Understanding Security for External Users
External users such as customers, partners, distributors, and resellers are managed through CRM systems using Accounts and Contacts. Magentrix leverages these existing CRM relationships to establish sophisticated security mechanisms that control data access for Partner and Customer users.
CRM-Based Security Foundation
Core Security Entities
- Accounts: Represent organizations that your company has relationships with (partners, customers, distributors, etc.)
- Contacts: Represent individual people within those organizations who need portal access
Data Access Control Mechanism
Magentrix uses Account and Contact associations to automatically filter data visibility for Partner and Customer users:
- Account-Based Filtering: Users can only see data associated with their Account record
- Contact-Based Ownership: User permissions are validated against their Contact record
- Hierarchical Access: Account hierarchy enables expanded access across related organizations
Account Hierarchy Security Model
How Hierarchy Affects Data Access
Account hierarchy determines which records Partner and Customer users can access beyond their direct Account association.
Using a three-level hierarchy in which Account 1 is the parent of Account 2 and Account 2 is the parent of Account 3:
Account 1 Users (Top Level)
- Can see records for the entire hierarchy (Account 1, Account 2, Account 3)
- Access includes all child accounts and their associated data
- Ideal for parent companies or main distributors who need visibility across subsidiaries
Account 2 Users (Mid Level)
- Can see records for Account 2 and all its child accounts (Account 3)
- Cannot see records from other Account 2 branches or Account 1 parent records
- Ideal for regional managers or subsidiary administrators
Account 3 Users (Leaf Level)
- Can only see records directly associated with their specific Account 3
- No access to parent account records or sibling account records
- Ideal for individual customers or end-user organizations
Configuring Hierarchy Access
Account hierarchy access is controlled through:
- CRM Account Parent Field: Establishes the hierarchical relationship in your connected CRM
- Security Role Hierarchy Settings: Determines whether users can access parent/child account data
- Entity-Level Configuration: Specifies which Account lookup field is used for security filtering
Common Account Hierarchy Patterns
Multi-Tier Partner Channel Structure
- Level 1: Main Partners or Distributors (AcmeTech Distribution)
- Level 2: Indirect Partners or Resellers (AcmeTech Canada, AcmeTech Europe)
- Level 3: Partner/Reseller Customers - Headquarters (Regional Corp HQ)
- Level 4: Partner/Reseller Customers - Branches (Regional Corp Branch A, Branch B)
Direct Customer Structure
- Level 1: Direct customers or geographic locations
- Level 2: Customer departments or subsidiaries
- Level 3: Customer project teams or specialized groups
Hybrid Organizational Model
Organizations can establish Account records for their own locations and link customers under each location, creating geography-based security boundaries while maintaining customer relationships.
Security Implementation Strategy
Planning Account Hierarchy Security
Assess Current CRM Structure
- Review existing Account relationships and Parent field usage
- Identify any hierarchy gaps that need to be established
- Validate that Account structure supports intended security boundaries
Define Access Requirements
- Determine which organizations should have hierarchical access
- Plan data visibility needs for different user types
- Consider compliance and confidentiality requirements
Security Role Alignment
- Create Security Roles that leverage Account hierarchy appropriately
- Configure entity permissions to work with Account-based filtering
- Test hierarchy access with different Account structures
Integration with Security Role System
Entity Permissions and Hierarchy
- Partner & Customer Security Roles automatically respect Account associations
- Entity permissions (Read, Create, Edit, Delete) apply within the user's Account scope
- Hierarchy settings in Security Roles determine whether users can access parent/child Account data
Field Security Considerations
- Field Security applies regardless of Account hierarchy
- Sensitive fields remain hidden even if hierarchy grants access to the record
- Plan Field Security to protect confidential data across Account boundaries
Multiple Account Lookup Configuration
- When entities have multiple Account lookup fields, administrators must designate which field controls security
- This configuration affects how hierarchy access works for that entity
- Consistent configuration across entities ensures predictable security behavior
Best Practices for External User Security
Account Structure Design
- Clear Hierarchy: Establish logical parent-child relationships that match business structures
- Consistent Naming: Use naming conventions that clearly indicate Account relationships
- Regular Maintenance: Keep Account hierarchy current as business relationships change
- Documentation: Maintain records of Account structure decisions and their security implications
Security Testing and Validation
- Test Hierarchy Access: Validate that users at different hierarchy levels see appropriate data
- Cross-Account Validation: Ensure users cannot access inappropriate Account data
- Permission Verification: Test that Security Role permissions work correctly within Account scope
- User Experience Testing: Confirm that hierarchy access supports actual business workflows
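The hierarchy rule from "How Hierarchy Affects Data Access" and the cross-account validation step above can be checked offline against a CRM export. The following is an added example that models the rule as this page describes it; it is not Magentrix code. `Account 2b`, the record ids, and the `hierarchy_enabled` flag (a stand-in for the Security Role hierarchy setting) are assumptions.

```python
# Added example: a model of the visibility rule on this page, not Magentrix code.
# Constructed CRM export: account -> parent account (None = top level).
PARENT = {
    "Account 1": None,
    "Account 2": "Account 1",
    "Account 2b": "Account 1",  # constructed sibling branch
    "Account 3": "Account 2",
}

def visible_accounts(account, parent=PARENT, hierarchy_enabled=True):
    """Own account plus, when hierarchy access is on, every descendant."""
    if account not in parent:
        raise KeyError(f"unknown account: {account}")
    scope = {account}
    if not hierarchy_enabled:  # assumed stand-in for the Security Role setting
        return scope
    children = {}
    for child, par in parent.items():
        children.setdefault(par, []).append(child)
    stack = [account]
    while stack:
        for child in children.get(stack.pop(), []):
            if child not in scope:  # also stops a Parent-field cycle looping
                scope.add(child)
                stack.append(child)
    return scope

def find_cycles(parent=PARENT):
    """Accounts whose Parent chain runs into a loop (a CRM data error)."""
    bad = set()
    for start in parent:
        seen, node = set(), start
        while node is not None and node not in seen:
            seen.add(node)
            node = parent.get(node)
        if node is not None:
            bad.add(start)
    return bad

def out_of_scope(user_account, observed, parent=PARENT, hierarchy_enabled=True):
    """observed: (record_id, owning_account) pairs a test user could see.
    Returns record ids that fall outside the expected scope."""
    scope = visible_accounts(user_account, parent, hierarchy_enabled)
    return sorted(rid for rid, acct in observed if acct not in scope)

if __name__ == "__main__":
    seen = [("R-1", "Account 2"), ("R-2", "Account 3"), ("R-3", "Account 2b")]  # constructed
    print(out_of_scope("Account 2", seen))
```

Feed `out_of_scope` the records a test user at each hierarchy level can actually open in the portal; any id it returns is a record outside that user's expected Account scope.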
Ongoing Management
- Regular Audits: Review Account hierarchy and associated user access periodically
- Change Management: Plan for Account structure changes and their security implications
- User Communication: Ensure external users understand their data access scope
- Support Processes: Establish procedures for handling access requests and hierarchy changes
Integration with Other Security Features
User Groups and Content Sharing
- User Groups work within Account-based security boundaries
- Auto-segmentation can include Account hierarchy criteria
- Content sharing respects both User Group membership and Account access rights
Team Access Module
- Team Managers can only manage users within their Account scope
- Account hierarchy affects which Contacts Team Managers can activate as users
- Delegated administration works within the established Account security boundaries
Module-Specific Security
- All Magentrix modules respect Account-based security filtering
- Module content sharing works within Account boundaries
- Reporting and analytics automatically filter data based on Account associations