Account Access Control

Do you have some accounts that you want only specific operators to access?

The absolutely correct approach to account isolation involves separate networks, physical offices, and LANs. Anything else has complications. For example, how would data segregation affect your compliance with laws limiting the calls your company can make to the debtor in a day, or do you need to worry about a sharp operator who sets up a sniffer on your network?

Ours is a simple and comprehensive solution, but it may not apply if you require legally contracted segregation procedures. For those types of account isolation, please consult your local technical security experts to set up a secure environment for you, with separate servers, networks, and offices, as needed to fulfill your contract.

Collect!'s Account Access Control cannot promise that an unauthorized user will never gain access to confidential account information (only the correct approach described above can offer that), but it does offer you very flexible and comprehensive options that are easy to implement. These are outlined below.

Our solutions provide these features:

1. You can mark accounts confidential, and access to a confidential account can be restricted to a specific operator or group of operators.

2. You can designate which operators have limited access to files and which operators have full access for administrative purposes, and you can organize your operators into security groups of arbitrary size.

3. You can select from two levels of isolation, the most strict where the confidential accounts do not show up at all when the restricted operator searches, and a second level intended to allow your staff to answer and route incoming phone calls while severely limiting the information displayed to the restricted operator answering the call.

Our solutions involve the following:

1. An Operator is granted access to any account that has their ID in the Operator or Sales field on the Debtor form.

2. The Debtor Detail form has two fields that may be used to fine-tune account access further. These fields are named Clerk and Access. You can select from the list of IDs to pick an operator or team for either of these fields.

a) An Operator is granted access to any account that has their ID in one of these fields or the Team ID of a team to which they belong.

b) An Operator is granted access to any account which has nothing set in these fields, unless the operator is "locked out" as described below.

3. The account access control security capability allows very flexible user groupings. An Operator can belong to a team that belongs to a team that belongs to a team, with nesting up to an arbitrary number of levels.

4. The Operator Security form has several switches pertaining to security.

a) A switch to enable Security (with a check mark).

b) A switch Strict to control whether accounts the user does not have access to are shown with limited data or not at all.

c) A switch Locked out by default to lock the Operator out of all accounts that do not have their ID in the areas noted above, including accounts that have no other access control settings set in the Debtor Detail. (By default, if there are no settings set in the Debtor Detail, the account is accessible to all operators.)

d) A field Client # to specify a particular Client whose accounts the Operator can access. This includes any Clients "Owned by" the Client # you specify.

e) A switch Apply to Client Accounts to restrict browsing Clients to the particular Client or Client hierarchy you have specified in the "Client #" field.

How To Set Up Account Access Control

Account access control may be set up from the Debtor form or the Operator Security form, depending on how you intend to restrict your accounts.

There are four main ways to set up account access control:

  • Restrict by Account
  • Restrict by Lock Out
  • Restrict by Client
  • Restrict with Client Type Operator

Each of these is described below.

Restrict By Account

This method restricts access on an account by account basis.

1. For each Debtor that you want to restrict access to, place an operator ID or a security team ID into the Access or Clerk field in the Debtor Detail form. This will enable the Operator or Team to see this account.

2. For each restricted operator, switch ON Security with a check mark, and optionally, switch ON Strict. This must be done for every operator for whom security applies. An Operator with these switches off can see everything, regardless of any other settings.

3. If you want groups of people to access accounts, create an Operator Team for each security group and use that team ID in the Debtor Detail Access or Clerk field.

Restrict By Lock Out

This method restricts all accounts based on Operator settings.

1. For each Operator that you want to restrict from accessing accounts, in the Operator Security section of the Operator form, switch ON Security with a check mark, and optionally, switch ON Strict.

2. Switch ON Locked out by default.

These settings will prevent the Operator from viewing any account that does not have their ID in one or several of the following fields, or the Team ID of a team that they belong to.

  • Debtor Operator field
  • Debtor Sales field
  • Debtor Detail Clerk field
  • Debtor Detail Access field

Tip: Operators are also UNABLE TO VIEW accounts with no settings at all in the Debtor Detail.

Restrict By Client

This method restricts access based on Operator settings and Client #.

1. Put a Client # in the Operator Security section of the Operator form. This will restrict the Operator to viewing only the accounts belonging to that Client #.

2. Switch ON Security with a check mark, and optionally, switch ON Strict. These switches must be set to enable access control by client. An Operator with these switches off can see everything, regardless of other settings.

Tip: Client ownership is a hierarchical system that allows you to use the Owned by client in the Client form. If the Client # you enter for the Operator owns other clients, they will also be visible to the particular operator through the Browse Debtors or Find By menus.

3. Optionally, switch ON Apply to client accounts if you want this Operator to be able to browse and edit Clients or add a new Client. This will restrict viewing to only the Client # specified in the "Client #" field or any Clients "owned by" that Client #.

Tip: If an Operator creates a new Client when Apply to client accounts is switched ON, the new Client will automatically be "owned by" the Operator Security Client # setting. Collect! will write the Client # to the "Owned by" field on the new Client.

Restrict With Client Type Operator

This method simply sets up a Client Operator with access to their own accounts.

1. In the Operator form, select Client in the Type field and put in a Client # in the Client # field that becomes visible beneath the field labeled Actual. This will restrict the Operator to only view accounts for the Client you specify.

Leaving the Client # empty for a Client type Operator will produce wrong results.

2. We recommend that you try out User Level 98, Guest, for your Client operators. Then you can enable other fields or menu items as needed.

Tip: Client ownership is a hierarchical system that allows you to use the Owned by client in the Client form. You can enable your Clients to search for debtors using the Browse Find By menu. They will not be able to view records that they do not own. Clients who own other clients are able to see all records in their hierarchical tree, but no others.

Please refer to Help topic, Enabling Your Clients to Browse for Records, for details.

How To Use Account Access Control

Sign on as an operator who does not have access to a specific account. You should see the following.

If you have Strict turned ON:

You cannot find the Debtor when you Browse All Debtors, use Browse Find By, or print a report. If you have been assigned accounts in your WIP that you do not have access to (an account assignment error), the account is displayed as described below for Strict turned OFF.

If you have Strict turned OFF:

The idea is that in a small office all people will answer the phone, and basic information is needed to be able to route incoming calls to appropriately authorized people, while keeping as much information as possible private.

You will see a mostly empty Debtor as an account placeholder for each confidential account. The name shows N/A. Only the information shown below is displayed on the confidential account.

- File number
- Last worked date
- Operator assigned to the account
- Current amount owing on the account
- Group number
- Group member number

When you use Browse Find By functions, you will be able to locate the account, but it will mostly be blank as described above. No demographic information is displayed. This ensures the privacy of the individual and you cannot access any related information.

  • To route an incoming call, you have a File number and an Operator ID to help you find an appropriate authority with access to that account.

  • To answer questions about an account in a group, the Owing is shown.

  • To help avoid making more than one call per day to an account, the Worked date field is also displayed.

Beyond that, the Operator has no further information about the account. This ensures account privacy, yet enables your office to seamlessly operate as a team.

If you are a CLIENT OPERATOR:

If you sign in as a Client Operator, you should only be able to see your own accounts. When using Browse Find By functions, you can only find accounts for your Client #. Client ownership is a hierarchical system that allows you to use the Owned by client in the Client form. Clients who own other clients are able to browse for all records in their hierarchical tree, but no others.

How The System Determines Access

How does the system decide if an operator has access to an account?

A restricted operator has access to an account if:

1. The account does not have an Access ID entered in the Debtor Detail form, UNLESS the operator is "Locked out by default," as described above.

2. The Operator, Sales, Clerk or Access fields contain the ID of the operator or the Team ID of a team the operator belongs to.

3. The account belongs to a client whose Client # matches the entry in the Operator Security Client # field. This also includes any Client #s that the client owns.

4. For Client type Operators, the Client # matches the client the account belongs to. This also includes any Client #s that the client owns.

Tip: Collect! determines whether or not an Operator is granted access to an account in the following order.

1. Client Access
2. Locked Out By Default
3. Operator ID
4. Sales ID
5. Debtor Detail - Clerk ID
6. Debtor Detail - Access ID
7. Team List

What happens when a user arrives on a confidential account?

There may be some instances in the system where, due to account assignment error or some other error, the operator sees an account that is confidential to them. In that case, only the fields listed above are displayed to the operator. They also have no control over the account and only the OK, Next and Prior command buttons are active. All other access to the confidential account information is prohibited.
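
The access rules and the Strict / non-Strict views described above, modeled as an added example (this is not Collect!'s own code). All names and the sample data are hypothetical; the model assumes an Operator Security Client # decides access on its own before the ID fields are consulted, and it reproduces the outcome of the rules rather than Collect!'s internal evaluation order.

```python
# Added model of the page's access rules; every name is hypothetical, not Collect!'s schema.
LIMITED_FIELDS = ("file", "worked", "operator", "owing", "group", "member")

def principals(op_id, member_of):
    """Operator ID plus every team reached through nested team membership."""
    seen, todo = set(), [op_id]
    while todo:
        cur = todo.pop()
        if cur not in seen:              # also guards against membership cycles
            seen.add(cur)
            todo.extend(member_of.get(cur, ()))
    return seen

def in_client_tree(client, root, owned_by):
    """True if client is root or is owned, directly or indirectly, by root."""
    seen = set()
    while client is not None and client not in seen:
        if client == root:
            return True
        seen.add(client)
        client = owned_by.get(client)    # walk up the "Owned by" chain
    return False

def has_access(op, acct, member_of, owned_by):
    if not op.get("security"):           # Security switch off: sees everything
        return True
    if op.get("client"):                 # assumption: Client # decides on its own
        return in_client_tree(acct.get("client"), op["client"], owned_by)
    ids = principals(op["id"], member_of)
    fields = [acct.get(f) for f in ("operator", "sales", "clerk", "access")]
    if any(f in ids for f in fields):    # own ID or a Team ID in any of the four fields
        return True
    if op.get("locked_out"):             # Locked out by default and no ID match
        return False
    # Nothing set in Clerk or Access: open to operators who are not locked out
    return not acct.get("clerk") and not acct.get("access")

def view(op, acct, member_of, owned_by):
    """Full record, limited placeholder (Strict OFF), or None (Strict ON)."""
    if has_access(op, acct, member_of, owned_by):
        return dict(acct)
    if op.get("strict"):
        return None
    return {**{k: acct.get(k) for k in LIMITED_FIELDS}, "name": "N/A"}

# Constructed sample data: JC -> team MED -> team CONF; client 202 is owned by 101
MEMBER_OF = {"JC": {"MED"}, "MED": {"CONF"}}
OWNED_BY = {202: 101}
ACCT = {"file": 4310, "name": "Constructed Debtor", "client": 202, "operator": "HSE", "clerk": "CONF", "owing": 150.0}
```

Running `view` for the same account with different operator settings shows which switch combination hides the record, which leaves only the call-routing placeholder, and how a nested Team ID in the Clerk field grants access.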

How does account access control work with Web Host?

When a user that has security enabled logs on to the Web Host, their team membership is enumerated and the associated team IDs stored in the web user's team List. Each user has connection information and the team List is associated with the user ID.

When a Web Host user signs on, Collect! creates a new connection information record and attaches the user's team list to the user's connection information structure. When the user logs out, the team List associated with the user is deleted.

As each request is received from the web, Collect! switches the user context and replaces the system team List pointer with the team List of the operator. This allows the web based data access to transparently use the operator's access control settings.

Limitations To Account Security

The following important conditions and limitations apply when using account access control.

Speed

The user rights are not indexed and are transparent to your searches except that debtors the user hasn't got access to are discarded at a low level in the system. If a user has rights to only 1 record in 10,000 then the system will likely have to search all 10,000 records before it finds the one the user has rights to.

Limited Use

Do not use a security enabled operator incorrectly. If you want to do a batch operation or anything complex, such as statistical calculations, then you should sign on as an unrestricted operator.

The Account Security function is not intended to work with batch operations, or anything complex unless the complex task is specifically planned for and is designed to support Security in both Strict and Non-strict forms, depending on your requirements.

If you use complex plans or control files that look at debtor groups please be aware that account security will restrict the data available to unauthorized users.

See Also

- Enabling Your Clients to Browse for Records
- Operator Security
