Managing Security Settings in Raiser’s Edge
Setting up security privileges in Raiser’s Edge can leave many database administrators scratching their heads. The overwhelming options for group privileges, record types, and the combinations for add, edit, and delete rights can cause an organization to have dozens of possible security groups. Often, organizations face the conundrum that one user within a group needs an additional privilege that other users within that group do not. Should you place that user in another group that contains the privilege they need but also grants privileges they don’t? Or should you create an entirely new group for that one user? Because clients bring this issue to JCA time and again, we have developed a security model that most organizations can adopt and adapt to suit their needs.
In this model, all users are assigned to one primary security group. The primary group grants the minimum privileges allowed based on the users’ experience and training. As users gain more training, they are granted additional privileges through subgroups. Since group privileges are cumulative in Raiser’s Edge, the user will have access to privileges in all groups to which they are assigned.
The following table describes the primary security groups (PG), provides an example of the staff positions associated with the group, and a description of privileges included within the group. Every user is assigned to one, and only one, of these groups.
|PG Inactive||Former staff||Users have no rights within the system. They are kept in the system for historical and audit purposes. This category is for employees who are no longer with the organization or moved departments that do not require access to Raiser’s Edge.|
|PG View Only (Level I)||Volunteers, Interns, President, CEO||Restricted access – view only. Depending on your organization, Gift and Prospect records can be hidden for most users in this group but added back in for certain users by including them in additional subgroups (see below).|
|PG Basic User (Level II)||Development staff, Marketing staff||Intermediate access. Assigned to most Development staff. Used for staff who need to adjust addresses, names and demographic details. Access to Gift and Prospect records are view-only.|
|PG Gift Entry (Level III)||Gift and data entry staff||Advanced access. Includes standard gift entry needs, processing of gifts, batch, and maintenance of demographic details.|
|PG Super User (Level IV)||Database Administrator, Data Integrity Analyst||Advanced access. Just short of having Supervisor Rights this category is intended for select and limited users to support more complex issues or DBA tasks such as access to select Config and Admin tools (including Table creation/addition).|
|Supervisor Rights||Not assigned to an individual, only used as a login for a specific task.||Complete access. Technically not a Security Group, Supervisor Rights is a level of security selected by the radio button in a user record. This is the highest level possible without logging in as “Supervisor.” Users logged in with these rights are able to delete gifts and constituents. JCA recommends reserving this login for database administrators.|
The following table describes subgroups (SG). Individuals are added to specific security subgroups once that user receives the appropriate training and demonstrates a need for the privileges.
|SG Query/Export/Report||Access to view, create and modify queries, exports and reports.|
|SG Gift Edit/Delete||Ability to amend, adjust and delete gifts.|
|SG Gift View Only||Can view all gift information but not make changes.|
|SG Administrative||Ability to perform administrative tasks such as global updates, imports, add tables, merge constituents, etc.|
|SG Volunteer||Ability to edit and delete volunteer data. These users would be able to create new volunteers, assign new jobs/tasks, schedule volunteers and record volunteer hours.|
|SG Prospect||Ability to view and edit prospect information including prospect notes and prospect actions.|
|SG Membership||Ability to edit and delete membership information. These users would have the ability to adjust constituent’s membership categories and levels and adjust expiration dates.|
|SG Event||Ability to edit and delete event information. These users would have the ability to create events, add sponsors, registrants, guests and assign seating.|
Below is an example of how this model works by Role. It describes the position held within an organization, the primary group to which the user is assigned, and additional subgroups that would help the user with his/her role.
|President||PG View Only (Level I)||SG Prospect
SG Gift View Only
|Finance Director||PG Basic User (Level II)||SG Query/Export/Reports
SG Gift View Only
|Manager of Development Operations||PG Gift Entry (Level III)||SG Gift Edit/Delete
|Major Gifts Officer||PG Basic User (Level II)||SG Prospect
SG Gift View Only
|Events Manager||PG Basic User (Level II)||SG Event|
The advantage of this model is that organizations do not have to create dozes of security groups for different users. Combining the right primary group with the appropriate subgroups allows for an endless combination of security privileges. This model also allows you to see who has access to certain privileges, easily, without having to open up every security group to check. Setting up your Raiser’s Edge security in a way that is organized and easy to manage is how JCA helps nonprofits work smarter…not harder.
Sign up for our monthly newsletter to receive the latest tips from our consultants on fundraising best practices, optimizing your technology, and more.