Account Types
In Records Management, there are five account types that users can be assigned to: Master, System Admin, Record Manager, Service, and User. An account type may have a set of permissions that can be granted to users assigned to the account type. Each account type is described below.
Master Account
The Master Account has full control over all of Records Management and can be used to provision new Users and Service Accounts, as well as administer any aspect of the system. This account information should be kept secure!
If you are the system administrator, you should have created the Master Account the first time you logged in.
System Admin
The System Admin account grants a user full access to Records Management. System Admins can manage all aspects of Records Management, including the management of security.
As a best practice, after logging in for the first time as the Master Account, we recommend provisioning the first user account as a System Admin. You should then log in with this newly provisioned account to administer the system going forward. The Master Account should only be used if needed, such as when setting up the first System Admin account or configuring custom branding.
Record Manager
The Record Manager account grants a user the ability to manage the File Plan. Record Managers can manage all aspects of the system pertaining to the management of records and information. A Record Manager can actively manage the File Plan as well as Legal Cases. They also have the ability to see record-level monitoring information to better understand what is happening to information in the system in real-time.
Service Account
Service Accounts are created and managed locally within Records Management. They differ from the other account types in that they are not associated with the registered Identity Provider (for example, Windows Accounts when the out-of-the-box Identity Provider is used).
The purpose of a Service Account is to have an account that can be used from the various Connectors or any Third-Party Services that will be communicating with Records Management.
As a best practice, you should create a separate Service Account for each Connector that will be used. This will make it easier to identify a specific Connector’s related activity within the system. Service Accounts possess a high level of rights within the system and should be kept secure.
When you enter your Service Account credentials, the Service Account username format depends on whether or not you are connecting to the Gimmal Cloud for Records Management. If the Gimmal Cloud is being used, the username format is: {service account name}@{tenant domain} (e.g. spocservice@gimmal.com, or fscservice@companyname.com); otherwise, the format is just: {service account name}. For more information, see Directing the Connector to Records Management.
Users
The User account type grants a user access to the system, but does not actually assign them any permissions. Permissions are assigned for a specific user to individual Record Classes in order to give a user a certain level of access to the records and information assigned to that Record Class. A User account must be added to the system in order to grant permission to a user.
There are two levels of User permissions that can be assigned at the Record Class level:
- View permissions grant a user View access for individual Record Classes in Records Management. When users who are assigned View permission sign into Records Management, they will have the ability to view existing records and details, as well as create physical record requests as needed.
- Declare permissions grant a user Declare access for individual Record Classes in Records Management. When users who are assigned Declare permission sign into Records Management, they will have the ability to view existing records and also Declare official records pertaining to the Record Classes to which they have been given access.
In addition, a User account may be assigned Approve permissions. Approve permissions grant a user the ability to approve action items for individual Record Classes. Users with Approve permission have the ability to approve action items pertaining only to the Record Classes to which they have been given access. The ability to assign Approve permissions is discussed in the Approval Groups topic.
When Physical Records Management is enabled, two new roles become available. Unless a user is assigned to one of these roles, they will not be able to see any of the Physical Records Management features. This applies to System Admins and Record Managers as well. Essentially, Physical Records Management and the core system use different security models, which allows maximum flexibility in how the software is used.
Physical Administrator
A Physical Administrator has complete access to all components of Physical Records Management. However, a Physical Administrator does not have System Admin or Record Manager roles in the core Records Management system unless they are given one of those roles as well. Because of the integration of Physical Records Management into the core system, a Physical Administrator will not have access to the following components unless assigned the proper role in the core software:
- Assigning a record class to a container
- Placing a container on hold
- Placing an asset on hold
- Reporting
Physical User
A Physical User will only be able to use features if they are given specific permission on the different components of Physical Records Management, which includes Containers, Assets, Locations, Charge In/Out, and using a Barcode Schema.