope for Activities has been set to "Private", then all new Activities created will by default only be visible to the record owner and their manager(s). The Privacy Scope can then be changed to "Team" or "Global" if wider visibility is required.

Satuit already supports field-level access control, i.e. the ability to manage individual users' rights to edit certain fields. Therefore, if it is necessary to limit the users who can edit the Privacy Scope field, standard field-level access control should be used.

Branch Security Replacement

The customer requires that records belonging to one group of users be invisible to another and vice-versa. The Privacy Scope of a record is determined by the Privacy Scope of the business associated with it. For example, if John is unable to see ABC Corp then activities, documents, etc. associated with ABC Corp will also be inaccessible to John.

Team Privacy

All users can see all Businesses and Contacts. However, Sales Opportunities, Activities, Documents, and Accounts can only be seen by members of the team they belong to. Users cannot change the Privacy Scope of these records, for example, a user is unable to make an Activity visible to all users ("Global").

Private Deals

As for Team Privacy, all Businesses are visible to all users. Sales Opportunities are only visible by members of the team they are assigned to. In the same way, any Activity related to a Sales Opportunity is only visible to team members as well as any Document related to this Activity.

Configuration: Default Privacy Scope

The Default Privacy Scope determines the Privacy Scope of all newly created records. For example, if the Default Privacy Scope of Contact records is set to "Global", then all new Contact records will have an initial Privacy Scope of "Global". This can, of course, be changed afterward, so long as the user has the necessary rights to change the Privacy Scope field.

The Default Privacy Scope control panel is part of the System Administrator module (Tools/System Administrator). To access this screen, go to System Configuration | Security | Team Privacy | Default Privacy Scope.

Team Membership

The Team Membership control panel allows administrators to create and edit teams and to manage Team Membership (i.e. which Satuit users (reps) are part of which team). To add a new team, simply click Add and add the Reps and type the name of the new team in the Team Name textbox and then click Save.

The Team Membership control panel is part of the System Administrator module (Tools/System Administrator). To access this screen, go to System Configuration | Security | Team Privacy.

User Editor

The Rep Editor screen of the System Administrator has been modified to include the list of teams the selected rep is a member of ("Teams for this user"). Additionally, it is possible to specify the Default Team for the selected rep by marking the Team "IsDefault".

Detail Forms

The forms for each of the main record types will need to be updated to show the Privacy Scope field if users wish to be able to modify the Privacy Scope manually.

For clients that have reps belonging to multiple teams, the Team Name dropdown list will also have to be added to the form. When a record's Privacy Scope is set to "Team", the user can select the specific Team from the Team Name dropdown list. Note: only teams of which the user is a member will be visible in the dropdown list.

It is expected that most clients will not require that the Privacy Scope or the Team Name fields be visible as default values will always be used (as specified in the Default Privacy Scope settings).

Many clients will also require that the Privacy Scope field be visible. This allows the user to manually select the Privacy Scope of a record. When "Team" is selected, the default Team name will be used, therefore eliminating the need to show the Team Name field.

A smaller number of clients will also require that the Team Name field be visible. In that case, when the Privacy Scope is set to "Team", the Team Name dropdown list will become active.

If the Team Name dropdown list is visible and the Privacy Scope is set to "Private", the Team Name will also be set to "Private". When the user is not a member of any Team, the option "Team" is automatically removed from the "Privacy Scope" dropdown list. 

Data Security ⏯