The granular permissions settings is one of those WORK[etc] CRM security features that doesn’t often get thrust into the spotlight. These settings are key in keeping your WORK[etc] data safe; they don’t just give you complete control over who can access the system, they also let you choose which parts of it they can see.
For example, it’s important for your project manager to access everything related to projects and tasks. The financial side of the business is outside of her area of expertise, so you decide to turn off access to WORK[etc]’s billing and invoicing tools.
Here’s another scenario: you have two people in sales, Jim and Bob. You can allow them both to see each other’s sales leads so that they don’t end up wasting time going after the same lead. However, each of them can only modify and delete the leads they created. Jim can see Bob’s leads but he can’t edit them and vice versa.
Granular permissions control what your employees can see and do in WORK[etc]. Our latest release, the location-aware Remote Access Control, lets you choose where they can access the system.
More Security, More Peace of Mind
Imagine you’ve just recently had to let go of one of your employees. They’re obviously not too happy about it. Even though you think they’re a good person, there’s this niggling feeling at the back of your mind that they might act irrationally.
We’ve all had that niggling feeling at one time or another. You know it. It starts off as a simple “What if?” that you quickly shake off. “No, they’d never do that,” you think to yourself. “They’re not that kind of person.”
You believe they know one of your remaining employees’ login credentials, and you’re afraid that they’ll access your WORK[etc] account and potentially do some major damage to your business. You do a company-wide password reset, which in all likelihood will already fix the problem by itself, but still — the thought persists.
Remote Access Control can help you get rid of that recurring anxiety and give you peace of mind. With this new feature, you can set it so that your employees can only access WORK[etc] when they’re sitting at their desks in your office and nowhere else.
This means that even if your irate ex-employee somehow manages to get his hands on a new password, he still won’t be able to access your WORK[etc] account unless he does it from inside your office.
Here’s how it works.
Limit Access to Specific IP Addresses
An IP — or Internet Protocol — address is a unique string of numbers separated by periods or dots (78.125.0.098, for example) that identifies each computer that communicates over your network. A street address determines where a letter should be delivered; computers use IP addresses to communicate with each other.
Internet service providers (ISPs) assign an IP address to every connection they provide. If you have a business-grade connection, this is usually a static or non-changing address. This IP address is also known as a WAN address; it’s what your router uses to connect to the Internet.
The new Remote Access Control feature lets you control exactly which WAN IP addresses or address ranges are given access to WORK[etc].
Let’s say your ISP-assigned IP address is 126.96.36.199. If you add that address to the list of allowed IP addresses in your WORK[etc] account’s security preferences, only those devices that connect through that specific IP address will be able to login to WORK[etc].
If you try to connect using any other IP address, the location-aware security feature won’t let you login to your WORK[etc] account.
These IP restrictions let you restrict access only to devices that connect to the Internet through your ISP-assigned IP address, but what if you have employees that are regularly off-site? You can still let them access WORK[etc] as long as you know the WAN IP that they’re connecting from.
For example, if you have a team working off-site, say at a client’s office or from home, you can ask them for the IP address at their location and add that address to the Remote Access Control settings.
As long as your off-site team members use only those specific IP addresses to connect, they’ll be able to access WORK[etc] without any problems. You can also temporarily allow them to access WORK[etc] regardless of the IP address they’re using to connect.
Mobile App Access
One big difference between WORK[etc]’s mobile apps and web app is that the former don’t have any sort of import or export capability. Mobile app users won’t be able to export sensitive company information such as sales leads and project and financial details.
As such, we’ve made it possible for you to allow your employees to access WORK[etc] through the mobile apps regardless of what IP address they’re currently using. This is particularly important as mobile devices usually have dynamic IP addresses which can change depending on the network they connect to.
Let’s say your company sells and installs routers. You have a team of five specialists who go out and install your products in clients’ homes and offices. Each of your specialists have the WORK[etc] mobile app installed on their phones to let them log time and quickly capture customer information on-site.
Even if you enable the Remote Access Control feature, you can still allow your installation specialists to access WORK[etc] through the mobile app. Your field team will still be able to do their jobs using the mobile apps while you continue to restrict access to the web app.
This is perfect for businesses who regularly have people out in the field but also wish to limit access to the main web app to within their office only.
Mix and Match According to Your Needs
The Remote Access Control feature lets you set different restrictions for the web and mobile apps at the same time. You can even lift the IP restrictions completely for trusted users.
Let’s say you’re going on a week-long overseas vacation. You’re a bit of a workaholic, though, so you still want to be able to check in on how everybody is doing from time to time.
You have the WORK[etc] mobile app installed on your phone, but you want the full power of the web app. You already limited web app access only to those desktop computers in your office that connect through your office internet connection.
Fortunately, Remote Access Control lets you give access from any IP address to specific users that you trust. You can log on to WORK[etc] no matter what IP address you use to connect.
Meanwhile, your office-based team can still only log on to the system using the computers at their desks; your people out in the field can use the mobile apps to access WORK[etc].
Setting It All Up
To enable IP access control, simply navigate to Settings > Manage Account > Security. There, hover over the pencil icon next to the IP Access Control option (which is set to Disabled by default) and click it. You will then see the following options:
- Check the box to enable or uncheck to disable.
- Enter the IP addresses that are allowed to access the account as a user (employee). You can use wanip.info to determine your WAN IP address.
- If required, check the box and select users that can are not included in these restrictions and can access from any IP address.
- Check this box to enable the mobile apps to be used from any IP address (usually required).
- Click on Save.
Since the IP access control settings dictates who can access WORK[etc] and from where, it’s important to fully understand this feature before you enable it. You don’t want to accidentally lock someone — or worse, everyone! — out of WORK[etc]. Check out the video below and our User Guide article for more details.