Apr 5, 2022

A Security Role identifies the rights and permissions granted to a learning management system (LMS) user. It defines exactly what a user can do in your LMS. The organization or level where the user is assigned the security level determines where they have those rights and permissions.

The Security Roles in the UL ComplianceWire system, for example, provide your company with access limits to protect your system. They are like keys to your home. You have the ability to “put a lock” on some abilities and provide only the entry that your administrators require to perform their tasks.

Key types of security roles in an LMS

There are three types of Security Roles in ComplianceWire: default, inherited and custom.

Default: “Organization Administrator” and ”Learner” are the two default security roles and are available out of the box within ComplianceWire. Every company has these roles within their system. The Learner role is automatically assigned to every user account that is created and gives a user access to the basic features available: To-Do List, Training History, Catalog, etc. A Learner can also change their own password and manage other system settings that apply only to their view.

A user who is assigned the Organization Administrator role has complete access to all information in your system. This role can be assigned at any level in your organizational structure. When a user is assigned the Organization Administrator role in an organization, they will inherit that access down the organization tree. (If access is granted at the top level, an Organization Administrator has access to all sub-organizations.) No other security roles can be assigned to that user in any organization down the tree.

You will not find the Organization Administrator listed under the Security Roles area because it has access to all security settings within ComplianceWire. The Security Settings for this role are not configurable. This role should be assigned to users who require “advanced” access to your ComplianceWire system. Who in your organization should be able to create new custom fields, create new security roles or change system configuration settings?

Inherited: Roles are inherited when an individual user is identified within an entity--as a primary manager for a user, as a course owner or course SME to a training item or as a curriculum owner to a curriculum.

The purpose of the inherited, configurable role is to extend administrative access to users for those specific “entities” only. If any of the inherited roles are configured (checkmarks added for specific rights), then anyone in these roles will have those checked abilities for those entities (users, training items or curricula) where they are added.

These roles are enabled by or turned on by UL, at your company’s request. The assignment of an inherited security role is automatic. No administrative action is required.   

Custom: Custom Security Roles can be defined and created to fit the needs of your company. An unlimited number of custom security roles can be added. By defining and then assigning custom security roles, individuals can be given the ability to perform specific administrative tasks.

A custom security role is assigned at each organizational level and it is possible to have a different custom role at different levels. For example, a user may have a “Report Runner” role at the top organization, giving them the ability to view all users and training items in your system. The same user may also have a System Administrator role at a lower organizational level, giving them the ability to add, edit and manage users, training items, etc., at a specific level.

Think about the different types of employees at your company who have access to ComplianceWire. Should everyone have full access as an Organization Administrator? A Custom Role allows you to grant only the abilities that a role needs at a specific organizational level.

Developing secure ComplianceWire LMS access protocols

Here is a list of recommendations as you think about security of your ComplianceWire system:

  • Make sure your administrators are fully trained on how to use ComplianceWire before they have access to your production environment. Assign an administrator role to your new admins in your training environment and allow then to learn through practice. (The monthly training environment refresh will remove anything they created.)
  • Outline what your administrators’ responsibilities are so they have a full understanding of their roles in your ComplianceWire system. Are they responsible only for a specific site or department? While they may be able to see a lot of information in your system, what should they be focusing on?
  • Make sure your administrators are fully trained on all processes and procedures relating to your ComplianceWire system. Does your company have global and local procedures? Are there Job Aids that will help them perform some tasks?
  • Set up an internal check at least twice a year to review the users that have Security Roles in your system. Run a User Report to find disabled users who are assigned any role above Learner. (A ‘role’ is not removed from a user when their account is disabled.) Keep in mind - if an employee returns to work in a different capacity and their user account is re-enabled, they will maintain the Security Role.

Information is one of the most important assets within your company. Developing secure system access helps to protect that information within your ComplianceWire system. The Security Roles that you create and assign will be central to safeguarding and managing that information.

Jeanne Macarro is Business Advisor at UL ComplianceWire.

Learn more about LMS technologies for life science companies:

Author

  • Jeanne Macarro

Related