Hi michelle.butler.0, thanks for confirming, and no worries at all on the delay!
When it comes to sharing access with third parties, especially offshore providers, we’ve found that using User Groups is a solid foundation for restricting client access. It’s widely adopted across licensees and helps ensure that users only see clients they are working on.
That said, outsourcing does introduce new complexities, particularly when outsourced admin teams require broad access to perform tasks efficiently. The key is to start by clearly defining what tasks the third-party user needs to perform, and then work backwards to determine the minimum access required to support those duties.
Some things to consider:
- If they’re doing data entry, they’ll likely need access to most client fields.
- If they’re generating documents (e.g. fact finds), they’ll need merge capabilities.
- If they’re managing datafeeds, broader client access may be unavoidable.
To help limit exposure to sensitive data, you can explore:
- Access Levels and Custom User Fields to control visibility/editability
- Page-level user conditions to restrict access to specific screens
- Capability-driven access to limit what functions users can perform
- Client-level access via User Groups to restrict visibility to certain clients only
However, it’s worth noting that some tools (like document generation or export reports) may still allow access to data in ways that are harder to restrict. So, it’s important to regularly review what users can do, not just what they can see.
There’s no one-size-fits-all solution here, but a layered approach, combining technical controls with clear role definitions, tends to work best.
Regards
Jackie