Roles
Introduction
iManage Work uses role-based access control. Each user's ability to perform actions in iManage Work is based on the user's function within the organization. This is accomplished through two mechanisms: privileges and roles.
Privileges
A privilege is a permission to perform one specific task. The iManage Work system defines a large number of privileges. For a complete list, see Library privilege descriptions or Global privilege descriptions. Privileges are defined by the system and cannot be created or deleted. They can only be granted or denied. The combination, or set, of granted and denied privileges defines the function. Sets of privileges allow for fine granularity of responsibilities, and can distribute access, such as for document management or user assistance, selectively across an organization. When defining sets of privileges for a function, follow the principle of most restrictive access: grant users of that function only the minimum amount of access necessary to perform their job tasks. Users may therefore be granted any number of privileges, from the fewest, and so the most restrictive task set, to as many as their tasks require. For example, even NRTADMINs, the most unrestricted administrators in the iManage Work system, can be denied privileges to increase system security.
Roles
A role is a named set of privileges. Each role contains all the privileges, although individual privileges must each be granted or denied. Roles may be created or deleted as required. A user must have one role assigned to them. If no role is assigned to a user at the time they are created or imported, they are automatically assigned the role of DEFAULT or DEFAULT_EXTERNAL. Users can be reassigned roles at any time. The status of a privilege within a role may be changed at any time. Three iManage system administrator roles come as predefined sets of privileges. A user may have only one library role per library, but may have more than one global role.
Global roles and library roles
Based on your environment, iManage Control Center may display the following Roles menu, which contains the following options:
Figure: Roles menu
Global Management: Use this option to view, create, and manage global roles. Global roles are created and managed independently of any iManage Work library, and changes made to a global role are applied at the global level, not individually within each library. This is useful for managing privileges for users such as administrators.
See Creating a global role for more information.
Global roles have unique privileges: See Global privilege descriptions.
Library Management: Use this option to view, create, and manage library roles. Library roles are created within, and are specific to, each iManage Work library. A library role is assigned to each user. A user must be assigned at least one library role. If a library role is not explicitly assigned to a user, the user is automatically assigned to either the DEFAULT or DEFAULT_EXTERNAL role, based on whether they have been defined as an internal or external user in their user profile.
Selecting this option displays a secondary menu where you must select an individual Work library.
Figure: Library menu
See Creating a library role for more information.
Library roles have unique privileges: See Library privilege descriptions.
Roles and iManage Control Center access
A user's level of access to iManage Control Center is automatically determined at sign in by the user's role. The controls applicable to the user are enabled. Controls not applicable to the user will not be visible. For example, while a user who is not an iManage system administrator user is able to sign into iManage Control Center, because of their restricted access, no controls will be visible; they would not be able to view or to change any item. In contrast, an NRTADMIN, the least restricted iManage system administrator, will have all controls visible.
iManage Control Center is intended for iManage system administrators. iManage system administrators with tier access (tier 1, tier 2, NRTADMIN) will have their applicable controls visible.
Searching for roles
On the ribbon bar, you see the following Search option. Use this feature to search by role name.
Figure: Search field
Creating a library role
To create a role that applies to a specific library:
In Access > Roles:
Based on your iManage Work environment, select one of the following options.
At the top of the Role page, select Library Management, select the library in which the role should be created, then select Create Role.
or: At the top of the Role page, select the library in which the role should be created, then select Create Role.
The Create Role dialog box appears.
For each category, change each individual privilege to its required value. To see the description of each privilege, see Library privilege descriptions.
When done editing, select
.
Library privilege descriptions
The following table describes each library privilege.
Privilege | Description
Profile |
Role Name | Name for the role. It must be unique among all role names for that library. The value cannot be changed later. Minimum length: 1
Description | This is additional information about this role. This is descriptive and does not need to be formatted and is not validated. Minimum length: 0
External Role | Indicates if the role is for external users. If checked, the role is for external users. If unchecked, the role is not for external users. An external user has no default security access and must later be assigned explicit access for their tasks. For example, an external user may be a customer who requires temporary access, a part-time contractor, vendor or partner.
User Privileges | Allowed Actions
System Access | Indicates if the role has general access or read-only access to iManage Work documents and containers. If checked, provides read-only access to documents. If unchecked, provides full access to documents and containers, subject to other security settings.
Content |
Import/Create | Allow users to import documents and emails. Without this privilege, users cannot import or add content to iManage Work.
Checkout Documents | Allow users to check out documents to prevent other users from editing the document. Without this privilege, the Checkout context menu option is disabled.
Unlock Documents | Allow users to unlock their own documents that they have checked out. Any changes to the checked out document will not be saved to iManage Work, though the changes will remain on the user's local system. Administrators (members of the NRTADMIN group) have the privilege to unlock any user's locked document.
Delete | Allow users to delete documents and emails. Without this privilege, users cannot delete any documents or emails within iManage Work, even those to which they have full access, and the Move to Trash context menu option is disabled. See also the User Trash setting in Settings > Global to enable or disable the Trash feature. This feature allows users to recover items they have deleted (moved to trash).
Workspace |
Create Workspaces | Allow users to create new workspaces.
Create Public Workspaces | Allow users to create public workspaces.
Delete Workspaces | Allow users to delete workspaces. Upon deletion, the workspace and all containers within it are deleted and cannot be recovered. All documents and emails within the workspace are moved to Trash (if enabled; see Settings > Global). If Trash is not enabled, the contents of the workspace are also deleted and cannot be recovered, except from a system backup. If the workspace contains any documents or emails, the user must also have the Contents > Delete privilege listed above in order to delete the workspace. NOTE: If the workspace is empty (it contains only empty containers, with no documents or emails), the user is not required to have the Contents > Delete privilege.
Custom Metadata Management | Allow users to add new values to the custom properties custom1-custom12 and custom29-custom30 while creating workspaces.
Folder |
Create Public Folder | Create a new public folder. The user can still create private folders or subfolders with security inherited from the parent folder.
Create Public Searches | Save public searches and mark them as public.
Admin Privileges |
Control Center Access | Allow or restrict access and privileges in iManage Control Center. For a complete list of privileges for each tier, see Understanding tiers.
View Documents | Allow users to view the contents of documents and emails. Without this privilege, users cannot view any documents or emails within iManage Work, even those to which they have access. To enable an NRTADMIN user to view private documents, you need to add this user to a role that has the View Documents check box selected.
Legacy application privileges |
Work client privileges |
Allow Full-Text Searches | Allow users to perform full-text searches in iManage classic clients.
Search Using Web | Allow users to perform searches in legacy Work Web.
Admin privileges |
Use iManage Import | Allow access to use the bulk Document Import tool. The NRTADMIN group has this permission by default.
Use iManage Work Monitor | Allow access to use the iManage Monitor to track library transactions. The NRTADMIN group has this permission by default.
Use iManage Work Administration | Allow access to the users in INTERNAL_ADMIN, INTERNAL_USERADMIN, EXTERNAL_ADMIN, and EXTERNAL_USERADMIN groups in iManage Work Web client to manage users, groups and roles. The NRTADMIN group has this permission by default.
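The default-role fallback and the workspace deletion rule described above can be checked against a role review with a small model. This is an added Python example, not iManage code, and it does not use any iManage API; the library name ACTIVE, the roles MATTER_ADMIN and WS_CLEANUP, the users, and all class and function names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class LibraryRole:
    name: str
    granted: frozenset = frozenset()  # privilege names as listed in the table above

@dataclass
class User:
    user_id: str
    external: bool = False
    roles: dict = field(default_factory=dict)  # library -> role name (one per library)

def effective_role(user, library, library_roles):
    """Explicit library role, else DEFAULT / DEFAULT_EXTERNAL by user type."""
    name = user.roles.get(library) or ("DEFAULT_EXTERNAL" if user.external else "DEFAULT")
    return library_roles[name]

def can_delete_workspace(role, has_content):
    """Delete Workspaces is required; a non-empty workspace also needs Delete."""
    if "Delete Workspaces" not in role.granted:
        return False
    return not has_content or "Delete" in role.granted

def audit(users, library, library_roles):
    """Findings to review against the most-restrictive-access guidance."""
    findings = []
    for u in users:
        role = effective_role(u, library, library_roles)
        if library not in u.roles:
            findings.append((u.user_id, role.name, "implicit default role"))
        if can_delete_workspace(role, has_content=True):
            findings.append((u.user_id, role.name, "can delete non-empty workspaces"))
        elif can_delete_workspace(role, has_content=False):
            findings.append((u.user_id, role.name, "can delete empty workspaces only"))
    return findings

# Constructed sample data: library, role and user names are hypothetical.
ROLES = {r.name: r for r in (
    LibraryRole("DEFAULT", frozenset({"Import/Create", "Checkout Documents"})),
    LibraryRole("DEFAULT_EXTERNAL"),
    LibraryRole("MATTER_ADMIN", frozenset({"Create Workspaces", "Delete Workspaces", "Delete"})),
    LibraryRole("WS_CLEANUP", frozenset({"Delete Workspaces"})),
)}
USERS = [User("alice", roles={"ACTIVE": "MATTER_ADMIN"}), User("bob", roles={"ACTIVE": "WS_CLEANUP"}),
         User("carol"), User("vendor1", external=True)]

if __name__ == "__main__":
    print(*audit(USERS, "ACTIVE", ROLES), sep="\n")
```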
Creating a global role
The ability to create global roles is available based on your iManage Work environment.
Global roles are created and managed independent of any iManage Work library.
To create a global role:
In Access > Roles:
At the top of the Groups page, select Global Management, then select Create Role.
The Create Role dialog box appears.
For each category, change each individual privilege to its required value. To see the description of each privilege, see Global privilege descriptions.
When done editing, select
.
Global privilege descriptions
The following table describes each global privilege.
Field | Description
Role Name (Mandatory) | Name for the role. It must be unique among all global-management level roles. The value cannot be changed later. Minimum length: 3
Description | A friendly description or additional information about this role. Minimum length: 0
Privileges | Select each of the privileges to enable for the role.
App Management | Access level for the role to manage applications. For example, add internal or external apps.
Group Management | Access level for the role to manage groups. For example, create groups, rename groups, add users, and so on.
Role Management | Access level for the role to manage roles. For example, create roles, delete roles, edit roles, and so on.
Settings Management | Access level for the role to manage iCC settings. For example, Templates, iOS, Global, Web, Office, Applications.
User Management | The user can use Global management operations. For example, they may create virtual users, create and manage global groups, or create and manage global roles.
Key Management | Access level for the role to manage encryption keys. Users must be in a role with Key Management enabled to select any option in the Encryption Key panel.
Assigning a role to a user
To assign a role to a user:
In Access > Roles:
Based on your iManage Work environment, select either:
A global role:
Select Global Management from the Roles drop down list.
A library role:
Select Library Management from the Roles drop down list, then select a library from the library drop down list.
or: Select a library from the library drop down list.
Right-click the Select the Users tab.
Select Assign to Users. The Assign to Users dialog box displays.
Use the search field to find users by their user name, ID, or email address, then use the check boxes to select users.
Select Add. This adds the selected list of users to the role.
Viewing role details
Use this to see the status of each of the role's privileges.
Select the role to be viewed. This option is available on the:
Ribbon bar: Select a role to see this option on the ribbon bar.
Kebab menu: Select the icon adjacent to each role to see this option.
Context menu: Right-click a role to see this option.
Clickable link: In the Role column, select a role.
Use one of the preceding options to select a role.
Select View. The details screen displays. Any of the privileges may be edited; see Editing roles.
Editing roles
Use this to change any privileges of a role.
In Access > Roles:
Based on your iManage Work environment, select either:
A global role:
Select Global Management from the Roles drop down list.
A library role:
Select Library Management from the Roles drop down list, then select a library from the library drop down list.
or: Select a library from the library drop down list.
Select the icon adjacent to the role you wish to edit, then select Edit. The details screen displays.
For any category, change each individual privilege to its new value. You can edit any privileges except Role Name. To see the description of each privilege, see the following topics:
When done editing, select Save.
Duplicating a role
Use the following steps to create a copy of the existing role.
You can use an existing role as the basis for creating a new one. After duplicating a role, modify the privileges as needed; see Editing roles.
In Access > Roles, select the role to be duplicated. This option is available on the:
Ribbon bar: Select a role to see this option on the ribbon bar.
Kebab menu: Select the icon adjacent to each role to see this option.
Context menu: Right-click a role to see this option.
Use one of the preceding options to select a role.
Select Duplicate.
Enter Role Name and Description. The role name is required and must be unique among the other role names. The description is optional, but recommended, and is a friendly description about the role.
Select Duplicate. A copy of the selected role is created.
Deleting a role
Use the following steps to delete an existing role.
In Access > Roles, select the role to be deleted. This option is available on the:
Ribbon bar: Select a role to see this option on the ribbon bar.
Kebab menu: Select the icon adjacent to each role to see this option.
Context menu: Right-click a role to see this option.
Use one of the preceding options to select a role.
Select Delete. A Delete confirmation box appears.
Confirm the action to continue.
Understanding tiers
Tiers are predefined sets of privileges for iManage Work system administrators. There are three tiers, each designed to provide specific assistance to users.
Tier 1: Basic product support or help desk features.
Tier 2: Advanced product support or help desk features.
NRTADMIN: NRTADMIN is considered an iManage Work system administrator and includes the most complete access to all features.
Individual privileges within a tier set cannot be modified. For example, the Trash Permanently delete privilege cannot be added to the tier 1 set, nor could a user be granted only the Trash Permanently delete privilege. In the same way, NRTADMIN cannot have the Trash Permanently delete privilege removed from its set.
The following table lists the privilege set for each tier.
Table: Tier privileges
Feature | Tier 1 | Tier 2 | NRTADMIN
Users | | | |
Create | | | |
Lock/Unlock | | | |
Reset Password | | | |
Groups | | | |
Create | | | |
Disable | | | |
Copy | | | |
Add members | | | |
Roles | | | |
Create | | | |
Add users | | | |
Manage user privileges | | | |
Documents | | | |
Search | | | |
Check effective access | | | |
History | | | |
Workspaces | | | |
Search | | | |
Check effective access | | | |
Trash | | | |
Restore | | | |
Permanently delete | | | |
Custom Fields | | | |
Add/Edit | | | |
Delete | | | |
Disable | | | |
Classes / Subclasses | | | |
Add | | | |
Delete | | | |
File Types | | | |
Add | | | |
Edit | | | |
Delete | | | |
Captions | | | |
Edit | | | |
Templates | | | |
Add | | | |
Edit | | | |
Delete | | | |
Copy | | | |
Forms | | | |
Edit | | | |
Global | | | |
Edit | | | |
Applications | | | |
Add | | | |
Edit | | | |
Delete | | | |
Web Client | | | |
General | | | |
Features | | | |
Access | | | |
Web Views | | | |
Edit | | | |
Web Filters | | | |
Edit | | | |
Web Context Menus | | | |
Edit | | | |
iOS | | | |
Edit | | | |
Add server | | | |
Download | | | |
Office | | | |
Create category | | | |
Delete category | | | |
Download category | | | |
Refile | | | |
View | | | |
Configure and Edit | | | |
File Handlers | | | |
Upload New | | | |
Edit | | | |
Delete | | | |
Enable/Disable | | | |