Groups serve as the foundational set of permissions for users, while workflow- and record-specific access offer the ability for more granular control over which contracts users can access and actions they can take in Ironclad.
Groups function both as a collection of users and a bundled set of permissions that ensures that users have appropriate levels of access to contracts and Ironclad features. All Ironclad users are part of one or more groups.
Within a group, administrators grant access to core parts of the Ironclad platform, including the workflows and records on the Dashboard, Workflow Designer, Insights, and more.
Group permissions are set in Company settings > Groups.
Note: Users have the sum of permissions based on the groups in which they’re a part of. This means if a user is a part of multiple groups, they will inherit the highest level of permissions according to all groups of which they are a part.
Use Case
At Classics Inc., the Sales Operations team manages contract workflows and templates used by account executives and sales managers in Ironclad. To streamline operations and maintain appropriate access, an administrator created Account Executives and Sales Associates groups. These groups are only assigned the permissions needed to launch workflows, view relevant records, and send documents for signature. This ensures that sensitive company-wide configurations remain secure while giving the Sales team the tools they need to operate efficiently.
Permissions
| Features | Company Settings |
| Permissions | Admin role |
Manage Group Permissions
When you update a group’s permissions, it may result in a seat type change for all users in that group. On the Groups page, you can identify which seat type is assigned to users that are part of a specific group, according to the permissions set for that group, by referring to the Seat Type column.
- Click on your profile icon in the top right corner, and then select Company Settings > Groups. All of the groups in your company’s instance are displayed.
- Select a group, and then click Configure Group.
- Customize the group’s permissions. Refer to the Group Permissions Overview table for details on each permission.
- Click Save.
Group Permissions Overview
Group permissions are split into two categories: General and Admin.
General Permissions
General permissions control access to standard areas of Ironclad and do not change the group’s seat type to Administrator, though it may change to Standard or Viewer/Requester.
| Permission | Function |
|---|---|
| AI Assist | The AI Assist permission defines the group’s access to the ability to access AI Assist to suggest changes to make to the contract during negotiation and editing. This feature must be enabled for your account in order to access its permissions. |
| Insights | The Insights permission defines the group’s access the Insights reporting feature. |
| Ironclad Editor | The Ironclad Editor permission defines the group’s access to Ironclad Editor’s document editing, commenting, and accepting/rejecting tracked changes. |
| Jurist | The Jurist permission defines the group’s access to the ability to access and chat with Jurist. This feature must be enabled for your account in order to access its permissions. |
| Playbooks | The Playbook permission defines the group’s access to Playbook clauses in Ironclad Editor. |
| Repository and Entities | The Repository permission defines the group’s access to use, view, edit, and create records/entities. |
| Send Directly for Signature | The Send Directly for Signature permissions defines the group’s ability to send documents directly for signature. |
| Starting Workflows | The Workflow Launch permission defines which Workflow Designer definitions the group can launch from their Dashboard. |
| Workflow Access | The Workflow Access permission defines which workflows the group can access by default. Users with Workflow Access do not necessarily need to be named as an active workflow Participant to view and engage in the workflow. |
Admin Permissions
Admin permissions grant admin level access to different areas of Ironclad and may result in the group being upgraded to an admin seat type. To learn more about configuring admin level permissions, refer to Configure Group Admin Permissions.
| Permission | Function |
|---|---|
| AI Clauses | The AI Clauses permission grants the group permission to access the AI Clauses tab in Company Settings. |
| API Management | The API Management permission grants the group permission to manage a variety of API actions. This feature must be enabled for your account in order to access its permissions. |
| Data Manager | The Data Manager permission grants the group permission to access the Data Manager tab in Company Settings. |
| Global Clause Library | The Global Clause Library permission defines the group’s access to the Global Clause Library. This includes creating, deleting, and importing clauses. |
| Integrations Management | The Integrations Management permission grants the group access to set up, configure, and enable all company integrations. This includes access to the Integrations and Errors pages in Company Settings. |
| Metadata Import | The Metadata Import permission grants the group access to the Metadata Import tool via the Dashboard and Entities tab. |
| Security and Data Management | The Security and Data Management permission grants the group access to the Security & Data section in Company Settings. This feature must be enabled for your account in order to access its permissions. |
| Settings Management | The Settings Management permission grants the group access to configure Company Settings. |
| Users and Groups Administration | The Users and Groups Administration setting grants the group access to the Users and Groups pages in Company Settings. This includes the ability to create and delete users and groups, edit group permissions, set the default user for groups, and more. |
| Delete Workflows | The Delete Workflows permission grants the ability to delete workflows. |
| Workflow Designer | The Workflow Designer permission defines the group’s access to Workflow Designer and workflow configurations. |
| Workflow Management | The Workflow Management permission allows users to take actions on workflows they are not participants of, as long as they have access to the workflow. |
AI Assist
The AI Assist permission defines the group’s access to the ability to access AI Assist to suggest changes to make to the contract during negotiation and editing. This feature must be enabled for your account in order to access its permissions.
You will want to carefully review the use of this feature with your legal teams, and there may be implications for using this feature which you can review here.
Insights
The Insights permission defines the group’s access the Insights reporting feature. You can set it to No Access to Insights to prevent a group from accessing Insights, or Access to view and create charts to provide them access to the Insights tab to view and create charts.
Any limits to specific workflows or records defined in other permissions may affect which data is available in charts.
Ironclad Editor
The Ironclad Editor permission defines the group’s access to Ironclad Editor’s document editing, commenting, and accepting/rejecting tracked changes. Can Comment is the lowest level of Ironclad Editor access. The Can Comment permission allows users to only leave internal comments on a document, but does not allow them to make any edits or changes to the underlying document. Internal comments are only visible to your internal team, and stay at the document level.
To learn more about Ironclad Editor permissions, refer to Manage Ironclad Editor Permissions.
Jurist
The Jurist permission defines the group’s access to the ability to access and chat with Jurist. Jurist must be enabled for your account in order to access its permissions.
Playbooks
The Playbook permission defines the group’s access to Playbook clauses in Ironclad Editor. There are three Playbook permission access levels:
- No access to Playbooks: No access to view or edit the Playbook clauses
- Can negotiate with Playbooks: View the standard and fallback clauses when editing contracts in Ironclad Editor
- Can configure and negotiate with Playbooks: Edit the standard and fallback clauses that users can view when editing workflows. Editors can edit the Playbook from Ironclad Editor or from Workflow Designer.
Repository and Entities
The Repository permission defines the group’s access to use, view, edit, and create records/entities. There are five types of Repository and Entities permissions:
- No access to repository and entities
- Use in workflows, contracts, and contract relationships (no access to entities)
- Choose access rights for specific records, record types, and entity types:
- View-only access to all record types and entity types (current and future)
- View, edit, and create access to all record types and entity types (current and future)
Our group recommendations vary depending on the record types in your repository and groups. Review the sections below to learn more about the available settings.
Repository Permissions
Scroll through the table below for more information on each Repository permission category:
| Permission | Details | Recommendation |
|---|---|---|
| No access to Repository or entities | This is the most restrictive setting. Users in the group do not see any records in the Repository. Users in this group do not have access to the contracts nor the associated properties in the Repository. They may still be able to access contract data if they have Workflow access. Users do not see any search results when they search for related records in a launch form because they do not have access to any Repository records. |
This setting is recommended for groups who do not need access to Repository reporting features to perform their functions. Participants of workflows can still access the contracts they are involved in by viewing the workflows from their Dashboard. Do not select this setting if you expect users in the group to search for related records in the launch form to link to new workflows. |
| Use in workflows, contracts, and contract relationships (no access to entities) | This setting allows users in the group to access record properties from the workflow launch form. Users in the group do not see any records in the repository. For any workflow questions that have Enable autocomplete selected in Workflow Designer, the users in the group have access to property data to autocomplete questions. After you select this Repository permissions option, you need to select the record types that users will have access to in order to autocomplete form questions. For example, WonderWeb Inc. wants users from this group to see suggestions from their existing NDA records for their Counterparty Name question. They select this setting for the record type NDA. In a Workflow Designer definition, they select Enable autocomplete in the launch form question Counterparty Name. |
This setting is recommended for workflow requestors who do not need access to Repository reporting features to perform their functions but need to populate future workflows with past record data. Do not select this option if you want to limit users’ visibility to Repository properties. For example, WonderWeb Inc. has some users that are sensitive to other users knowing who they have contracts with. Enabling autocomplete for the Counterparty Name property exposes the counterparties that your company has existing contracts with. |
| Choose access rights for specific records, record types, and entity types |
This option provides the most flexibility when you configure Repository permissions. You can set permissions separately for each record in Repository. You do not need to check any of the boxes below to enable the permissions setting from Workflow Designer.The Workflow Designer archive settings only configure the Repository permissions for records that are created and archived from an Ironclad workflow. Records that are directly imported into the Repository or created through Ironclad’s public API do not adopt the permissions that are set in Workflow Designer.
|
-- |
| View-only access to all record types and entity types (current and future) | Users in the group have access to view all contracts and their associated properties in the Repository. Users cannot edit the properties or the documents. Users can, however, download records. | This setting is recommended for groups that need broad access to contracts in order to perform their functions. For example, Compliance, Finance, and Legal team members. Users often need view access to create reports for their functions. |
| View, edit, and create access to all record types and entity types (current and future) | This is the most permissive setting in Repository. Users in this group have access to all records in Repository, and have the ability to edit data and the documents for each record. Users also have the ability to create new records by uploading contracts to the Repository. You cannot grant users/groups the ability to import properties. To import properties, the user/group must be an Admin. |
This setting is recommended for groups that update contract data on a day to day basis. For example, contract managers, legal operations, deal desk, and Legal. |
Workflow and Record Access Permissions in Workflow Designer
As you set your Repository permissions, consider Workflow and Record Access permissions in Workflow Designer. These permissions work together to provide you with detailed control of your company's access. For example, if you give a group the "Choose access for specific Record and Record types" setting, but don't provide access per record, then that group will gain access to the Repository tab, but they won't see any records in the tab. Without this permission selected, however, they would not see the Repository tab at all.
We recommend that you choose Choose access for specific Record and Record types. By default, this makes the Repository available to users, but does not grant them access to any records. You can then grant access to individual records based on custom criteria either in Workflow Designer or in the Repository.
If you select No access to Repository, users will not be able to access the Repository and if they are later granted access to any records, they will not be able to access them until this global group permission is changed.
Entity Permissions
Entity permissions in Ironclad closely mirror repository permissions and are tied to a group's access to records. These permissions determine how users interact with entities across workflows and records, and whether or not users can view/edit/create entities on the the Entities tab. Currently, permissions can only be configured by entity type—per-entity permissions for entities are not supported.
Admins can manage entity permissions by navigating to Company Settings > Groups > Configure Group. Based on the selected permission level, users can view, select, or manage entities, with granular options available for specific entity types. In the Repository and Entities section, select from the following:
| Permission | Impact |
|---|---|
| No access to Repository or entities | The group will not be able to view the Entities tab. |
| Use in workflows, contracts, and contract relationships (no access to entities) | The group access for entities will be set to “no access”. |
| Choose access rights for specific records, record types, and entity types |
When you select this option, you can define what level of access the group will have for each entity type.For each entity relationship type and for “entities without a type,” the user can choose either:
Below the dropdown, there is an Allow users to upload and create new contracts and entities of any type checkbox to allow users to create entities of any type. |
| View-only access to all Rrcurrent and future) | This group will be able to view Entities in the Entities tab, but cannot edit, create, or import entities. Users in this group can also use entities in contracts, workflows, and records. |
| View, edit, and create access to all record types and entity types (current and future) | This group will be able to view, edit, and create entities in the Entities tab. |
Send Directly for Signature
Company administrators can control who can send documents for signature with user level permissions and workflow configurations. For most customers, documents will be sent for signature as part of a workflow. Documents can be immediately sent for signature once all approvals are received, or when manually triggered by a Signature Coordinator.
Administrators can also allow users with at least a requestor seat to send a document directly for signature using group permissions. Documents sent directly for signature bypass workflow configurations, including approvals. By default, only company administrators can send documents directly for signature.
There are three Send Directly for Signature permission access levels:
- Cannot send directly for signature: This is the default selection. Users cannot send for signature outside of a workflow.
- Can send directly for signature any record type (current and future): Users can send documents directly for signature. Documents can be stored as any record type available in your company.
- Can send directly for signature for specific record types: Users can send documents directly for signature. Specify the record types users can store documents as.
If you update the permission to full or partial access, users will have two options on their Dashboard: “Start a workflow” and “Upload for Signature”. Select “Start a workflow” to launch a workflow from a workflow configuration. Select “Upload for Signature” to upload, stamp, and send a document out for signature.
Note: You cannot create record types when sending a document directly for signature, but you can create them in Workflow Designer. Restricting the record types available when sending directly for signature can help maintain clean repository data.
Starting Workflows
The Starting Workflows permission defines which Workflow Designer definitions the group can launch from their Dashboard. We recommend that you specify which workflows are available for the default Everyone group, and create additional groups to set permissions for a smaller subset of users. For example, you can give the Everyone group access to launch NDA workflows. In addition, you can allow users in the Account Executives group to Start Workflows for Master Service Agreements.
Workflow Access
The Workflow Access permission defines which workflows the group can access by default. Users with Workflow Access do not necessarily need to be named as an active workflow Participant to view. Users with Workflow Access can see all workflows, including historic workflows, launched from the selected Workflow Designer definitions in their Dashboard. Add the workflows that you want the group to have access to. For example, you may tag the “Vendor Agreement” workflow for your Finance group so the Finance team can view all vendor agreement workflows, even when Finance has not been assigned a specific role in the workflow.Workflow permissions and Repository permissions are configured separately in Ironclad.
- If you provide a group with workflow access, the users in the group can see all of the draft contract, activity feed, and negotiation history of the workflow.
- If you provide a group with Repository access, the users in the group only have access to the final contract and associated properties in the Repository.
Users can access workflows using two different methods. The first method is through Group permissions, described above. The second method is as a participant in a workflow. Users with assigned roles (e.g. owner, approver, etc.) are automatically added as participants. Existing participants can also add additional participants to a workflow by tagging users in the Activity Feed or Editor comments, or by clicking the plus sign button located under the participants in the workflow.
Note: If you want users with workflow access to be able to engage with and take action on these workflows without being a participant, please see the Workflow Management permission.
AI Clauses
The AI Clauses permission grants the group permission to access the AI Clauses tab in Company Settings.
API Management
The API Management permission grants the group permission to manage a variety of API actions:
- Show API page in Company Settings (requires purchase of API package)
- Show the Errors page in Company Settings
- Ability to create and delete webhooks
- Ability to create and delete API tokens
- Ability to create and delete client applications
Data Manager
The Data Manager permission grants the group permission to access the Data Manager tab in Company Settings.
Global Clause Library
The Global Clause Library permission defines the group’s access to the Global Clause Library. By default, this is set to No unless you are a part of the Administrators group.
Users with this permission can view the Clause Library page in Company Settings and add, edit and/or delete global clause types and global clauses from this view. Users with this permission and with Workflow Designer access can also add new clause types and clauses to the Clause Library from the Workflow Designer.
This table below covers the interaction between Global Clause Library permission and the Workflow Designer permission for a non-Administrator user.
| Global Clause Library Permission | Workflow Designer Permission | Resulting Abilities for a Non-Administrator user |
|---|---|---|
| Enabled | Enabled | User can add, edit and/or delete clause types and global clauses from the “Clause Library” page in Company Settings. From Workflow Designer, user can also add clause types and clauses to the Clause Library and tag existing clauses from the Clause Library. |
| Enabled | Disabled | User can add, edit and/or delete clause types and clauses from the “Clause Library” page in Company Settings. Changes to clauses made by the user from the “Clause Library” page that affect workflow configurations will not be published until another user with Workflow Designer access publishes those affected workflows configurations. |
| Disabled | Enabled | User can only view existing clauses in the Clause Library from Workflow Designer and use these clauses in their workflow configurations through tagging. User will not be allowed to add any clauses to or modify any existing clauses in the Clause Library from Workflow Designer. |
Integrations Management
The Integrations Management permission defines the group’s access to the Integrations section in Company Settings. Users with integrations access can:
- View available integrations
- Enable (if entitled) specific integrations
- Configure and manage integrations
This group does not have workflow launch permissions.
Metadata Import Tool
The Metadata Import Tool permission grants the group access to the Metadata Import tool via the Dashboard and Entities tab. Users must also have edit or create record access to use this tool.
Security and Data Management
The Security and Data Management permission grants the group access to the Security & Data section in Company Settings. This feature must be enabled for your account in order to access its permissions.
Note: Users with "Users and Groups Administration" permission are able to manage users and groups in general but the "Security and Data Management" permission setting is not visible for them unless they are in the Administrators group.
Settings Management
The Settings Management permission grants the group access to configure Company Settings.
Users and Groups Administration
The admin group has access to all records and workflows, and has full control over the Ironclad product. There may be instances where you want to grant a user control over some parts of Ironclad CLM, with limited access to records and workflows. These permissions allow you to grant admin level control over specific parts of Ironclad. If this permission is enabled, the group can complete the following actions:
- View “Users & Groups” page in Company Settings
- View User Summary and CSV export
- View User’s seat type information
- View “Groups” tab in Users & Groups page
- Create groups
- Edit group name and permissions
- Add/remove users from groups
- Set the default user for a group
- Add users to groups during user invite
Delete Workflows
The Delete Workflows permission grants the ability to delete workflows. Users can only delete workflows they have access to.
Workflow Designer
The Workflow Designer permission defines the group’s access to Workflow Designer and workflow templates. Administrators can always create and edit all workflow templates. There are three Workflow Designer permission access levels:
- No access
- Ability to edit specific workflow templates: This option displays a list of all published and unpublished workflows in Workflow Designer. You can then select whether the group should have None or Edit access to the workflow in Workflow Designer.
- Ability to create and edit all workflow templates
Workflow Management
The Workflow Management permission defines which workflows and contracts the the group can take action on without being an assigned participant, so long as they have access to the workflow. The group will be able to execute the following actions for the selected workflows:
- Allows the user to cancel workflows they are not a participant of
- Allows the user to remove invites to counterparties on workflows they are not a participant of
- Allows the user to send invites to counterparties on workflows they are not a participant of
- Allow the user to force allow share documents
- This is an additional WFD configuration option. There are three options:
- Allow everyone to share documents
- Configure which groups can share documents
- Only users with Workflow Management permission can share, and when they can share
- You configure this in WFD > Review > Settings > Share Documents
- This is an additional WFD configuration option. There are three options:
- Allow the user to force allow document downloads
- This is an additional WFD configuration option. There are three options:
- Allow everyone to download documents
- Configure which groups can download documents, and when they can download
- Only users with Workflow Management permission can download
- You configure this in WFD > Review > Settings > Download Documents
- This is an additional WFD configuration option. There are three options:
- Allow resetting approvals/overriding workflow approvals via Edit Info/Update Document during a workflow’s Sign step
- Allow changing signers during the Sign step
- Allow removing in-flight workflows’ participants
- Allow adding, removing, and reassigning role assignments’
- Allow the user to reassign approvers on workflows they are not a participant/approver on
Resources
Explore articles, courses, and support options to get the most out of Ironclad.