November Grab Bag: Access Restrictions

As the end of the year approaches, Administrators begin updating their digital workplaces' access rules to reflect the changes in their organizations, cleaning up old rules and building new ones as they see the shape of things to come. This month we received a number of questions on restricting Access.
How do I restrict access for a member?
This is a common question, and it's worth examining the core principle of Access. In your digital workplace, you always add rules to grant people access. By default, only Workplace Administrators have access to anything, but Access rules can be added for specific members or Groups. Knowing that, to restrict access for a specific person you'll need to ensure they aren't part of any of the Groups that do have access.
This may be a challenge for access models that rely on the All Members group. Using a separate Member Group to govern basic Read access in your digital workplace offers more fine-tuned control over specific members, and their access can be restricted by excluding them from that Group. This can be especially useful for digital workplaces that have multiple sets of stakeholders, like partners, customers, and employees.
How do I restrict access for a Group?
Access for Groups works the same as it does for individual members. We add rules to give people access. However, if you find yourself in a spot where it's necessary to restrict access to an area from a specific Group, it might be worth taking a step back to reconsider the access model as a whole. This is usually a sign that there's an issue with the Group structure of the digital workplace, and can be addressed there. A sound Group structure lets you add various Groups to items to grant them access.
If members of a larger Group shouldn't have access to something, then there's a relevant difference between that subset of members and the rest of the Group. Splitting that out into two separate Groups will let you set up access accordingly, and also ensures that access is easier to maintain in the future. If members transition in your organization, you can move them between the Groups, without ever needing to change the Access rules.
How do I give members access to a Page, but nothing beneath it?
Sometimes you want people to access a specific Page, but not the things beneath it. This can be really common for everything from customer rooms to social Spaces, and is easily accomplished through non-cascading rules. When adding an Access rule, you can use the interface to decide whether that rule should cascade down into all of the objects beneath it or not.
By default, all rules cascade, but a non-cascading rule applies to the object it is set on and no further. That opens the door to collecting all of your customer rooms under a single Page, for instance, without everyone who has access to that Page having access to all of the customer rooms. Typically, Pages like that will hold a Navigation or Spaces widget to dynamically display the items underneath that each member has access to. So your sales reps would be presented with a list of all of their deal rooms, but only for prospects they're working with, for example.
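The grant-only model and the cascade flag described above, as an added conceptual sketch in Python. It is not Igloo code or its API; the `Node`, `grant`, `can_access` and `visible_children` names, the Group names and the sample tree are assumptions made for illustration.

```python
# Conceptual model only: not Igloo's API. Names and structure are assumptions.
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    parent: "Node | None" = None
    rules: list = field(default_factory=list)  # (group, cascades) grant rules

    def grant(self, group, cascades=True):
        self.rules.append((group, cascades))

def can_access(member_groups, node, is_admin=False):
    """Default deny: access exists only if some grant rule reaches the node."""
    if is_admin:                      # Workplace Administrators always have access
        return True
    current, on_target = node, True
    while current is not None:
        for group, cascades in current.rules:
            # A rule applies on the object it is set on, or below it if it cascades.
            if group in member_groups and (on_target or cascades):
                return True
        current, on_target = current.parent, False
    return False

def visible_children(member_groups, children):
    """What a Navigation-style listing would show: only accessible items."""
    return [c.name for c in children if can_access(member_groups, c)]

# Constructed sample: one Page holding two customer rooms.
rooms_page = Node("Customer Rooms")
acme = Node("Acme room", parent=rooms_page)
globex = Node("Globex room", parent=rooms_page)

rooms_page.grant("Sales", cascades=False)   # see the Page, nothing beneath it
acme.grant("Acme deal team")
globex.grant("Globex deal team")

rep = {"Sales", "Acme deal team"}           # constructed member
partner = {"Partners"}                      # in no Group that has a rule

if __name__ == "__main__":
    print(can_access(rep, rooms_page), visible_children(rep, [acme, globex]))
    print(can_access(partner, rooms_page))
```

Because there is no deny rule in this model, the only way to restrict the partner is to keep them out of every Group that has been granted access, which is the principle the first question describes.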
If you have any other questions about the Igloo platform, workflows, or best practices, you can leave a comment here, or ask a question in the Community area.
1 Comment
Good article Jim. Access control requires some planning and it's good to see different functional options presented here. Thanks for those.