RBAC: Internal/External Projects

Overview

Using Express Groups, Roles, and User Administration, you can customize RBAC (role-based access control) for each of your users. While you may have a strict internal hierarchy, certain projects call for exceptions. Let's look at an example using the hypothetical company called Unqork Insurance.

NOTE  For demonstration purposes, this use case will use false identities and contact information.

Here’s a look at the hierarchy for Unqork Insurance:

In the above structure, you'll see a top, middle, lower-level hierarchy. The Director (top-level) can view work from anyone in the middle and lower-levels. That includes the Underwriting Supervisor and the 3 Underwriters. The Underwriting Supervisor (middle-level) can also view the work of the lower-level. But that only includes the 3 Underwriters. Finally, anyone in an Underwriter role (lower-level) can only view the work they complete—they can't view each other's work.

For internal work, the above structure is fine. But Unqork Insurance works with an External Brokerage, with the Unqork Insurance Director role being at the same level. That brokerage has the following hierarchy:

The above structure is like that of the Unqork Insurance Underwriting team. The Director of Unqork Insurance (top-level) can still see everyone's work. From there, the Supervisor (middle-level) can only view the work of each Broker (lower-level). But the Brokers can only view their own work.

If the two teams don't need to work together, these separate structures are fine. But certain Unqork Underwriters may work closely on projects with individual Brokers. These instances call for different permissions outside of the standard hierarchies. Instead of two hierarchies, let's organize the necessary permissions into projects. Here’s a sample project breakdown:

Here, the Underwriting Supervisor and the External Supervisor work on each project. They'll also work alongside one Underwriter and one Broker. For these projects, you want everyone to have access to each other's work. You could do this by adjusting Role Permissions, but you would have to create new Roles for everyone. Instead, you can minimize the number of Roles by creating Groups. Groups will represent each project and you'll set the permissions there.

Group Configuration

Groups work at the highest level in an RBAC configuration. You’ll organize roles into larger groups. Think of these as teams in your company, or even the company itself.

For this example, you’ll create 6 groups:

Group Description

Unqork Insurance

Lets users see all descending roles. This includes both internal and external parties.

Internal Underwriting

Lets users see all descending roles.

External Brokerage

Lets users see all descending roles.

Project A

Lets users see all roles in the Project A group, regardless of hierarchy.

Project B

Lets users see all roles in the Project B group, regardless of hierarchy.

Project C

Lets users see all roles in the Project C group, regardless of hierarchy.

Configure the Unqork Insurance Group

First, you’ll set up a group that includes everyone at Unqork Insurance. This includes both internal employees and external brokerage employees. You’ll set this group to allow users access to data from users in descending roles. Later, you’ll assign this as a default group to every role you add to your environment.

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. From the supplied Express Permissions menu, click Express Group Administration.
3. Enter unqork-insurance in the Enter Group Name field.
4. Enter Unqork Insurance in the Enter Group Description field.
5. Select Data Access to Role Descendants Only from the Choose Group Type drop-down.

NOTE  Selecting Data Access to Role Descendants Only gives users access to their own data and data from their descendants. To learn more about each available setting, head to our Group Administration article.

6. Click Add Group.

Configure the Internal Underwriting Group

Next, you'll set up a group to include the internal underwriting team. You’ll also set this group to allow users access to data from users in descending roles. Later, you’ll assign this as a default group to the underwriting roles you add to your environment.

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. From the supplied Express Permissions menu, click Express Group Administration.
3. Enter underwriting-internal in the Enter Group Name field.
4. Enter Underwriting Internal in the Enter Group Description field.
5. Select Data Access to Role Descendants Only from the Choose Group Type drop-down.
6. Click Add Group.

Configure the External Brokerage Group

Next, you'll set up a group to include the external brokerage team. You’ll also set this group to allow users access to data from users in descending roles. Later, you’ll assign this as a default group to the external roles you add to your environment.

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. From the supplied Express Permissions menu, click Express Group Administration.
3. Enter external-brokerage in the Enter Group Name field.
4. Enter External Brokerage in the Enter Group Description field.
5. Select Data Access to Role Descendants Only from the Choose Group Type drop-down.
6. Click Add Group.

Configure the Project Groups

Next, you'll set up groups for your 3 projects. Remember that these groups need collaboration. You’ll set each group so everyone in it can see each other’s data regardless of hierarchy. Later, you’ll assign this group to the specific users you create, as laid out in the chart earlier.

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. From the supplied Express Permissions menu, click Express Group Administration.
3. Enter the following Group Names and Group Descriptions.
Group Name Group Description

project-a

Project A

project-b

Project B

project-c

Project C
4. For each group, select Data Access to All Roles in Hierarchy from the Choose Group Type drop-down.

NOTE  Selecting Data Access to All Roles in Hierarchy gives users access to data from everyone in this group. For example, the underwriter in Project A will now see the Underwriting Supervisor’s work. To do this with Roles, you'd have to grant access to everyone’s data, including the other underwriters. To learn more about each available setting, head to our Group Administration article.

5. Click Add Group as you create each group.

Role Configuration

For this example, you’ll create 5 roles:

  • Unqork Director
  • Underwriting Supervisor
  • Underwriter
  • External Supervisor
  • External Broker

The Read/Write permissions for each role will vary based on the company’s needs. For this example, you’ll assume that every user needs Write access to the environment.

Configure the Director Role

The first role you'll establish is the Director role. Since this role oversees all others, you'll add it to the main Unqork Insurance group.

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. From the supplied Express Permissions menu, click Express Role Administration.
3. Enter unqork-director in the Enter role name field.
4. Enter Unqork Director in the Enter role description field.
5. Select Write from the Choose Role Default Permission drop-down.

6. Select unqork-insurance from the Groups list.
7. Click Add Role.

Configure the Underwriting Supervisor Role

Next, you'll create the Underwriting Supervisor role. This role sits below the Director in the hierarchy, so you'll set the Director as the Role Parent. This role is also a part of the Underwriting team, so you'll add that as a default Group.

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. From the supplied Express Permissions menu, click Express Role Administration.
3. Enter underwriter-supervisor in the Enter Role Name field.
4. Enter Underwriting Supervisor in the Enter Role Description field.
5. Select director from the Choose Role Parent drop-down.
6. Select Write from the Choose Role Default Permission drop-down.
7. Select unqork-insurance from the Groups list.
8. Select underwriting-internal from the Groups list.
9. Click Add Role.

Configure the Underwriter Role

Next, you'll create the Underwriter role. This role sits below the Underwriting Supervisor, so you'll set the Underwriting Supervisor as the Role Parent. This role is also a part of the Underwriting team, so you'll add that as a default Group.

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. From the supplied Express Permissions menu, click Express Role Administration.
3. Enter underwriter in the Enter Role Name field.
4. Enter Underwriter in the Enter Role Description field.
5. Select underwriting-supervisor from the Role Parent drop-down.
6. Select Write from the Choose Role Default Permission drop-down.
7. Select unqork-insurance from the Groups list.
8. Select underwriting-internal from the Groups list.
9. Click Add Role.

Configure the External Supervisor Role

Next, you'll create the External Supervisor role. This role sits below the Director in the hierarchy, so you'll set the Director as the Role Parent.

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. From the supplied Express Permissions menu, click Express Role Administration.
3. Enter external-supervisor in the Enter Role Name field.
4. Enter External Supervisor in the Enter Role Description field.
5. Select Write from the Choose Role Default Permission drop-down.
6. Select unqork-insurance from the Groups list.
7. Select external-brokerage front the Groups list.
8. Click Add Role.

Configure the External Broker Role

Next, you'll create the External Broker role. This role sits below the External Supervisor, so you'll set the External Supervisor as the Role Parent.

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. From the supplied Express Permissions menu, click Express Role Administration.
3. Enter external-broker in the Enter Role Name field.
4. Enter External Broker in the Enter Role Description field.
5. Select external-supervisor from the Role Parent drop-down.
6. Select Write from the Choose Role Default Permission drop-down.
7. Select unqork-insurance from the Groups list.
8. Select external-brokerage front the Groups list.
9. Click Add Role.

User Configuration

With your Groups and Roles established, you're ready to set up your individual users. As you create the accounts, you'll assign the appropriate project groups to each user.

Configure the Director User

Let’s create a user to serve as Director of Unqork Insurance. You'll use the name Lenna Paprocki.

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. From the supplied Express Permissions menu, click Express User Administration.
3. Click Add User at the bottom of the page.
4. Enter Lenna Paprocki in the Name field.
5. Enter lpaprocki@hotmail.com in the E-mail field.
6. Select director from the Default Role drop-down.

7. Click Add User (and Notify).

You’ll notice that we did not select a group for Lenna. That’s because the only group Lenna needs to be in by default is Unqork Insurance. And the Unqork Insurance group is automatically assigned to the Director role.

Configure the Underwriting Supervisor User

Next, let’s create a user to serve as the Underwriting Supervisor. Let's use the name Abel Maclead. Because Abel is working on all 3 projects, you'll assign those groups.

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. From the supplied Express Permissions menu, click Express User Administration.
3. Click Add User at the bottom of the page.
4. Enter Abel Maclead in the Name field.
5. Enter amaclead@gmail.com in the E-mail.
6. Select underwriter-supervisor from the Default Role drop-down.
7. Select project-a, project-b, and project-c from the Groups list.
8. Click Add User (and Notify).

Configure the Underwriter Users

Next, let’s create 3 users who will serve as the Underwriters. You'll use 3 sample names for these users.

Configure the Project A Underwriter

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. From the supplied Express Permissions menu, click Express User Administration.
3. Click Add User at the bottom of the page.
4. Enter Sage Wieser in the Name field.
5. Enter sage_wieser@cox.net in the E-mail field.
6. Select underwriter from the Default Role drop-down.
7. Select project-a from the Groups list.
8. Click Add User (and Notify).

Configure the Project B Underwriter

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. From the supplied Express Permissions menu, click Express User Administration
3. Click Add User at the bottom of the page.
4. Enter Erick Ferencz in the Name field.
5. Enter erick.ferencz@aol.com in the E-mail field.
6. Select underwriter from the Default Role drop-down.
7. Select project-b from the Groups list.
8. Click Add User (and Notify).

Configure the Project C Underwriter

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. From the supplied Express Permissions menu, click Express User Administration.
3. Click Add User at the bottom of the page.
4. Enter Brock Bolognia in the Name field.
5. Enter bbolognia@yahoo.com in the E-mail field.
6. Select underwriter from the Default Role drop-down.
7. Select project-c from the Groups list.
8. Click Add User (and Notify).

Configure the External Supervisor User

Next, you'll create a user to serve as the External Supervisor. Let's use the name Timothy Mulqueen. Because Timothy is working on all 3 projects, you'll assign those groups.

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. From the supplied Express Permissions menu, click Express User Administration.
3. Click Add User at the bottom of the page.
4. Enter Timothy Mulqueen in the Name field.
5. Enter timothy_mulqueen@mulqueen.org in the E-mail field.
6. Select external-supervisor from the Default Role drop-down.
7. Select project-a, project-b, and project-c from the Groups list.
8. Click Add User (and Notify).

Configure the External Broker Users

Next, let’s create 3 users to serve as the external brokerage employees. You'll use 3 sample names for these users.

Configure the Project A Broker

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. From the supplied Express Permissions menu, click Express User Administration.
3. Click Add User at the bottom of the page.
4. Enter Ty Smith in the Name field.
5. Enter tsmith@aol.com in the E-mail field.
6. Select external-broker from the Default Role drop-down.
7. Select project-a from the Groups list.
8. Click Add User (and Notify).

Configure the Project B Broker

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. From the supplied Express Permissions menu, click Express User Administration.
3. Click Add User at the bottom of the page.
4. Enter Kerry Theodorov in the Name field.
5. Enter kerry.theodorov@gmail.com in the E-mail field.
6. Select external-broker from the Default Role drop-down.
7. Select project-b from the Groups list.
8. Click Add User (and Notify).

Configure the Project C Broker

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. From the supplied Express Permissions menu, click Express User Administration.
3. Click Add User at the bottom of the page.
4. Enter Jennifer Fallick in the Name field.
5. Enter jfallick@yahoo.com in the E-mail field.
6. Select external-broker from the Default Role drop-down.
7. Select project-c from the Groups list.
8. Click Add User (and Notify).

Summary

With these steps completed, you’ll have roles for each user in your environment. By assigning Roles and Groups, each user will be a part of their respective projects. Within those projects, they’ll be able to see their teammates' work. This use case is just one example of how you can leverage RBAC in Unqork.