Security Roles is where you can create user groups and set permissions for each user group. You can apply permissions to portals, pages, modules and fields. A user cannot view anything unless the Arena Administrator grants permission to do so by either security role permission or individual permission. Security roles are cumulative, meaning if you add a user to multiple Security Roles, the permissions stack. Therefore, the user have access to all portals, pages, modules, sections and fields that each separate role allows.
Arena has four core security roles with permissions set. The remaining security roles are a starting point for you to customize. Use the remaining security roles to customize for your organization. (No permissions are set for these security roles but they do have access to default web portal templates.)
•All Users – This role applies to all accessible pages for each portal users can view in front of any login page such as the home page for each portal. In general, use this role for pages you want users to view in front of the login page. You cannot delete this role. As you apply custom security for you organization, you will likely remove the All Users role from selected pages so be sure to verify if this role is also on the page that you might be trying to limit access.
•Arena Administrators – Users in this role can view and modify all content for all portals. You can modify permissions for this role.
•Global Administrators - Users in this role can view and modify all content for all portals. You cannot delete this role or modify permissions. From a day-to-day basis, Arena Administrators should not be in this role. On the occasion when Global access is required, you can either add an Arena Administrator record temporarily to this role or create a Global login separate from the Arena Administrator login.
•Registered Users – This role applies to any authenticated user on the external portals. Any user who is successfully logged in (been authenticated) automatically has the permissions defined by this role. You cannot delete this role.
Before we walk through the steps to create and apply security roles, let’s review the overall options. While it is logical to create security roles by person or department, you might consider creating security roles by function. For example, you could create a general security role for all staff where they can view common features like searching and viewing records, view tags and groups, sending email and viewing lists. You can then create another security role for more advanced staff who should be able to add or edit records, edit or add tags and groups, and create lists.
Before we cover the detail steps to customize a security role, the basic steps are as follows:
•Customize a Security Role.
•Set Permissions for the security role.
•Add existing records to the Security Role.*
•Set login and password for each user or sync with an Active Directory Group.*
•Set template permissions, if needed. This step is applicable for new security roles.
*Arena has other options to add records to security roles, logins and passwords. We cover these after covering the basic steps.
Customize a Security Role
1. From the Administration menu, click the Security Roles option located under the SECURITY heading.
2. Click the Security Role you want to edit. All but the previously mentioned Security Roles are placeholders for you to customize. They have no permissions set.
3. Click the Edit Details button.
4. Customize the Role Name. You might consider adding a unique preface to the security roles you customize to distinguish ones you have customized from the ‘placeholder’ security roles. For example if the name of your organization is Passage Community Church, you can add PCC in front of all security roles you customize in order to easily identify the ones that have been customized and applied. You might also consider adding a numerical value in the front of the PCC so that these security roles are listed in the first position. Security roles are listed in numeric/alpha order.
5. Click the Add New Sync Source button, if you plan to sync the security role with another object. Using this option, the ONLY method to add records to the role is to add the record(s) to Assignment Type Worker tab, Tag, Group, Active Directory Group or Group Area Role.
6. This option synchronizes the security role with the selected Assignment Type Workers, Event Tag, Serving Tag, Ministry Tag, Group, Active Directory Group or Area Role. To use this option, start the Sync Role Agent and Arena generates a login (e.g., ASample or ASample2 if this login already exists) and uses an initial password. (Arena sends emails if the user has an active email address on their record. If the record does not have an email address, Arena sends the email once the email address is added to the record.) The user is prompted to change the password at initial login. You also want to check the Notify New Members check box and customize the email for new users. If your organization wants to use logins other than first initial and last name, manually create the logins on the individual records under the Security tab.
7. Enter a Description for this security role.
8. Select the Notify New Members check box if you want Arena to send an email to users when added to the role or sync source. This assumes all users have a valid email address on their record.
9. Enter a Notification Subject for the email.
10. Enter Notification HTML Message to include in the email. Use the merge fields to include login information in the email. You can also add HTML code in this message box.
11. Enter Notification Text Message to include in the email for plain text recipients. All merge fields work for this email format.
12. Click the Update button.
Set Permissions for a Role
You can set permissions for all tabs before clicking update or you can update as you set permissions to avoid any timeout settings for inactivity.
1. Click the Edit Permissions button for the security role.
2. From the portal drop-down list, select the portal you want to apply permissions. You can set permissions for multiple portals in one security role. For example, if you want to set general staff access for the Arena (staff) portal, Arena Web (member) portal, and Arena Mobile (smart phone) portal, you can do this in one security role. We use the Arena (Internal) portal for this example.
3. Set permissions on the Pages/Modules tab. On this tab, you can set permissions for the Page and for the Modules applied to the page. As you think about user access, consider each page they need access and the module on each specific page. In order for a user to ‘use’ the module, they need Edit permission for the module.
•View – Users with View permission can view the page or module. It is important to remember that while a security role or individual may have View permission to a module, if they do not also have View permission to the page they will not have permission to view or use the module.
•Edit – Users with View and Edit permission can edit the page or the module. In cases where users need to use the module, select Edit. Setting Edit on a page allows users the permission to edit the page that is typically limited to Arena Administrators.
•Edit Security – Users with Edit security permission can edit security for the page or module.
•Edit Modules – Users with Edit module permission can edit module settings directly from the page. Module setting changes are global for all users and are typically restricted to Arena Administrators.
•Approve – Users with Approve permission can approve the object such as communications, promotions, events, registrations, merging records, etc. Approval is available for features such as communication, event and promotion approval. Users in a security role where Approve is selected bypass the approval step.
4. Select the Applications tab to set permissions for the Family Registration (Self-hosted only), Contributions, Mailing, Remittance Mailing and Check-In click-once applications and Arena Hub. You can also set security for these applications on the Application Security page.
5. Click the Attributes tab to set permission for Person Attributes that are available on the Individual Information tab of the Person Detail page for all records. As you set permission for these fields, keep in mind that in order for users to be able to edit a field in the ‘section’ they also need Edit permission for the section. Press the "Ctrl" key to propagate security for the page or section.
In addition to individual permission, you also need to consider setting permission for Security Management page and module. Keep in mind, users only have permission for the fields you give permission.
6. Click the Person Fields tab to set permission for individual fields on the Individual Information tab on the Person Detail page.
7. Click the Tags tab and then the Tag Type to set permission for specific tags. If you want users to only add/remove people to/from that tag, they only need View and Edit people permission.
•View – Select this check box to give users view permission.
•Edit – Select this check box to give users permission to copy and edit the details of the tag.*
•Edit Security – Select this check box to give users permission to edit security for this tag.
•Edit People – Select this check box to give users permission to add, edit and remove people to/from the tag.
*For users to have View permission only for all tags, set permission on the Pages/Module tab as shown below.
*For users to have permission to add tags beyond the first level of the tag tree, set View and Edit permission on the Pages/Modules tab as shown below.
*For users to have permission to add tags at the root level of the tag tree, set View and Edit permission on the Pages/Modules tab as shown below.
Keep in mind, you can set security tags on the Security tab of the tag. If the tag has child tags, you can click the Cascade Permission button to propagate security to all child tags.
Event Tag Permission has additional permissions for Edit Registration and Allow Refunds. Edit Registration is required to set up the registration details for the tag.
•Edit Registration - This permission gives users the ability to edit the information for registrants on the Edit Registration tab.
•Allow Refunds - This permission gives users the ability to process registration refunds.
8. Select the Groups tab and select Groups Type to set permission for specific groups. The below permission gives users the permission to edit group details and edit the people in the group.
* For a user to have permission to add new group clusters, set permission on the Pages/Modules tab as shown below.
Keep in mind, you can set security for specific groups and group trees on the Security tab of the group. Click the Cascade Permissions button to propagate security to all groups under the current group level.
9. Click the Save button.
Create Logins and Add an Existing Record to a Security Role
If you have elected to use the option to Sync a Security Role with a Group, Tag, Assignment Workers or Active Directory group, add the user to the Security Role.
1. Go the Security tab of the record you want to add to the security role.
2. Click the Add New Login icon.
3. Enter login credentials.
•Enter a Login for this user. Arena assigns a login using the first initial and last name. If more than one user has the same first initial and last name, Arena adds the next sequential numerical value to the login, e.g., JSmith2. You can optionally change logins. You can use alpha, numerical and special characters.
•Enter a Password for the user if using Database authentication. Passwords must be between 5 and 30 characters long and must contain at least one digit.
•Select Authentication Type. Options are Database or Active Directory. (For Arena Hosted you must select Database.) If using the Change Password option with Active Directory authentication, Arena attempts to change the Active Directory password.
•Leave the Active check box marked for active logins. Consider making logins inactive when users are away for an extended period.
•Select the User must change password at next login check box to prompt the user to change the password after logging in successfully the first time.
•Select the Account is locked check box to lock the user account.
4. Click the Update button.
5. From the Arena Roles section on the Security tab of the Person Detail page, select the security role you want to add the user to from the Add Person to Role drop-down list.
6. You can also add a user to the security role on the Security Role page.
7. Click the Add New Security Member button. If using the email notification option, an email notification is sent to the new user.
As you develop your security strategy, it is more efficient to copy a security role and then edit the copied security role. This is particularly more efficient in cases when you want to create an Arena Administrator security and only remove some permissions such as Security or Contributions.
Copy a Security Role
1. From the Administration menu, click the Security Roles option located under the SECURITY heading.
2. Select the security role to copy from the Copy Role list.
3. Enter the name for the new security role in the As: field.
4. Click the Copy button to create the duplicate Security Role.
5. Edit Permissions for the copied Role.
6. If needed, verify the new security role has the appropriate permissions for the Login Logout, Quick Search and ArenaChMS Navigation modules on the Arena Basic template.