Security Groups

Hi

I am having a hard time explaining to other co-workers why we have security groups and how sometimes people might need to be assigned to two for various job responsibilities.

Also who in your organization is responsible for posting batches?

thanks,

Christina

  • I mean, people always react to things differently, but I have had the best success in explaining that it is to help THEM avoid issues and errors.  When people are doing X, they do not want to have to be worried about accidentally doing Y or Z because then the reporting gets messed up, or someone has to redo it later.  And while yes, sometimes people need two different sets of duties, and yes it IS annoying to have to go to "File\Relogin" to change your access, the thing is, again, it IS safer in terms of access but also, someone is rarely doing things to two different aspects of the organization so interchangeably that they have to re-login every few minutes.  Usually you can stay logged in as one user group for a while and get X work done, and then later that day, log in as the other user group and get Y and Z work done.  If you can talk about it positively enough, sometimes that can work.  It also never hurts to show them what happens when mistakes get made and how much work it is to undo and fix issues.  But yeah, sometimes communicating to people can be difficult.  That is why we spend so much time on it!

    Our Box Office Manager and Assistant Manager post all Box Office batches as well as the Web batch.  The person in our Development department who does the contribution entry is always the one who posts the contribution batches as well.  Usually just the one person, but there are two others who can do it as well.  Whoever does the entry does the posting.  That is easiest for us.  Everyone who posts sends the post numbers to Finance who then know who to ask if they have any questions.  I am sure there are other ways to do it, but that is how we do it.

    John A. Moskal II

  • I agree with John 100%. My team is finally starting to understand that it isn't to block them from seeing/doing something (even if it is), it's more about them having the exact tools that they need to do their job and not be bogged down by the rest of it. Trust me, as an Admin I've shown them what my screens look like and they all end up saying "ok, we are glad we don't have access to everything because that looks like a mess."

    There are a few people on my team that have access to multiple user groups, but it is rare that they have to jump between the two. It is more for the people who manage other User Groups so they can see what they see. For example, our Visitor Services Manager has access to both our VS Manager/Leads Group and the Visitor Services Group. She really only needs to go into the Visitor Services Group to see what her staff is seeing when something goes wrong. 

    Our Finance Manager and Director of Business Administration are the only ones who post batches in our organization. 

  • I'll second what John said!  It's for their protection.  And also, sometimes I can spin it as "we're making the data more secure and everyone likes secure data, right? You only access what you need to do your job!" Though if I have a user who is really keen on learning more about different areas of Tess, I'll often grant elevated access in the Test environment for self-directed learning.

    As far as posting, we're similar as well - the ticket office manager on duty does the ticketing batch types (incl. web), and the devo ops manager does contribution batches. If finance spots an issue, they can either investigate on their own, or they'll work with the ticketing ops mgr and devo ops mgr.  I only get called in once all other avenues are exhausted :-)

  • From an IT perspective this is the right thing to do.  Users should be given the lowest amount of access needed to do the job.  This is the same setup that should be employed with computer and network access.

    As for the batches, Box office posts their batches. We have a daily supervisor who checks that all are closed.  For Devo same thing, with the manager double checking.