Configuration‎ > ‎

QBO Security

posted Mar 21, 2011, 8:44 AM by Eric Patrick

QBO security boils down to two concepts:
  • What functions can a user perform (functional security), and 
  • Which rows can a user perform these functions on (extranet security)?
Functional Security

Functional security is maintained via Design > Security, and include build-in system functions such as:
  • Valuation Search: grants a user permission to search for valuations
  • Loan Select: grants a user permission to select (view) loans
  • Attachment Insert: grants a user permission to insert attachment (document images)
  • Message Update: grants a user permission to update existing messages
  • Calendar Delete: grants a user permissions to delete calendars (milestones)
Granting a user permission to select (view) a loan does not necessarily imply that they get to select any loan in the system; instead, they can only select those loans to which they have access via extranet security (see below).

Extranet Security

Once functional security has been address, one should consider which rows of data a user may perform these functions on.  For example, in a BPO system, BPO clients should typically have the right to search and select valuations, but they should be limited to search for and selecting only those valuations for which they are a client.  BPO agents should be able to select (view) and update the data associated with a BPO (valuation update), but only for those BPOs which they are the agent for.  Extranet security limits access to only those rows of data which the user has been granted access to.

Fortunately, granting access to a row of data is typically done automatically by the QBO system.  For the examples above:
  • Setting Valuation.Client to 'Bank of America' will automatically grant BofA users access to that valuation
  • Setting Valuation.Broker to 'Agent, Johnny' will automatically grant Johnny Agent access to that valuation
When a BofA user navigates to a BPO Search page, and searches for all BPOs, the system will check:
  1. Does the user have the 'valuation search' functional permission, and
  2. Does the user have access to the BPO(s) in question?
Universal Access

For many situations, users may well need to essentially view all rows in a system. The company that contracts directly with Quandis to create a QBO instance (Quandis' 'client') will typically have users that should be able to see all data, regardless of which client sent them the data, or which vendor may be fulfilling services related to the data.  Such users should be members of a 'universal access' Role.  Members of a universal access role bypass the extranet security model, but are still subject to the functional security role.