Knowledgebase: Access Rights and Security
Account Access Control
Posted by Linda, Last modified by on 03 February 2007 06:35 AM
ACCOUNT ACCESS CONTROL|
Do you have some accounts that you want only specific operators to access?
The absolutely correct approach to account isolation is having separate networks, physical offices, LANs, etc. Anything else has complications. For example, how would data segregation affect your compliance to laws limiting the calls your company can make to the debtor in a day, or do you need to worry about a sharp operator that sets up a sniffer on your network?
Ours is a simple solution not applicable to serious segregation contracts that have to do with signed contracts and lawyers. For those types of account isolations please consult your local technical security experts to set up a secure environment for you with separate servers, networks, offices and the like.
The Comtech account access control solution does not offer complete assurance that an unauthorized user cannot gain access to confidential account information (only the correct approach described above can offer that) but does offer the significant functionality outlined below.
Our solution features the following:
1. You can mark accounts confidential, and access to a confidential account can be restricted to a specific group of operators.
2. You can designate which operators have limited access to files, and which operators have full access for administrative purposes and you can organize your operators into security groups of arbitrary size.
3. You can select from two levels of isolation, the most strict where the confidential accounts do not show up at all when the restricted operator searches, and a second level intended to allow your staff to answer and route incoming phone calls while severely limiting the information displayed to the restricted operator answering the call.
Our solution involves the following:
1. The Debtor Detail form now has a field named Access. You can pick from the list of IDs to pick an operator or team that has access to this debtor record.
2. The account access control security capability allows, for account security only, very flexible user groupings. An operator can belong to a team that belongs to a team that belongs to a team nesting levels up to an arbitrary number of levels.
3. The operator form has two new switches for turning on security and controlling whether accounts the user does not have access to are shown with limited data or not at all.
How To Set Up Account Access Control
1. For each debtor that you want to restrict access to, place an operator ID or a security team ID into the 'Access' field in the Debtor Detail form.
2. For each restricted operator turn on the 'Security' check box and optionally the 'Strict' check box.
3. If you want groups of people to access accounts create an operator team for each security group and use that team ID in the Debtor Detail Access field.
How To Use Account Access Control
Sign on as an operator who does not have access to a specific account. You should see the following.
If you have Strict turned on:
You cannot find the debtor when you browse all debtors, use the find by, or print a report. If you have been assigned accounts in your WIP that you do not have access to (an account assignment error) the account is displayed as described when Strict is turned off below.
If you have Strict turned off:
The idea is that in a small office all people will answer the phone, and basic information is needed to be able to route incoming calls to appropriately authorized people while keeping as much information as possible private.
You will see a mostly empty debtor as an account placeholder for each confidential account. The name shows N/A. Only the information shown below is displayed on the confidential account.
- File number
- Last worked date
- Operator assigned to the account
- Current amount owing on the account
- Group number
- Group member number
When you use the Browse, Find By functions you will be able to locate the account, but it will mostly be blank as described above. No demographic information is displayed to ensure the privacy of the individual and you cannot access any related information. To route an incoming call you have a file number and an operator ID to help you find an appropriate authority with access to that account. To answer questions about an account in a group the owing is showing. To help avoid making more than one call per day to an account the Worked date field is also displayed. Beyond that the operator has no further information about the account to help ensure account privacy yet enable your office to seamlessly operate as a team.
How does the system decide if an operator has access to an account?
A restricted operator has access to an account if:
1. The account does not have an Access ID entered in the Debtor Detail form.
2. The Operator, Sales, Clerk or Access fields contain the ID of the operator.
3. The account Access ID is a team ID that the operator is a member of.
What happens when a user arrives on a confidential account?
There may be some instances in the system where, due to account assignment error or some other error, the operator sees an account that is confidential to them. In that case only the fields listed above are displayed to the operator. They also have no control over the account and only the OK, Next and Prior command buttons are active. All other access to the confidential account information is prohibited.
How does account access control work with Web Host?
When a user that has security enabled logs on to the Web Host their team membership is enumerated and the associated team IDs stored in the web user's team List. Each user has connection information and the team List is associated with the user ID.
When a Web Host user signs on Collect! creates a new connection information record and attaches the user's team list to the user's connection information structure. When the user logs out the team List associated with the user is deleted.
As each request is received from the web Collect! switches the user context and replaces the system team List pointer with the team List of the operator. This allows the web based data access to transparently use the operator's access control settings.