Permissions

Seraphim Office:

Before getting into the details of setting up Permissions in Seraphim Office, please note some prerequisites.
**Note: Access Control / Group Permissions is used only in Seraphim Office, not www.startseraphim.com.**

What is Access Control / Group Permissions?

"Group Permissions" is the new way of controlling who can do what in Seraphim Office. Previously, in Seraphim Silverlight, permissions were controlled on a user by user basis. Now, you can control who can do what at the group level. Instead of assigning 6 roles, and 15 tiles to someone, now you can just assign them to the right permission group, and voila, they have their permissions!

How do I set up Access Control?

The general group permission process looks like this:

  • Create a static group and indicate the group is to be used for permission sets
  • Assign permissions to the group
  • Assign people to the group (You can do this in the group creation if you like. It doesn't have to be done after the permissions are assigned). 

That's it! Once the group is set up, it's self-sustaining. All you have to do to adjust someone's permissions is add them to the right group, or simply remove them from it! The permissions will be added or subtracted accordingly. Set up as many permission groups as you like.

Can users be in more than one permission group?

You bet they can! Seraphim looks at the groups as "cumulative". What does that mean? Let's say there are two two permission groups. One group has access to Attendance and not Facilities. Another group has access to Facilities and not Attendance. If a user is in both groups, they will have access to both Attendance and Facilities. The system will add permission sets together cumulatively for each user upon login.

1. Create a static group / Set the Group for Permissions

  • First, create a static group in the Directory Tile (For more directions on creating a static group, click here.) We recommend using a naming convention for the group, to indicate that it's for permissions. For example, "Permissions - Back Office Admin".
  • If you want to add people to the group now, you can do so! Or you can wait to add folks to the group after you've assigned permissions to the group. 
  • While in Edit Mode of the group, click on the PROPERTIES tab on the left, and turn on the switch for "USE THIS GROUP FOR ACCESS CONTROL"
  • Make sure to hit SAVE!

2. Assign Permissions to the Group

  • Click on the PERMISSIONS tile
  • In the "Access Control Groups", you should see the name of the permission group you just created. Click the group to select it. 
  • Now, select all the roles that this group should have by checking off the necessary boxes.
  • Click on the FEATURES tab, and double-click the tiles that this group should have access to. 

3. Assign users to the Group

  • Now you can add people to the group like you would normally! Any time the user logs in to the system, the system will assess what permission groups they're in and will apply the appropriate permissions.
 

Now that you understand Access Control / Group Permissions, let's get into the details of assigning Permissions!

Permissions in Seraphim are broken into two types:
  1. Roles
  2. Features (Tiles)
Roles vs. Features (Tiles)
"Roles" determine specific actions that someone can take, such as saving or deleting. Features (or Tiles) determine what features someone can access, like the Reports tile or Settings tile.
 
Roles always work in conjunction with "Tile Access". Let's you want someone to view profile information, but you don't want them to be able to delete a profile from your directory.  In this case, you would give them "Tile Access" to see the Directory tile so they can view profile information. But you wouldn't give them the "Delete Profile" role to ensure that they can't delete anyone's record.

Note: there is one role that ALL your administrators must have in Seraphim, and that is the ADMINISTRATOR role. If someone needs to log into Seraphim, they must have the Administrator role.

Assigning Roles
 
To assign a user to a role, go to the PERMISSIONS tile.  
  • Select the role from the drop-down menu. 
  • Click on "Assign someone to this role". 
  • Search the name of the individual. 
  • Check the box to the left of their name. Their profile will appear in the selection list toward the top. (You can select as many people from this screen as you like!)
  • Hit the SAVE button.
  • You should now see this individual's name in the "Assigned to this role" list. 
Assigning Tiles
 
After assigning the appropriate role, you'll want to then assign the correct tiles to that individual.
  • From the PERMISSIONS tile, click on the FEATURES tab. 
  • Select the name of the individual in question from the drop-down list. 
  • Check the box on each tile that you'd like to grant access to.

Note: In order for someone to be able to see the Finance Tile, they must also have the "financial role" assigned to them.  This is for added security to minimize risk. 

Note: Role and Tile updates take effect immediately.  However, to see the effect of the change, the user receiving new permissions will need to log out of Seraphim, then log back in.  The new permissions will be applied to their account upon login. 

Role Dictionary
 
When assigning roles to your users, you may find that there's a good number of roles that we've added to this list. Check the list below for what each role controls so that you know you're assigning the roles you need to the right users. Additionally, it's important to note that there is some "additional assembly required" for some of the items below to fully function. (The roles below are listed in order of "most commonly used" to "least commonly used" roles. 
  1. Administrator
  2. Event Manager
  3. Save / Delete / Merge
  4. Financial
  5. Medical / Allergy Notes
  6. Background Checks
  7. Delete Webform Repository

1. Administrator
 
The Administrator role is one of the most important roles that you can assign to someone.  This is the "Gate Keeper" role.  In order for anyone to have access to any tiles, they must have the administrator role. The administrator role makes the administrator tab visible, thus giving access to the tiles that you've selected for this user. 

2. Event Manager
 
This Role gives a user the ability to create new events and edit existing ones. With the Event Manager role, a user can go to a specific event on the calendar, click on that event, and see the "EDIT" button.  They can then edit all items in that event. Additionally, if someone has the event manager role, they will also be able to approve event requests from other users, if you're using Event Approval.

3. Save, Delete, and Merge Member Profile Roles
 
These three roles grant access to three specific buttons associated with making changes to congregant or member profiles in the Directory.  The "Save" role allows you to make changes to the profile and save your updates. The "Delete" role allows a user to delete a member's profile from the directory.  (The record will still be accessible through the "Data Quality" section of the directory). The "Merge" role allows an administrator to combine two duplicate records into one. 

4. Financial
 
Finances are arguably some of the most sensitive data in a church.  As such it is important that only the correct individuals have access to Financial Data.  As such, a user must have 3 separate security characteristics in order to view financial information.  
  • ​They must have the Administrator Role
  • They must have the Finance Tile
  • They must have the Financial Role
This was a deliberate configuration to ensure that no one accidentally receives financial access by a single misclick. Once someone has all three of these permissions, they will be able to access the Finance Tile, as well as conduct all financial actions contained therein. 

5. Medical/Allergy Notes
 
Giving someone the Medical/Allergy Notes role will allow that user to view any medical/allergy notes that are associated with member profiles.  The ability to view other note types are determined by "Note Permissions" tab on the left menu under the PERMISSIONS tile. 

6. Background Checks
 
The Background Checks role gives you access to the "Background Checks" tab located on member profiles. Without this role, it is impossible to see background check information on an individual. To actually make changes to any fields located on the "Background Checks" tab, a user would need to have both the "Save Member Profile" Role, and the "Background Checks" role assigned to them. 

7. Delete WebForm Repository 
 
Through SmartForms, your church can collect data about your congregants and visitors for various purposes. Once a smartform has been constructed, we collect the data with the smart form through a collection. Collections hold each individual entry of data for that smart form.  Over time, this data can build up and this collection info may become outdated or no longer needed.  The "Delete WebForm Repository" role gives someone the ability to go into a collection of Smartforms and delete the collection of entry information.  Keep in mind, when entry data is deleted, it is a full deletion.  There is no way to retrieve this collection information once it's been deleted.