    Understanding Client Portal Access Controls

    One of the first steps in implementing your client portal is understanding and planning your approach to access control, or said another way, determining what level of access users will have to client portal assets (e.g., client pages, invoice posts, file posts, attachments, etc.).

    Overview

    By default, logged-in, active users assigned to an active company are able to access all client pages assigned to their respective company, along with all client file posts and attachments, and client invoice posts and attachments assigned to that company. All logged-in, active users assigned to only active companies are also able to access all global client pages, global file posts, and global file attachments by default.

    The Constellation Client Portal Pro plugin also allows you to adjust the default user access, and restrict access to client portal assets by deactivating users and companies, and/or by excluding users, roles, and/or companies at various levels. This allows you to adjust and configure access controls at a more granular level to suit the needs of your operation.

    High Level View

    The access control matrix, below, provides a high level view that illustrates the Constellation Client Portal Pro access controls and how they affect access to client portal assets.

    Constellation Client Portal Pro Access Control Matrix

    Assets (matrix columns)

    • Client Page Assigned to Specific Company
    • Global Client Page
    • Client File Post
    • Client Invoice Post
    • Global File Post
    • Client File Shortcode Generated List
    • Client Invoice Shortcode Generated List
    • Global File Shortcode Generated List
    • Client File Attachment
    • Client Invoice Attachment
    • Global File Attachment

    Access Controls (matrix rows)

    User Level Access Control
    • User Status: Inactive/Pending
    • User Company Assignment: Not assigned to any company.

    Company Level Access Control
    • Company Status: Inactive [1] (user assigned to 1 company).
    • Company Status: Mixed (user assigned to multiple companies - at least 1 inactive company).
      / / / / / / /

    Client Page Level Access Control
    • Client Page: Excluded User/Role
    • Client Page Category: Excluded User/Role

    Global Client Page Level Access Control
    • Global Client Page: Excluded User/Role
    • Global Client Page Category: Excluded User/Role

    Client File Level Access Control
    • Client File: Excluded User/Role
    • Client File Category: Excluded User/Role

    Client Invoice Level Access Control
    • Client Invoice: Excluded User/Role
    • Client Invoice Category: Excluded User/Role

    Global File Level Access Control
    • Global File: Excluded User/Role/Company
    • Global File Category: Excluded User/Role

    Client File Shortcode Level Access Control
    • Client File Shortcode: Excluded User/Role

    Client Invoice Shortcode Level Access Control
    • Client Invoice Shortcode: Excluded User/Role

    Global File Shortcode Level Access Control
    • Global File Shortcode: Excluded User/Role/Company

    1. A company status of "inactive" means any status that contains an action set to "prevent access," regardless of the company status name.

    Access Control Matrix Legend

    Deny access to all assets of type.
    Deny access to the specific asset associated with the access control block.
    / Deny access to the assets associated with the inactive company (a company that contains a status with a "Prevent Access" action specified), and allow access to assets associated with active companies.
    Allow access to the asset.

    Access Control Levels

    Access controls can be applied at the following levels.

    • User Level
    • Company Level
    • Client Page/Global Client Page Level
    • Client File Level
    • Client Invoice Level
    • Global File Level
    • Client File Shortcode Level
    • Client Invoice Shortcode Level
    • Global File Shortcode Level

    Below is an explanation of each level and the available methods for restricting access within that level.

    User Level Access Controls

    Access Control Methods

    • User status (client status).
    • User company assignment (or no company assignment).

    User Status

    Changing a user’s client status to “pending” or “inactive,” within the user’s profile, will prevent the user from accessing any and all client assets (global assets or assets assigned to a company).

    User Company Assignment

    Removing all company assignments within a user’s profile will prevent the user from accessing any and all client assets (global assets or assets assigned to a company).

    Company Level Access Controls

    Access Control Methods

    • Company status (user assigned to only one company).
    • Company status (user assigned to multiple companies with mixed statuses).

    Company Status (user assigned to one company)

    If a company has a status with an “action” set to “prevent access,” any user assigned to that company will not be able to access any client assets (global assets or assets assigned to a company).

    Company Status (user assigned to multiple companies with mixed statuses)

    If a user is assigned to multiple companies, and any one of those companies has a status with an “action” set to “prevent access,” the user will not be able to access any client assets associated with the inactive company. Additionally, the presence of an inactive company (even if the user is also assigned to an additional active company) will prevent the user from accessing any and all global assets (global client pages, global file posts, and global file attachments).

    The user will, however, be able to access assets associated with any active companies that they are assigned to.

    Client Page and Global Client Page Level Access Controls

    Access Control Methods

    • Client Page excluded user list.
    • Client Page excluded role list.
    • Client Page Category excluded user list.
    • Client Page Category excluded role list.

    Client Page Excluded User List

    Specific users can be added to the excluded user list within individual client pages (and client pages marked as “global”) to prevent those users from accessing that specific client page. Adding users to the excluded user list on this page will NOT prevent those users from accessing the following assets.

    • Other client pages that these users have not been excluded from.
    • Client file posts or attachments.
    • Client invoice posts or attachments.
    • Global file posts or attachments.
    • Client file shortcode generated lists (if embedded on a client page that they have not been excluded from).
    • Client invoice shortcode generated lists (if embedded on a client page that they have not been excluded from).
    • Global file shortcode generated lists (if embedded on a client page that they have not been excluded from).

    Client Page Excluded Role List

    User roles can be added to the excluded role list within individual client pages to prevent any user with that role from accessing that specific client page. Adding roles to the excluded role list on this page will NOT prevent users with those roles from accessing the following assets.

    • Other client pages that these roles have not been excluded from.
    • Client file posts or attachments.
    • Client invoice posts or attachments.
    • Global file posts or attachments.
    • Client file shortcode generated lists (if embedded on a client page that they have not been excluded from).
    • Client invoice shortcode generated lists (if embedded on a client page that they have not been excluded from).
    • Global file shortcode generated lists (if embedded on a client page that they have not been excluded from).

    Client Page Category Excluded User List

    Specific users can be added to the excluded user list within a client page category, and that category can then in turn be assigned to client pages to prevent those users from accessing client pages assigned to that category. Adding users to the excluded user list in this category will NOT prevent those users from accessing the following assets.

    • Other client pages that these users have not been excluded from within the page or category.
    • Client file posts or attachments.
    • Client invoice posts or attachments.
    • Global file posts or attachments.
    • Client file shortcode generated lists (if embedded on a client page that they have not been excluded from).
    • Client invoice shortcode generated lists (if embedded on a client page that they have not been excluded from).
    • Global file shortcode generated lists (if embedded on a client page that they have not been excluded from).

    Client Page Category Excluded Role List

    User roles can be added to the excluded role list within a client page category, and that category can then in turn be assigned to client pages to prevent any user with that role from accessing client pages assigned to that category. Adding roles to the excluded role list in this category will NOT prevent users with those roles from accessing the following assets.

    • Other client pages that these roles have not been excluded from within the page or category.
    • Client file posts or attachments.
    • Client invoice posts or attachments.
    • Global file posts or attachments.
    • Client file shortcode generated lists (if embedded on a client page that they have not been excluded from).
    • Client invoice shortcode generated lists (if embedded on a client page that they have not been excluded from).
    • Global file shortcode generated lists (if embedded on a client page that they have not been excluded from).

    Client File Level Access Controls

    Access Control Methods

    • Client File excluded user list.
    • Client File excluded role list.
    • Client File Category excluded user list.
    • Client File Category excluded role list.

    Client File Excluded User List

    Specific users can be added to the excluded user list within individual client files to prevent those users from accessing that specific client file post and any attached file (if any). Adding users to the excluded user list in this post will NOT prevent those users from accessing the following assets.

    • Other client files (or client file attachments) that these users have not been excluded from.
    • Client pages.
    • Client invoice posts or attachments.
    • Global file posts or attachments.
    • Client file shortcode generated lists.
    • Client invoice shortcode generated lists.
    • Global file shortcode generated lists.

    Client File Excluded Role List

    User roles can be added to the excluded role list within individual client files to prevent any user with that role from accessing that specific client file post or attached file. Adding roles to the excluded role list in this post will NOT prevent users with those roles from accessing the following assets.

    • Other client files (or client file attachments) that these roles have not been excluded from.
    • Client pages.
    • Client invoice posts or attachments.
    • Global file posts or attachments.
    • Client file shortcode generated lists.
    • Client invoice shortcode generated lists.
    • Global file shortcode generated lists.

    Client File Category Excluded User List

    Specific users can be added to the excluded user list within a client file category, and that category can then in turn be assigned to client files to prevent those users from accessing client file posts (and client file attachments) assigned to that category. Adding users to the excluded user list in this category will NOT prevent those users from accessing the following assets.

    • Other client files that these users have not been excluded from within the file post or category.
    • Client pages.
    • Client invoice posts or attachments.
    • Global file posts or attachments.
    • Client file shortcode generated lists.
    • Client invoice shortcode generated lists.
    • Global file shortcode generated lists.

    Client File Category Excluded Role List

    User roles can be added to the excluded role list within a client file category and that category can then in turn be assigned to client files to prevent any user with that role from accessing client file posts (and client file attachments) assigned to that category. Adding roles to the excluded role list in this category will NOT prevent users with those roles from accessing the following assets.

    • Other client files that these roles have not been excluded from within the post or category.
    • Client pages.
    • Client invoice posts or attachments.
    • Global file posts or attachments.
    • Client file shortcode generated lists.
    • Client invoice shortcode generated lists.
    • Global file shortcode generated lists.

    Client Invoice Level Access Controls

    Access Control Methods

    • Client Invoice excluded user list.
    • Client Invoice excluded role list.
    • Client Invoice Category excluded user list.
    • Client Invoice Category excluded role list.

    Client Invoice Excluded User List

    Specific users can be added to the excluded user list within individual client invoices to prevent those users from accessing that specific client invoice post and any attached file (if any). Adding users to the excluded user list in this post will NOT prevent those users from accessing the following assets.

    • Other client invoices (or client file attachments) that these users have not been excluded from.
    • Client pages.
    • Client file posts or attachments.
    • Global file posts or attachments.
    • Client file shortcode generated lists.
    • Client invoice shortcode generated lists.
    • Global file shortcode generated lists.

    Client Invoice Excluded Role List

    User roles can be added to the excluded role list within individual client invoices to prevent any user with that role from accessing that specific client invoice post or attached file. Adding roles to the excluded role list in this post will NOT prevent users with those roles from accessing the following assets.

    • Other client files (or client file attachments) that these roles have not been excluded from.
    • Client pages.
    • Client file posts or attachments.
    • Global file posts or attachments.
    • Client file shortcode generated lists.
    • Client invoice shortcode generated lists.
    • Global file shortcode generated lists.

    Client Invoice Category Excluded User List

    Specific users can be added to the excluded user list within a client invoice category, and that category can then in turn be assigned to client invoices to prevent those users from accessing client invoice posts (and client invoice attachments) assigned to that category. Adding users to the excluded user list in this category will NOT prevent those users from accessing the following assets.

    • Other client invoices that these users have not been excluded from within the file post or category.
    • Client pages.
    • Client file posts or attachments.
    • Global file posts or attachments.
    • Client file shortcode generated lists.
    • Client invoice shortcode generated lists.
    • Global file shortcode generated lists.

    Client Invoice Category Excluded Role List

    User roles can be added to the excluded role list within a client invoice category and that category can then in turn be assigned to client invoices to prevent any user with that role from accessing client invoice posts (and client invoice attachments) assigned to that category. Adding roles to the excluded role list in this category will NOT prevent users with those roles from accessing the following assets.

    • Other client invoices that these roles have not been excluded from within the post or category.
    • Client pages.
    • Client file posts or attachments.
    • Global file posts or attachments.
    • Client file shortcode generated lists.
    • Client invoice shortcode generated lists.
    • Global file shortcode generated lists.

    Global File Level Access Controls

    Access Control Methods

    • Global File excluded user list.
    • Global File excluded role list.
    • Global File excluded company list.
    • Global File Category excluded user list.
    • Global File Category excluded role list.
    • Global File Category excluded company list.

    Global File Excluded User List

    Specific users can be added to the excluded user list within individual global files to prevent those users from accessing that specific global file post and any attached file (if any). Adding users to the excluded user list in this post will NOT prevent those users from accessing the following assets.

    • Other global files (or global file attachments) that these users have not been excluded from.
    • Client pages.
    • Client file posts or attachments.
    • Client invoice posts or attachments.
    • Global file posts or attachments.
    • Client file shortcode generated lists.
    • Client invoice shortcode generated lists.
    • Global file shortcode generated lists.

    Global File Excluded Role List

    User roles can be added to the excluded role list within individual global files to prevent any user with that role from accessing that specific global file post or attached file. Adding roles to the excluded role list in this post will NOT prevent users with those roles from accessing the following assets.

    • Other global files (or global file attachments) that these roles have not been excluded from.
    • Client pages.
    • Client file posts or attachments.
    • Client invoice posts or attachments.
    • Global file posts or attachments.
    • Client file shortcode generated lists.
    • Client invoice shortcode generated lists.
    • Global file shortcode generated lists.

    Global File Excluded Company List

    Companies can be added to the excluded company list within individual global files to prevent any user assigned to a company in that list from accessing that specific global file post or attached file. Adding companies to the excluded company list in this post will NOT prevent users assigned to those companies from accessing the following assets.

    • Other global files (or global file attachments) that these companies have not been excluded from.
    • Client pages.
    • Client file posts or attachments.
    • Client invoice posts or attachments.
    • Global file posts or attachments.
    • Client file shortcode generated lists.
    • Client invoice shortcode generated lists.
    • Global file shortcode generated lists.

    Global File Category Excluded User List

    Specific users can be added to the excluded user list within a global file category, and that category can then in turn be assigned to global files to prevent those users from accessing global file posts (and global file attachments) assigned to that category. Adding users to the excluded user list in this category will NOT prevent those users from accessing the following assets.

    • Other global files that these users have not been excluded from within the file post or category.
    • Client pages.
    • Client file posts or attachments.
    • Client invoice posts or attachments.
    • Global file posts or attachments.
    • Client file shortcode generated lists.
    • Client invoice shortcode generated lists.
    • Global file shortcode generated lists.

    Global File Category Excluded Role List

    User roles can be added to the excluded role list within a global file category, and that category can then in turn be assigned to global files to prevent any user with that role from accessing global file posts (and client file attachments) assigned to that category. Adding roles to the excluded role list in this category will NOT prevent users with those roles from accessing the following assets.

    • Other global files that these roles have not been excluded from within the post or category.
    • Client pages.
    • Client file posts or attachments.
    • Client invoice posts or attachments.
    • Global file posts or attachments.
    • Client file shortcode generated lists.
    • Client invoice shortcode generated lists.
    • Global file shortcode generated lists.

    Global File Category Excluded Company List

    Companies can be added to the excluded company list within a global file category, and that category can then in turn be assigned to global files to prevent any user assigned to a company in the list from accessing global file posts (and client file attachments) assigned to that category. Adding companies to the excluded company list in this category will NOT prevent users assigned to those companies from accessing the following assets.

    • Other global files that these companies have not been excluded from within the post or category.
    • Client pages.
    • Client file posts or attachments.
    • Client invoice posts or attachments.
    • Global file posts or attachments.
    • Client file shortcode generated lists.
    • Client invoice shortcode generated lists.
    • Global file shortcode generated lists.

    Client File Shortcode Level Access Controls

    Access Control Methods

    • Client File Shortcode excluded user list.
    • Client File Shortcode excluded role list.

    Important

    Access controls applied at the shortcode level only prevent users from viewing the particular list that is generated by a given shortcode. Adding access controls at this level will not prevent users from accessing any underlying asset if a user has a direct link to the asset. As an example, if a user is added to the excluded user list in a shortcode, but the user has a direct link for a client file post or attachment, the user would still be able to access the file post and/or attachment.

    Client File Shortcode Excluded User List

    Specific users can be added to the excluded user list within individual client file shortcodes to prevent those users from viewing lists generated by the respective shortcode.

    Client File Shortcode Excluded Role List

    User roles can be added to the excluded role list within individual client file shortcodes to prevent any user with that role from viewing lists generated by the respective shortcode.

    Client Invoice Shortcode Level Access Controls

    Access Control Methods

    • Client Invoice Shortcode excluded user list.
    • Client Invoice Shortcode excluded role list.

    Important

    Access controls applied at the shortcode level only prevent users from viewing the particular list that is generated by a given shortcode. Adding access controls at this level will not prevent users from accessing any underlying asset if a user has a direct link to the asset. As an example, if a user is added to the excluded user list in a shortcode, but the user has a direct link for a client file post or attachment, the user would still be able to access the file post and/or attachment.

    Client Invoice Shortcode Excluded User List

    Specific users can be added to the excluded user list within individual client invoice shortcodes to prevent those users from viewing lists generated by the respective shortcode.

    Client Invoice Shortcode Excluded Role List

    User roles can be added to the excluded role list within individual client invoice shortcodes to prevent any user with that role from viewing lists generated by the respective shortcode.

    Global File Shortcode Level Access Controls

    Access Control Methods

    • Global File Shortcode excluded user list.
    • Global File Shortcode excluded role list.
    • Global File Shortcode excluded company list.

    Important

    Access controls applied at the shortcode level only prevent users from viewing the particular list that is generated by a given shortcode. Adding access controls at this level will not prevent users from accessing any underlying asset if a user has a direct link to the asset. As an example, if a user is added to the excluded user list in a shortcode, but the user has a direct link for a client file post or attachment, the user would still be able to access the file post and/or attachment.

    Global File Shortcode Excluded User List

    Specific users can be added to the excluded user list within individual global file shortcodes to prevent those users from viewing lists generated by the respective shortcode.

    Global File Shortcode Excluded Role List

    User roles can be added to the excluded role list within individual global file shortcodes to prevent any user with that role from viewing lists generated by the respective shortcode.

    Global File Shortcode Excluded Company List

    Companies can be added to the excluded company list within individual global file shortcodes to prevent any user assigned to a company within the list from viewing lists generated by the respective shortcode.
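
    The sketch below is an added example, not code from the plugin: it models the user, company and exclusion-list rules described in the sections above, and uses that model to audit the shortcode caveat by listing users who are hidden from a shortcode list yet can still open the underlying asset by direct link. All class, field and function names, and the sample users and companies, are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Added illustration: a simplified model of the rules this page documents.
# Every class, field and function name is hypothetical, not the plugin's API.

@dataclass(frozen=True)
class Exclusions:
    users: frozenset = frozenset()
    roles: frozenset = frozenset()
    companies: frozenset = frozenset()  # only global files / global file shortcodes offer this

    def hits(self, user):
        return (user.name in self.users or user.role in self.roles
                or bool(self.companies & set(user.companies)))

@dataclass(frozen=True)
class User:
    name: str
    role: str
    companies: tuple = ()
    status: str = "active"  # "active", "pending" or "inactive"

@dataclass(frozen=True)
class Asset:
    title: str
    company: Optional[str] = None   # None marks a global asset
    own: Exclusions = Exclusions()  # excluded lists set on the asset itself
    categories: tuple = ()          # excluded lists of each category assigned to it

def can_access(user, asset, inactive_companies):
    """Return (allowed, reason) for a direct request to one asset."""
    if user.status != "active":
        return False, "user status"
    if not user.companies:
        return False, "no company assignment"
    # "Inactive" means any company status whose action is "prevent access".
    blocked = set(user.companies) & set(inactive_companies)
    if asset.company is None:
        if blocked:  # one inactive company is enough to lose all global assets
            return False, "inactive company blocks global assets"
    elif asset.company not in user.companies:
        return False, "asset belongs to another company"
    elif asset.company in blocked:
        return False, "company inactive"
    for excl in (asset.own, *asset.categories):
        if excl.hits(user):
            return False, "excluded user/role/company"
    return True, "allowed"

def direct_link_gaps(users, shortcode_excl, listed_assets, inactive_companies):
    """(user, asset title) pairs hidden from the list but reachable by direct link."""
    return [(u.name, a.title)
            for u in users if shortcode_excl.hits(u)
            for a in listed_assets
            if can_access(u, a, inactive_companies)[0]]

# Constructed sample data.
INACTIVE = frozenset({"Globex"})
alice = User("alice", "client", ("Acme",))
bob = User("bob", "client", ("Acme", "Globex"))  # mixed company statuses
carol = User("carol", "contractor", ("Acme",))
acme_file = Asset("Acme contract", company="Acme")
globex_file = Asset("Globex contract", company="Globex")
handbook = Asset("Handbook")  # global asset
board_file = Asset("Board minutes", company="Acme",
                   categories=(Exclusions(roles=frozenset({"contractor"})),))

if __name__ == "__main__":
    for u in (alice, bob, carol):
        for a in (acme_file, globex_file, handbook, board_file):
            print(u.name, "->", a.title, can_access(u, a, INACTIVE))
    hidden = Exclusions(users=frozenset({"alice"}))
    print(direct_link_gaps([alice, bob, carol], hidden, [acme_file, board_file], INACTIVE))
```

    Any pair the audit reports needs an exclusion on the asset or its category as well, because the shortcode-level exclusion only hides the list.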
