This article will walk you through group level permissions and how to edit them.
User permissions in Ironclad are managed at the group level. Administrators in Ironclad have access to the Groups page to manage user permissions for all users in the company’s instance.
The sections below walk you through the various group permission settings and how to edit them.
Edit Group Permissions
- Click on your profile icon in the top right corner, and then select Company Settings > Users & Groups.
- Click on the Groups tab to view all groups in your company’s instance.
- Select a group, and then click Edit Group to view the group’s permissions in Ironclad.
Insights
The Insights permission defines the group’s access to the Insights reporting feature. You can set it to No Access to Insights to prevent a group from accessing it, or Access to view and create charts. Note that any limits to specific workflows or records defined in other permissions may affect what data is available in charts.
Ironclad Editor
The Ironclad Editor permission defines the group’s access to Ironclad Editor’s document editing, commenting, and accepting/rejecting tracked changes. To learn more about Ironclad Editor permissions, refer to Comment Only Permission for Ironclad Editor.
Playbooks
The Playbook permission defines the group’s access to Playbook clauses in Ironclad Editor. There are three Playbook permission access levels:
- Edit: Edit the standard and fallback clauses that users can view when editing workflows. Editors can edit the Playbook from Ironclad Editor or from Workflow Designer.
- View: View the standard and fallback clauses when editing contracts in Ironclad Editor
- None: No access to view or edit the Playbook clauses
Repository
The Repository permission defines your group’s access to the Repository. There are three general categories for Repository permissions:
- No access
- Configure permissions by record type or on a per record basis
- Access to all records in Repository - either view only or view and edit
You’ll see five dropdown options in group settings. The five options are organized by the three general categories in the tables below. Our group recommendations vary depending on the record types in your Repository and groups. Review the tables below to learn more about the available settings:
NOTE
As you set your Repository permissions, consider the Workflow and Record Access permissions in Workflow Designer. These permissions work together to provide you with detailed control of your company's access. For example, if you give a group the "Choose access for specific Record and Record types" setting, but don't provide access per record, then that group will gain access to the Repository tab, but they won't see any records in the tab. Without this permission selected, however, they would not see the Repository tab at all.
We recommend that you choose the "Choose access for specific Record and Record types" setting. By default, this makes the Repository available to users, but does not grant them access to any records. You can then grant access to individual records based on custom criteria either in Workflow Designer or in the Repository.
If you select No access to Repository, users will not be able to access the Repository, and if they are later granted access to any records, they will not be able to access them until this global group permission is changed.
Repository Permissions
Click on the drop downs below to view more information on each Repository permission category:
No Access
Setting | Details | Recommendation |
---|---|---|
No Access to Repository | This is the most restrictive setting. Users in the group do not see any records in the Repository. Users in this group do not have access to the contracts nor the associated properties in the Repository. They may still be able to access contract data if they have Workflow access. Users do not see any search results when they search for related records in a launch form because they do not have access to any Repository records. | This setting is recommended for groups who do not need access to Repository reporting features to perform their functions. Participants of workflows can still access the contracts they are involved in by viewing the workflows from their Dashboard. Do not select this setting if you expect users in the group to search for related records in the launch form to link to new workflows. |
No access to Repository, Autocomplete-only access to specific Record types | Autocomplete allows users in the group to access Repository properties from the workflow launch form. Users in the group do not see any records in the Repository. For any workflow questions that have Enable autocomplete selected in Workflow Designer, the users in the group have access to property data to autocomplete questions. After you select this Repository permissions option, you need to select the record types that users will have access to in order to autocomplete form questions. For example, WonderWeb Inc. wants users from this group to see suggestions from their existing NDA records for their Counterparty Name question. They select this setting for the record type NDA. In a Workflow Designer definition, they select Enable autocomplete in the launch form question Counterparty Name. | This setting is recommended for workflow requestors who do not need access to Repository reporting features to perform their functions but need to populate future workflows with past record data. Do not select this option if you want to limit users’ visibility to Repository properties. For example, WonderWeb Inc. has some users that are sensitive to other users knowing who they have contracts with. Enabling autocomplete for the Counterparty Name property exposes the counterparties that your company has existing contracts with. |
Configure Permissions by Record Type or on a Per Record Basis
Setting | Details |
---|---|
Choose access rights for specific Records and Record types | This option provides the most flexibility when you configure Repository permissions. You can set permissions separately for each record in Repository. You do not need to check any of the boxes below to enable the permissions setting from Workflow Designer. The Workflow Designer archive settings only configure the Repository permissions for records that are created and archived from an Ironclad workflow. Records that are directly imported into the Repository or created through Ironclad’s public API do not adopt the permissions that are set in Workflow Designer. Manage permissions by Record Type: In addition to setting permissions on a per-record basis, you can set full access to certain record types for the group. Check the box for Select additional permission for each Record type. A dropdown list is displayed with all of the record types in your Repository. For each record type, you have the following options: |
Access to All Records in Repository - Either View Only or View and Edit
Setting | Details | Recommendation |
---|---|---|
View-only access to all Record types (current and future) | Users in the group have access to view all contracts and their associated properties in the Repository. Users cannot edit the properties or the documents. Users can, however, download records. | This setting is recommended for groups that need broad access to contracts in order to perform their functions. For example, Compliance, Finance, and Legal team members. Users often need view access to create reports for their functions. |
View and edit access to all Record types (current and future) | This is the most permissive setting in Repository. Users in this group have access to all records in Repository, and have the ability to edit data and the documents for each record. Users also have the ability to create new records by uploading contracts to the Repository. NOTE: You cannot grant users/groups the ability to import properties. To import properties, the user/group must be an Admin. | This setting is recommended for groups that update contract data on a day to day basis. For example, contract managers, legal operations, deal desk, and Legal. |
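A small model of the Repository rules in the tables above, added here as an illustration; it is not Ironclad code or an Ironclad export format. The `Group` structure, the per-record "view"/"edit" levels and the sample groups are assumptions. It computes effective record access and flags the configurations the note and tables caution about.

```python
from dataclasses import dataclass, field

# The five group-level Repository settings described on this page.
NO_ACCESS = "No Access to Repository"
AUTOCOMPLETE_ONLY = "No access to Repository, Autocomplete-only access to specific Record types"
SPECIFIC = "Choose access rights for specific Records and Record types"
VIEW_ALL = "View-only access to all Record types (current and future)"
EDIT_ALL = "View and edit access to all Record types (current and future)"

@dataclass
class Group:  # hypothetical structure, not an Ironclad export format
    name: str
    setting: str
    autocomplete_types: set = field(default_factory=set)
    record_grants: dict = field(default_factory=dict)  # record id -> "view"/"edit" (assumed levels)

def tab_visible(g):
    """The Repository tab appears unless the group has one of the two no-access settings."""
    return g.setting not in (NO_ACCESS, AUTOCOMPLETE_ONLY)

def record_access(g, record_id):
    """Effective access to one record: None, "view" or "edit"."""
    if not tab_visible(g):
        return None  # the global setting wins; per-record grants stay dormant
    if g.setting == VIEW_ALL:
        return "view"
    if g.setting == EDIT_ALL:
        return "edit"
    return g.record_grants.get(record_id)  # SPECIFIC: only what was granted

def review(groups):
    """Flag the configurations the page cautions about, as (group, finding) pairs."""
    findings = []
    for g in groups:
        if not tab_visible(g) and g.record_grants:
            findings.append((g.name, "dormant per-record grants"))
        if g.setting == SPECIFIC and not g.record_grants:
            findings.append((g.name, "Repository tab visible but empty"))
        if g.setting == AUTOCOMPLETE_ONLY and g.autocomplete_types:
            findings.append((g.name, "autocomplete exposes " + ", ".join(sorted(g.autocomplete_types))))
        if g.setting == EDIT_ALL:
            findings.append((g.name, "view and edit on all current and future record types"))
    return findings

# Constructed sample groups and record ids.
GROUPS = [
    Group("Everyone", NO_ACCESS, record_grants={"rec-1": "view"}),
    Group("Requestors", AUTOCOMPLETE_ONLY, autocomplete_types={"NDA"}),
    Group("Sales", SPECIFIC),
    Group("Finance", VIEW_ALL),
    Group("Legal Ops", EDIT_ALL),
]

if __name__ == "__main__":
    for name, finding in review(GROUPS):
        print(f"{name}: {finding}")
```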
Send Directly for Signature
Company administrators can control who can send documents for signature with user level permissions and workflow configurations. For most customers, documents will be sent for signature as part of a workflow. Documents can be immediately sent for signature once all approvals are received, or when manually triggered by a Signature Coordinator.
Administrators can also allow users with at least a requestor seat to send a document directly for signature using group permissions. Documents sent directly for signature bypass workflow configurations, including approvals. By default, only company administrators can send documents directly for signature.
The Send Directly for Signature permission has three options:
- Cannot send directly for signature: This is the default selection. Users cannot send for signature outside of a workflow.
- Can send directly for signature any record type (current and future): Users can send documents directly for signature. Documents can be stored as any record type available in your company.
- Can send directly for signature for specific record types: Users can send documents directly for signature. Specify the record types users can store documents as.
If you update the permission to full or partial access, users will have two options on their Dashboard: “Start a workflow” and “Upload for Signature”. Select “Start a workflow” to launch a workflow from a workflow configuration. Select “Upload for Signature” to upload, stamp, and send a document out for signature.
NOTE
Record types cannot be created when sending a document directly for signature, but can be created in Workflow Designer. Restricting the record types available when sending directly for signature can help maintain clean repository data.
Starting Workflows
The Starting Workflows permission defines which Workflow Designer definitions the group can launch from their Dashboard. We recommend that you specify which workflows are available for the default Everyone group, and create additional groups to set permissions for a smaller subset of users. For example, you can give the Everyone group access to launch NDA workflows. In addition, you can allow users in the Account Executives group to Start Workflows for Master Service Agreements.
Workflow Access
The Workflow Access permission defines which workflows the group can access by default. Users with Workflow Access do not necessarily need to be named as an active workflow Participant to view. Users with Workflow Access can see all workflows, including historic workflows, launched from the selected Workflow Designer definitions in their Dashboard. Add the workflows that you want the group to have access to. For example, you may tag the “Vendor Agreement” workflow for your Finance group so the Finance team can view all vendor agreement workflows, even when Finance has not been assigned a specific role in the workflow.
Workflow permissions and Repository permissions are configured separately in Ironclad.
- If you provide a group with workflow access, the users in the group can see all of the draft contract, activity feed, and negotiation history of the workflow.
- If you provide a group with Repository access, the users in the group only have access to the final contract and associated properties in the Repository.
Users can access workflows using two different methods. The first method is through Group permissions, described above. The second method is as a participant in a workflow. Users with assigned roles (e.g. owner, approver, etc.) are automatically added as participants. Existing participants can also add additional participants to a workflow by tagging users in the Activity Feed or Editor comments, or by clicking the plus sign button located under the participants in the workflow.
Note: If you want users with workflow access to be able to engage with and take action on these workflows without being a participant, please see the Workflow Management permission.
API Management
The API Management permission grants the group permission to manage a variety of API actions:
- Show API page in Company Settings (requires purchase of API package)
- Show the Errors page in Company Settings
- Ability to create and delete webhooks
- Ability to create and delete API tokens
- Ability to create and delete client applications
Users and Groups Administration
The admin group has access to all records and workflows, and has full control over the Ironclad product. There may be instances where you want to grant a user control over some parts of Ironclad CLM, with limited access to records and workflows. These permissions allow you to grant admin level control over specific parts of Ironclad. If this permission is enabled, the group can complete the following actions:
- View “Users & Groups” page in Company Settings
- View User Summary and CSV export
- View User’s seat type information
- View “Groups” tab in Users & Groups page
- Create groups
- Edit group name and permissions
- Add/remove users from groups
- Set the default user for a group
- Add users to groups during user invite
Workflow Designer
The Workflow Designer permission defines the group’s access to Workflow Designer and workflow templates. Administrators can always create and edit all workflow templates. There are three Workflow Designer permission access levels:
- No access
- Ability to edit specific workflow templates: This option displays a list of all published and unpublished workflows in Workflow Designer. You can then select whether the group should have None or Edit access to the workflow in Workflow Designer.
- Ability to create and edit all workflow templates
Workflow Management
The Workflow Management permission defines which workflows and contracts the group can take action on without being an assigned participant, so long as they have access to the workflow. The group will be able to execute the following actions for the selected workflows:
- Allows the user to cancel workflows they are not a participant of
- Allows the user to remove invites to counterparties on workflows they are not a participant of
- Allows the user to send invites to counterparties on workflows they are not a participant of
- Allow the user to force allow share documents
  - This is an additional WFD configuration option. There are three options:
    - Allow everyone to share documents
    - Configure which groups can share documents
    - Only users with Workflow Management permission can share, and when they can share
  - You configure this in WFD > Review > Settings > Share Documents
- Allow the user to force allow document downloads
  - This is an additional WFD configuration option. There are three options:
    - Allow everyone to download documents
    - Configure which groups can download documents, and when they can download
    - Only users with Workflow Management permission can download
  - You configure this in WFD > Review > Settings > Download Documents
- Allow resetting approvals/overriding workflow approvals via Edit Info/Update Document during a workflow’s Sign step
- Allow changing signers during the Sign step
- Allow removing in-flight workflows’ participants
- Allow adding, removing, and reassigning role assignments
- Allow the user to reassign approvers on workflows they are not a participant/approver on
AI Assist
The AI Assist permission defines whether the group can use AI Assist to suggest changes to the contract during negotiation and editing. This feature must be enabled for your account in order to access its permissions.
You will want to carefully review the use of this feature with your legal teams, and there may be implications for using this feature which you can review here.