Table of Contents
List of System Access Control Groups by Feature
Available Custom Control Groups List
How to create a Custom Control Group
Best practices and recommendations
Overview
Access control groups are a key component of Audience Based Access Control (ABAC).
These groups are comparable to previous 'roles'; existing roles will automatically convert to system control groups upon ABAC enablement. Alerts and newsletters, formerly managed under privileges, will also transition to control groups.
This article provides an overview of what access control groups are and how they work.
What is an Access Control Group?
An Access Control Group is an entity that determines who can manage and/or access specific features. It restricts feature use to designated audiences or groups of people rather than the entire organization.
Access Control Groups determine:
- Who can manage a specific feature (e.g., Newsletters).
- The target audience(s) they can manage it for (e.g., All US, All Sales).
Types of Control Groups
There are two types of control groups: system and custom.
- System Control Groups: Similar to 'roles', these groups are accessible to app managers. System Control Groups will always have an all-org audience. Editing options are limited primarily to assigning group managers and admins. A system-created access control group will always exist.
- Custom Control Groups: These are app manager-created and are available for fewer features than system control groups. Custom Control Groups can be assigned a target audience.
Roles within Control Groups
- Target Audience(s): Designated audiences who are considered end users of the feature.
- Manager(s): Utilize assigned features for designated audience(s) but cannot edit the group itself.
- Admin(s): Admins can configure and edit settings for assigned control groups, adding or removing managers and audiences.
- Feature Owner(s): A global owner of the feature and its control sets. Feature owners can create, delete and perform all actions available to an ACG Manager and also have universal access across all ACGs for that feature. Only feature owners can create or delete Access Control Groups.
List of System Access Control Groups by Feature
Features with an asterisk can also have custom control groups defined in addition to the system group.
| Feature | Definition |
| Add Sites* | This ACG gives the ability to create new sites. If someone is added as a feature manager for this system ACG, they will be able to create sites visible to the whole organization. They will also be able to create sites visible to subsets of the organization. |
| Add Topics |
This ACG gives the ability to create net- new topics. Visibility into existing topics is organization wide and cannot be limited or restricted by audience. If someone is a feature manager for this ACG, they will be able to create new topics when creating and/or editing content. Users who can’t create content won’t be able to add topics, even if they are assigned as a feature manager.
If all users are allowed to create topics prior to when ABAC is enabled, then all users will be assigned the Manager role for the control group when ABAC is enabled. If only app managers are allowed to create topics, no ACG Managers will be assigned when ABAC is enabled.
Users assigned Add Topics feature managers will not have access to the Manage Topics menu. Manage topics is a separate ACG. |
| Alerts* | This ACG allows the ability to send alerts to the entire organization. If someone is added as a feature manager for this system ACG, they will be able to create and send alerts to all users. They will also be able to send alerts to subsets of users in the organization. |
| Analytics | This ACG allows access to global analytics. If someone is added as a feature manager for this system ACG they will be able to access global analytics as well. |
| Application Settings | This ACG allows access to Application Settings and Apps & Links. If someone is added as a feature manager for this system ACG, they will be able to access Manage > application and Manage > Apps & links. |
| Audiences | This ACG allows a user to create, edit and delete audiences. |
| Branding | This ACG allows access to Manage Branding. If someone is added as a feature manager for this system ACG, they will be able to access Manage features > Branding. |
| Campaigns | This ACG allows access to create and manage campaigns. If someone is added as a feature manager for this system ACG, they will be able to access Analytics > Campaigns. |
| Content Moderation | This ACG allows access to the content moderation queue. If someone is added as a feature manager for this system ACG, they will be able to access Manage features > Content moderation. |
| Content Onboarding | This ACG allows access to mark content from public sites as org or site onboarding, as well as mark content for private sites they have access to as site onboarding. |
| Create Messaging Groups* | This ACG allows the user to create messaging groups. |
| Enterprise Search | This ACG allows access to Enterprise Search setups. If someone is added as a feature manager for this system ACG, they will be able to access Manage features > Enterprise Search, as well as be able to add and edit sources. |
| Forms* | This ACG provides the ability to create, duplicate, archive or delete forms. This group will also be able to view form responses. |
| Home Dashboard | This ACG provides the ability to manage home dashboards on behalf of all users. If someone is added as a feature manager for this system ACG, they will be able to change the default home dashboard layout, as well as add and edit tiles and carousel content. |
| Manage home feed* | This ACG allows users the access to view, create, edit, delete and manage all posts and questions on home feed. |
| Manage sites* | This ACG allows the ability to manage sires, but not create new ones. If someone is added as a feature manager for this system ACG, they will be able to manage all sites existing on the intranet, regardless of site visibility. They will also be able to create sites visible to subsets of the organization. |
| Manage Topics | This ACG allows the ability to manage topics. Users with this permission will be able to add new topics and edit existing topics. |
| Newsletters* | This ACG allows access to all newsletters across the entire organization, If someone is added as a feature manager for this system ACG, they will be able to create and send newsletters to all users, as well as view any existing drafted or sent newsletters. |
| Polls* | This ACG allows the ability to create, edit, delete and view poll results. |
| Post in home feed* | This ACG allows users to post in the home feed. |
| Promotions | This ACG allows access to create and manage QR codes for content or feature promotions. They can manage settings for generating, editing and disabling codes, setting validity periods and adding instructions. |
| Recognition | This ACG allows the ability to manage recognition. If someone is added as a feature manager for this system ACG, they will be able to manage recognition settings, enable or disable rewards, define rewards budgets and points allocations, and create and edit available badges. |
| Sentiment Check | This ACG allows the ability to create and view sentiment checks. If someone is added as a feature manager for this system ACG, they will be able to add sentiment checks to content, edit existing sentiment checks and view the results. |
| Social Campaigns | This ACG allows the ability to manage social campaigns. If someone is added as a feature manager for this system ACG, they will be able to add and edit social campaigns on behalf of the organization. |
| Surveys* | This ACG allows the ability to manage surveys. If someone is added as a feature manager for this system ACG, they will be able to add surveys, edit existing surveys, and view all survey results regardless of the survey’s target audience (recipients). |
| Users | This ACG allows the ability to manage users. If someone is added as a feature manager for this ACG, they will be able to add and remove users. |
Available Custom Control Groups List
- All custom ACGs are identical to their system ACG counterparts with one key exception: custom ACGs allow the ability to manage a feature but with the overall reach limited to just the assigned target audience, as opposed to all org.
- Features: Adds Sites, Alerts, Manage Sites, Newsletters, Surveys, Post in home feed, Forms, Create messaging groups, Manage home feed, Polls
Audience
An audience is a group of users that typically share a common attribute. Audiences can be created automatically or manually. With ABAC, app managers and audience managers can create up to 10 levels of sub-audiences with any number of audiences under each level. The top level audience will always be the Audience Folder.
Parent audience: A parent audience is an audience at any level that has sub audiences. Parent audiences are easily identified by a > symbol.
Sub-audience (child audience): A sub-audience is a more specific group that sits within a parent audience. These audiences inherit the context of the parent but are narrower and more targeted. Sub audiences can be created on the fly within a site when needed.
How to create a Custom Control Group
- Go to Application settings and select access control.
- You will see a list of control groups you have access to.
- To create a new group, click the black create button in the top right corner.
- You have the option to create a single control group or bulk create control groups. To bulk create, click the down carat next to the create button and select bulk create control groups.
- Next select a feature you would like to give team members access to.
- When the target audience window appears, define the target audiences for the control group.
- Optional: Create sub audiences to narrow down group members by clicking the + next to an audience name.
- Optional: Designate access control group manager(s) and admin(s).
- Managers and admins can be assigned individually or by a group of users when selected by audience.
- Give the group a name using a standard naming convention.
- Toggle on the active button if you are ready to use the control group.
- Double check the parameters of the group are correct.
- Click save and activate.
Best practices and recommendations
- Regularly review and audit control group assignments to ensure they align with current organizational structures and responsibilities.
- Implement a clear naming convention for custom control groups to enhance clarity and ease of management.
- Do not delete a control group; deletion is permanent. Deactivate it instead.
Comments
Please sign in to leave a comment.