Roles

The following topics are available:

Introduction

iManage Work uses role-based access control. Access to documents, actions, and security is based on a user's function within the organization. This is accomplished through two mechanisms: Privileges and roles.

Privileges

Privileges are permissions for one specific task. The iManage Work system defines a large number of privileges. For a complete list, see Library-level privilege descriptions or Global privilege descriptions. Privileges are defined by the system and cannot be created or deleted. They can be only granted or denied. The combination, or set, of granted and denied privileges defines the function. Sets of privileges allows for fine granularity of responsibilities, and can distribute access, such as for document management or user assistance, selectively across an organization. When defining sets of privileges for a function, follow the principle of most restrictive access. That means to grant only the minimum amount of access necessary to users of that function to perform their job tasks. Therefore, users may be granted any number of privileges, from the fewest and so the most restrictive task set, to as many as required by their tasks. For example, even the NRTADMIN, the most unrestricted administrator in the iManage Work system, can be denied privileges so to increase system security.

Roles

A role is a named set of privileges. Each role contains all the privileges although individual privileges must each be granted or denied. Three iManage system administrator roles come as predefined sets of privileges. Roles may be created or deleted as required. A user must have one role assigned to them. If no role is assigned to a user at the time they are created or imported, they will automatically be assigned the role of DEFAULT or DEFAULT EXTERNAL. Users can be reassigned roles at any time. The privilege's status within a role may be changed at any time.

Library-level and Global Roles

The iManage Work system is centered around libraries. A library is the fundamental organizational unit. All documents and containers must exist in a library. A library may be assigned to a user that will store their preferences, such as language and search options. This is called the preferred library. The user is not limited to that one library and may have access to other libraries if those are available. However, when a user signs in, their preferences are retrieved from their preferred library, and those preferences will be used through their session.

Library-level roles are defined for a specific library, and control a user's privileges within that library. The same role name may be used in different libraries but each role has to be defined separately for each library. For more information, see:

CloudiManage.com also uses Global roles that apply across all libraries. This is useful to manage privileges for users such as administrators. For more information, see:

Figure: Library-level and Global-management Roles

images/download/attachments/61288778/image2019-11-25_13-5-36.png

Roles and iManage Control Center access

A user's level of access to iManage Control Center is automatically determined at sign in by the user's role. The controls applicable to the user are enabled. Controls not applicable to the user will not be visible. For example, while a user who is not an iManage system administrator user is able to sign into iManage Control Center, because of their restricted access, no controls will be visible; they would not be able to view or to change any item. In contrast, an NRTADMIN, the least restricted iManage system administrator, will have all controls visible.

iManage Control Center is intended for iManage system administrators. iManage system administrators with tier access (tier 1, tier 2, NRTADMIN ) will have their applicable controls visible.

Searching for roles

Use this to find specific role names from among all the available roles.

Some iManage Control Center screens or dialog boxes with a list present a search field. This allows you to search that list.

Enter the search term. This dynamically attempts to find a match anywhere in the role name or user name. The list automatically updates as you modify the search term.

Figure: Search field

images/download/attachments/61288778/Screen_Shot_2019-02-26_at_12.22.26_PM.png

Filtering search results

Use this to refine the search results from the current search.

The filter shows or hide items among the current search results that meet additional requirements.

  1. After any search, select Filter. The following options are available:

    Option

    Condition

    Description

    External

    Yes

    Lists only those roles marked as External role.

    No

    Lists only those roles not marked as External role.

    Clear

    Clears the option list, and displays all the items in the found list. This option is available only when an option has been selected.

  2. Selecting an additional option and condition.

Viewing role details

Use this to see the status of each of the role's privileges.

Select the role to be viewed. This option is available on the:

  • Ribbon bar: Select a role to see this option on the ribbon bar.

  • Kebab menu: Select the

    images/download/thumbnails/61288778/elipse.png

    icon adjacent to each role to see this option.

  • Context menu: Right-click a role to see this option.

  • Clickable link: In the Role column, select a role.

  1. Use one of the preceding options to select a role.

  2. Select View. The details screen displays. Any of the privileges may be edited; see Editing roles.

Editing roles

Use this to change any privileges of a role.

Select the role to be edited. This option is available on the:

  • Kebab menu: Select the

    images/download/thumbnails/61288778/elipse.png

    icon adjacent to each role to see this option.

  • Context menu: Right-click a role to see this option.

  1. Use one of the preceding options to select a role.

  2. Select Edit. The details screen displays.

  3. Select Edit for the appropriate category of privileges.

  4. For any category, change the individual privileges to its new value. You can edit any privileges except Role Name. To see the description of each privilege, see Library-management level privilege descriptions.

  5. When done editing, select Save.

Duplicating a role

Use this to create a copy of the existing role.

You can use an existing role as the basis for creating a new one. After duplicating a role, modify the privileges as needed; see Editing roles.

Select the role to be duplicated. This option is available on the:

  • Ribbon bar: Select a role to see this option on the ribbon bar.

  • Kebab menu: Select the

    images/download/thumbnails/61288778/elipse.png

    icon adjacent to each role to see this option.

  • Context menu: Right-click a role to see this option.

  1. Use one of the preceding options to select a role.

  2. Select Duplicate.

  3. Enter Role Name and Description. The role name is required and must be unique among the other role names. The description is optional, but recommended, and is a friendly description about the role.

  4. Select Duplicate. A copy of the selected role gets created.

Deleting a role

To delete an existing role, select the role to be deleted. This option is available on the:

  • Ribbon bar: Select a role to see this option on the ribbon bar.

  • Kebab menu: Select the

    images/download/thumbnails/61288778/elipse.png

    icon adjacent to each role to see this option.

  • Context menu: Right-click a role to see this option.

  1. Use one of the preceding options to select a role.

  2. Select Delete. A Delete confirmation box appears.

  3. Confirm the action to continue.

NOTE:

The following roles cannot be deleted: DEFAULT and DEFAULT EXTERNAL. These are permanent roles used as the default if a user is not otherwise assigned a role.

Assigning a role to a user

To assign a role to a user.

In Access > Roles:

  1. Select a role, from one the following locations:

    1. A library-management level by

      1. Select Library-level Management from the Roles drop down list.

      2. Select a library from the library drop down list.

    2. A global-management level by

      1. Select Global Management from the Roles drop down list.

  2. Select a role. The roles details page displays.

  3. Select the Users tab.

  4. Select Assign to Users. The Assign to Users dialog box displays.

  5. Use the check boxes to select users.

  6. Select Add. This adds the checked list of users to the role.

Creating a library-level role

To create a library-level role. This is a role that applies to a specific library.

  1. Select the iManage Work domain:

    1. For iManage.work domains: This is the only selection available.

    2. For CloudiManage.com domains: Select the target library from the Roles Library-level Management drop down list.

  2. Select Create Role. The Create Role dialog box displays.

  3. For each category, change the individual privileges to its required value. To see the description of each privilege, see Library-level privilege descriptions.

  4. When done editing, select Save.

Library-level privilege descriptions

The following table describes each library-level privilege.

Privilege

Description

Profile

Role Name
(Mandatory)

Name for the role. It must be unique among all roles names for that library. The value cannot be changed later.

Minimum length: 1
Maximum length: 254
Spaces allowed: No
Unicode allowed: Yes
Special Characters allowed: No, except _ -.

Description

A friendly description or additional information about this role.

Minimum length: 0
Maximum length: 254
Spaces allowed: Yes
Unicode allowed: Yes
Special Characters allowed: Yes

External Role

Indicates if the role is for external users. If selected, the role is for external users. If unchecked, the role is not for external users.

An external user has no default security access and must later be assigned explicit access for their tasks. For example, an external user may be a customer who requires temporary access, a part-time contractor, vendor or partner.

User Privileges

Allowed Actions

System Access

Indicates if the role has general access or read-only access to iManage Work documents and containers.

If checked, provides read-only access to documents. If unchecked, provides full access to documents and containers, subject to other security settings.

Content

Import/Create

Import documents into the library, and add events, tasks, or discussion topics (iManage Work Web client).

If allowed, the user can perform those actions. If disallowed, the user cannot perform those actions.

Checkout Documents

Checkin and checkout documents in the library to which the user has access.

Unlock Documents

Unlock documents that are checked out by or are being used by a user.

Delete

Indicates that the role allows to permanently remove documents and containers from libraries to which the user has access.

With journaling enabled and the user assigned to this role, iManage Work maintains the deleted copies of documents.

Workspace

Create Workspaces

Indicates that the role allows the user to create new workspaces.

Create Public Workspaces

Indicates that the role allows the user to create public workspaces.

Delete Workspaces

Indicates that the role allows the user to delete workspaces.

Custom Metadata Management

Indicates that the role allows the user to add new values to the custom properties custom1-custom12 and custom29-custom30 while creating workspaces.

Folder

Create Public Folder

Create a new public project folder. The user can still create private folders or subfolders with security inherited from the parent folder.

Create Public Searches

Save public searches and mark them as public.

Admin Privileges

Control Center Access

The following access levels are available:

  • Tier 1:

    • Content Assistance: Documents: Check access, review history, unlock document, search documents, restore document

    • WorkSpace: Check access, search workspaces

    • Trustee Assistance: Unlock users, reset password

  • Tier 2:

    • Manage Trustees: Manage Users & Groups (internal and external)

    • Manage Custom Metadata: Manage custom tables Custom1-12 and 29-30 Manage System

    • Metadata/Configurations: Manage Applications, Types & Class or Subclass, Captions, User preferences and so on

    • Report Management: Access to basic reports

    • Template Management: Manage template definitions

  • None

    • No administrative privileges are assigned.

For a complete list of privileges for each tier, see Understanding tiers.

NRTADMIN access is granted by adding the user to the group NRTADMIN. For a selected library, use Access > Users > Add to Group, and select NRTADMIN. Only an NRTADMIN can create other NRTADMINs.

An NRTADMIN automatically has full NRTADMIN privileges and supersedes any current-assigned privileges or roles. NRTADMIN privileges apply only for library-management level operations, and only for a selected library. Users can be an NRTADMIN for multiple libraries, but they must be added individually to each library.

An NRTADMIN cannot be applied to users at the global-management level.

View Documents

View documents.

To enable an NRTADMIN user to view private documents, you need to add this user to a role that has the View Documents check box selected.
To prevent an NRTADMIN user assigned to a specific role from viewing documents, you can clear the View Documents check box for this role.

Legacy application privileges

Work client privileges

Allow Full-Text Searches

Perform full-text searches.

Search Using Web

Perform searches.

Admin privileges

Use iManage Import

Access to use the bulk Document Import tool.

The NRTADMIN group has this permission by default.

Use iManage Work Monitor

Access to use the iManage Monitor to track library transactions.

The NRTADMIN group has this permission by default.

Use iManage Work Administration

Access to the users in INTERNAL_ADMIN, INTERNAL_USERADMIN, EXTERNAL_ADMIN, and EXTERNAL_USERADMIN groups in iManage Work Web client to manage users, groups and roles.

NRTADMIN group has this permission by default.

Creating a global role

Global roles only apply CloudiManage.com.

Use this to create a global role. This is a role that applies across all libraries.

In Access > Roles:

  1. Select Global Management from the Roles drop down list.

  2. Select Create Global Role. The Create Role dialog box displays.

  3. For each category, change the individual privileges to its required value. You can edit any privileges except Role Name. To see the description of each privilege, see Global privilege descriptions.

  4. When done editing, select Save.

Global privilege descriptions

The following table describes each global privilege. These apply to CloudiManage.com only.

Field

Description

Role Name

(Mandatory)

Name for the role. It must be unique among all global-management level roles. The value cannot be changed later.

Minimum length: 3
Maximum length: 254
Spaces allowed: No
Unicode allowed: Yes
Special Characters allowed: Yes

Description

A friendly description or additional information about this role.

Minimum length: 0
Maximum length: 254
Spaces allowed: Yes
Unicode allowed: Yes
Special Characters allowed: Yes

Privileges

App Management

Access level for the role to manage applications. For example, add internal or external apps.

Group Management

Access level for the role to mange groups. For example, create groups, rename groups, add users, and so on.

Role Management

Access level for the role to manage roles. For example, create roles, delete roles, edit roles, and so on.

Settings Management

Access level for the role to manage iCC settings. For example, Templates, iOS, Global, Web, Office, Applications.

User Management

The user can use Global-level management operations. For example, they may create virtual users, create and manage global groups, or create and manage global roles.

Understanding tiers

Tiers are predefined sets of privileges. There are three tiers, each designed to provide specific assistance to users.

  • Tier 1: Basic product support or help desk features.

  • Tier 2: Advanced product support or help desk features.

  • NRTADMIN: NRTADMIN is considered an iManage Work system administrator and includes the most complete access to all features.

Individual privileges within a tier set cannot be modified. For example, the Trash Permanently delete cannot be added to the tier 1 set, nor could a user be granted only the Trash Permanently delete privilege. In the same way, NRTADMIN cannot have the Trash Permanently delete privilege removed from its set.

The following table lists the privilege set for each tier.

Table: Tier privileges

Feature

Tier 1

Tier 2

NRTADMIN

Trash

Restore

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Permanently delete

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

User

Create

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

Lock/Unlock

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Reset Password

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Groups

Create

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

Disable

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

Copy

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

Add members

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

Roles

Create

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

Add users

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

Manage user privileges

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

Documents

Search

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Check effective access

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

History

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Workspaces

Search

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Check effective access

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Metadata

Add/Edit

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Delete

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Disable

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Captions

Edit

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Classes / Subclasses

Add

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Delete

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

File Types

Add

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Edit

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Delete

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Applications

Add

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Edit

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Delete

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Templates

Add

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Edit

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Delete

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Copy

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Global

Edit

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

Web Client

General

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Features

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Access

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Web Views

Edit

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Web Filters

Edit

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

Web Context Menus

Edit

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png

iOS

Edit

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

Add server

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

Download

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

Office

Create category

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

Delete category

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

Download category

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

Extensions

Upload New

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

Edit

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

Delete

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

Enable/Disable

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

Reports

Download

images/download/thumbnails/61288778/error.png

images/download/thumbnails/61288778/check.png

images/download/thumbnails/61288778/check.png