Deltek Vantagepoint Security Series: Roles Record Access Tab - Learning Video

This is a screenshot of the Record Access tab in Security > Roles.

The fields on this screen are separated into sections, which are outlined in blue and listed on the right side of the screen.

The first section on this tab is the Application Record Access.

Each of the hub names are listed in the first column on the left, including any user defined hubs that you've created.

And there's three columns that can be configured in the section for those hubs, Access, Record Level View, and Record Level Update.

In the access column, the drop down menu provides different levels depending on the hub.

1. Read only gives the role read only rights to records in those hubs. They can't modify existing records, cannot add new records, and also cannot delete any records.
2. Modify only rights would give the role access to be able to view and modify records, but not the ability to delete those records or add any new records.
3. Add Modify would give the role rights to add new records and modify existing records, but still not the ability to delete any records.
4. And then Full Rights would give the role full permissions to be able to add, modify and delete records.
5. The other options in here are Can Add and Can't Add. That's used for employee assignments and generic assignments in the resource planning module.

It's recommended that you only check off the areas that the employee will need to perform their normal job functions. So for example, most users should not have access to the utilities or any part of the settings area.

Record Level View in this column you can specify the records that members of this role can view for the selected application. So this setting would also control the list of records that are displayed in searches and lookups. So for example, you could allow a role to only be able to see information for a subset of firms that are identified as clients and the firms have. Or only be able to see contacts that are listed as leads or qualified contacts.

The Record Level Update column, that fourth column in there, is used to determine the records that this role can update in the selected application. The default for this field is same as view, meaning that the Record Level Update setting is the same as the Record Level View setting. But if you wanted to you could allow the roll to view all records, but only be able to update a subset of those records.

For most employees, you'll need to create Record Access restrictions so that employees cannot see other employee’s records.

Vantagepoint has a couple of generic conditions to help create these restrictions. In this example, we have set the Employee Record Level View to Employee Number and the operator is set to his Is Me.

This will prevent the employees from seeing records other than their own.

Since every username is linked to an employee record, Vantagepoint knows which user or employee is logged in.

In this example, we have set the Project Record Level View to Project Manager and the operator Is Me.

This will prevent the project manager from seeing projects that belong to other project managers.

When a project manager assigned to this role logs into Vantagepoint and tries to search for projects in the Projects Hub, the only projects that will display in the lookup lists are projects where the signed in user is listed as the project manager of that project.

You could create similar searches using Project Supervisor Is Me. Principal Is Me, or even biller Is Me.

Under Settings > Security > Roles, we're going to be looking at the Record Access tab.

And let's start out with the Time and Expense roles, I'm going to use my search here and select the Time and Expense role.

So now let's say for the Time and Expense role, you want users assigned or members of this role to be able to read projects and read all projects. But you want them to be able to read them only you don't want anyone to be able to modify or add projects, you just want them to read those project records.

So under the hub name Projects, we have read only access here. And you can see from the dropdown, your choices are Read Only, Modify Only, Add/Modify or Full.

So let's give the Time and Expense users, access to be able to read projects.

We're not going to put any Record Level View, we'll do this in just a second.

And then, because it's read only, there's no update rights automatically.

So let's look at a different role here. Let's look at our CRM Admin role.

And for this role, let's give this role full access to all projects.

So we'll come down here to our hub name of Projects. And under Access column for the project's row, let's give full access.

Now you'll see that the update column is going to be open for me to be able to make changes in there.

Remember that Full access is the only access level that gives users rights to be able to use the Delete function. So if this was set to Add/Modify, members of this role would be able to add projects and modify projects, but not be able to delete them.

So Full is the only one that gives the members of this role permissions to delete a project. So keep that in mind when you're giving full access to records. So if they have full access, we can come over here and define, let's do this in another role, we're going to go into the Project Admin role and use our Record Level View and update.

So I'm going to select our Project Manager role here.

Under Project Manager, for Project Manager, let's give him or her any member assigned to the project manager role rights to employees here. So let's give them rights to be able to read employee records. So we have it set to read only, so they can't modify the employee’s records. But also, let's limit the view, record level view here, to employees where supervisor Is Me.

So if the person logged into Vantagepoint is the employee's supervisor, they can read that employee's record. If they're not, they can't.

So we're going to open up our magnifying glass here. And in the Search field, we want to search for the Supervisor field on the employee record. So we'll expand the employee file. And then we're going to come down and look for the Supervisor field. There's our Supervisors. So that's Employee Supervisor. And then in our operator, we can choose various operators here but we're looking for, Is Me, because we want to limit our view where the Supervisor Is Me. And then when we hit Apply, you'll notice that we don't have any access to Record Level Update. Because we're in a read only mode. We don't have any update rights on this record. So we can read only records where we are logged in as the employee supervisor.

Now if I change this, let's say that I give this role access to add modify, so they can add employee records. And they can also modify, it's going to open up the update column.

So our view column says that we can view records only where we are listed as their supervisor, you can give them different access rights here in the update column. So if you wanted allow to allow the role to be able to update different records or a subset of those records, you could use the record level update column.

Again, we talked about the assignments for employee assignments and generic assignments. If we come down here on this Project Manager role. And for the Project Manager role right now it's set to can add employee assignments and can add generic assignment. So the drop downs for those fields are either can add or can't add. So if we want the Project Manager members to be able to add Employee Assignments, or if you don't want them to add any let's say you want them to be able to add Employee Assignments but not add Generic Assignments.

We can leave can add Employee Assignments and change Generic Assignments to Can't Add. Or you might want it the other way around where you allow your Project Managers to assign generic assignments like a Project Manager, Role, Address Person, something like that, but not specific employees. You could set the generic assignments to can add. And leave the employee assignments to can't add.

You can also limit the Record Level View if you want it to be able to allow them to view Employee Assignments, you can set the view level here.

In section 2, the section at the bottom left of this tab. This is where you define project access and project creation rights, you will only see modules that you have activated. So if you don't have the Billing module you won't see Billing listed here.

Apply Project Access To, this will take any record access restrictions that you've set up for this role and apply it to Timesheets, Billing, Expense Reports, Projects in Billing Groups.

Meaning if your role is restricted to only viewing and updating projects where you are listed as the Project Manager, or maybe only projects in New York, those are the only projects that you'll have access to in Timesheets, Expense Reports, Billing, and Sub Projects in Billing Groups.

Or if you've set restrictions on clients to allow members of this role to only have access to clients on the west coast, and you check billing under the apply project access to members of this role would only be able to select clients located on the west coast during billing functions. And that's going to include Interactive Billing, Batch Billing, Billing Terms, Billing Groups, Billing Rate Tables, Refresh Billing Extensions, and also Invoice Template Editor.

Under Project Creation Rights, the allowed charge types for new projects field is where you can define which charge types that the role can apply to projects. And whether or not a role can create linked promotional projects.

In section 3, the Apply Record Access to All Transaction Centers checkbox will limit transaction entry for all transaction types. You may want to enable this if you don't want employees recording transactions to records that they don't have access to.

Limit User’s Access to Only Their Own Data in Self Service - This is a really handy setting which allows employees to be able to view a summary of their own payroll and their own expense check information on the employee review screen.

If your company uses Approval Workflows, you can also determine which approval records you want the role to see.

Only approval records that are assigned to them or all records. And you can also define the Absence Request Approval records and AP Invoice Approval records.

And I'll demonstrate the options in these last sections.

Looking at our Time and Expense role again, the Apply Project Access to, down below the record access grid, is where it'll apply the record access to these applications.

So in this example, the project access for the Time and Expense role members is read only, and there's no restrictions, they can view all projects.

But let's say for a Project Manager role, if the project manager role was limited to viewing only projects where they are listed as the Project Manager, and you click down here under Timesheets, or Expense Reports, members assigned to that role would only be able to see those projects on their Timesheets or Expense Reports. Also, Billing, Application or Sub Projects in your Billing Groups.

Let's look at the Project Creation Rights. So for our Time and Expense role, we may not want them to be able to create projects at all.

So let's go to our Project Manager role. If the Project Manager role has rights to create projects, we can choose which types of projects we want to let them create.

So if I click on Edit, we can allow them to create Regular, Overhead and Promotional projects. Now, if you don't want them to create Overhead projects, let's say that's more of a System Admin type project, we can remove that from our list by clicking on the X. And we can leave just Regular and Promotional.

If you check the box to apply record access to all transaction centers that will take any restrictions you've set up in the application record access grid and apply them to those same records in Transaction Center.

And the Limit User's Access to Only Their Own Data and Self Service. I'll show you where that is and what they can see in there. So I'll leave that checked for this role. And then we'll get to that in just one second.

And then under Approval Workflow Record Access. So for AP Invoice Approvals, your dropdown options here are assignments only. So you can see only the assignments that are assigned to you. You can view all records in the AP Approval Process. Or you can restrict it to a Vendor Record Level. So you can allow them to see approvals for specific vendors.

And then under Absence Requests Assignments Only, would allow this role to be able to see assignments that are assigned to them only. They can view all records in the Absence Request Approval process, or you can assign Employee Record Level View access so that members assigned to this role would be able to view Absence Requests based on a Record Level View. So if you wanted to allow them to see Absence Requests for maybe employees, and their own organization for planning purposes, you can allow that.

Let me show you real quick under where Self Services so if you allow the role access to see their own data in Self Service when they log into Vantagepoint. Under my stuff, there's an area called Self Service that will allow them to get into Self Service. And they can view their Expense Checks, any Expense Checks that they had out in the system, and they can also, if you're using the Payroll module, they will be able to see their paychecks here as well as their W2 wages, and their withholdings.

And that concludes the demonstration for that section.

Thank you for attending this course.

For feedback or comments, please contact us at DeltekUniversity@dlz.deltek.com. And please check the Deltek Learning Zone for additional courses.