By default, any item that has been added to Activ can be accessed by anyone who has been given ‘Read Only’ or higher access to the module that it is stored in (unless your system includes Teams, in which case Teams rules apply). In most cases this is not an issue as you will want all records within a module to be accessible to all users who have been given permissions for that module, either because they will need to modify/complete each record, or because they need to be aware of their contents. However, there may also be instances in which you or another user needs to create a record that should only be accessible to a small sub-group of those who have access to the module that the record is to be housed in. For example:
- you may need to record sensitive customer or employee complaints made against another of your employees or against the company as a whole;
- you may need to record employee data such as contracts, job descriptions, and disciplinaries in a system that does not include the Human Resources module;
- your directors/managers may need to record business sensitive information that should only be visible to other directors/managers (e.g. business forecasts, budgets, long-term business plans, critical business risks, etc).
To support this, Activ includes an inbuilt Privacy feature within those modules that are most likely to contain sensitive information. This is a record-specific flag that can be enabled either when the record is initially created, or during a subsequent edit of its contents. Privacy can be enabled for new records by any user with ‘Edit’ or higher permissions to the module that the record is housed in, and to existing records by their creator or the module’s Admin. However, once applied, the Privacy flag can only be removed by those who have been given full ‘Can Delete’ access to the record.
The Privacy flag will take effect as soon as the flag has been enabled and the record saved. At this point, the following security rules will automatically be enforced for the record:
- the record will be provided with its own set of Access Rights, which can (for certain modules) override normal module permissions for that record. This means that (e.g.) a ‘Read Only’ user for the module can be given edit rights to that specific item if required, and an ‘Admin’ user for the module can be denied access to the item if required.
- the record will only be accessible to those who have explicitly been given Access Rights to the item, and by default all users (other than the user who made the record private) will have no Access Rights. In effect, when an item is initially made Private, only the user who made it Private will have access.
- the individual who made the record Private will be given full Access Rights (including delete rights) to the record, enabling them to manage its contents and who has access to the record.
- the record will either be hidden from the module’s register (and searches) for anyone who does not have Access Rights to it, or will be displayed within the register with the title ‘this is a private [record type]’ (e.g. ‘this is a private improvement log’) and be unopenable by anyone who does not have access. It will only appear within the register with its proper title for those who have access.
Note that the above rules are also enforced in Teams-enabled systems, with the additional caveat that users must have access to the Team that the Private Item is stored in before they can gain access. In other words, if you want someone to be able to view a Private Item stored in ‘Team A’, the user must be given access to Team A’s content and must be given Access Rights to the item itself. See Team Hierarchies for more information.
At the time of writing, individual records can be made Private within:
- the Agreements Manager;
- the Business Risk Manager;
- the Improvement Log; and
- Processes.
In addition, Activ allows you to create Private Folders within any of its Libraries (i.e. File Manager, Company Libraries, and Employee/Confidential Libraries). These folders behave in broadly the same manner as individual Private records, with the caveat that the Privacy (and Access Rights) cascade down through the folder’s contents. In other words, the ‘Private’ tag and accompanying access is set and managed on the parent folder, and is then automatically applied to every folder and file within that folder.
