Kavi® Members Help

Chapter 18. How to Manage Access
Prev  Part I. Kavi Members Concepts and General Instructions  Next

Chapter 18. How to Manage Access

Table of Contents

Managing user access
How to decipher your organization's access control system
How to determine a user's access privileges
Are this user's access privileges correct?
How to add access
How to revoke access
Tips for administrators: how to maintain proper access levels for all users on a site-wide basis

Managing user access

User access to your organization's Web site is managed primarily through Kavi Members. Access settings are configured by Super Administrators, who define controls over the processes by which individuals and companies are added to the database, the kinds of types and roles that will be available to grant access, whether these types will be assigned automatically through membership or be available to be assigned manually by Organization Admins, and when and under what conditions these types will be revoked automatically. But much of the day-to-day management of access is handled by Organization Admins, who need to understand the general concept of Roles and Types, and how they are implemented in their organization's Web site. Administrators also need to understand Kavi Members interlocking Access mechanisms.

Back to top

How to decipher your organization's access control system

Each organization has its own unique set of roles and types, but they all have certain things in common (particularly the default roles and types). Here is one way you can get a fast overview of how access is granted through your site.

View Access Configuration

Super Administrators can view a site's access configuration through the View Access Configuration tool.

Take quick stock of roles

Roles are the basic unit of Web site access. Super Admins can use the Manage Roles tool to view their organization's roles. Depending on the organization there may be many, even dozens, of roles—but don't despair, roles are easily categorized. Look in the 'Origin' column. Custom roles will display the word 'custom' here. Default roles display the Kavi application that installed them.

  1. Look default roles up in Kavi Members Default Roles. If the role was installed by a different application, click the link that will take you to the list of roles and types for the other application. Default roles tend to provide access to large areas of the site, as shown in Schema of main access areas.

  2. Custom roles are usually created in tandem with a specific custom tool or area to provide access to it. The role name and description should tell you the corresponding area of the site.

Access conveyed through Company Types is applied to groups of users

Use the Manage Company Types tool to look up these types and see which ones confer roles. Since users inherit roles from Company Types assigned to their company, Company Types usually confer a lower level of privileges than the other classes of types. They tend to grant a basic level of access required by member company representatives, staff and administrators. Users whose duties require additional access can be given that access by layering on other kinds of types such as User Types or Contact Types, depending on whether the user is associated directly with the organization or associated through a member company.

  1. There is only one default Company Type installed by Kavi Members. This is the 'Members Area Access' type, and has the 'member' role to provide access to Member areas.

  2. For all other types, look in the 'Roles' column to see if the type confers roles, because these are the only ones that grant access. Most Company Types with associated roles are probably assigned through membership. These are identified in the 'Category' column as 'general (with membership only)'. There may be many types, each created to be assigned through a certain Membership Type or set of Membership Types. If you need to understand which Membership Type assigns this Company Type, see Manage Company Membership Types.

  3. The next most common custom Company Type with roles are types assigned to staff companies. Types created for Web design companies are sometimes associated with highly privileged roles such as 'Editor'. More commonly they are associated with default roles that provide more limited privileges or custom roles that provide access to areas created specifically for their use, such as 'legal'.

  4. Custom Company Types with roles may be created to group people who work directly for the organization. This kind of type is much more likely to convey highly privileged roles than other types.

Contact Types convey access to company data

Use the Manage Contact Types tool to look up these types and see which ones confer roles. Roles conferred through these types usually grant access only within a company-specific scope to give company representatives the access they need to manage company data and content.

  1. Identify the default types and look them up if you aren't sure what they do, since some of them (particularly Primary Contact) are deeply integrated into the Kavi Members access control system, and all of them represent important players with specialized responsibilities and access. Default Company Administration and Contact Types can also be installed by other applications. Most of these have the term 'Company' in their name (e.g., 'Showcase Company Admin'). For more information, see Kavi Members Default Types. Remember that these types can be edited, so you need to look up each type to see which roles are granted through these types on your Web site.

  2. Now find custom Contact Types with roles and study the name, description and associated roles to determine what access privileges are granted and what kinds of users need to be assigned this type.

User Types are assigned to individual members or organization staff and administrators

Use the Manage User Types tool to look up these types and see which ones confer roles. There are several kinds of privileged User Types, but all are designed to be assigned to individuals independently of any company association. There are custom types assigned through individual memberships, privileged default types that convey administrative and editor roles and other custom types created for types of users that are unique to this site. These may grant lower levels of administrative and editorial access or roles needed to access custom tools or areas of the site used specifically by this kind of user.

  1. Identify the default types and look them up if you aren't sure what they do. Most of these are highly privileged types that convey roles that grant access to Kavi Edit or administrative tools. Since they represent the most privileged users in the system, it's important to be familiar with them. You can look them up in Kavi Members Default Types.

  2. Then look for User Types granted through membership. These can be identified by the value 'general (with membership only)' in the 'Category' column. These are all custom types that correspond to Individual Membership Types and grant access to the Members area, including areas developed exclusively for use by certain types of members. If you need to understand which Membership Type assigns this User Type, see Manage Individual Membership Types.

  3. Now find other custom User Types that have roles, and study the names and descriptions of the associated roles to determine what access privileges are granted and what kinds of users are assigned this type.

Back to top

How to determine a user's access privileges

A user's access level is determined entirely by which roles are present in their role cache. Note that a user may have multiple instances of the same role in their role cache. This indicates they have been assigned more than one type that confers the same role.

  1. Use the Manage a User tool to view the user's role cache. Assuming you have familiarized yourself with the default roles, you should be able to recognize those installed by Kavi Members immediately. These are listed in Kavi Members Default Roles.

  2. If there are default roles installed by other applications, they are documented in the help for that application. For more information roles, Super Admins can click the View Access Configuration link or to the Manage Roles tool. In Manage Roles, The 'Origin' column shows whether the role is custom or was installed by an application. If installed by an application, this column contains the name of the application in the form 'name_app' (e.g., 'members_app', 'showcase_app'). If the name is 'korg_base', the role was installed by the base software that underlies all Kavi applications. If the role has the term 'Editor' or 'edit' as part of the name, it provides Kavi Edit access.

  3. Your site may also include custom roles created specifically to grant access to custom areas or tools. Descriptions are available through either the View Access Configuration or Manage Roles tools.

Back to top

Are this user's access privileges correct?

This question can only be answered by an administrator who knows the user's Purpose and whether the user holds any special positions in relation to the organization. The administrator needs to understand the organization's classification and access system (as encoded in its types and roles) to determine whether the user has been assigned the right types. The answer is specific to the organization and to the user, but here are some pointers.

  • If you are troubleshooting this question, be sure you focus on the available data and be leery of other's interpretations as to the possible source of the access "problem." However well-intentioned, interpretations tend to obscure the facts and throw the troubleshooter off-track. Make sure you start off on the right track by collecting the facts and examining them objectively. If you don't have enough information to troubleshoot the problem, ask the reporter for more specifics.

  • If a user isn't able to log into the site and thinks they should be able to, eliminate the most common and easily identifiable cause: the user is 'inactive'. Look up the user in the Manage a User tool. If this individual's Status is 'inactive', you have found the reason they can't access the site.

    If you need to know why the user has been flagged as 'inactive', check to see if their Purpose is Individual Member and they have an expired membership (or their Purpose is Company Representative and they belong to a company with an expired membership). Lapsed membership is the most common reason for deactivation. If the user is inactive but has a different purpose, click 'View Activity History' and look for 'Deactivated' in the 'Activity Type' column.

  • If the user expects to have access to areas, lists or tools that aren't available to all users, look to see whether the user has permissions for the area or tools they were trying to access.

  • What is this user's Purpose: an individual member, a representative of a member company, an organization staffer or administrator?

  • Is this person an individual member?

    • If so, do they need any permissions beyond those usually granted through membership? For instance, is this individual an officer in the organization? Assign the User Type that adds just the level of extra access they need. Ideally, this is a custom User Type designed specifically for individuals who hold this position.

    • Does this person need permissions ordinarily granted through membership but there is some question about whether these types have been assigned? Look up their membership and be sure it is current. If it is, look up the membership type and see which types it confers. Now look up the user and be sure these types are assigned. If any are missing, Super Admins may assign the missing types by editing this user through the Upload Data tool.

    • Conversely, this person's permissions may be too high if they have downgraded their membership (although types assigned through the previous membership should have been automatically revoked, so this is rare) or if they recently resigned from a special position in the organization. In these cases, they may have been manually assigned administrative or editorial types that should now be revoked.

  • Is this person a representative of a member company?

    • If this person is a regular member company representative, they should have inherited roles granting access to the Members area through the Company Type assigned to their company.

    • If this individual is primary contact for their company, they should be assigned the 'Primary Contact' default Contact Type.

    • If this person holds other special positions as company representative, they should be assigned whichever Contact Type confer the roles they need to perform their duties. If this is a standard position in the organization, there should be a Contact Type created specifically for this type of representative.

    • Conversely, this person's permissions may be too high if their company has downgraded their membership (although types assigned through the previous membership should have been automatically revoked, so this is rare), they have left the company with which they were associated, or they recently resigned from a special position in the organization. In these cases, they may have been manually assigned administrative or editorial types that should now be revoked.

  • Is this person organization staff or administration?

    • This person may have inherited roles granting access to the Members area through the Company Type assigned to their company.

    • Other roles this person requires need to be granted through User Types. Depending on the position this person holds, they may be assigned one or more of the privileged default User Types, especially if the individual performs multiple functions for the organization. Ideally, these types should be correlated to standard positions in the organization and provide only as much access as this position needs.

    • Conversely, this person's permissions may be too high if they have assumed a different set of duties. If they have left the organization, their Status should be set to 'inactive'. Be sure to add an activity note explaining the reason you deactivated this user for future reference.

Back to top

How to add access

Before adding access, determine what additional access is appropriate for this type, user or company. See Are this user's access privileges correct? for pointers. The section addressed to Super Admins includes suggestions for adding roles to existing types and when it might be better to create new types. The section for Organization Admins discusses how to add access by assigning types that already exist.

Remember that the primary control over user access is the Status switch. If this is set to 'inactive', the user will not be able to access any protected parts of the Web site, no matter which roles are in their role cache.

Super Admins:

  • Super Admins can edit the list of associated roles for all types, even default types. The most common reason to add new roles to default types is to add custom roles that grant access to custom tools or areas of the Web site. With the exception of adding custom roles, default types should rarely require editing.

  • New types should be created anytime there is a position in the organization that doesn't have a corresponding type. This especially includes User Types that correspond to the organization's leadership structure, administration and staff. Each type should grant exactly the privileges required by a specific position and no more. Additional privileges can always be granted to just those users who need them by layering on other types that reflect these additional responsibilities.

Organization Admins:

  • Individual members should have acquired basic Members Area access through types assigned through membership. Types in the 'General (with membership only)' category cannot be assigned independently of membership. If for some reason these types haven't been assigned correctly, a Super Admin will have to correct the situation. If this member has a special position in the organization, assign whatever additional User Types reflect this position and confer the access necessary to perform the responsibilities of this position.

  • Member company representatives should have acquired basic Members Area access through types assigned to their company through membership. Representatives who hold special positions such as Primary Contact acquire additional access by being assigned whichever Contact Type corresponds to this position. Representatives who hold multiple positions can (and should) be assigned multiple types.

    Whenever a new person takes over responsibilities from an administrator, staff person or company representative, be sure to revoke any unneeded permissions from the user who formerly held this position. See the instructions for Organization Admins on how to revoke user access.

  • Staff and Administrators may acquire basic site access through Company Types assigned to their company, but this isn't always the case. These users acquire the additional access they need by being assigned User Types that correspond to their job descriptions. Newer, smaller organizations may rely almost exclusively on highly privileged default user types to grant permissions to these users. Organizations with a larger administrative staff will evolve towards more specialization of responsibilities, and add finer-grained custom types with a more discrete level of access privileges. As always, assign the custom User Type created just for that position or whichever default User Type grants the necessary privileges but no more.

    Whenever a new person takes over responsibilities from an administrator, staff person or company representative, be sure to revoke any unneeded permissions from the user who formerly held this position. See the instructions for Organization Admins on how to revoke user access.

Back to top

How to revoke access

The primary control over user access is the Status switch. If you need to disable a user's or company's access to the site instantly, use the Change User Status tool or Change Company Status tool and set the status to 'inactive'. The user will not be able to access any protected parts of the Web site, no matter which roles are in their role cache. Setting a company's status to 'inactive' will set the Status of every user who belongs to that company to 'inactive'. Deactivation doesn't revoke any types that have been assigned, so all that has to be done to restore access later is to reset the company or user Status to 'active'. For future reference, be sure to add an activity note explaining the reason you deactivated this user or company.

The section addressed to Super Admins includes suggestions for removing roles from existing types and when it might be better to create new types with a lower level of privileges. The section for Organization Admins discusses how to revoke access by removing types that already exist.

Super Admins:

  • Super Admins can edit the list of associated roles for all types, even default types. The most common reason to remove roles from default types is to remove custom roles that grant access to custom tools or areas that are no longer used. With the exception of removing custom roles, roles associated with default types should rarely require editing.

  • Custom types should be created anytime there is a position in the organization that doesn't have a corresponding type that conveys the correct level of access. This especially includes User Types that correspond to the organization's leadership structure, administration and staff. Each type should grant exactly the privileges required by a specific position and no more, since additional privileges can always be granted to just those users who need them by layering on other types that reflect these additional responsibilities. If you have a custom type that grants a higher level of access than the corresponding position requires, you can edit the roles associated with that type to adjust the access. If you find that most (but not all) users who have been assigned a custom type require less access than the type confers, you have two options. You can downgrade the access associated with the type by removing roles and assign additional types associated with those roles to users who require extra access, or you can create a new type with less access and reassign users who don't need the higher level of privileges conferred through the current type.

  • Removing roles from a Company Type will affect the access of every user who belongs to a company that has been assigned that type.

Organization Admins:

  • Unlike other types, User Types and Company Types categorized as 'General (with membership only)' cannot be assigned or revoked manually. Although you can remove these types by deleting the membership, it is usually easier to revoke access by switching company or user status to 'inactive'. Deactivating a company or deleting a company membership will affect the access of everyone who belongs to that company. Always add an activity note when deactivating a member in case the member questions the deactivation or wants to be reactivated at some future date.

  • Removing a Company Type with roles from a company will revoke these roles from every user associated with this company.

  • If you need to replace a more privileged Company Type with one that has lower privileges, be sure to add the new type as you remove the old to minimize disruption to these companies' users. Use the Edit a Company tool and on the Admin Info step, be sure to check the new type and uncheck the old type before clicking 'Save' to commit both changes at once.

  • To remove access from an individual member, member company representative, organization staff or administrator, use the Edit a User tool. On the Admin Info step, uncheck any types you want to remove.

Back to top

Tips for administrators: how to maintain proper access levels for all users on a site-wide basis

Super Admins:

  • Keep a streamlined set of types and roles by deleting types or roles when they are no longer required.

  • As your organization grows and changes, you will probably need to add types for new positions. Not only are these types a useful, searchable classification mechanism—it is also easier to determine, add and revoke user privileges when these privileges are conveyed through just a few types.

  • It's a good idea to generate a report whenever significant changes are made to the organization's membership or user classification system. If a new membership type is created or an existing type is altered, check to make sure members have the right types assigned. If the list of roles associated with an existing type is altered or a new type is created, see whether this type is assigned to users who should have it and absent from the records of users who should not have it.

Organization Admins:

  • Whenever a person changes positions in relation to the organization, check the types they have been assigned against their new responsibilities. For example, a company representative designated as Primary Contact may have performed additional tasks such as Company Editor or Showcase Company Editor. Revoking the Primary Contact type won't affect these other types. If the new Primary Contact will be assuming these additional duties, you may manually remove the appropriate types from the former Primary Contact and assign them to the new Primary Contact.

  • It's a good idea to generate reports whenever a major change occurs or just periodically to keep tabs on which users have been assigned privileged types and remove any types from users who should no longer have these types.

Back to top
Prev  Up  Next
Chapter 17. User Types  Home  Chapter 19. Membership