Tasks appearing unexpectedly for cloned roles

Hello Janet,


Thank you for addressing this issue.


An example of new features turned on in clone roles would be the Gender and Race settings. We have a cloned Platform Manager role, "Platform Manager - No Rights, Only Hide" which should have no tasks, so I am positive these fields were not selected to start with.


Regarding how to make new features available to be discovered: that's a good question. Some schools might prefer they just show up, and some might prefer they are opt-in only. Perhaps make a distinction between manager/supervisor-level tasks, and general use tasks? For example, editing rights for new user fields or setup access would be manager/supervisor-level tasks, while viewing rights could be viewed as general use.


Another option might be to make new fields/abilities visible by default (to the roles where it makes sense), but make editing these fields an opt-in task, only turned on by default for the Platform Manager.


I look forward to seeing a complete description of the hidden tasks associated with each role, and hope this will include a description of exactly what each task does.


-Petra.


 

Thanks for your prompt follow up Janet, hope all is well for everyone.  


The example I found in our environment is a cloned Platform Manager role made in January 2019.  We wanted a user that could view all Contact card info and Enrollments,  use People Finder to search folks, and Export handled profile changes.  I reached out to BB support to guide me on what tasks to enable, they sent me this KB article:  https://kb.blackbaud.com/articles/Article/104509


Of those tasks, I only enabled People Finder Access.  


I believe I also enabled the following since People Finder wasn't covering everything I wanted to enable:

           

Search - Master Page

     

Relationship Types

         

School years and terms (SPA)

                   

User Export

User Profile

User Worklist

I was in the role last week and saw the following enabled also, and I believe these were auto enabled with changes that were rolled out since then.                  

*Lists - Master Page

Advanced Role Access

Advanced User Access

       

Table Values

                   

Class Information (maybe on this one,  we may have enabled it and I don't recall)

Courses (maybe on this one,  we may have enabled it and I don't recall)

         

View Sign In History

         

Gender

         

Race Types

                 

My Profile

View Access Details (maybe on this one,  we may have enabled it and I don't recall)

Re: New task rollouts for standard roles: 

I don't think auto-enable's a bad move,  we just need to know when they're enabled/added.  If you want to offer an opt-in option for clients to have new tasks enabled for their environment,  the process like data refresh seems like it would work:  Build some sort of opt in request/interface in the environment for admin users of the product to submit, roll out the opt-ins in bulk overnight or something.  If it's something that can refresh automatically on opt-in even better.  


As for disseminating information about the tasks that are added - I think now with the BBID layer it's very clear we can designate org admins and then admins for specific solutions. Clients with a BB Edu Mgmt Solution Admin designated can have that person subscribed to a maintenance update email,  like you have for Blackbaud Hosting products regarding upcoming maintenance periods. This would be helpful to get notice of the tasks before they're rolled out. Once they're rolled out task/role updates could be added to the release letter - that module's structured well and is easy to access and navigate for historical reference. 


To your last point, I"m not sure if you mean the NXT security model will replace the BBK12 EMS security module currently in place, or if the NXT model's just going to be exclusive to an NXT layer that's getting rolled out.  


If it's the former (full replacement) are there focus groups or some beta testers (maybe I'm thinking about EAP, but I'd like us to be able to revert if it doesn't go well) for testing this new module before rollout?  Would really like to get a look at that before it's live.  


If it's the latter I'd still want some granular documentation on the current permission library. I know there are a lot of tasks and documenting all of them and what roles each task impacts is a large (and tedious) project.  But if we can't get around tasks embedded in a role I'd be much more at ease with the product knowing exactly I am turning on or turning off and what the ripple effect is of individual tasks that apply across all the platform modules and/or multiple roles.  



 

Janet Wittenberg:

Thank you for the recent examples and detailed replies! We can certainly research these recent cases to figure out how to solve this problem.
Karintha Marshall‍ Check out the Contact Card Manager role we created this time last year for access to profile data without granting Platform manager rights.


Check out some former analysis done and shared on this post:  https://community.blackbaud.com/forums/viewtopic/300/37726?post_id=143429#p143429

I realize it is still not the complete documentation you are asking for.


As for the NXT-type permissions - it will be a LOOOONG road before it is a full replacement, but yes, that is the direction we are headed.  This summer we'll be starting with just the new SKY Reporting dashboard builder pemissions.  There will certainly be opportunities for feedback as we progress.  



Janet

Oh wow - I am late to this party! I somehow didn't see I was tagged until now. Lots of great stuff here.


I would say the cloned roles I monitor most are the clones of Platform Manager. We have tried to cut way back, because even with everything unchecked, there's still a lot under the hood of that role. I have noticed Race, Gender, OneRoster Export, Organizations (that one may have been there), and I feel like there was one other recent one I didn't document. Just removed.


For us, cloning is useful and necessary. We just try to do it more cautiously now. We cloned Attendance Manager, took away the ability to change categories (since they are shared across school levels), and named it Attendance Staff. And that one is working really well for us. Ditto Learning Profile Manager.


Thanks for reaching out Janet. If I think of more, I will add them here.