Security is extremely useful on your intranet, because it allows you to automatically control who can see or alter content on your site or parts of your intranet.
Content security allows you to specify what rights you'd like to grant globally (i.e. to all users whether logged in or not), as well as giving individual user and group rights to particular areas. In essence, this lets you set up different menus and site content for users based on their site login and the user/group rights granted to them, allowing you to tailor the experience for all your different users’ needs.
Why would you want to use security on your intranet site? Reasons may include:
- Content Management - By assigning permissions, you can delegate content creation and management to applicable areas, so they can directly update their content. You can get as specific as granting access to an Application, Site, or folder.
- Confidentiality - You may want to keep some information private (i.e. sensitive information).
- Engagement - A specific group of employees may feel more comfortable and connected by having an area of the intranet which is accessible only to that group's members.
- Convenience - As you build up the intranet, you'll start to have lots of content. You may want to hide content that isn't relevant to a user/group, keeping the site clean and easy to navigate.
There are various ways to manage your intranet security, as explained below.
Security Tab Functions
Hover over the Admin icon, top right, and click the Security tab. On this tab there are a multitude of functions which affect how users can access your intranet and what they can view, edit, etc.
The sections for Login Settings and Advanced Settings control more of the backend functionality of your intranet, as well as some of the content under Logins; these are described in detail in the Login Security article under Technical Admin. Though you may not be the person who alters the settings, it's worth keeping in mind in your planning that the setting for Active Directory Synchronization will allow you to sync email accounts and manage intranet access, and Site Level Login will allow for anonymous access to the intranet (e.g. if users are at a shared kiosk and don't have email accounts).
Impersonate a Login
If you're a Super Admin, a key piece of functionality will be to act as another user, so you can view the intranet from a non-Admin perspective. This allows you to double-check permissions and access, or investigate reported issues. It can also be of use if, for example, you're asked to post content for a non-technical executive who wants it to appear as if they posted the content.
There are several ways to get to impersonation, but regardless of the method, a box with the impersonated user's name immediately shows at the top of your screen. You can now navigate throughout the intranet as this user (note that any forms you submit, comments you post, etc. will look as if they were actually done by this user, so be extremely cautious).
When you're finished impersonating the user, click the big X to stop impersonation. You'll remain on the same page in the intranet, but will once again be using your own account.
You can impersonate a Login using several different methods, as follows:
From the Toolbar
The fastest and easiest way to impersonate a user is to hover over the Admin icon in the Toolbar and click Impersonate Login.
From Search Results
1. Search for the person you want to impersonate.
2. If the person isn't already showing in detail in the right pane, click the double arrows which appear when you mouse over the person's name.
3. In the right pane, click the Impersonate link, top right.
From the Admin section > Security Tab
- Within the intranet's Admin section under the Logins section, click Impersonate a Login.
- In the drop-down menu, choose an individual's login to impersonate (note: choose an individual with the appropriate permissions; you can't impersonate another Super Admin).
User Rights
User rights are permissions for intranet content or actions, and they can be assigned in several ways via the Security tab.
Best practice is to use Group rights rather than User rights - even if you have to create a new group of one. This allows you to more efficiently manage various permissions throughout the intranet as staff roles change and staff members move on. Read more about Group Rights later in this article.
Note that when a user has both individual rights and group rights, the individual user rights will always take priority.
Assign Elevated User Rights
Elevated Rights are assigned to specific logins or individuals. Some elevated rights affect actions across the entire intranet, and some are more specific to various areas of the intranet.
The various intranet roles for a user each have associated permissions and access, as follows:
- Super Admin - Super Admins have unrestricted access and administrative rights and can impersonate other users.
- Administrator - Administrators have the same rights as Super Admins, except that they can’t assign/edit Super Admins or impersonate users, plus a few other restrictions.
- Site Designer - Site Designers have access to the Design tab in the Admin section, where they can create and choose themes for the site, create and design the menu navigation system, and organize home page widgets.
- Storyboard Editor - Storyboard Editors can manage story content for a site and can choose to show or hide the site's Storyboard.
- Profile Manager - Profile Managers have limited access to the Admin section to create and manage logins and employees.
- Employee Manager - Employee Managers have full access to employee profiles, allowing them to inline edit any employee; they can’t add/delete employees or access the Admin section.
- Site Owner - Site Owners have management rights over their sites, including the option to create navigation, manage Storyboard and Stories, plug in applications, theme their site, and add widgets to the site’s home page (note that this is different than the main intranet home page). Learn more about Site Security.
- Page Owner - Page Owners have limited access to the Admin section to manage their assigned page(s). They have full ownership of their pages and the content within them. However, they cannot edit the left Site Navigation column; Site Owners can. Learn more about Page Security.
- Application Owner - Application Owners have limited access to the Admin section to manage their assigned Application(s). They have full ownership of their Apps and the published content. Learn more about Application Security.
- Approval Manager - Content Approval Managers are assigned at the category level and are able to monitor and approve/decline pending content.
- Supervisor - Supervisors are assigned per user and can potentially have approval rights over specific content that their users publish. The supervisor will display for user records within the Employee Directory application.
- Stats Viewer - Stats Viewers have access to the Stats site, where they can view statistics for the entire intranet without having any Admin rights.
To assign Elevated Rights:
- Click the Admin icon, top right.
- Click the Security tab.
- On the right side under Logins, click Assign Elevated Rights.
- In the drop-down, select the user login whose permissions you want to change, then click Next.
- You'll now see a list of login roles, with a checkmark beside any current roles assigned to the user. Click on the name of the elevated right you want to assign to that user.
- A new box will appear below the list of roles, asking for confirmation of the elevated rights. If the elevated right has additional options (e.g. Page Owner, Site Owner) these will also appear. Click the box for the role and for any additional options, then click Save to finalize the change.
- After assigning Elevated Rights, in order for the change to take effect, have the user log out and log back in to the software, or close out their browser if you use AD Sync.
To remove roles, repeat the above process but uncheck boxes for unwanted roles before saving.
Assign Content Permissions
On the Security tab under Logins, you can Assign Content Permissions, which gives individual permissions for Apps (except Blogs, Buy and Sell, and Recipe Share). Assigning these Content Permissions can also be done from within the App itself. This is explained in the Security for Apps article in the Applications section.
Group Rights
Group permissions are a very effective and recommended way of managing permissions, allowing administrators to ensure permissions-based functions will continue to be performed regardless of vacations or staff turnover.
For example, imagine if several employees from different departments were collectively responsible for updating content in 10 places on your intranet. If you assigned permissions by person, you would have to go to 10 different intranet places to update, and would have to repeat this process each time an employee left or was added. To save time, create a well-named group which contains all the necessary users, then assign the required security permissions to this group once (in all required locations). If a new user joins the group, simply add them to the group and all permissions will be automatically granted to them. Note that user permissions will always override group permissions.
If you don't have any existing groups, you can start them in the Admin section, on the Security tab, in the Groups section. Click Create a Group, give it a name, add users by clicking (or Ctrl-click for multiple users), and click Save. Groups are listed alphabetically, so if you're going to have multiple groups with similar functions, we suggest giving them descriptive names which will automatically list together (e.g. Editors - HR, Editors - Marketing site).
Assign Group Rights
Just like User rights, Group rights can be assigned in several ways. On the Security tab under Groups, you can assign Content Permissions, which is about assigning permissions for Apps. This is explained in the Security for Apps article in the Applications section.
Group rights can also be assigned by clicking Assign Elevated Rights on the Security tab under Groups. This allows you to select from various intranet roles for a user, each of which has associated permissions and access, as described below:
Types of Group Rights
- Site Owner - Site Owners have management rights over their sites, including the option to create navigation, manage Storyboard and Stories, plug in applications, theme their site, and add widgets to the site’s home page (note that this is different than the main intranet home page). Learn more about Site Security.
- Page Owner - Page Owners have limited access to the Admin section to manage their assigned page(s). They have full ownership of their pages and the content within them. Learn more about Page Security.
- Application Owner - Application Owners have limited access to the Admin section to manage their assigned Application(s). They have full ownership of their Apps and the published content. Learn more about Application Security.
- Approval Manager - Content Approval Managers are assigned at the category level and are able to monitor and approve/decline pending content.
Manage Group Rights & Users
Once you have a Group or Groups in place, you can manage them in the Admin section, on the Security tab, in the Groups section - click Find Groups. You can now see all Groups (some of which have been pulled in automatically if your site uses AD sync).
Groups created for the intranet are listed first - click on the name of one to view its members and associated permissions. Once you're in this screen you can also:
- Delete the group or save any changes you make (1)
- Change the group name (2)
- Delete any user by clicking the red icon to the right of their name (3)
- Assign more users to the group by clicking their name (4)
- Change elevated rights (5)
Be sure to click the Save button after making any changes for your Group.
Reporting on User or Group Rights
It's possible to report on all of the access permissions for a specific user or group. In the Admin section on the Security tab, scroll down to Reporting. In this section there are several different reporting options to see the rights that are currently assigned for the site:
- User Permissions - shows you all elevated permissions and content rights associated with a specific user. (Note that you can perform a similar function in the Logins section of the Security tab, by clicking Find Logins and searching for the user; you'll be able to view current permissions and assign additional permissions.)
- Group Permissions - shows you all elevated permissions and content rights associated with a specific group.
- Application Permissions - allows you to view the permissions assigned for a specific Application. You can also look up user and/or group permissions for that Application; hold the Ctrl key and click to select multiple users.
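The following is an added example, not part of the original article or the product's own code: it applies the rule stated earlier (individual user rights take priority over group rights) to constructed permission rows and lists the direct user grants worth reviewing when you follow the group-rights best practice. The row layout, the right names `view` and `edit`, and the "highest right wins across several groups" rule are assumptions made for illustration.

```python
# Added example: constructed data, not a real export from the product.
RANK = {"view": 1, "edit": 2}  # assumed right names and ordering

GROUP_MEMBERS = {
    "Editors - HR": {"alice", "bob"},
    "Editors - Marketing site": {"bob", "carol"},
}
GROUP_RIGHTS = [  # (group, content area, right)
    ("Editors - HR", "HR Policies", "edit"),
    ("Editors - Marketing site", "Marketing News", "edit"),
]
USER_RIGHTS = [  # (user, content area, right) assigned directly to a login
    ("bob", "HR Policies", "view"),   # differs from what his group grants
    ("dave", "HR Policies", "edit"),  # not backed by any group
]

def group_rights(user):
    """Rights a user would hold from group membership alone: {area: right}."""
    out = {}
    for group, area, right in GROUP_RIGHTS:
        if user in GROUP_MEMBERS.get(group, set()):
            # Assumption: with several groups, the highest right applies.
            if RANK[right] > RANK.get(out.get(area), 0):
                out[area] = right
    return out

def effective_rights(user):
    """Group-derived rights, with any user-level entry taking priority."""
    rights = group_rights(user)
    for u, area, right in USER_RIGHTS:
        if u == user:
            rights[area] = right  # user right overrides the group right
    return rights

def audit_direct_grants():
    """Classify every direct user grant against the group-only view."""
    findings = []
    for user, area, right in USER_RIGHTS:
        via_group = group_rights(user).get(area)
        if via_group is None:
            kind = "direct-only"      # survives any group clean-up
        elif via_group == right:
            kind = "redundant"        # group already grants the same right
        else:
            kind = "overrides group"  # effective right differs from the group's
        findings.append((user, area, right, via_group, kind))
    return findings

if __name__ == "__main__":
    for finding in audit_direct_grants():
        print(finding)
```

Entries classified `direct-only` or `overrides group` are the ones that keep applying when group membership changes, so they are the ones to revisit as staff roles change.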
Category/Folder Rights within Applications
Within Applications, or Apps, you can easily set very specific permissions for users/groups by category or folder. Learn more in the article Security for Apps.