Excluding External Vendors
We're hosted on-premise and we are allowing our external vendors to access Archer to respond to Vendor Management questionnaires (SIGLITE, etc.) and we've used record permissions to lock down their access to just about everything (even going as far as removing the General User role).
However, we have a number of reports that are open to the Everyone group where they can still see the name of the reports but no data. Our CISO is concerned with the vendors' ability to even see the reports, so we want to remove them from view. This is where our issue lies:
We thought we could add a new group that includes the General User role and add that new group to all of these reports, and while this does remove access from the external vendor, there are a number of internal users that still don't have access to those reports who need access.
Any thoughts on how to do this more elegantly and effectively?
Hi Tim, How do you provision your users in Archer today? Would it be possible to add all your internal users to a new group during that process and separate the vendors into their own group? Then update the reports to use that group instead of the Everyone group. We use a nightly API application to create our users so that's where we built logic to put users in certain groups automatically. Hope that helps!
Thanks so much Doug.
For internal users we currently use Windows Integration authentication from our Active Directory. The AD simply indicates who is active and who is inactive but does create new user accounts. I wonder if there's something we can do in the Manage LDAP Configuration, as all External Vendors will never be created or updated using LDAP/AD (there will be no user domain for external vendors). Can you elaborate on how you assign groups from the API?
Not sure if the process is the same because we are using Archer Groups instead of linking with AD because we had issues with integration in version 4.5.
On a nightly basis we receive a flat file feed from PeopleSoft with all the info we need to create user accounts and assign the groups (email account, department, internal/external, supervisor indicator, etc.). We then use the AddUsersToGroup() method to add the users to the appropriate group. You might be able to do that as a separate application/process to add the users to the group. I don't see why it couldn't be a local Archer group instead of a domain group either.
Conversely, do you have any groups in your AD you could sync which have all the users you want?
Hope this helps!
Tim, sorry I wasn't very clear about this. You would need to develop an application in a language such as C#.NET, Java, Python or PowerShell. You will need a developer to create the application if you don't have application development experience yourself. Sorry for the confusion.
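The nightly feed-to-group step discussed in this thread, sketched in Python as an added example (not code from anyone in the thread or from Archer). The feed columns, group names, and the `add_fn`/`remove_fn` callables are assumptions; the callables stand in for whatever API call the integration uses, such as the AddUsersToGroup() method mentioned above, whose signature the thread does not show.

```python
import csv
import io

INTERNAL, VENDOR = "Internal Users", "External Vendors"  # hypothetical group names

# Constructed sample feed; the column names are assumptions.
SAMPLE_FEED = """email,department,type,active
alice@example.com,Finance,internal,Y
bob@example.com,IT,Internal,Y
carol@vendor.example,,external,Y
dave@example.com,HR,internal,N
erin@example.com,Legal,,Y
"""


def classify(row):
    """Fail closed: only an explicit 'internal' marker earns the internal group."""
    kind = (row.get("type") or "").strip().lower()
    return {"internal": INTERNAL, "external": VENDOR}.get(kind)


def plan_membership(feed_text, current):
    """Diff the feed against current {group: set(emails)} membership."""
    desired, review = {INTERNAL: set(), VENDOR: set()}, []
    for row in csv.DictReader(io.StringIO(feed_text)):
        if (row.get("active") or "").strip().upper() != "Y":
            continue  # inactive accounts belong to no group
        email = row["email"].strip().lower()
        group = classify(row)
        if group:
            desired[group].add(email)
        else:
            review.append(email)  # unknown type: no report access until reviewed
    adds = {g: desired[g] - current.get(g, set()) for g in desired}
    removes = {g: current.get(g, set()) - desired[g] for g in desired}
    return adds, removes, review


def apply_plan(adds, removes, add_fn, remove_fn):
    """Removals first, so stale access is revoked even if a later add fails."""
    for group, users in removes.items():
        if users:
            remove_fn(group, sorted(users))
    for group, users in adds.items():
        if users:
            add_fn(group, sorted(users))


if __name__ == "__main__":
    current = {INTERNAL: {"carol@vendor.example"}, VENDOR: set()}
    adds, removes, review = plan_membership(SAMPLE_FEED, current)
    apply_plan(adds, removes, lambda g, u: print("add", g, u), lambda g, u: print("remove", g, u))
    print("needs review:", review)
```

Reports would then be shared with the internal group instead of Everyone, and any account listed under "needs review" sees none of them until someone classifies it.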