
Get started with user security

This walkthrough will take you through the basics of configuring user security, and the best practices for doing so.

These concepts underpin user security in Lucernex:

  • User Class: Determines a user's security permissions. The only out of the box user class is the Default Security user class.

  • Job Function: A broad category created for your organization that specifies the Portfolios and Programs that its members can access. For example, this can be a department in your organization. Out of the box, the only job function that has built-in functionality in Lucernex is System Administrator.

  • Member: Any Lucernex user with a unique login ID and password. Before a member can access any part of a portfolio, you must first create that member in your firm. This needs to be done only once for each member.

Caveats

When configuring user security in Lucernex, consider the following:

  • If a setting has no parent (for example, because it is at the root level of the tree), its security setting is inherited from the Default Security user class.

  • Only grant users View permissions to the Page Access > Entity > Details > Documents setting. If you grant Edit or Delete access, end users can modify your security settings.

  • Do not grant access to Actions > Delete Entity and All Associated Data (no recovery option) unless the user understands and acknowledges the implications.

    Important!

    This setting grants permission to erase data that might be important to your company without a recovery option.

  • A member must be a member at the entity-level to be assigned a work flow step or schedule task. They must also be a member at the entity-level if they need to receive any type of entity-level notification.

  • Many of the functions necessary for Lease Administrators and Lease Accountants are contained in the Page Access > Administration > Dashboard > Manage Contracts folder. Review these settings and determine the appropriate permissions for your Lease Administrators and Lease Accountants.

Best Practice

Use these principles when you configure user classes:

  • Default Security: Set No Access for the Default Security user class. This is the user class that all others inherit from when no setting has been selected. This means that no user class has access unless you specify a setting that overrides the default of no access.

    All user classes inherit their security settings from the Default Security user class unless they have a setting which overrides the corresponding security setting. If you do not apply the No Access setting to the security permissions of your Default Security user class, you may accidentally grant inappropriate permissions to another user class. For example:

    • Samantha's Default Security user class has View permissions applied for all settings.

    • Samantha creates a new Project Manager user class, which should not have access to contracts.

    • Samantha forgets to change the Page Access setting for the Contract folder to No Access.

    • Since Samantha forgot to change the security setting, any user with the Project Manager class can see contracts.

  • Simplicity: Keep your security configuration as simple as possible. Complex security settings are difficult to maintain.

  • Disable unused features: When you create a new user class, start by disabling access to features and functions you are not using.

    For example, if your company will not be using Use Based Rent, you could set the Page Access > Contract > Payment Info > Use Based Rent folder to No Access.

  • Start at top and work down: For example, you can grant lease administrators edit permissions on the Contract folder, and delete permission on specific pages within the Contract folder. The parent folder defines default permissions.

  • List layouts and sub pages: Grant access to all list layouts and sub pages on the Page Access page unless you have a specific reason not to. Users can only access list layouts and sub pages that belong to the entity types they have access to. For example, with these settings granted to lease administrators:

    • Contract: Edit

    • List Layouts: Edit

    • Sub Pages: Edit

    They can only access list layouts and sub pages in the Contract module. If you later decide to give lease administrators access to the Site module, lease administrators can then only access list layouts and sub pages in the Contract and Site modules.

  • Manage membership: You can add membership at Portfolio and Program level and use Default Access to user class security settings in most cases. This requires less time to administer security permissions and is easier to maintain. Example:

    • Flor’s user class has the View setting for the Default access to Contracts for Portfolio Members security setting.

    • Flor is a member of the Orchid portfolio and is not a member of any individual entities.

    • The Orchid portfolio has 4 projects, 10 facilities, and 10 contracts.

    • Flor can view 10 contracts in Lucernex.

    • A Lease Administrator adds a contract to the Orchid portfolio. There are now 11 contracts in the portfolio.

    • Flor can now view 11 contracts in Lucernex.

      Note:

      A member must be a member at the entity-level in order to be assigned to a work flow step or schedule task. They also need to be a member at the entity-level if they need to receive any type of entity-level notification.

    If you have questions about when membership should be managed on individual entities, please contact your Professional Services team or Support.
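The Default Security principle above can be checked with a small model of the inheritance rules. This is an added example, not Lucernex code: it assumes settings form a tree addressed by " > "-separated paths, that an unset setting behaves like Default, and that "Page Access > Project" is a hypothetical path used only as sample data.

```python
# Toy model of the inheritance rules described above; not Lucernex code.
# Assumption: settings form a tree addressed by " > "-separated paths.
DEFAULT = "Default"  # "Default" means: inherit the parent's setting


def ancestors(path):
    """Return the path followed by each parent, nearest first."""
    parts = path.split(" > ")
    return [" > ".join(parts[:n]) for n in range(len(parts), 0, -1)]


def effective(path, user_class, default_security):
    """Resolve a setting: own tree first, then the Default Security class."""
    for settings in (user_class, default_security):
        for node in ancestors(path):
            level = settings.get(node, DEFAULT)
            if level != DEFAULT:
                return level
    raise ValueError(f"Default Security leaves {path!r} unset")


def audit(must_be_denied, user_class, default_security):
    """Return {path: level} for paths that should be No Access but are not."""
    leaks = {}
    for path in must_be_denied:
        level = effective(path, user_class, default_security)
        if level != "No Access":
            leaks[path] = level
    return leaks


# Constructed sample data. "Page Access > Project" is a hypothetical path.
PERMISSIVE_DEFAULT = {"Page Access": "View"}         # Samantha's setup
LOCKED_DEFAULT = {"Page Access": "No Access"}        # recommended setup
PROJECT_MANAGER = {"Page Access > Project": "Edit"}  # Contract left unset
LEASE_ADMIN = {
    "Page Access > Contract": "Edit",
    "Page Access > Contract > Payment Info > Use Based Rent": "No Access",
}
CONTRACT = "Page Access > Contract"

if __name__ == "__main__":
    for name, default in (("permissive", PERMISSIVE_DEFAULT),
                          ("locked", LOCKED_DEFAULT)):
        print(name, audit([CONTRACT], PROJECT_MANAGER, default))
    print(effective(CONTRACT + " > Payment Info", LEASE_ADMIN, LOCKED_DEFAULT))
```

With the permissive default, the forgotten Contract setting resolves to View for the Project Manager class; with Default Security set to No Access, the same omission grants nothing.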

Minimum User Security Settings

Minimum for a Lucernex user to view, create, edit, or delete data:

  • User account: The system administrator must create a member for each user. A member is any Lucernex user with a unique login ID and password. You can then grant members permissions on a portfolio.

  • Permissions: Grant view, create, edit, or delete permissions for data the member needs access to on the Manage Security section of the System Administrator Dashboard. Permissions are controlled by the user class of the member. This determines the folders, documents, pages, fields, and actions within the portfolio that the member can access.

  • Membership: Manage and assign each member on the Manage Membership Tab page by either:

    • Entity: Assigning a member to entities gives them access to those entities. That member’s user class security settings determine what the member can see and do on those entities.

      Members must be assigned at the entity level to be assigned to work flow steps or scheduled tasks or receive any type of entity level notification.

    • Portfolio or Program: The member must also have appropriate user class security settings.

      We recommend managing membership on portfolios and programs and using Default Access to user class security settings in most cases. This takes less time and is easier to maintain. For example:

      • Flor’s user class has the View setting for the Default access to Contracts for Portfolio Members security setting.

      • Flor is a member of the Orchid portfolio and is not a member of any individual entities.

      • The Orchid portfolio has 4 projects, 10 facilities, and 10 contracts.

      • This means that Flor can view 10 contracts in Lucernex.

      • A Lease Admin adds a contract to the Orchid portfolio, meaning there are now 11 contracts in the portfolio.

      • Flor can now view 11 contracts in Lucernex.

    If you have questions about when membership should be managed on individual entities, contact your Accruent representative.

Create and Configure a User Class

  1. Create a User Class Code.

  2. On the Page Access tab, select the pages you want this user class to access and the permissions you want for them.

    These are the Lucernex pages and unique items including setup wizards, list layouts, Dashboard, and reports.

    As a System Administrator, note that access to many of the features that Lease Administrators and Lease Accountants need is set in the Page Access > Administration > Dashboard > Manage Contracts folder. Select the permissions you want for your Lease Administrator and Lease Accountant user classes:

    • No Access: No access to this page, action, field, or budget column.

    • View: View only access to this page, action, field, or budget column.

    • Edit: Create or edit data on this page, field, or budget column. For actions, this security setting means that the user can perform the action.

    • Delete: View, create, edit, and delete data on this page, field, or budget column.

    • Default: Inherit the parent's security setting.

      If the setting has no parent because it is at the root level of the tree, the field inherits its security setting value from the Default Security user class.

  3. On the Actions tab, select the actions you want for this user class.

    Actions include creating entities, the Default Access to settings, and importing data.

  4. On the Field Security tab, select field permissions you want for this user class.

    You can set field security for both global and user created fields.

  5. On the Budget Columns tab, select the budget column permissions you want for this user class.

    Budget columns are where users enter budget line item data.

Once your user class is created:

  1. Create users on the Manage Members / Contacts page.

  2. Add each user to the entities you want on the Manage Membership tab.

Administration users

If you grant a user the System Administrator job function, they have additional functionality that is not controlled by security. Be cautious when assigning a user this job function, because doing so may grant them more security permissions than you intend.

Functionality available to users with the System Administrator job function includes:

  • Access to all entities

  • Exemption from most folder security

  • The ability to sign in as another user

    This allows system administrators to test user-reported bugs. Lucernex's audit system tracks this feature.

  • Set dashboard reports across the company

  • Check a document back in after someone has checked it out

  • View all reports, including those saved to individual members

  • Reassign work flow steps to other users

  • Modify folder templates

There are exceptions to the access granted by the System Administrator job function, including approving lease items. This is restricted by security to keep our clients SOX compliant.

If you want to grant users some system admin permissions without granting full permissions, we recommend you create multiple "admin" user classes.

Some functions can only be performed by an Accruent representative. This is to protect the integrity of your data. Contact your Accruent Support representative if you are unable to do something as a System Administrator and the option is not available on the Manage Security page.
