Access to cases
Case Manager has a number of features that contribute to its system security. See Security overview for details.
This page explains how a user's access to cases is managed. This determines the cases that the user is allowed to see in the Case List and to possibly also modify.
You may like to start with the second security video, which introduces case access:
There are three levels governing a user's case access. These levels are combined to deliver a sophisticated system.
These case access values can be set at multiple levels and not only:
- provide access to cases not otherwise accessible to the user, but also
- deny access to cases the user might otherwise be able to access.
The case access system is secure, flexible and customisable in order to meet your specific requirements.
Levels of access
For the combination of a particular user and a particular case, settings at three levels are evaluated in order to determine the user's access to this case.
The evaluation follows a sequence of questions. It exits the sequence after the answer to any question is yes.
The three levels are:
- Settings at the case level in its Details tab:
- the Assign to user
- the Other Staff users
- the checkbox: Limit access to this case to the employees specified below
- The user's employee membership in offices, teams and categories
- The user's security setting (usually via the Security Group List) for the permission: Can view all cases
The value for case access can be:
No access is defined so the user cannot see the case.
The user can view the case in the Case List and examine case-related data, but they cannot add, change or delete anything.
The user has full access privileges to view and change case information.
This value is the same as None, however the difference is that when multiple access values are specified at the same level, Deny overrides all the other values.
Evaluation of user access to a case
The diagram summarises the decision-making that evaluates a user's access to a case. A series of questions are posed in order to conduct the evaluation. It is important to understand that as soon as an answer is Yes, the evaluation is over because a value has been found for the case access. The value is indicated by the blue boxes at the right.
Thus, settings consulted closer to the start of this series of questions override those closer to the end.
Full details of each evaluation step are below.
The questions at this level use information found in the See Case Details tab.
Is this user the Assign to user?
- When a user is set as the Assigned to user, they have full case access. Their access value is Modify and no further evaluation needs to be done.
If the user is not the case's Assign to user, the evaluation continues.
Is this user included in Other Staff?
- Multiple users can be included in the Other Staff list and each user has a View, Edit or Deny checkbox set. See Case access via the Details tab.
If a user is present in the list, then their View, Edit or Deny setting determines their case access value. Edit gives a case access of Modify and Deny gives a case access of None.
If the user was present in this list then no further evaluation needs to be done. If not, the evaluation continues.
Is 'Limit access to this case to the employees specified below' ticked?
- If the user is not named at the case level, the next issue is whether the Limit access ... setting has been ticked for the case.
If it is set, no access is possible for any un-named users and no further evaluation needs to be done. Case access is None.
If this is not set, the evaluation continues to the next level, which is the user's memberships in the case's category, office and/or team.
Is the user a member of the case's team, office and/or category and 'Access all cases' is View, Edit or Deny?
- Each case has a category, an office and possibly a team (see Case details).
- If the user is a member of the case's category and the Access all cases setting is View, Edit or Deny, the value is collected.
- If the user is a member of the case's office and Access all cases is View, Edit or Deny, the value is collected.
- If the user is a member of the case's team and Access all cases is View, Edit or Deny, the value is collected.
The user can be a member of multiple offices, categories and/or teams. See Office, team and category membership for details.
Employee memberships can create access to cases. In the example below the user's membership in the Blue team potentially enables them to modify cases that are linked to this team:
This access is subject to the case's setting for Limit access ... (as described in step C above) and to the settings for the user's other memberships.
If the access setting is No, the membership does not provide any access to these cases.
Evaluation of the user's access to a case through their memberships follows a process:
Thus, up to three access settings can be collected in this way (category, office and/or team). The highest value found in this collection determines the overall case access value.
Deny > Edit > View
Deny is higher than Edit, which is higher than View.
A Deny access for any membership overrides View or Edit set in any other membership and hence the user would have no case access at all. Such deny permissions can be used to ensure employees do not have any access to cases in specific teams, offices and/or categories.
In summary, if the user has any category, team or office membership that has a value other than No, the process above is followed to derive an overall case access value and the evaluation stops.
If the user has no such memberships the evaluation progresses to level 3, where the user's security permission is examined.
Does this user have the permission: Can view all cases?
- The user is a member of one or more security groups at the Security Groups List which determines what they can do and see in the database. If they have the permission: Can view all cases, then their case access is Modify.
- If they do not have this permission, then they have failed all the evaluation questions and their access for this case in None.
Additional notes for steps
- The option to limit case access to the employees specified is powerful and so has the potential to work in an undesirable manner. For example, if ticked by a user with Modify access to the case they would prevent other users' access via other levels. In this way a person with limited security access (e.g. a consultant) could very easily lock people out at even the highest level within the organisation (the system administrator).
To prevent this the permission Can limit case access to allocated staff only enables control of who can tick the option. Initially, only the system administrator group has this permission.
Note that if a user with this permission does tick the option at a case, they should first add themselves appropriately to the Other Staff list so that they can access the case subsequently.
- Users may expect that someone with the permission Can view all cases can do just that in all circumstances. Prior to Case Manager V5.2, the only way to limit the access of someone with this permission was to add them to the Other Staff list with either View or Deny set. From 5.2 onwards this permission is now overridden via membership in the office, team and/or category (step D).