Understanding Permissions and Location-Based Access
Understanding Permissions and Location-Based Access
| Note: This article explains data visibility and location-based permissions. For information about user roles and module access, see Roles. |
Overview
Ideagen Procedure Management uses a user-centric permission structure, not a location-based one. This means permissions are built around users and their relationships, rather than restricting access by location alone. Understanding how this works is essential for configuring appropriate data visibility and security.
How Permissions Work
Permission Scope Options
When configuring permissions (e.g., for contracts, forms, or other modules), you'll see several options:
- No - User has no access to this feature
- Across All Locations - User can view data from all locations in the system
- Users location(s) - User can view data based on shared location relationships (explained below)
- Users Managed Region(s) - User can view data from locations within their managed regions
Understanding "Users location(s)" Permissions
The "Users location(s)" option is the most nuanced and requires careful consideration. Here's how it works in Ideagen Procedure Management:
Key Principle: If two users share any location in common, they can view each other's data across all their assigned locations.
Practical ExampleLet's look at a real-world scenario: User A is assigned to:
User B is assigned to:
What happens with "Users location(s)" permissions: Because User A and User B both have Location 2 (Melbourne) in common, they can view each other's data across all their assigned locations. This means:
Important: User A gains visibility to Location 3 (Brisbane) data even though they're not assigned to Brisbane, simply because they share Location 2 (Melbourne) with User B. |
Best Practices
1. Assign One Location Per User
To maintain the clearest and most predictable data visibility:
- Assign only one location per user whenever possible
- This prevents unexpected cross-location data sharing
- Makes it easier to understand who can see what
2. Test Multi-Location Assignments
If you must assign multiple locations to a user:
- Carefully test the permission outcomes
- Log in as that user to verify what data they can access
- Document any non-standard location assignments
- Review these assignments regularly
3. Use "Across All Locations" Deliberately
For users who genuinely need system-wide visibility (e.g., executives, auditors, system administrators):
- Use "Across All Locations" permission rather than assigning multiple individual locations
- This makes their broad access explicit and easier to audit
4. Consider Regions or User Groups for Multi-Location Access
If a user needs to see data from multiple locations:
- Regions: Set up regions that group multiple locations together, then use "Users Managed Region(s)" permissions. Note: Regions can be enabled in Location Management settings if not currently visible in your system.
- User Groups: For more complex permission requirements, consider using Smart Groups (automated based on criteria) or Basic Groups (manually managed) to control access patterns
- These approaches provide clearer structure and better management than assigning multiple individual locations to users
| Note: User Groups are particularly useful for granular permissions within modules. While roles control access to entire modules, User Groups can control access to specific forms, learning programs, news articles, policies, and other individual pieces of content. This makes User Groups ideal for audience segmentation and targeted content delivery. Learn more about [User Groups]. |
5. Regular Permission Audits
- Review user location assignments quarterly
- Remove unnecessary location assignments
- Verify that data visibility aligns with business requirements
Common Scenarios and Solutions
Scenario 1: Regional ManagerNeed: Manager oversees Sydney and Melbourne locations Recommended Solutions:
|
Scenario 2: Temporary CoverageNeed: User temporarily covers for colleague at another location Recommended approach:
|
Scenario 3: Multi-Site WorkerNeed: Staff member works across multiple locations regularly Recommended approach:
|
Troubleshooting Common Questions
"Why can User X see data from Location Y when they're not assigned to it?"
Check if User X shares any location with a user who IS assigned to Location Y. The shared location creates visibility across all locations for both users.
Example: If User A has Location 1, and User B has both Location 1 and Location 2, then User A can see User B's data from Location 2.
"I want location-based permissions, not user-based"
Ideagen Procedure Management is fundamentally designed around user-centric permissions. To achieve the most location-restricted access possible:
- Assign only one location per user
- Use "Users location(s)" permission scope
- Avoid having users share locations unless data sharing is intended
- Use Regions or User Groups for users who genuinely need multi-location access
"How do I audit who can see what?"
Follow these steps:
- Review each user's location assignments
- Identify which users share locations
- Remember: any shared location = shared data visibility across all their locations
- Use the preview function in User Groups to see who has access to specific content
- Test by logging in as different users to verify their data visibility
Need Help?
If you have questions about your specific permission configuration, please contact support with:
- The users involved
- The locations assigned to each user
- What data visibility you're trying to achieve
- Screenshots of your current permission settings
Our support team can help you configure permissions that match your business requirements.
Related Articles
- [Roles] - Understanding user roles and module access
- [User Groups] - Creating and managing User Groups for content permissions
- [Location Management] - Setting up and managing locations in your system