Credentials Access

I agree with this, and I’d go a step further. Not only should Credentials as a permission be selectable without automatically giving them the full “Users” permission, we should be able to also select if it’s only for people assigned to the same site.  I would like to be able to have managers add credentials for their employees but not view/manage anyone outside their location. Site-based permissions (same as for global response sets, training, and other things) would be much more powerful.  I don’t want to manage everything for every site, or give someone access to the whole company.

Hi @ldutton, thanks so much for trying out our new Credentials functionality. My name is Rebecca and I’m the Product Manager for this feature. 

I’d love to know a little more about the permission you’d like to see for Credentials. Initially we tied it with User Management as you can add/manage credentials on the user profile and this requires user management permission currently. We actually thought the user profile would be the main area that users would add credentials but we are already seeing that the types page is getting heavier traffic. 

If we could make this change, would the person in your organisation who manages certificates/credentials be allowed to see all of the users & their information on the user profile but just not be able to manage anything other than Credentials? (I assume this is what you meant by view only?)

Alternatively, we could consider pulling the permission out and only granting access to manage/view credentials from the credentials page. This is a great suggestion.

We don’t currently have this prioritised as an improvement but I’d love to learn more from you so we can explore. 

Hey @Corey thank you also for trying out our new Credentials functionality. I absolutely agree with you about the site based permissions for users. We have hard from a number of customers during our Credentials research that often times it is site managers responsible for managing the Credentials of employees at their site. 

Would you envision those site managers would also have the ability to manage their users. E.g. Add users, upgrade/downgrade, change their permissions, add/manage credentials etc? So you could have a person at Site A who has User Management permission and they can only manage the other users who are at Site A and not see or manage anyone at other Sites? 

We are having many discussions at the moment about how we may start to introduce the concept of site or department managers who have certain higher levels of permission but only see limited content based on their sites/groups so it’s great feedback and very aligned with our thinking although we are in early stages of these discussions right now with no concrete plans yet on how to solve it. But I’d love to know more so we can really tackle this problem! 

Here is my idea.

• I would want to be able to assign someone as a site manager.
  • Add an option for “Site Manager”
    • In the Site’s feature, assign 1 or more people as the site manager.
    • This gives them access to any new features/permissions, as assigned, for the entire site.
  • See below for how I might use this to set different permission sets for the site’s management team as a whole vs. department/shift management.  I’m not sure if we need to go the level of adding “department/shift” management as a separate feature just yet, because I’m not sure how they would relate to things without much more structure.
  • This would unlock the ability for more granular permissions to be assigned for the sites they are set as Manager of. It would NOT give them access to other sites, even if they are a member of that site (but not manager). 
  • For example, Sally is a manager of Site A and a member of Site B. She gets special permissions only for Site A and nothing changes for her from how things work today with regards to Site B. 
• I would create a permission set for “Site Manager.”
  • By default, this new permission set would toggle on any of the new site-manager type permissions on for them. I’d also default giving them Templates Create, Issues Access, Schedules Create, Heads Up Manage, Analytics Create dashboards (site-based and individual-based).
  • However, I would like the ability to modify this permission set (just like any other) to turn off any features I may not want them to have.
  • Built-in, the system knows that if they have these “sites you manage” type permissions, it only works for sites they are set as Manager.  If they are set for none of them, then these new permissions do nothing for them.
  • The reason I want the new things below as separate permissions is that we may want to reduce their power.  Or we may want to set management and supervisors as “site managers” but then create two permission sets with reduced permissions for the supervisors (not give them the 3rd item below).
• Under the "Users" permission
  • Add a “View Users for Sites You Manage” permission.
    • This would let them see the Users page, showing the list of people for anyone assigned to a site they are set as manager of. This would give them view-only (no editing) of all profile features (User Settings, Training, Notifications, Devices, Templates, Groups, Sites, Credentials). If they have any additional permissions (see below) that allow editing specific features, they would override the view-only mode.
  • Add a "Edit Credentials for Sites You Manage" permission.
    • This would allow them to manage credentials for sites they have been set as a manager of. 
    • If you select the higher level (existing) "Credentials" option, that option would gray out.  
  • Add a “Edit Profiles for Sites You Manage” permission.
    • This would allow them to edit the other profile pages, including User Settings (Details and Password only, not Seat Type or Permission Set), Notifications, Devices and Groups. It would not give them access to edit Sites (leave to separate higher level Users permission as-is) or Credentials (changeable via the new permission above).
  • Selecting any of these would not automatically give them the full "Users" permissions. Just like how the other higher-level options work. For example, I can optionally select Create, Global Response Sets, Upload to Public Library, or Report Layouts interchangeably under Templates, but it does not automatically give the full "Templates" permissions.  To pull that off, you'd need to add another option under Users separately for "add, remove, and manage users” and make the current option more of a higher-level toggle for everything under it.

To be clear, I would NOT want any of these permissions to allow them to add users, upgrade/downgrade users, change users’ permission sets, or change users’ sites.  Those can affect costing any have many other ripple effects in access to data or ability to do things.  For now, I would not want to risk giving that power to people at a site.  Certainly, my mind could change on this down the road, especially if those were separate permissions as well.

@Corey suggestion above is really the only one that works long term with multiple sites

in the interim we would like 4 levels

1. view only (see no other profile data) just view credentials.
2. edit credentials and see no other profile data except usernames (and maybe sites)
3. view only other profile date edits for credentials
   • in our case you need site and groups to assess credentials
4. view and edit all profile data including credentials (currently admin level which works)

1 and 2 or 1 and 3 would be a great start

We are migrating from another system and therefore have approx  1000 technician compliance requirements that we would like to load against the user credentials. Because we have validated the details in the other system, we intend only entering specific date “obtained” and “expiry” date fields against the 15 or so compliance credentials. When the user details are updated an attachment of evidence of the qualification will need to be uploaded by site managers/onboarders.

Therefore, I have few questions:

1.  Is there a bulk loader (csv file) where we can upload the initial date data against the various compliance credentials per user
2. When an entry is updated can we trigger a notification to our compliance staff to review the validity of the credential
3. Is there an ability to set notifications periods prior to the expiry dates.
4. Ability to determine who notifications can be sent to.

We have already developed onboarding forms and will load via Workato, but the Credentials functionality will provide a nicer solution across our contractor companies. 

Because a lot of our contractors already use Safety Culture having a single Credentials Platform across Contractor and sub-contractors will be beneficial