# 16 Hierarchical roles and user profiling # 16 Hierarchical roles and user profiling You can access the **Check User Login** section using the Settings item, present in the menu of the avatar in the top right corner. Here you can define and customise vtenext users in order to guarantee data confidentiality, managing access and data use privileges. Through the **Users, Roles, Profiles, Sharing Access, Advanced Sharing Access** and **Groups** items, you can define the users able to use only specific areas of vtenext. In our opinion it is useful to start defining the users (this is as the prerogative of the administrator user) only when you have decided which of the business processes you want to manage with vtenext and not before familiarising yourself with the system. User and access management is a powerful tool that provides a wide degree of versatility in the construction of the structure, also with CRM in Multi-company mode. In addition, vtenext allows you to monitor use by tracking actions (**Audit Trails** tool), with the guarantee of always knowing "who did what" and set privileges accordingly. The management of security and access to information is based on the **Roles** system, which makes configuration simple, as it is not necessary to create a profile for each user, but simply to associate to one already present. The management of roles is fundamental in medium-large businesses in which we find dozens of users with different hierarchical roles. **In particular it is useful for:** - having a large number of people working with CRM simultaneously; - checking the rights of modification, cancellation and reading; - respecting the corporate organisational chart. Through profiles and access levels, Roles allow you to profile vtenext users so that everyone can see only the information that is of interest to them, thus ensuring the confidentiality of data between users and the levels of the company organisation chart. **TYPES OF USERS in vtenext** 1\. Standard user: has limited access and cannot access the Settings menu 2\. Administrator user: is able to administrate all the entities of vtenext Users, groups and their privileged access: - Customise the user interface; - Create communication archives; - Change password, deactivate users and view login history; - Manage profiles by assigning privileges to read, create/edit, delete vtenext data. The correct order to proceed with the configuration of the company structure is as follows: - Creation of Profiles; - Creation of Roles, to which the Profiles are associated; - Creation of Users, to whom the Roles are associated; - Modification of user-role associations based on organisational needs; - Creation of any groups. # 16.1 Profiles The profile defines the privileges of a user in regard to access to, and use of, vtenext modules and fields. The administrator, as instructed by company managers, must determine the operations that can be performed by the different users who will work on the CRM. The following are established for each user by Profiles: - which modules appear in their general menu; - which modules they have full access to; - which modules they have limited access to; - which fields within a module the user will be able to see and/or modify and/or delete their content. And more, on a scale of increasing detail. Below are the types of privileges shown on the screen: [![16.1 [1].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/MCx16-1-1.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/MCx16-1-1.png) Global Privileges: - See all: the profile will be able to read all CRM information; - Edit all: the profile will be able to edit all CRM information. - Field Privileges: allows you to decide whether the user can create/view/modify/delete within the single module. - Tools: allows you to decide on functions such as Export/Import Data, Convert Lead, Management of duplicates with merging. [![16.1 [2].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/WTH16-1-2.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/WTH16-1-2.png) When creating a new profile, you can start from the basic structure of an existing one by duplicating it, so as to not start from scratch. We suggest creating more limited profiles first and then proceed to the more open ones (adding new permissions each time). **Note.** The access privileges managed by Profiles refer to the vtenext layout, not to the "ownership" of the content. If, for example, I have to set that Agent 1 does not see Agent 2's contacts, this type of management is performed by Roles and Sharing Access (see next paragraphs). Since both agents work with the Contacts module, their profile (which will most likely be shared) will have the Contacts module enabled to read and at least create/edit. # 16.1.1 Create new profile **STEP 1:** Once on Settings > Profiles, press New Profile: [![16.1.1 [1].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/Wgz16-1-1-1.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/Wgz16-1-1-1.png) **STEP 2:** in the configuration window for the new profile, enter the name, description if any, and the basic profile to start from. [![16.1.1 [2].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/fYu16-1-1-2.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/fYu16-1-1-2.png) **STEP 3:** Enter the access privileges in detail for each module: [![16.1.1 [3].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/LPt16-1-1-3.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/LPt16-1-1-3.png) [![16.1.1 [4].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/C7w16-1-1-4.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/C7w16-1-1-4.png) **Mobile App Profile:** it allows to create a profile for the mobile app. For each profiles created, as it happens with the web profiles, is possible to choose the modules and their utilization methods. Below important advices to set correctly a new profile: - activate "touch" module for a correct use of the mobile app; - after every single modification/creation of a new profile press "Recalculate" in the Shares Access area; - after eventual modification/creation of a new profile please logout and login from the application. **Warning!** The limitations imposed by the profile on the single module are secondary to those defined by the Module Manager (see relevant paragraph). That is: if the administrator user deactivates a module from the Module Manager, it will be "turned off" to all users/profiles/roles of the CRM, even if their profile is enabled. Vice versa, if the module is left active in the Module Manager, it is the user profile that determines the presence of limitations. In the same way, the Layout Editor "prevails" over the Profile when deactivating fields: if the Source field is deactivated by the administrator in the Layout Editor of the Leads module, no profile will be able to display it regardless of the relative tick in the box. **Versioning:** All settings for modules, processes, roles and profiles can be saved, generating a version (e.g. v.1.0). Versions can be exported or imported to ensure a higher level of security during setup. [![16.1.1 [5].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/hJ816-1-1-5.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/hJ816-1-1-5.png) # 16.2 Roles Roles underpin the entire security system, each of which is based on a profile. The administrator, following the profiles, must create roles that reflect the company's organisational levels. If we establish, in fact, that the visibility of CRM data is controlled by a hierarchy (in Sharing Access), as is logical, higher roles will access the data assigned to lower roles, but not vice-versa. Two roles of equal standing will have no visibility between them. The definition of the role hierarchy affects the visibility of records by one or more users in accordance with the rules described in the Sharing Access chapter. N.B.: All settings for modules, processes, roles and profiles can be saved, generating a version (e.g. v.1.0). Versions can be exported or imported to ensure a higher level of security during setup. **Example:** - The CEO can view the data assigned to himself, to the Manager and to Sales; - The Manager can view the data assigned to himself and to Sales; - Sales can only view their own data. If the Sales role applies to 3 users, each of the 3 users within the role can view the data of the others. ![](https://usermanual.vtenext.com/uploads/images/gallery/2019-08-Aug/scaled-840-0/image-1564997534551.png) Next to the role name, you will find icons to manage the hierarchical tree:
![](https://usermanual.vtenext.com/uploads/images/gallery/2019-04-Apr/scaled-840-0/image-1555426030198.png) edit properties of the role
![](https://usermanual.vtenext.com/uploads/images/gallery/2019-04-Apr/scaled-840-0/image-1555426036877.png) add a subordinate role
![](https://usermanual.vtenext.com/uploads/images/gallery/2019-04-Apr/scaled-840-0/image-1555426041608.png) delete role
![](https://usermanual.vtenext.com/uploads/images/gallery/2019-04-Apr/scaled-840-0/image-1555426046489.png) shift the role above or below
The creation of the new role looks like this: [![16.2 [2].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/tvU16-2-2.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/tvU16-2-2.png) 1. Insert a name for the role 2. Link the desired profile to the role; 3. Link the profile for mobile access (app). **Versioning:** All settings for the roles can be saved, generating a version (e.g. v.1.0). Versions can be exported or imported to ensure a higher level of security during setup. [![16.2 [3].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/OKv16-2-3.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/OKv16-2-3.png) # 16.3 Users From Settings > Users you can create and manage users, which are displayed in a list on the main screen. The user in vtenext corresponds to a person, provided with an email address and password, which they access to work on CRM. [![16.3 [1].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/BW716-3-1.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/BW716-3-1.png) Although simultaneous access by the same user from different locations is allowed, it is absolutely not recommended to use shared users, especially when working at the same time. This is because, in addition to being unable to trace the real owner of the data or the author of any changes (which is at odds with the philosophy of CRM itself), there is a risk of conflict and loss of information saving. The user sheet is divided into sections and coincides with the User Preferences (to be referred to for the details of each section), except for the parts reserved for the administrator user, and are namely the following:
**User Name** Each user has only one user name. Once created, it cannot be changed. N.B. Each user has the option to change their password.
**Login via LDAP** Tick if the active directory is enabled on your server. Reference should be made to the LDAP Configuration chapter.
**Administrator** Tick this box to provide the user with administrator privileges, regardless of their role.
**Status** On / Off. The disabled user can no longer log in to vtenext.
**Role** You can change the role of the user (the role must have already been created).
**Warning!** In the cloud version the user name corresponds to the full email address. Important tips for user creation and management: - The use of characters such as - and / is not allowed for Login and Password; - User Name and Password must be a combination of upper- or lower-case letters and numbers. The use of special characters (such as ä, ö, ü, ß, % etc.) is not permitted. Your password must not contain any terms related to your personal information. A good password is for example "Dhe4K39bz"; - The chosen password must comply with the following rules in accordance with the Data Protection Act (Law 196/2003): - Must consist of at least 8 characters; - Must be changed every 3 months (the system will automatically propose a password change every 3 months). - The user can freely request a password reset, a process which will last a maximum of 24 hours, after which he/she will have to repeat the procedure by clicking on the "Forgot your password?" link again on the Login page; - Beware of granting administrative privileges! The user will be able to see and change the CRM settings and all data; - A user who no longer needs to work in CRM, but must remain present for historical reasons, can be deactivated via the appropriate entry in the customer screen (see above). - The entities associated with them will still be available to other users, according to the hierarchy of roles. You can also permanently delete a user: before deleting a user, the system will ask you which other user the data assignments should be transferred to. More information is available after saving the user data sheet: [![16.3 [2].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/MS616-3-2.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/MS616-3-2.png) Owner-based sharing rules: Allows for permission to be granted to the user to access records assigned to another specific user. Expand the selection and select Add Privileges on the Module, then configure the rule. Example: [![16.3 [3].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/4wY16-3-3.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/4wY16-3-3.png) - Filter-based sharing rules: includes the list of Sharing Access Rules - Advanced activities for the user (please refer to the relevant chapter); - My Groups: list of groups that include the user; - Login History: View the history of user logins. When a new user is created in the CRM, all the data compiled in the creation screen are copied to the Employees Module. The module gives us the freedom to enter as many additional fields as we want and follows the standard rules already set out for all other CRM entities. No less important, if the CRM is furnished with the GDPR module, it also interacts with this module. In essence, the Employees module allows you to treat the users of the CMR as if they formed a normal registry, separating it from the rest (Accounts, Contacts and Leads). [![16.3 [4].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/o7216-3-4.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/o7216-3-4.png) # 16.4 Groups Groups are effective tools for bringing together users who belong to the same team. They are used for data assignment. For example, if a Ticket arrives from a customer, you assign it to a dedicated Ticket management group so that all those users can see it. The first free user will be the one to take charge of it by assigning it to him/herself. To view the list of groups and create new ones, go to Settings> Groups [![16.4 [1].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/1Kl16-4-1.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/1Kl16-4-1.png) **IMPORTANT:** Groups can be composed of sets of: Users, Roles, Roles and Subordinates, other Groups. [![16.4 [2].PNG](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/buF16-4-2.PNG)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/buF16-4-2.PNG) # 16.5 Sharing Access vtenext allows you to set the access privileges of the Roles, defining whether the content of the CRM is generally accessible (public) or with limitations. There are various degrees of limitation. The rules are divided into two blocks: general global access rules and custom rules. The general rules of access are valid as standard for all Roles, but at the same time it is possible to attribute exceptional rules to certain Roles only, in order to cover the most diverse needs of the different company structures. In general, what you will do through Sharing Access is to tell the system which users (based on their hierarchical role) will be able to see and/or modify the data contained in the CRM, module by module. **Warning!** After any changes to the shared rules, **press the Recalculate button** to verify the configuration as a whole, avoid conflicts and make the changes operational. [![16.5 [1].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/8H316-5-1.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/8H316-5-1.png) The first thing to define is the Sharing Access rule for each of the modules. With what degree of freedom do you want the content of the modules to be accessible to users? The most restrictive approach is private. When this sharing acess rule is applied to a module the visibility, creation, modification and deletion of records will follow the hierarchy that was defined inside the roles. In details the possible cases are shown below: - users with the same roles will be able to see, modify and delete the records that were assigned to them, but they will not be able to make the same actions, mentioned previously, to the users with the same roles; - users that have subordinates in hierarchy will be able to see, modify and delete their own records and the records of their subordinates. The Public approach has 3 levels of decreasing restrictions, therefore some privileges (visibility and/or creation and/or modification and/or deletion) will no longer be based on hierarchical roles, but will be open.
**Public: read only** All users can access and view the module data. Only the assignee and users with a higher hierarchical role can publish, modify or delete data.
**Public: read, create/edit** All users can view, create and edit the module data. Only the assignee and users with a higher hierarchical role can delete data.
**Pubblic: read, create/edit, delete** All users can view, edit and delete data. With this setting the CRM is completely public.
Keep in mind that the behaviour of some modules implies the same induced behaviour of connected modules. For example, if the Accounts module is set to Private, Quotes, Tickets, Sales Orders, Purchase Orders and Invoices will also be in Private mode. Messages and Notes allow you to set access privileges in a more systematic way. The sharing of the Calendar module differs in behaviour from the procedure of the other modules, and is analysed in detail in the relevant chapter. The sharing access settings cannot, therefore, be changed. At the bottom of the Sharing Access panel, you can create exceptions to the permissions that you have defined so far, thus creating exceptions to the hierarchy of roles. [![16.5 [2].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/IOI16-5-2.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/IOI16-5-2.png) - Press Add privileges on the module for which you want to create an exception; - Then select the entity owner role in Step 1; - Select the role for which you want to extend visibility in Step 2; - Then define the permission between Read Only or Read and Write; - Enter the desired user tab and add the newly created rule in the "Owner-based sharing rules" menu item. # 16.5.1 Global Access Rules The first thing to define is the Sharing Access rule for each of the modules. With what degree of freedom do you want the content of the modules to be accessible to users? The most restrictive approach is Private, which will strictly follow the hierarchical roles (for visibility, creation, modification and deletion). The Public approach has 3 levels of decreasing restrictions, therefore some privileges (visibility and/or creation and/or modification and/or deletion) will no longer be based on hierarchical roles, but will be open.
**Public: read only** All users can access and view the module data. Only the assignee and users with a higher hierarchical role can publish, modify or delete data.
**Public: read, create/edit** All users can view, create and edit the module data. Only the assignee and users with a higher hierarchical role can delete data.
**Pubblic: read, create/edit, delete** All users can view, edit and delete data. With this setting the CRM is completely public.
Keep in mind that the behaviour of some modules implies the same induced behaviour of connected modules. For example, if the Accounts module is set to Private, Quotes, Tickets, Sales Orders, Purchase Orders and Invoices will also be in Private mode. Messages and Notes allow you to set access privileges in a more systematic way. The sharing of the Calendar module differs in behaviour from the procedure of the other modules, and is analysed in detail in the relevant chapter. The sharing access settings cannot, therefore, be changed. # 16.5.2 Custom Rules At the bottom of the Sharing Access panel, you can create exceptions to the permissions that you have defined so far, thus creating exceptions to the hierarchy of roles. [![16.5.2 [1].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/HIp16-5-2-1.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/HIp16-5-2-1.png) - Press Add privileges on the module for which you want to create an exception; - Then select the entity owner role in Step 1; - Select the role for which you want to extend visibility in Step 2; - Then define the permission between Read Only or Read and Write; - Enter the desired user tab and add the newly created rule in the "Owner-based sharing rules" menu item. # 16.6 Access Field The available function is used to control the visibility of the fields in the various modules on the part of the entire organisation. You can use this function both to show and to hide selected fields. By default, all fields are considered visible. It is not possible to disable the mandatory fields of the modules. [![16.6 [1].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/eYI16-6-1.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/eYI16-6-1.png) **Warning!** The Access Fields rules prevail over the rules set by the Profiles except for the ADMIN user who will see them all, even if they are disabled. # 16.7 Advanced Sharing Access This allows you to extend data access permissions for a user on a specific module, based on rules defined according to the same logic as filters. Let's look at an example: the Milan Agent user must be able to access the Account registries (all of them, even those assigned to others) for the province of Milan. **STEP 1:** Add a rule in the Accounts module, then configure the rule. In our example, on Accounts&Contacts the rule will be a Province equal to Milan. [![16.7 [1].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/tZK16-7-1.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/tZK16-7-1.png) **STEP 2:** from the user tab (Settings > Users), link the rule with the Accounts and Contacts module and define the type of permission under "filter-based sharing rules" [![16.7 [2].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/Gr316-7-2.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/Gr316-7-2.png) **STEP 3:** Ater every single modification please **press the button "Recalculate"** to apply the changes made. [![16.7 [3] correct.png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/16-7-3-correct.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/16-7-3-correct.png) **Note!** vtenext Community: it is allowed to create only one rule of advanced sharing access for module. [![16.7 [2].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/Gr316-7-2.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/Gr316-7-2.png) # 16.8 Audit Trails The Audit Trails function allows the system administrator to know what a user has done in vtenext. You can enable/disable this control via the flag in the box, relative to the selected user. This function has been improved from version 21.01, making it centralized, with the facility for granular extraction of all activities with complete details. [![16.8 [1].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/cEo16-8-1.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/cEo16-8-1.png) *User selection example* [![16.8 [2].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/T0O16-8-2.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/T0O16-8-2.png) *User activity detail view* # 16.9 User Login History As a vtenext administrator, you can monitor access to the system and view the history of each user. [![16.9 [1] correct.png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/16-9-1-correct.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/16-9-1-correct.png) # 16.10 Check User Login Again, as an administrator user, you can view failed login attempts for each user and if they have been blocked (for example, if they have entered their password incorrectly more than 5 times), you can reactivate them by clicking on **"Add to whitelist"**. [![16.10 [1].png](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/scaled-1680-/16-10-1.png)](https://usermanual.vtenext.com/uploads/images/gallery/2022-06/16-10-1.png)