How to: Configure RBAC for Internal/External Projects

Overview

Creators can customize RBAC for each of your users using Express Groups, Roles, and User Administration. While you might have a strict internal hierarchy, certain projects call for exceptions. Let's explore an example using the hypothetical company called Unqork Insurance.

For demonstration purposes, this how-to guide uses false identities and contact information.

Here’s a look at the hierarchy for Unqork Insurance:

A static image displaying the hierarchy for Unqork insurance.

In the above structure, you'll see a top, middle, and lower-level hierarchy. The Director (top-level) can view work from anyone in the middle and lower-levels, including the Underwriting Supervisor and Underwriters. The Underwriting Supervisor (middle-level) can also view the work of the lower-level, but only the Underwriters. Lastly, the Underwriter role (lower-level) can only view the work they complete. They cannot view each other's work.

For internal work, the above structure is sufficient. But Unqork Insurance works with an External Brokerage, with the Unqork Insurance Director role being at the same level. That brokerage has the following hierarchy:

A static image displaying the hierarchy of external brokerage.

The above structure is the same as the Unqork Insurance Underwriting team. The Director of Unqork Insurance (top-level) can still see everyone's work. The Supervisor (middle-level) can only view the work of each Broker (lower-level), but Brokers can only view their own work.

If the teams do not to work together, these separate structures are sufficient. But, specific Unqork Underwriters might work closely on projects with individual Brokers. These instances call for different permissions outside of the standard hierarchies. Instead of two hierarchies, let's organize the necessary permissions into projects. Here’s a sample project breakdown:

A static image displaying the project breakdown.

The Underwriting Supervisor and the External Supervisor work on each project. They'll also work alongside one Underwriter and one Broker. For these projects, you want everyone to have access to each other's work. You can adjust Role Permissions, but that requires creating new roles for everyone. Instead, you can minimize the number of roles by creating groups. Groups represent each project where you can set the permissions.

Group Configuration

Groups work at the highest level in an RBAC configuration where you can organize roles. You can think of groups as teams in your company, or even the company itself.

To learn more about configuring groups, view our Express Group Administration article.

For this example, you’ll create the following groups:

Group Description

Unqork Insurance

Lets users view all descending roles, including internal and external parties.

Internal Underwriting

Lets users view all descending roles.

External Brokerage

Lets users view all descending roles.

Project A

Lets users view all roles in the Project A group, regardless of hierarchy.

Project B

Lets users view all roles in the Project B group, regardless of hierarchy.

Project C

Lets users view all roles in the Project C group, regardless of hierarchy.

Configure the Unqork Insurance Group

First, you’ll set up a group that includes everyone at Unqork Insurance, including internal employees and external brokerage employees. You’ll create this group so users can access data from users in descending roles. Later, you’ll assign this group as the default group to every role you add to your environment.

1. At the top right of the Unqork Designer Platform, click Administration.
2. Under Express Permissions, click Express Group Administration.
3. In the Enter Group Name field, enter unqork-insurance .
4. In the Enter Group Description field, enter Unqork Insurance.
5. From the Choose Group Type drop-down, select Data Access to Role Descendants Only.

Selecting Data Access to Role Descendants Only gives users access to their own data and data from their descendants. To learn more about each available setting, view our Express Group Administration article.

A static image showing group administration config page.

6. Click Add Group.

Configure the Internal Underwriting Group

Next, you'll set up a group to include the internal underwriting team. You’ll also ensure it lets users access data from users in descending roles. Later, you’ll assign this group as a default group to the underwriting roles you add to your environment.

1. Return to the Express Group Administration page.
2. In the Enter Group Name field, enter underwriting-internal.
3. In the Enter Group Description field, enter Underwriting Internal.
4. From the Choose Group Type drop-down, select Data Access to Role Descendants Only.
5. Click Add Group.

Configure the External Brokerage Group

Next, you'll set up a group to include the external brokerage team. You’ll also ensure it lets users access to data from users in descending roles. Later, you’ll assign this group as a default group to the external roles you add to your environment.

1. Return to the Express Group Administration page.
2. In the Enter Group Name field, enter external-brokerage.
3. In the Enter Group Description field, enter External Brokerage.
4. From the Choose Group Type drop-down, select Data Access to Role Descendants Only.
5. Click Add Group.

Configure the Project Groups

Next, you'll set up groups for your projects so teams can collaborate. You’ll set each group to ensure everyone can view each other’s data regardless of hierarchy. Later, you’ll assign this group to specific users.

1. Return to the Express Group Administration page.
2. Enter the following Group Names and Group Descriptions:
Group Name Group Description

project-a

Project A

project-b

Project B

project-c

Project C
3. From the Choose Group Type drop-down, select Data Access to All Roles in Hierarchy for each group.

Selecting Data Access to All Roles in Hierarchy gives users access to data from everyone in this group. For example, the underwriter in Project A can now view the Underwriting Supervisor’s work. If you instead configured roles, you'd have to grant access to everyone’s data, including the other underwriters.

4. Click Add Group as you create each group.

Role Configuration

For this example, you’ll create the following roles:

  • Unqork Director

  • Underwriting Supervisor

  • Underwriter

  • External Supervisor

  • External Broker

The Read/Write permissions for each role varies based on the company’s needs. For this example, you’ll assume that every user needs Write access to the environment.

To learn more about configuring roles, view our Express Role Administration article.

Configure the Director Role

The first role you'll establish is the Director role. Because this role oversees all others, you'll add it to the main Unqork Insurance group.

A static image displaying adding roles to Unqork insurance group.

1. At the top right of the Unqork Designer Platform, click Administration.
2. Under Express Permissions, click Express Role Administration.
3. At the top right of the page, click + Add Role.
4. In the Role Name * field, enter unqork-director.
5. In the Role Description field, enter Unqork Director.
6. From the Select Default Permission * drop-down, select Write.
7. From the Add to Group(s) drop-down, select unqork-insurance.

A static image showing add role page.

8. Click Add Role.

Configure the Underwriting Supervisor Role

Next, you'll create the Underwriting Supervisor role. This role sits below the Director in the hierarchy, so you'll set the Director as the Role Parent. This role is also a part of the Underwriting team, so you'll add that as a default group.

A static image displaying underwriting team.

1. Return to the Express Role Administration page.
2. At the top right, click + Add Role.
3. In the Role Name * field, enter underwriter-supervisor.
4. In the Role Description field, enter Underwriting Supervisor.
5. From the Select Parent drop-down, select director.
6. From the Select Default Permission * drop-down, select Write.
7. From the Add to Group(s) drop-down, select unqork-insurance.
8. From the Add to Group(s) drop-down, select underwriting-internal.
9. Click Add Role.

Configure the Underwriter Role

Now, you'll create the Underwriter role. This role sits below the Underwriting Supervisor, so you'll set the Underwriting Supervisor as the Role Parent. This role is also a part of the Underwriting team, so you'll add that as a default group.

A static image displaying underwriting roles for Unqork insurance.

1. Return to the Express Role Administration page.
2. At the top right, click + Add Role.
3. In the Role Name * field, enter underwriter.
4. In the Role Description field, enter Underwriter.
5. From the Select Parent drop-down, select underwriting-supervisor.
6. From the Select Default Permission * drop-down, select Write.
7. From the Add to Group(s) drop-down, select unqork-insurance.
8. From the Add to Group(s) drop-down, select underwriting-internal.
9. Click Add Role.

Configure the External Supervisor Role

Next, you'll create the External Supervisor role. This role sits below the Director in the hierarchy, so you'll set the Director as the Role Parent.

A static image displaying an External Supervisor roles for Unqork insurance.

1. Return to the Express Role Administration page.
2. At the top right, click + Add Role.
3. In the Role Name * field, enter external-supervisor.
4. In the Role Description field, enter External Supervisor.
5. From the Select Default Permission * drop-down, select Write.
6. From the Add to Group(s) drop-down, select unqork-insurance.
7. From the Add to Group(s) drop-down, select external-brokerage.
8. Click Add Role.

Configure the External Broker Role

Now, you'll create the External Broker role. This role sits below the External Supervisor, so you'll set the External Supervisor as the Role Parent.

A static image displaying external supervisor role.

1. Return to the Express Role Administration page.
2. At the top right, click + Add Role.
3. In the Role Name * field, enter external-broker.
4. In the Role Description field, enter External Broker.
5. From the Select Parent drop-down, select external-supervisor.
6. From the Select Default Permission * drop-down, select Write.
7. From the Add to Group(s) drop-down, select unqork-insurance.
8. From the Add to Group(s) drop-down, select external-brokerage.
9. Click Add Role.

User Configuration

With your groups and roles set, you're ready to set up your individual users. As you create the accounts, you'll assign the appropriate project groups to each user.

To learn more about configuring roles, view our Express User Administration article.

Configure the Director User

Let’s create a user to serve as Director of Unqork Insurance. You'll use the name Lenna Paprocki.

1. At the top right of the Unqork Designer Platform, click Administration.
2. Under Express Permissions, click Express User Administration.
3. At the bottom of the page, click Add User.
4. In the Name field, enter Lenna Paprocki.
5. In the E-mail field, enter lpaprocki@hotmail.com.
6. From the Role(s) drop-down, select director.

A static image showing add user screen under express user administration menu.

7. Click Add User (and Notify).

You’ll notice that we did not select a group for Lenna. That’s because the only group Lenna needs to be a part of by default is Unqork Insurance. And the Unqork Insurance group is automatically assigned to the Director role.

Configure the Underwriting Supervisor User

Next, let’s create a user to serve as the Underwriting Supervisor. Let's use the name Abel Maclead. Because Abel is working on all the projects, you'll assign the user to those groups.

A static image displaying Underwriting Supervisor role configuration.

1. Return to the Express User Administration page.
2. At the bottom of the page, click Add User.
3. In the Name field, enter Abel Maclead.
4. In the E-mail field, enter amaclead@gmail.com.
5. From the Role(s) drop-down, select underwriter-supervisor.
6. From the Groups drop-down, select project-a, project-b, and project-c.
7. Click Add User (and Notify).

Configure the Underwriter Users

Now, let’s create three users who serve as the Underwriters.

Configure the Project A Underwriter

A static image displaying Underwriter project configuration.

1. Return to the Express User Administration page.
2. At the bottom of the page, click Add User.
3. In the Name field, enter Sage Wieser.
4. In the E-mail field, enter sage_wieser@cox.net.
5. From the Role(s) drop-down, select underwriter .
6. From the Groups drop-down, select project-a.
7. Click Add User (and Notify).

Configure the Project B Underwriter

A static image displaying the underwriter project B configuration.

1. Return to the Express User Administration page.
2. At the bottom of the page, click Add User.
3. In the Name field, enter Erick Ferencz.
4. In the E-mail field, enter erick.ferencz@aol.com.
5. From the Role(s) drop-down, select underwriter.
6. From the Groups drop-down, select project-b.
7. Click Add User (and Notify).

Configure the Project C Underwriter

A static image displaying a Underwriter Project C configuration.

1. Return to the Express User Administration page.
2. At the bottom of the page, click Add User.
3. In the Name field, enter Brock Bolognia.
4. In the E-mail field, enter bbolognia@yahoo.com.
5. From the Role(s) drop-down, select underwriter.
6. From the Groups list, select project-c.
7. Click Add User (and Notify).

Configure the External Supervisor User

A static image displaying a external supervisor user.

Next, you'll create a user to serve as the External Supervisor. Let's use the name Timothy Mulqueen. Because Timothy is working on all projects, you'll assign this user to those groups.

1. Return to the Express User Administration page.
2. At the bottom of the page, click Add User.
3. In the Name field, enter Timothy Mulqueen.
4. In the E-mail field, enter timothy_mulqueen@mulqueen.org.
5. From the Role(s) drop-down, select external-supervisor.
6. From the Groups drop-down, select project-a, project-b, and project-c .
7. Click Add User (and Notify).

Configure the External Broker Users

Now, let’s create three users to serve as the external brokerage employees.

Configure the Project A Broker

A static image displaying a Broker Project A configuration.

1. Return to the Express User Administration page.
2. At the bottom of the page, click Add User.
3. In the Name field, enter Ty Smith.
4. In the E-mail field, enter tsmith@aol.com.
5. From the Role(s) drop-down, select external-broker.
6. from the Groups drop-down, select project-a.
7. Click Add User (and Notify).

Configure the Project B Broker

A static image displaying Broker Project B configuration.

1. Return to the Express User Administration page.
2. At the bottom of the page, click Add User.
3. In the Name field, enter Kerry Theodorov.
4. In the E-mail field, enter kerry.theodorov@gmail.com.
5. From the Role(s) drop-down, select external-broker .
6. From the Groups drop-down, select project-b.
7. Click Add User (and Notify).

Configure the Project C Broker

A static image displaying Broker Project C configuration.

1. Return to the Express User Administration page.
2. At the bottom of the page, click Add User.
3. In the Name field, enter Jennifer Fallick.
4. In the E-mail field, enter jfallick@yahoo.com.
5. From the Role(s) drop-down, select external-broker.
6. from the Groups drop-down, select project-c.
7. Click Add User (and Notify).

With these steps completed, you’ll have roles for each user in your environment. By assigning roles and groups, each user is part of their respective projects.