Security inside of UCM has traditionally been handled through a combination of Folder and Contract Type permissions that either grant or deny access to the Contracts located in them. As of late 2019 however, you now have the ability to override these permissions on a per contract basis using Additional Access. This new feature will allow you to assign Users to have either Read-Write or Read-Only permissions from right within the Contract Container itself.
If you already have an existing Security Structure set up with Folders and/or Contract Types, this new feature changes nothing about how security has always worked. This is simply an easier way to handle those "one-off" cases where someone needs access to a Contract that their normal permissions would not allow.
What a User is able to do inside the Contract when granted Additional Access is able to be determined by you as well, both as a system Default and on a per User basis. The options available to you will be the same set of checkboxes that are used for Folder Permissions. We will cover those options in more detail below.
To see how this feature works inside a Contract Container, click HERE.
For a full Video Guide, click HERE
By default, Additional Access will be enabled for your Organization, however ONLY Administrators will have the ability to grant Additional Access at first. Full-Access User can be given the ability to grant Additional Access as well, but an Administrator must manually do so from the User's Profile page.
If you do NOT want this feature to be seen or used at all by anyone in your organization, you can disable Additional Access by going to: Company Admin --> Object Administration --> Object Setting/Maintenance --> Select the Object to configure (Contract Management System).
*If you do not see Object Administration, please contact UCM Support so we can enable that for you.
Simply uncheck the Grant Additional Access (A) checkbox towards the bottom to disable it across the entire object.
*Repeat these steps for any additional Objects if you have them.
Located in the same area under a tab at the top is where you can set the Default Additional Access Security Settings (B).
This is where you can set what a User will be able to do when they are granted Additional Access to a Contract. The defaults will be set like the image below, but can be changed by you at any time.
To avoid any potential confusion, View Contract will always be selected and locked for your Default Settings.
*Repeat these steps for any additional Objects if you have them and need to adjust your Default Security
Custom User Permissions
While we hope that most of your Users will be fine to follow the Default Additional Access Security Settings, we understand that not all Users should be able to do the same thing inside a container. Maybe you have a Power User who needs to be able to do more, like edit those Contract Attributes. Or maybe you have a User who should have less permissions, like not being allowed to Download any Documents. Whatever the case may be, each User has the ability to have their own custom set of Additional Access Permissions.
Inside of a Users Profile, which is access by going to Company Admin --> Manage Users --> Select the User, there will be a link to the right side in the Security/Visibility box (A).
Your first step will be to select which Object you are setting the permissions for (Contract Management System for most) (1), and then you'll check the Follow Custom Security checkbox (2).
Now you'll have all the same permission checkboxes available to you as before. If you want to use your Default Additional Access Settings as a starting point, you can click the Copy (A) icon to the right, and those permissions will be applied for further editing. Unlike your Default Settings, you CAN remove the ability to View a Contract here, so please be careful in your selections. When you are finished setting the Users Custom Permissions, make sure to Update Security Settings (B) to lock in your settings.
Tips & Tricks for Custom Permissions
Even if your User is a Read-Only User, make sure to set the Read-Write permissions to match your Read-Only permissions. A Read-Only User can be placed in the Read-Write column of additional Access, however, a User will NEVER be able to do more than their base User Type allows. This means that if you have a Read-Only user who happens to granted Read-Write access to a Contract, they will still have only the ability of a Read-Only user.
There is currently not a way to remove a User from the Additional Access selection screen, however, IF there is a User who you under no circumstances want to granted Additional Access, you can set that User to use Custom Permissions, and then deselect all options. This will make it so that even if they seem to have Additional Access granted, they won't actually be able to access the Contract.
Custom Permissions using Copy Permissions or Role Models
When you Copy Permissions (A) from one User to others, in addition to Folder and Contract Type permissions, Custom Additional Access will also be copied.
If you are using Role Models, you now have an Additional Access icon (B) which will allow you to assign Custom Permissions like you would per user. If you want your Role Models to follow the Default Additional Access Settings, then you can just leave this section alone.
Enabling the Ability to Grant Additional Access
As mentioned above, Administrators will be able to grant Additional Access by default. Full-Access Users do have the ability to Grant Additional Access inside a Container, but they must have the featured enabled for them by an Admin.
Inside of a User's profile, with the other Allow To checkboxes, is Grant Additional Access (A). When this is checked, a User has the ability to give other Users Access to a Contract.
This checkbox here is a global On/Off switch for each User, which means that any Contract they have access to, regardless of other permission setting, they will be able to Grant Additional Access. If your Full-Access User has their permissions stripped down to a Read-Only status for Contracts located in a particular folder, maybe you don't want them to be able Grant Access to those contracts. We've given you the granular tools here as well to further limit which Folders a User can Grant Permissions in if necessary.
Very much like how Contract Actions work, as long as the Grant Additional Access permission is checked on the Users profile page, then each Folder under Permissions (A) will have a checkbox under the Actions section where you can remove that Users ability to Grant Additional Access (B) for the Contracts specifically in that Folder.