Permissions Platform

The Permissions Platform allows Firm Administrators to set up policies so that only authorized users can make changes to each client's engagement. A policy is made up of a user group, role, and resource group. The permission policy determines which functional rights users have and which clients (resources) they can work with.

 

Getting Started with Permissions

As Firm Administrator you will need to setup permissions in both Permissions Platform and CCH Axcess Dashboard. This can be done by following the steps below:

Note: Firm Administrator is designated in CCH Axcess Staff Manager.

  1. Log in to Axcess Engagement

  2. Click Settings in the top right-hand corner. The Permissions platform will open in a new tab.

  3. Select the appropriate permission policies:

    1. Role - Select a default Role or create a new Role where at least one functional right is selected. Please refer to the "Roles" section to learn how to create a new role and select functional rights.

    2. User Group - Open an existing User Group or create a new User Group and assign the applicable staff members. Please refer to the 'User Groups' section below to learn how to create a new user group and assign your staff to a user group.

    3. Resource Group - Open an existing Resource Group or create a new Resource group and assign the applicable clients. Please refer to the 'Resource Groups' section below to create a new resource group and include clients to a resource group.

    4. Policy - Select a default Policy or create a new Policy where the Role, User Group and Resource Group are assigned. Please refer to the 'Policies' section below to learn how to create a new policy.

  4. Log in to the CCH Axcess Dashboard and choose Security Groups.

  5. To allow staff to login to Axcess Engagement:

    1. Select a Security Group.

    2. Click on Functional rights

    3. Under the ‘Administration Manager’ tab > Expand Staff Manager

    4. Under the Staff profile module > Select Grant in the View column

    5. Under the General function > Select Grant in the View column

  1. To allow staff to view the clients in Axcess Engagement:

    1. Select a Security Group

    2. Click on Functional rights

    3. Under the ‘Administration Manager’ tab > Expand Client Manager

    4. Under the Client profile module > Select Grant in the View column

    5. Under the General Module > Select Grant in the View column

    6. Under the General Information function > Select Grant in the View column

  2. To allow staff to open documents in Axcess Engagement:

    1. Select a Security Group

    2. Click on Functional rights

    3. Under the "Administration Manager" tab > Expand Firm

    4. Under the Firm setup module > Select Grant in the View column

Important: For these changes to take effect immediately, each staff person assigned to the security group must log in to the CCH Axcess Dashboard application. Otherwise, staff can wait until the next day, because changes are automatically processed every night.

Axcess Engagement can be accessed by Firm Administrators and staff after these steps are completed.

 

Policies

The Permissions Platform allows Firm Administrators to set up policies so that only authorized users can make changes to each client's engagement.

 

Permission Policy

A policy is made up of a user group, role, and resource group. The permission policy determines which functional rights users have and which resources they can work with.

  • User Group: User groups are made up of your staff. When the user group is assigned to a permission policy, the staff in the group inherit the permissions from the role assigned to the permission policy and access to clients included in the resource group assigned to the policy.

  • Role: Roles define the functional permissions the members in the user group can perform.

  • Resource Group: Resource groups are your groups of clients. When the resource group is assigned to a permission policy, the staff in the user group assigned to the permission policy can work with these clients.

 

Note: You can search for a specific policy by entering the policy name in the search box. You can also filter by policy type (e.g. Grant or Deny) by clicking on the filter icon.

 

Default Policies

Firm Administrators can create policies or use one of the following default policies:

  • Full Rights
  • Super Modifier
  • Super Viewer
  • Roles Manager
  • Policy Manager
  • User Group Manager
  • Resource Group Manager

 

Types of Policies

There are two types of permission policies:

Grant Policy

The grant policy specifies which user group should be granted functional permissions when they work with resources in a resource group.

Deny Policy

Deny policies specify which user group should be denied access to a resource group's resources for a particular role.

 

 

Note: A deny policy overrules grant policies where a member of the user group is assigned.

 

Create New Policy

To create a custom policy:

  1. Click Create Policy.
  2. Enter the policy name and description.
  3. Select policy type (e.g. Grant or Deny).
  4. Use drop down menus to select the appropriate user group, role, and resource group.
  5. Click Save once all fields are complete. A “Policy was created successfully” toast message should appear.

 

View or Edit Policies

You can view or edit a policy name, description, type, user group, role, and resource group by clicking on its name in the Policy tab.

Notes

  • Custom policies can be edited.

  • The status of the active bar can be changed with default policies.

  • Click Filter to filter by grant or deny policies.

  • Enter policy name in the search bar to quickly find an existing policy.

 

Roles

Firm Administrators can create roles or use one of the following default roles:

  • Full Rights*
  • Super Modifier
  • Super Viewer
  • Roles Manager
  • Policy Manager
  • User Group Manager
  • Resource Group Manager
  • Preparer
  • Reviewer
  • Full Product*

Note:

  • The difference between Full Rights and Full Product roles are that users with Full Rights role are authorized to perform all actions in the product, including access to the Permissions Platform where they can create, edit and assign policies.

    Full Product role grants all functional permissions, excluding access to the Permissions Platform. Users with the Full Product role cannot view or edit permission policies.

 

List of Functional Permissions:

Firm administrators can grant or deny staff members access to perform the following actions in the application:

Engagement List:

  • Create new engagement

  • Roll forward engagement

  • Delete Engagement

  • Lock Engagement (Engagement Pro & Knowledge Coach)

  • Unlock Engagement (Engagement Pro & Knowledge Coach)

Workpapers:

  • Upload Workpaper

  • Upload new version of workpaper

  • Remove active user from workpaper

  • Lock workpaper (Engagement Pro)

  • Unlock workpaper (Engagement Pro)

  • Sign off workpaper as a preparer (Engagement Pro & Knowledge Coach)

  • Sign off workpaper as a reviewer (Engagement Pro & Knowledge Coach)

  • Send (Delete) to recycle bin

  • Restore workpaper from recycle bin

  • Permanently delete workpaper from recycle bin

Notes: (Engagement Pro & Knowledge Coach)

  • Add note

  • Set note to roll forward

  • Set other staff’s note to roll forward

  • Clear note

  • Clear other staff’s note

  • Delete note

  • Delete other staff’s note

  • Delete reply (of other staff)

Migration Plans:

  • View Migration Plans

  • Approve migrated engagements

  • Reject migrated engagements

Firm Settings:

  • Firm Options

  • Export Engagement List to Excel

  • Manage Templates

  • Engagement Types

  • License Status

 

Create New Role

To create a custom role:

  1. Click Create Role.

  2. Enter role name and description.

  3. Under Functional Rights, select the functional permissions that are applicable to the role.

  4. Click Save.

Notes:

  • If the check box for the module is selected then all the permissions within the module will also be selected.

  • Firm Settings permissions in the Role should be selected if the Resource Group has "Administrative Settings" applied. Not doing so will prohibit staff in the Permission Policy access to the Firm Settings defined in this Role.

View or Edit Role

To view or edit a role:

  1. Click on the role name from the "Policy" or the "Roles" tab.

  2. Edit the name, description, and functional rights for each module.

 

Resource Groups

Firm Administrators can create Resource Groups or use this default group:

  • Admin – All

 

Create New Resource Groups

To create a custom resource group:

  1. Click Create Resource Group.

  2. Enter the name and description of the resource group.

    1. Select Resources:

      1. Client

        • Select client(s) to include in the resource group by their organizational unit.

        • The client may also be selected individually under "Other Clients." Search for the required client by entering the name or email of the client in the search box. Click Search and the dropdown list will display all the client names matching the search criteria.

          Notes:

          • If there is no match, then empty dropdown list will display.

          • Click here to learn how to set up your firm’s organizational structure.

        • Check Firm if you would like to include all clients in the Resource and all Office and Business Units will also be selected.

    2. Administrative Settings:

      1. Select "Access to administrative settings firm wide" to provide staff access to Firm Settings such as:

        • Firm Options

        • Export Engagement List to Excel

        • Manage Templates

        • Engagement Types

        • License Status

          Note: When selecting "Access to administrative settings firm wide," a Role with Firm Settings permissions should be added to the Permission Policy. Not doing so will prohibit staff in the Permissions Policy access to the Administrative settings defined in this Resource Group.

        • Click Save.

View or Edit Resource Group

To view or edit a resource group:

  1. Click a resource group tile on the "Policy" or the "Resource Groups" tab.

    Note: Enter resource group name in the search bar to quickly find an existing resource group.

  2. Edit the name, description, and resources, as needed.

 

Add Clients to a Resource Group

  1. Click on a resource group tile.

  2. Click the expand arrow next to Other Clients.

  3. Enter the client name or email in the search bar.

  4. Click Search . A list displays with client names matching the search criteria.

  5. Select a client.

  6. Click Add.

 

View or Edit or Delete Existing Resources

In the table, you will see a list of existing resources, which include organizational units and/or clients.

  1. View or Edit the Include/Exclude option by clicking on the button next to the existing organizational unit or client.

  2. Click Delete checkbox next to the existing organizational unit or client.

  3. Click Save.

 

User Groups

Create a New User Group

To create a new user group:

  1. Click Create User Group.

  2. Enter the name and description of the user group.

  3. Select Firm or an Organizational Unit or Other Staff to include in the user group.

  4. Click Save.

 

View or Edit User Group

To view or edit a user group:

  1. Click on the User Group tile to edit the name or description of the user group.

    Note: Enter user group name in the search bar to quickly find an existing user group.

  2. Click View Edit Assigned Staff tab to change the organizational units or staff included in the user group.

  3. Click Save.

 

Default Policies
  Full Rights Policy to manage all administrative actions
Super Modifier Policy to manage edit actions on permissions configuration
Super Viewer Policy to manage view actions on permissions configuration

Roles Manager

 Policy to manage role configuration
Policy Manager Policy to manage policy configuration
User Group Manager Policy to manage user group configuration
Resource Group Manager Policy to manage resource group configuration
Default Roles
  Full Rights Role to manage all administrative actions
Super Modifier Role to manage edit actions on permissions configuration
Super Viewer Role to manage view actions on permissions configuration
Roles Manager Role to manage role configuration
Policy Manager Role to manage policy configuration
User Group Manager Role to manage user group configuration
Resource Group Manager Role to manage resource group configuration
Preparer Permissions granted for a preparer role
Reviewer Permissions granted for a reviewer role
Full Product Role that grants all permissions for licensed applications, excluding permissions configuration
Default User Groups
  Full Rights Limited to full rights administrative users
Super Modifier Users who are able to modify permissions configuration
Super Viewer Users who are able to view permissions configuration
Roles Manager Users who are able to manage roles
Policy Manager Users who are able to manage policies
User Group Manager Users who are able to manage user groups
Resource Group Manager Users who are able to manage resource groups

Default Resources Groups

  Admin All available resources