📣 Permissions: fine-grained controls

Overview

This announcement describes upcoming changes to how you configure permissions on Persona. The changes will be released beginning July 2023. If your organization has not been notified of access to this new version, please refer to the guides available in the permissions v1.0 article.

Summary

We’re updating the way permissions work in Persona, to give you finer-grained access control and a cleaner user interface.

This update features:

  • Standardized format for permissions: We’ve consolidated most permissions to have two standard choices, View and Edit.
  • Environment-level access control: You will be able to specify that a role has certain permissions only in specific environment(s), like Sandbox or Production.
  • Template-level access control: You will be able to constrain product permissions to specific product templates. For example, you can constrain Inquiries-related permissions to specific Inquiry templates; Reports-related permissions to specific Reports templates; and so on.

When

The update will happen gradually beginning in July 2023.

Considerations for you

You do not need to take any action to receive the update—the update will happen automatically.

We’re letting you know early, so you can learn and plan how you want to use the new features.

Below, we describe the update in more detail, and provide steps you can take to prepare.

Details: what’s new

The main change in this update is a standardized, finer-grained permissions model. These permissions are presented in a new, clean user interface.

Permissions model

The new permissions model is standardized and finer-grained.

  • Standardized:
    • Most permissions will have two standard choices: View and Edit permissions. (Before, permissions were not grouped into standard categories.)

    • The default Admin role will always have all possible permissions. (Before, the permissions for the Admin role could be edited.)

  • Finer-grained: The new model lets you specify environment-level and template-level access control. (Before, Cases let you specify template-level permissions, but otherwise you could not specify these permissions.)

User interface

We’ve updated the user interface that lets you edit which of these permissions each role has. The screenshots in this announcement give you a preview of the new UI.

To learn more about the new interface and how to use it, see this guide.

How your existing permissions will be migrated

When we release the update, we will migrate your existing permissions to use the new permissions model.

The migration is designed to minimize impact to your day-to-day operations. Here’s what to expect.

Environment-level access

Roles will retain the same environment-level permissions they had before the migration. This means:

  • By default, each role except for Admin will have access to Sandbox and Production environments. This is on par with existing behavior for roles.
    • The Admin role will have access to “all current and new environments.”
  • Only if your organization has worked with us to set up different roles and permissions across different environments today: We will preserve those per-environment permissions in this migration. A small minority of Persona organizations fall into this category.

Template-level access

Roles will retain the same template-level permissions they had before the migration. The only products that currently offer template-level access control are Cases and Reports. This means:

  • By default, in all products except for Cases and Reports, each role will have access to “all current and future templates” (where template-level permissions exist). This is on par with existing behavior for roles.
  • For Cases and Reports, we will migrate the template-level access. See the Special notes below.

Special notes

If you use the Cases product: Cases currently offers a set of permissions (at the bottom of the current roles configuration page) that lets you expand a role’s ability to view Cases—specifically those using specific Case templates. If you have set any of these permissions on a role, we will preserve these permissions for that role.

To achieve this, we will create a role that just has the ability to view Cases that use the Case templates you have selected, and assign this role to the same set of users. (As a quick review, this works because permissions in Persona are additive, so users with this additional role will gain those permissions.)

For each role you have configured to use Case template permissions, we will create one role in your organization for this purpose.

If you use the Reports product: The same template caveats will apply to Reports template-level permissions.
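The additive behavior described above can be checked with a small model when you review roles after the migration. This is an added example, not Persona's code or API: the `Grant` structure, the role names and the template names are constructed for illustration, and levels are matched exactly because this announcement does not say whether Edit implies View.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# None as a scope means "all current and future" environments or templates.
Scope = Optional[FrozenSet[str]]

@dataclass(frozen=True)
class Grant:
    entity: str                # e.g. "Case details"
    level: str                 # "View" or "Edit"
    environments: Scope = None
    templates: Scope = None

    def covers(self, entity, level, environment, template):
        # Exact level match: Edit is not assumed to imply View (assumption).
        return (self.entity == entity
                and self.level == level
                and (self.environments is None or environment in self.environments)
                and (self.templates is None or template in self.templates))

def is_allowed(role_names, roles, entity, level, environment, template):
    """Additive evaluation: one matching grant in any assigned role is enough."""
    return any(g.covers(entity, level, environment, template)
               for name in role_names for g in roles.get(name, ()))

def granting_roles(role_names, roles, entity, level, environment, template):
    """Name the assigned roles that grant the access, for a post-migration review."""
    return sorted(name for name in role_names
                  if any(g.covers(entity, level, environment, template)
                         for g in roles.get(name, ())))

# Constructed sample. "Analyst (Case templates)" stands in for the companion
# role the migration creates to carry a role's Case template permissions.
ROLES = {
    "Analyst": [Grant("Inquiry details", "View")],
    "Analyst (Case templates)": [
        Grant("Case details", "View", templates=frozenset({"Fraud review"}))],
    "Sandbox tester": [
        Grant("Case details", "Edit", environments=frozenset({"Sandbox"}))],
}
USER_ROLES = ["Analyst", "Analyst (Case templates)"]

if __name__ == "__main__":
    for tpl in ("Fraud review", "Chargeback"):
        print(tpl, is_allowed(USER_ROLES, ROLES, "Case details", "View",
                              "Production", tpl))
```

Removing the companion role from a user removes the template-scoped Case access, so `granting_roles` is the quickest way to see which role a given access actually depends on.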

Consolidating to View & Edit permissions

In general, permissions map in a straightforward way from the current model to the new model. Here are some details about how the mapping works.

Permissions

  • View and analytics permissions: Where view and analytics permissions were already combined, we’ve kept these permissions combined under an analogous “View” permission. If view and analytics permissions were separate, we have kept these separate. For example:
    • The current Inquiries: View all inquiries and associated analytics permission and Inquiries: View a specific inquiry’s details permission will be consolidated into the View permission for the Inquiry details entity.
    • The current Cases: View case analytics permission will become the View permission for the Case analytics entity.
  • Create and edit permissions: In our current system, naming for “create” and “edit” permissions is inconsistent. Permissions that enable a role to “create” a given object also grant permission to edit the same object. In the new model, the “Edit” permission will by default encompass create and edit. For example:
    • The current Cases: Create a case permission will be renamed as the new Edit permission for Case details.
    • The current Reports: Create ad hoc reports in Dashboard permission will be renamed as the new Edit permission for the Report details entity.
  • Actions beyond create and edit: We have preserved supporting actions that don’t fit neatly into create and edit, notably in the Cases and Reports products. These actions are listed in the next section, “Entities that have permissions”.

Entities that have permissions

  • We have taken care to maintain which entities have View/Edit permissions. For example:
    • Within Inquiries, Verifications, Reports, Cases, Workflows, and Transactions: permissions for the object details (e.g. View/Edit Inquiry details) remain separate from permissions for the object templates or types (e.g. View/Edit Inquiry templates).
    • Within Graph: permissions for queries (which can only be viewed) remain separate from View/Edit permissions for query templates, and View/Edit permissions for other Graph configurations.
    • Within Cases, the permissions for the following entities remain separate: View/Edit Case details, View/Edit Case templates, View/Edit Case actions, ability to assign a Case, ability to Bulk assign or Bulk resolve, View Case analytics, Edit Case list table, View/Edit SAR details, Edit SAR configuration, ability to export a SAR, ability to file a SAR.
  • Within Reports, in addition to permissions for Reports remaining separate from Report templates, the following actions are also preserved: ability to create and re-run Reports, ability to dismiss matches on Reports, ability to pause or resume a Report that is set to recur.
  • We have also created a new entity with View/Edit permissions for Persona Marketplace, our integration hub.
    • Marketplace Connections: there will be permissions for Edit New Connections within Persona Marketplace and View/Edit Existing Connections within Persona Marketplace
  • However, in a few situations, we are consolidating permissions across products into a general permission. To minimize disruption to your operations, in the migration, by default, we will enable the new general permission for any role that has a product-specific version of the permission. Please reach out if you would like different behavior. In particular:
    • Redaction: Permission to redact objects (including Inquiries, Verifications, Reports, and Cases) will be consolidated into a single permission called Enable redaction for all products.
    • Export data: Permission to export data from the dashboard will be consolidated into a single permission called Enable export for all products.

Special notes

If you use the Document AI product: Permissions for Document AI will be consolidated under their associated product.

  • If you use Document AI associated with a Verification template, then it will be governed by the View/Edit permissions of that template.
  • If you use Document AI in a way that is not associated with Verifications (e.g. as an attachment for Cases), it will be part of that object (e.g. Cases in this example) and governed by the View/Edit permissions of that object’s details (e.g. View/Edit permissions for Case details).

Default roles

After the update, the default Admin role will always have all possible permissions. You will not be able to edit this Admin role.

How to prepare

Educate relevant members of your team

This change will impact how you manage roles and permissions. Please share this announcement with anyone on your team who handles administration of your Persona organization.

Schedule time to review your permissions, after the update

This migration is designed to minimize impact to your day-to-day operations. But because roles and permissions are important to get right, we recommend setting up time to manually review the permissions for each of your roles, after the migration. There are in-product tooltips to help you understand each permission.

Ask questions

Please feel free to reach out to your customer success manager or contact the Persona support team with any questions.
