The granular permissions settings is one of those WORK[etc] CRM security features that doesn’t often get thrust into the spotlight. These settings are key in keeping your WORK[etc] data safe; they don’t just give you complete control over who can access the system, they also let you choose which parts of it they can see.
For example, it’s important for your project manager to access everything related to projects and tasks. The financial side of the business is outside of her area of expertise, so you decide to turn off access to WORK[etc]’s billing and invoicing tools.
Here’s another scenario: you have two people in sales, Jim and Bob. You can allow them both to see each other’s sales leads so that they don’t end up wasting time going after the same lead. However, each of them can only modify and delete the leads they created. Jim can see Bob’s leads but he can’t edit them and vice versa.
Granular permissions control what your employees can see and do in WORK[etc]. Our latest release, the location-aware Remote Access Control, lets you choose where they can access the system.
More Security, More Peace of Mind
Imagine you’ve just recently had to let go of one of your employees. They’re obviously not too happy about it. Even though you think they’re a good person, there’s this niggling feeling at the back of your mind that they might act irrationally.
We’ve all had that niggling feeling at one time or another. You know it. It starts off as a simple “What if?” that you quickly shake off. “No, they’d never do that,” you think to yourself. “They’re not that kind of person.”
You believe they know one of your remaining employees’ login credentials, and you’re afraid that they’ll access your WORK[etc] account and potentially do some major damage to your business. You do a company-wide password reset, which in all likelihood will already fix the problem by itself, but still — the thought persists.
Remote Access Control can help you get rid of that recurring anxiety and give you peace of mind. With this new feature, you can set it so that your employees can only access WORK[etc] when they’re sitting at their desks in your office and nowhere else.
This means that even if your irate ex-employee somehow manages to get his hands on a new password, he still won’t be able to access your WORK[etc] account unless he does it from inside your office.
Here’s how it works.
Limit Access to Specific IP Addresses
An IP — or Internet Protocol — address is a unique string of numbers separated by periods or dots (78.125.0.098, for example) that identifies each computer that communicates over your network. A street address determines where a letter should be delivered; computers use IP addresses to communicate with each other.
Internet service providers (ISPs) assign an IP address to every connection they provide. If you have a business-grade connection, this is usually a static or non-changing address. This IP address is also known as a WAN address; it’s what your router uses to connect to the Internet.
The new Remote Access Control feature lets you control exactly which WAN IP addresses or address ranges are given access to WORK[etc].
Let’s say your ISP-assigned IP address is 220.127.116.11. If you add that address to the list of allowed IP addresses in your WORK[etc] account’s security preferences, only those devices that connect through that specific IP address will be able to login to WORK[etc].
If you try to connect using any other IP address, the location-aware security feature won’t let you login to your WORK[etc] account.
These IP restrictions let you restrict access only to devices that connect to the Internet through your ISP-assigned IP address, but what if you have employees that are regularly off-site? You can still let them access WORK[etc] as long as you know the WAN IP that they’re connecting from.
For example, if you have a team working off-site, say at a client’s office or from home, you can ask them for the IP address at their location and add that address to the Remote Access Control settings.
As long as your off-site team members use only those specific IP addresses to connect, they’ll be able to access WORK[etc] without any problems. You can also temporarily allow them to access WORK[etc] regardless of the IP address they’re using to connect.
Mobile App Access
One big difference between WORK[etc]’s mobile apps and web app is that the former don’t have any sort of import or export capability. Mobile app users won’t be able to export sensitive company information such as sales leads and project and financial details.
As such, we’ve made it possible for you to allow your employees to access WORK[etc] through the mobile apps regardless of what IP address they’re currently using. This is particularly important as mobile devices usually have dynamic IP addresses which can change depending on the network they connect to.
Let’s say your company sells and installs routers. You have a team of five specialists who go out and install your products in clients’ homes and offices. Each of your specialists have the WORK[etc] mobile app installed on their phones to let them log time and quickly capture customer information on-site.
Even if you enable the Remote Access Control feature, you can still allow your installation specialists to access WORK[etc] through the mobile app. Your field team will still be able to do their jobs using the mobile apps while you continue to restrict access to the web app.
This is perfect for businesses who regularly have people out in the field but also wish to limit access to the main web app to within their office only.
Mix and Match According to Your Needs
The Remote Access Control feature lets you set different restrictions for the web and mobile apps at the same time. You can even lift the IP restrictions completely for trusted users.
Let’s say you’re going on a week-long overseas vacation. You’re a bit of a workaholic, though, so you still want to be able to check in on how everybody is doing from time to time.
You have the WORK[etc] mobile app installed on your phone, but you want the full power of the web app. You already limited web app access only to those desktop computers in your office that connect through your office internet connection.
Fortunately, Remote Access Control lets you give access from any IP address to specific users that you trust. You can log on to WORK[etc] no matter what IP address you use to connect.
Meanwhile, your office-based team can still only log on to the system using the computers at their desks; your people out in the field can use the mobile apps to access WORK[etc].
Setting It All Up
To enable IP access control, simply navigate to Settings > Manage Account > Security. There, hover over the pencil icon next to the IP Access Control option (which is set to Disabled by default) and click it. You will then see the following options:
- Check the box to enable or uncheck to disable.
- Enter the IP addresses that are allowed to access the account as a user (employee). You can use wanip.info to determine your WAN IP address.
- If required, check the box and select users that can are not included in these restrictions and can access from any IP address.
- Check this box to enable the mobile apps to be used from any IP address (usually required).
- Click on Save.
Since the IP access control settings dictates who can access WORK[etc] and from where, it’s important to fully understand this feature before you enable it. You don’t want to accidentally lock someone — or worse, everyone! — out of WORK[etc]. Check out the video below and our User Guide article for more details.
This is very timely as we have just had to make some redundancies, but also new staff with different roles have come onboard.
It’s pretty cool that you can restrict access based on IPs as we have remote workers in Sydney, Melbourne and in and around the Adelaide area of Australia. It’s good to know that we can lock down our client info and only expose those parts needed to our staff.
Thanks for this interesting write-up, we will have to look further into the settings and see how we can benefit with some of these changes.
I think that the permission and automatic escalation issues are the two main features the need improvement, for the permission one, any business will need to have a hierarchical structure permissions, so if you have multiple sales managers, say 4 and each one has 3 reps, one should be able to allow each manager to have full access on his 3reps, to monitor, give an remove permissions, see their work, but not the other reps of his colleague manager and you need the VP of sales to have general access on all his employees but not on the Finance employees for example, and so should the HR manager have full access on all the employees personal information and not their individual sales records, what’s happening now is that if we give access to an employee on say contacts to view, edit and delete, he or she can have that access to all employees in the company!! This needs to be improved if possible please. The remote IP is a great addition and we need more improvements on the permissions front.
Thank you all
I am looking forward to bring this new feature to our team. 1 team member travels 2 weeks of the month and we are always worried about wifi hotspot intrusions. I believe this will help with that worry. Thank you for your continued effort on our part, the improvements are useful, insightful and most appreciated. Keep up the good work.
Interesting point Karen – I tend to use additional security tools whenever I’m working remotely and am very picky about the hotspots I connect to and what I do on them.
I have all projects locked from deletion, even from designers (who otherwise have high level permissions) to avoid “accidents”. If someone double enters a project they have to request that it be deleted – by supplying the project name and number by email. This provides a double check…. and well worth doing as last week a project was sent up for removal that had been confused. The one requested had two years of info in it… the check ensured that this wasn’t lost and the error flagged.
Praise be for granular permissions!
James raises a good point here. I always try to highlight certain aspects of the permissions on trainings. Contact bulk deletion being top of the list (that’s someone else’s horror story to share), closely followed by Contact Export (I was responsible for data protection in a previous role – still a bit obsessed by it at times), and ALL the delete options and setting controls. Not only does it help protect your business data, but it makes the interface a bit cleaner for people too.
It’s easy to give short shrift to security until it is too late. I’d really rather spend a bit of time to anticipate and prevent a problem than spend loads of time and money doing clean up and repair. I am certain we can use the granular permissions, a stronger password protocol and the new location-aware security to tighten things up. As more members of our team explore and dive deeper into the WORKetc system, we are ready to take a closer look at our overall security profile. Thanks for the additional layer of security.
This is awesome. Being involved with IT security in my company it’s cool to see others recognize the importance of security, and allow others to improve security with their important company information. Kudos and thanks for making these important improvements to the Work[etc] application!
We use a number of tools starting with Okta Multi-factor SSO with Cloudlock and deploy an active MDM solution with managed apps. We preclude access to certain content through non-managed apps when an individual is outside of our network. We also have all of our devices registered which give us the ability to lock and wipe a device remotely if required.
I am excited to be a well thought out security plan being implemented. There is a great deal of valuable information for any business inside Worketc. This is a great launching pad for more security features. In today’s hacking and data breach environment there can’t be too many options to give us control over access to valuable data.
Obviously, this will never solve all issues, but this is a great step. I really enjoy the ability to separate one user’s security from another (without relying on different ‘classes’ of users) and to have the mobile app handled on it’s own. Let everyone do whatever they need to do!
I like the permission feature. We use it when we have to give access to WORKetc to a new employee that don’t fully know how to use worketc yet. Indeed, it’s easy for someone to delete something by mistake and as there isn’t an undo button it can be dramatic. I like the new location aware security layer, it’s primordial for a company to know that its data is protected !