Best practices: User access + security in Good Grants

Nov 22, 2022 | Article

Guest post by Carl Turner, the Senior Client Success Manager at Good Grants, who occasionally writes about topics he addresses with clients.


Good Grants provides unlimited access to the platform for your whole grants team—whether you have one grant manager or one hundred. We provide the opportunity to run your grant program worldwide without worrying about digital licenses. 

With the ability to have as many program users as you see fit comes the need for managing these users securely in the platform. In this article, we’ll provide some best practices on how to manage your users and their permissions to best protect your program’s data and integrity. 

How user access works in Good Grants

Good Grants allows users to create a profile at first log-in. Typically, when a user registers an account for the first time, their user profile is connected to a specific grant program, which we call a membership. That membership is managed using roles to control what that user can do and see within that program. 

In many cases, a user may have two or more memberships, which means their profile is connected to multiple programs. The roles they hold are unique to each program, so if a user happens to have the applicant role in one program and the applicant role in another program, that’s just a coincidence!

Therefore, a single person could be an applicant in one program while being a grant manager in another.

(You can learn more about multiple accounts here and more about user accounts here!) 

This is where security comes in: if a login is shared with others so they can reach one specific program, and that user profile holds two or more memberships, then everyone with that login now has access to every program in which the user is registered. 

Best practices for secure user access 

Personal information is important; it’s not something you want to freely give out, especially in today’s digital world where there is an ever-present risk of identity theft. 

To help ensure the protection of every person who creates a user profile in the platform, we require a complex password containing a combination of upper- and lower-case characters, numbers and special characters (e.g. ! @ # $). 

Users can also add the additional protection of multifactor authentication (MFA or 2FA) for any membership they have. Program organisers even have the option to force MFA on users based on the role added to their user profile, a best practice that should be exercised for anyone with manager-level access.
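The two controls above, a composition rule for new passwords and MFA that is enforced by role rather than left to each user, can be expressed as a small policy check. The block below is an added example, not Good Grants code; the password rules follow the article's composition requirement but the minimum length, the role names and the membership records are assumptions constructed for the example.

```python
import string

# Assumption: the article states composition rules but no minimum length; 12 is a placeholder policy.
MIN_LENGTH = 12

# Assumed role names modelled on the roles the article mentions; manager-level roles get MFA enforced.
MANAGER_ROLES = {"grant_manager", "program_manager", "account_owner"}


def password_problems(password: str) -> list[str]:
    """Return every rule the candidate password breaks (empty list means it is acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.islower() for c in password):
        problems.append("no lowercase")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def mfa_gaps(memberships: list[dict], enforced_roles: set[str]) -> list[tuple[str, str]]:
    """List (email, program) pairs whose role requires MFA but who have not enrolled.

    MFA is decided per membership, because a profile can be an applicant in one
    program and a manager in another; only the manager membership is enforced.
    """
    return [
        (m["email"], m["program"])
        for m in memberships
        if m["role"] in enforced_roles and not m["mfa_enrolled"]
    ]


# Constructed sample membership records (not real accounts).
SAMPLE_MEMBERSHIPS = [
    {"email": "alice@example.org", "program": "Arts 2023", "role": "applicant", "mfa_enrolled": False},
    {"email": "alice@example.org", "program": "Science 2023", "role": "grant_manager", "mfa_enrolled": False},
    {"email": "dana@example.org", "program": "Science 2023", "role": "program_manager", "mfa_enrolled": True},
]

if __name__ == "__main__":
    print(password_problems("correcthorsebatterystaple"))
    print(mfa_gaps(SAMPLE_MEMBERSHIPS, MANAGER_ROLES))
```

Running `mfa_gaps` over an export of memberships is the practical audit: it lists exactly which manager-level logins still need MFA enrolment, while leaving applicant memberships alone.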

Never share access

For some, it might seem easier to share access to a program by allowing people in a team to use the same login credentials. But this approach should be avoided at all times! 

Using a shared profile to access a program increases the risk of a data or privacy breach. This can be especially problematic if the user profile being shared has high-level access to personal and sensitive information collected in the program. 

For example, it’s problematic if a staff member who has access to the program via the shared profile is dismissed against their will. They could, out of spite, access the account, change access details, steal data, steal intellectual property or even permanently destroy data. This could end up creating a big (legal) problem for an organisation that has been trusted to keep its users’ data, application information and funding details confidential. 

Ensuring everyone has their own user profile with their own unique access helps with accountability, and accountability can’t be enforced if a single user profile is shared with the team. It’s also important in the case of program audits: you’ll want a clear log of all actions taken in the platform, and a shared login would obscure who actually did what. 

Be careful with high-level permissions

In addition to each user having their own profile and login, it’s also important to use caution with high-level permissions. The high-level, all-access role in the Good Grants platform is commonly used for grant managers who need almost unlimited access to all the program’s data. 

Giving this level of access should only be done after careful consideration. 

At the top level of permissions, Good Grants provides the “account owner” role, which can be assigned to only one user: the primary owner of the account. Below that is the program manager role. The account owner is the only person who can remove grant manager-level access from other managers, and the only person who can permanently delete data from the account, such as applications and user profiles. 

The account owner is also the only person who can approve changes to the account subscription. Therefore, the account owner role should never be shared with anyone, ever! If needed, the account owner role can be transferred to someone else, but this can only be done by the current account owner from the billing portal in the account. 
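The access model described in this article and in the section on how user access works (one profile, several memberships, a role per program, and a handful of actions reserved for the single account owner) can be checked with a small authorisation function. The code below is an added illustration, not Good Grants' permission table or API: the action names, the role-to-permission mapping and the sample profiles are assumptions constructed for the example. It also records every decision with the actor's email, which is the per-person audit trail a shared login would destroy.

```python
from dataclasses import dataclass, field

# Assumed role/permission table modelled on the roles the article names.
ROLE_PERMISSIONS = {
    "applicant": {"application:submit", "application:read_own"},
    "grant_manager": {"application:read_own", "application:read_all", "application:review", "user:invite"},
    "program_manager": {"application:read_own", "application:read_all", "application:review",
                        "user:invite", "role:grant_manager"},
}

# Actions the article reserves for the single account owner, whatever program roles a user holds.
ACCOUNT_OWNER_ONLY = {"role:revoke_manager", "data:delete", "subscription:change", "ownership:transfer"}


@dataclass
class Membership:
    program: str
    role: str


@dataclass
class UserProfile:
    email: str
    memberships: list = field(default_factory=list)

    def role_in(self, program):
        """Role held in one program; None when the profile has no membership there."""
        for m in self.memberships:
            if m.program == program:
                return m.role
        return None


@dataclass
class Account:
    owner_email: str
    audit_log: list = field(default_factory=list)


def authorize(account, user, program, action):
    """Decide whether `user` may perform `action` in `program`, and log the decision.

    Owner-only actions ignore program roles entirely; everything else is decided
    by the role held in that specific program, so a manager role in one program
    grants nothing in another.
    """
    if action in ACCOUNT_OWNER_ONLY:
        allowed = user.email == account.owner_email
    else:
        role = user.role_in(program)
        allowed = role is not None and action in ROLE_PERMISSIONS.get(role, set())
    account.audit_log.append({"actor": user.email, "program": program, "action": action, "allowed": allowed})
    return allowed


def transfer_ownership(account, actor, new_owner):
    """Only the current owner may hand the account to someone else."""
    if not authorize(account, actor, "(account)", "ownership:transfer"):
        return False
    account.owner_email = new_owner.email
    return True


def programs_exposed_by(user):
    """Every program reachable with this login: the blast radius if the credential is shared."""
    return {m.program for m in user.memberships}


# Constructed sample profiles (not real accounts).
OWNER = UserProfile("owner@example.org", [Membership("Science 2023", "program_manager")])
ALICE = UserProfile("alice@example.org", [Membership("Arts 2023", "applicant"),
                                          Membership("Science 2023", "grant_manager")])

if __name__ == "__main__":
    acct = Account(owner_email=OWNER.email)
    print(authorize(acct, ALICE, "Science 2023", "application:read_all"))  # manager here
    print(authorize(acct, ALICE, "Arts 2023", "application:read_all"))     # only an applicant here
    print(authorize(acct, ALICE, "Science 2023", "data:delete"))           # owner-only
    print(programs_exposed_by(ALICE))
    for entry in acct.audit_log:
        print(entry)
```

`programs_exposed_by` makes the earlier point concrete: whoever holds a shared login reaches every program on that profile, at whatever role it has there, and the audit log can only ever name the profile, not the person.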

Get secure help anytime

The Good Grants client success team are available to help, guide and assist when you need them, 24 hours a day, 5 days a week. However, for security reasons, the client success team will ask you to provide identification through an email address used by the account. The client success team can easily identify you if you have a user profile, and can see how many memberships you have as well as your level of access to each membership. 

If someone emails the client success team from an email address that does not have a membership with any accounts, then the level of support possible is limited and can only be general in nature; any account-specific information won’t be shared. 

This can be problematic if a team is using a shared profile and the person who reaches out does not have an email address associated with the account. To keep your program secure, we want to make sure every user who has access to the account is legitimate. 

Good Grants works hard to ensure our software is the most secure grants management platform on the market. By setting role permissions and security clearances for your program’s sensitive data, you’ll protect your program’s integrity and data security. 
