Tech Talks: Success – User Management

    Staff
    Posted 10-10-2024 15:07

    In recent months I've been fielding a lot of questions from different clients about User Management. In most cases these questions have been related to challenges they're facing when deploying new use cases and needing to reorganize how they've set up their user controls and accesses within the TrueContext platform. It is for that reason that this Tech Talk post will focus on User Management.

    TrueContext has a robust set of controls, and many of these important controls can get overlooked during the early stages of deployment and implementation. Building off the July Tech Talk post by our amazing Ian Chamberlain about proper FormSpace development (Check it out here!), we're going to dive into some proven practices to help both new and existing clients set up their User Management controls in a way that avoids headaches down the road.

    How were TrueContext's User Management controls designed?

    The first things to understand are the three different User Roles that are built into our platform and who they are intended for.

    "Admin" Roles
    "Admin" roles are intended to be kept to a small, select group of power users. This role has full control over the platform. They are the only role that can create additional users, create FormSpaces, and create connections. They can set permissions for other user types and they can see all submission data through the web portal. With this type of access, it's best to reserve this role for a minimum of users and think carefully about what that level of access means within your organization.
    Recommended users: IT Personnel, Product Champions

    "User" Roles
    "User" roles are intended to provide access one step down from the "Admin" role. Admins can limit what Users can see and do within the web portal, giving Admins control over who can build new workflows, which FormSpaces Users have access to, and what submission data they can see.
    Recommended users: Workflow Owners, Workflow Designers, Supervisors, UAT Testers

    Mobile-Only Roles
    Mobile-Only roles are best for your field service technicians. Their access is limited to the mobile app and to managing their own account profile information in the web portal at https://live.prontoforms.com/security/login.
    Recommended users: Field Service Technicians

    Why limiting Admin user roles is important!

    When assigning access, not all Workflow Designers (previously known as Form Builders) need or should have Admin Role accounts. In larger organizations with multiple business units using the platform for their unique workflows, you'll often want to maintain access controls in a manner that ensures designers are only able to access workflows specific to their business units or teams. For these instances, we recommend assigning them the "User" Role combined with "Can Create" FormSpace permissions. This ensures they only have access to and can see what they need to.

    To accomplish this, manage your users with Groups that can be assigned to specific FormSpaces with specific permissions (Managing Groups). We recommend that you maintain four (4) separate groups of users per FormSpace (Designers, Testers, Supervisors/Managers and Technicians). This makes the best use of our FormSpace Permissions settings and ensures access is provided correctly.

    Understanding FormSpace Permissions.

    Here are four permissions I want to discuss in this article that are built into our platform and some important nuances to understand with each:

    Can Create
    This permission should be uniquely reserved for Workflow Designers. They are individuals who are authorized to build or edit workflows within a specific FormSpace. This permission is also required for individuals who manually manage the dispatching of forms out to field service technicians through the web portal. This dispatching permission is included mainly for Workflow Designers to test when developing dispatching workflows. We recommend that dispatching be set up in conjunction with your production FormSpaces to run automatically using our API endpoints. (Note: Our API is only accessible with our Advanced and Enterprise Tiers)

    Can Test
    This is a lesser-used permission, as it's specific to giving end-users access to submit data records against forms that are currently saved in a draft state in the web portal. If you're following our proven practices defined in Ian's July Tech Talk post, you'll likely not use this permission often.

    Can View
    This permission's primary use is targeted at Managers and Supervisors who need to see the work that has been dispatched to and/or completed by the field service technicians within the FormSpace. Individuals with this permission can also Unassign/Assign incomplete TeamWork-enabled forms (Enterprise Tier only) and send a submitted form for edit if the Send for Edit feature is enabled at the form level.

    Can Submit
    This is the basic permission for field service technicians. It limits the account's access to Open, Submit, Edit (if enabled), and View their own Dispatched or Completed forms only. For Enterprise Tier clients, this permission also allows field service technicians to Transfer or Claim partially completed forms within their FormSpace.

    Configuring your group FormSpace permissions properly ensures that no end-user will ever see something they shouldn't.

    Using our REST API and our SSO configuration to manage your users.

    A powerful way to manage your users is through our REST API and our Single Sign On (SSO) functionality. Since most corporations are already using SSOs to support their employees' access to a variety of programs they use on a daily basis, including TrueContext in your SSO configuration is a logical security step.

    For various contractual and security reasons, we do not allow clients to create a TrueContext user account by signing in using their SSO credential. An account needs to be created ahead of time and its username must match the associated user profile's username in your IdP. TrueContext recommends leveraging our TrueContext API's User Management endpoints to support user creation. Leveraging our API will allow you to use your Identity and Access Management system (if applicable) to create your employee's TrueContext account when their position requires one.

    Managing Access and Password Resets

    Approximately 10% of all support tickets that our Support team receives every year are related to Password Resets. For security purposes, the TrueContext support team cannot reset an account holder's password even if the account holder is requesting us to do so. This process must be managed by your IT team or the end-user themselves.

    We recommend that all clients update the Support Information section of our Mobile App for their specific instance of TrueContext so that it points end-users to your own IT support first. This will allow for a much quicker resolution of many common user-related access issues that can only be solved by Admins. With a properly configured API connection your support team can easily reset or expire passwords and create or delete user accounts.

    This support article explains how all three types of user roles can change their passwords themselves or, in the case of Admins, can change the password of another end-user for them. End-users can also reset their password using the "Forgot Password?" link in the mobile app.

    Let us know below in the comments if you have any questions about our User Management controls. Our Customer Success Team is here to help consult with you on how to implement any of the topics covered in this post!



    ------------------------------
    Chris Fraser
    Customer Success Manager
    TrueContext
    ------------------------------
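
The group and permission layout recommended in the post (four groups per FormSpace, "Can Create" reserved for designers, designers on the "User" role rather than "Admin") can be checked mechanically. The following is an added example, not part of the original post and not TrueContext code; the export structure, field names and sample accounts are constructed assumptions.

```python
# Added example. Constructed sample export; field names are assumptions,
# not a TrueContext export format.
USERS = {"it.admin": "Admin", "hvac.designer": "Admin", "hvac.tester": "User",
         "hvac.super": "User", "tech01": "Mobile-Only"}
GROUPS = [
    {"formspace": "HVAC", "kind": "Designers",
     "permissions": {"Can Create"}, "members": ["hvac.designer"]},
    {"formspace": "HVAC", "kind": "Testers",
     "permissions": {"Can Test"}, "members": ["hvac.tester"]},
    {"formspace": "HVAC", "kind": "Supervisors/Managers",
     "permissions": {"Can View", "Can Create"}, "members": ["hvac.super"]},
    {"formspace": "HVAC", "kind": "Technicians",
     "permissions": {"Can Submit"}, "members": ["tech01"]},
    {"formspace": "Electrical", "kind": "Technicians",
     "permissions": {"Can Submit"}, "members": ["tech01"]},
]
# One permission per group kind, following the audience the post gives for each.
EXPECTED = {"Designers": "Can Create", "Testers": "Can Test",
            "Supervisors/Managers": "Can View", "Technicians": "Can Submit"}

def audit(users, groups):
    """Return (formspace, group kind, finding) tuples for the sample model."""
    findings, seen = [], {}
    for g in groups:
        fs, kind = g["formspace"], g["kind"]
        seen.setdefault(fs, set()).add(kind)
        # Any permission beyond the one expected for this group kind is over-broad.
        extra = g["permissions"] - {EXPECTED.get(kind)}
        if extra:
            findings.append((fs, kind,
                             "unexpected permission: " + ", ".join(sorted(extra))))
        # Designers are meant to hold User + Can Create, not the Admin role.
        if kind == "Designers":
            for m in g["members"]:
                if users.get(m) == "Admin":
                    findings.append((fs, kind,
                                     m + " holds Admin; review for User + Can Create"))
    # Each FormSpace should carry all four recommended groups.
    for fs, kinds in seen.items():
        for missing in sorted(set(EXPECTED) - kinds):
            findings.append((fs, missing, "group missing"))
    return findings

if __name__ == "__main__":
    for finding in audit(USERS, GROUPS):
        print(finding)
```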
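
Because accounts must exist before a user's first SSO sign-in and the username must match the IdP profile, a periodic reconciliation between the two user lists catches sign-in failures and leftover accounts early. This is an added example, not part of the original post; the input shapes and sample usernames are constructed, and treating a case-only difference as a mismatch is an assumption, since the post only says the usernames must match.

```python
# Added example. Inputs are constructed; in practice they would come from an
# IdP export and a platform user listing (formats here are assumptions).
IDP = {  # username -> account active in the IdP and assigned the app
    "a.lee@example.com": True,
    "b.khan@example.com": True,
    "c.diaz@example.com": False,   # leaver: disabled in the IdP
    "d.ono@example.com": True,     # new hire: no platform account yet
}
PLATFORM = {"a.lee@example.com", "B.Khan@example.com",
            "c.diaz@example.com", "old.contractor@example.com"}

def reconcile(idp_users, platform_users):
    """Classify accounts into the actions an IT team would take."""
    idp_lower = {u.lower(): u for u in idp_users}
    report = {"create": [], "mismatch": [], "orphan": [], "disable": []}
    for name in sorted(platform_users):
        if name in idp_users:
            # Exact match, but the person is no longer active in the IdP.
            if not idp_users[name]:
                report["disable"].append(name)
        elif name.lower() in idp_lower:
            # Same person, different spelling: SSO sign-in may not resolve.
            report["mismatch"].append((name, idp_lower[name.lower()]))
        else:
            # Platform account with no IdP identity behind it.
            report["orphan"].append(name)
    have = {n.lower() for n in platform_users}
    for name in sorted(idp_users):
        # Active IdP users need an account created ahead of first sign-in.
        if idp_users[name] and name.lower() not in have:
            report["create"].append(name)
    return report

if __name__ == "__main__":
    for action, names in reconcile(IDP, PLATFORM).items():
        print(action, names)
```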

