Security Groups are used to define access for Administrative and Business Users.  The User can only access attributes that are included in Security Groups for which they have been set up.

What is a Security Group?

A Security Group is a list of specific HR attribute values that can be accessed by a User.  

Who can access the Manage Security Groups?

The System Administrator is the only user who can access Manage Security Groups.

How do you access the Manage Security Groups?

Click the Menu Icon. Under Security, Click Manage Security Groups.

How do you select the attribute values that are available to Users in a Security Group?

Select an attribute for which you would like to create a Security Group.

Click Add to add an entry for a new Security Group.

Enter a Description for the Security Group.  Click the lookup icon for Attribute ID.

Select an Attribute value to be included in the Security Group.

Click the Add icon to add another Attribute value for the Security Group.

Repeat the lookup process, selecting a different Attribute value. 

After all values have been added, click Save.

The new Security Group now shows for the Attribute.  

You can add the same Security Group to other Attributes, if desired.  You can add as many Security Groups as you would like to any attribute(s).

How can you assign access to a Security Group to a User?

The Security Group access for a User is set up in Manage Users/Contacts. As an example, let us create a security group for Location attribute.

Enter the security group description, select the Attribute ID and save.

The new security group shows for Location as given below.

Let us assign this newly created security group to a user. Navigate to Manage Users/Contacts and access the user page.

Create a new user/contact or edit an existing user.

In Row Level security, select the newly created security group for Location attribute and save. This will restrict the user to access the candidates' data specific to that location in consoles.

The console data for the above user displays only the rows belonging to that Location security group. Let us check this in the Invitation Console. 

With the user login, navigate to invitation console and click on "Search" button. This displays the invitation data that the user has access to.

Now let us check the location information for any invitation. Select an invitation and click "Info and Actions" link.

Check the Information tab for Location. The new Location security group shows in the information.

The above restriction on user access is also applicable to Elasticsearch as well as dashboards.

If the user tries to access the candidate data that does not belong to the Location the user has access to, then the system displays an unauthorized error message.

Dashboards example:

Click on the number or segment of the graph in the I-9 Insight chart.

The user can see the list of all I-9 IDs of the segment as shown below, but the drill down data can be seen only for the candidates that belong to the locations the user has access to.

The user cannot access the candidate data that belong to locations not configured for him. When clicked on those I-9 IDs, the user will be redirected to the following unauthorized access page.

Elasticsearch:

In Elasticsearch, all the category related search results and their actions oblige row level security.

However, in I-9 Status, I-9 Compliance and I-9 Life Cycle categories, the search results show all the rows but the drill down redirects the user to the unauthorized access page if the candidate does not belong to the locations the user has access to. 

Examples:

Select any candidate and click on the invitation ID link. The page redirects to error message if the user has no access to the candidate data. 

When clicked on related action for the above invitation, the page displays error message.