Managing User Permissions

Some of the functionality described in this article is available as part of our Petit Verdot release and will not be available if your Practifi instance is not upgraded to this release. 

Overview

Firms can control user access to certain features or types of information in Practifi to reduce operational risk or minimize unnecessary navigation items. Because we're built on Salesforce, we leverage their powerful platform tools to provide you with this control, and we recommend that administrators learn all about what's possible from the data security module on Trailhead, Salesforce's online learning portal. To make it easier to get started with Practifi, however, we include a set of predefined configuration options for these platform tools, including:

  • Profiles that determine the user's license type, either Practifi User - Salesforce or Practifi User - Salesforce Platform. Every user must be assigned one profile.
  • Permission sets that group permissions and settings together to enable certain functionality, e.g., access to the data, on-screen functionality and automation required to use integrations. Permission sets will also set which app the user has access to within your organization.
  • Permission set groups that comprise multiple permission sets grouped by user type or role function, e.g., all the permission sets a typical user needs to use Practifi.

Recommended Setup

When you first create a user, they need to be assigned a profile. Profiles provide the user record with a minimal set of permissions and access. The ones we include with Practifi are only used to determine which license type the user is using, either Platform or Salesforce. All users must be assigned a profile. System Administrator users must have the profile of Practifi User - Salesforce in order to have System Administrator access. 

Next, add the permission set group that best corresponds to the user's access category: Standard User, Super User, or Administrator. These groups each contain the permission sets that users of this type require, e.g., Standard Users can create and edit records, and Super Users can create, edit and delete them. 

Finally, a user must have an app permission set assigned to their user profile to grant them access to their default app: Advisor, Client Service, Compliance, Management, Marketing or Team Member. These permission sets can also grant users access to additional apps such as Data Management or Settings. When a user is assigned one app permission set, it will be the only Practifi app they can access from the App Launcher; users who need to use multiple apps can be granted access by assigning multiple app permission sets.

Permission sets can optionally be added to users if they need access to a certain feature independently of other users they share set groups with. For example, you may only wish to enable the eMoney integration for advisors, as other team members would prefer not to have planning information clutter their client record page. Because advisors and other team members all use the Standard User permission set group, you can assign the eMoney permission set to advisors directly.

Assigning Permissions to Users

The assignment takes place in Salesforce Setup and can occur in a couple of places: 

  • Go to the User record page if you're assigning multiple permission sets or set groups to a single user.
  • Go to the Permission Set or Set Group page if you're assigning that item to multiple users.

There's a clear section midway down the User record page highlighting where permissions are assigned. Click the relevant Edit Assignments button to open the menu where you can add or remove permission sets or set groups.

On the Permission Set or Set Group page, a Manage Assignments button takes you to a list of assigned users, where you can add or remove users with the relevant buttons.

What's Included With Practifi?

Here's a summary of the configuration items we include with our product.

Profiles

Profiles only specify information about the user's license type. If the profile name contains "Salesforce," it uses the Salesforce user license type and can be used to create a System Administrator user. Otherwise, it's for the Salesforce Platform license type and is available for Standard and Super users. Standard and Super users can also be created using a Salesforce license, though we recommend first confirming that the license is not needed for an Administrator user.

  • Practifi User - Salesforce
  • Practifi User - Salesforce Platform

Permission Set Groups

The permission sets included in each set group are described below. These set groups can be added to and removed from as needed by your firm.

Standard User

  • Practifi - Console User
  • Practifi - Custom objects, fields & system - View & modify
  • Practifi - Manage Topics
  • Practifi - Records - Reassign records
  • Practifi - Reports & Dashboards - Create & modify
  • Practifi - Rollups - Run & modify
  • Practifi - Salesforce objects & system - View & modify
  • Practifi - Sharing - Export reports & record tables
  • Practifi - Tab Visibility - Custom
  • Practifi - Tab Visibility - Standard

Super User

  • Practifi - Custom objects, fields, & system - View, modify, and delete
  • Practifi - Deep Delete Records
  • Practifi - Feed - Manage groups
  • Practifi - Feed - Manage posts
  • Practifi - Manage Topics
  • Practifi - Records - Reassign records
  • Practifi - Reports & Dashboards - Create & modify
  • Practifi - Reports & Dashboards - Manage folders
  • Practifi - Reports & Dashboards - Manage subscriptions
  • Practifi - Rollups - Run & modify
  • Practifi - Salesforce objects & system - View, modify & delete
  • Practifi - Sharing - Export reports & record tables
  • Practifi - Tab Visibility - Custom
  • Practifi - Tab Visibility - Standard

Administrator

  • Practifi - Assigned Apps - All
  • Practifi - Custom objects, fields & system - Administrator
  • Practifi - Feed - Manage groups
  • Practifi - Feed - Manage posts
  • Practifi - Login - Reset passwords & unlock users
  • Practifi - Manage Rules
  • Practifi - Manage Topics
  • Practifi - Processes & Tasks - Modify due dates for workflow tasks*
  • Practifi - Processes & Tasks - Reopen completed workflow tasks*
  • Practifi - Records - Reassign records
  • Practifi - Reports & Dashboards - Administrator
  • Practifi - Reports & Dashboards - Create & modify
  • Practifi - Reports & Dashboards - Manage folders
  • Practifi - Reports & Dashboards - Manage subscriptions
  • Practifi - Rollups - Run & modify
  • Practifi - Salesforce objects & system - Administrator
  • Practifi - Sharing - Export reports & record tables
  • Practifi - Tab Visibility - Custom
  • Practifi - Tab Visibility - Standard

*As part of the Petit Verdot upgrade, these permission sets were also added to the Standard User and Super User permission set groups for existing Practifi organizations. For new organizations going forward, these two permission sets will be added only for the Administrator permission set group by default.

Permission Sets

These provide access to specific features and product functionality, which we've broken down into a handful of categories.

Wherever possible, assign permission sets to set groups rather than directly to users. This makes it easier to assign permissions consistently across users of the same type. For example, to remove a permission set from users who share a permission set group, you can remove it from the group rather than going to each user separately.

Foundational permissions

These permissions should be assigned to every Practifi user and are included in all permission set groups by default.

  • Practifi - Console User
  • Practifi - Mobile App - Team Member
  • Practifi - Rollups - Run & modify
  • Practifi - Tab Visibility - Custom
  • Practifi - Tab Visibility - Standard

Apps 

These permissions set which apps the user has access to within your organization. If a user requires access to all apps, the Practifi - Assigned Apps - All permission set should be assigned to their user profile. Otherwise, these app permissions should be assigned based on the user's role within your organization.

  • Practifi - Assigned Apps - Advisor 
  • Practifi - Assigned Apps - All
  • Practifi - Assigned Apps - Client Service
  • Practifi - Assigned Apps - Compliance
  • Practifi - Assigned Apps - Data Management 
  • Practifi - Assigned Apps - Management 
  • Practifi - Assigned Apps - Marketing
  • Practifi - Assigned Apps - Settings
  • Practifi - Assigned Apps - Team Member 
  • Practifi - Assigned Apps - Team Member Mobile

Add-ons

  • Practifi - Add-Ons - Promote User: Add this to users where Practifi Promote subscriptions have been ordered. It provides access to the Marketing app and Salesforce's campaign management features.

Additional features

Teams can optionally turn these on to expose extra functionality within Practifi. They are typically added to permission set groups to make the capability available broadly.

  • Practifi - Deep Delete Records: Provides access to the Deep Delete action on record tables and pages.
  • Practifi - Policy Feature: Provides access to the Policy Coverage object for tracking insurance information.
  • Practifi - Risk Profile Feature: Provides access to the Risk Profile section of the Client record page and related functionality.
  • Practifi - Time Tracking - User: Provides access to time tracking for tasks and events, using the Log Time action and additional data capture fields in the Complete Task action.

Custom objects, fields and system

All Practifi users must have one of these permission sets assigned to be able to use the system. Set names indicate the general level of access the user has to the Practifi data model.

  • Practifi - Custom objects and fields - Customer Community: Intended for portal users.
  • Practifi - Custom objects, fields & system - Administrator: Intended for system administrators.
  • Practifi - Custom objects, fields & system - View & modify: Intended for standard users.
  • Practifi - Custom objects, fields, & system - View, modify, and delete: Intended for super users.

Integrations

Add these permission sets to the users who need access to these integrations.

  • Practifi - Addepar
  • Practifi - Advisory
  • Practifi - Black Diamond
  • Practifi - eMoney User
  • Practifi - Envestnet
  • Practifi - Money Guide Pro
  • Practifi - Pershing
  • Practifi - Schwab

Login policies

  • Practifi - Login - Enforce two-factor authentication: Requires users to provide multiple factors of authentication before being allowed access to Practifi, such as an email verification code or one issued using a third-party tool such as Salesforce Authenticator. Add this to permission set groups as part of a Multi-Factor Authentication rollout.

Platform features

  • Practifi - Feed - Manage groups
  • Practifi - Feed - Manage posts
  • Practifi - Manage Topics
  • Practifi - Records - Reassign records

Reports and dashboards

  • Practifi - Reports & Dashboards - Administrator: Enables the user to edit and delete reports and dashboards owned by other users.
  • Practifi - Reports & Dashboards - Create & modify: Enables users to create and edit their own dashboards.
  • Practifi - Reports & Dashboards - Manage folders
  • Practifi - Reports & Dashboards - Manage subscriptions

Salesforce objects and system

All Practifi users must have one of these permission sets assigned to be able to use the system. Set names indicate the general level of access the user has to the Salesforce platform and data model.

  • Practifi - Salesforce objects & system - Administrator
  • Practifi - Salesforce objects & system - View & modify
  • Practifi - Salesforce objects & system - View, modify & delete
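
The assignment rules stated on this page (every user needs one "Custom objects, fields and system" set, one "Salesforce objects and system" set and an app permission set, with permission sets preferably granted through set groups) can be checked over a list of assignments. This is an added example, not Practifi or Salesforce code; the row format, the user names and the watch list of sets to review when granted directly are assumptions.

```python
from collections import defaultdict

# Permission set labels copied from this page.
C = "Practifi - Custom objects, fields & system - "
S = "Practifi - Salesforce objects & system - "
C_DELETE = "Practifi - Custom objects, fields, & system - View, modify, and delete"
CUSTOM_OBJECT_SETS = {C + "Administrator", C + "View & modify", C_DELETE,
                      "Practifi - Custom objects and fields - Customer Community"}
SALESFORCE_OBJECT_SETS = {S + "Administrator", S + "View & modify", S + "View, modify & delete"}
APP_PREFIX = "Practifi - Assigned Apps - "
# Only the group components these checks look at, from the group lists on this page.
GROUPS = {
    "Standard User": {C + "View & modify", S + "View & modify"},
    "Super User": {C_DELETE, S + "View, modify & delete"},
    "Administrator": {C + "Administrator", S + "Administrator", APP_PREFIX + "All"},
}
# Assumption: sets this example flags for review when granted directly to a user.
WATCH_DIRECT = {"Practifi - Sharing - View encrypted data",
                "Practifi - Sharing - Create public links to files"}

def audit(assignments, groups=GROUPS):
    """Rows are (user, kind, name) with kind 'group' or 'set'; returns {user: [findings]}."""
    effective, direct = defaultdict(set), defaultdict(set)
    for user, kind, name in assignments:
        granted = groups.get(name, set()) if kind == "group" else {name}
        effective[user] |= granted  # a group expands to its component sets
        if kind == "set":
            direct[user].add(name)
    findings = {}
    for user in sorted(effective):
        sets, issues = effective[user], []
        if not sets & CUSTOM_OBJECT_SETS:
            issues.append("no 'Custom objects, fields and system' set")
        if not sets & SALESFORCE_OBJECT_SETS:
            issues.append("no 'Salesforce objects and system' set")
        if not any(s.startswith(APP_PREFIX) for s in sets):
            issues.append("no app permission set")
        issues += [f"direct grant to review: {s}" for s in sorted(direct[user] & WATCH_DIRECT)]
        if issues:
            findings[user] = issues
    return findings

# Constructed sample rows (not a real Salesforce export format).
SAMPLE = [
    ("alice", "group", "Standard User"), ("alice", "set", APP_PREFIX + "Advisor"),
    ("alice", "set", "Practifi - eMoney User"), ("bob", "group", "Standard User"),
    ("carol", "group", "Administrator"), ("dave", "set", APP_PREFIX + "Team Member"),
    ("dave", "set", "Practifi - Sharing - View encrypted data"),
]
```

Calling `audit(SAMPLE)` reports bob (no app permission set) and dave (neither required object set, plus a direct grant of a watched sharing set); alice and carol pass.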

Sharing

  • Practifi - Sharing - Create public links to files
  • Practifi - Sharing - Export reports & record tables
  • Practifi - Sharing - View encrypted data

System Administration

  • Practifi - Login - Reset passwords & unlock users: Allows users to reset passwords for other users. This is a good way to delegate a common administration task to other users.