Best Practice for Managing User Groups

Question

Hi Network 👋 Keen to tap into your collective wisdom on best practice strategies for managing user groups in Xplan. For practices that outsource administration and paraplanning, and need to grant third-party access to their Xplan site—what key considerations should be kept in mind when adding or removing clients from user groups to ensure appropriate access and data security? Thanks in advance for sharing your insights 🙏

courtney.youngblutt · Answer

This is a great topic! And I think it&nbsp; does call for the collective wisdom of licensees and practices who face this challenge every day. I'm going to put the call out and see what other Advisely members do in this space....&nbsp;

jaclyn.bazin4 · Answer

Hi Michelle,
Great topic! Just to make sure we’re on the same page, are you looking for best practices around:

Sharing access with third parties (e.g. outsourced admin/paraplanners), or
Limiting access to sensitive data (like file notes, documents, or specific client info)?

Happy to share insights once I understand your focus a bit better! 😊
Jackie

bridget.lowe · Answer

Hey Michelle, what a great question!This is something I recently discussed with one of our kiwi Xplan businesses, who is looking at setting up virtual administrators to support their various practices. As well as managing user groups on their Xplan site, clearly defining their&nbsp;users capabilities (as to what they can view, create, or amend) and making smart use of Xplan's&nbsp;Access Levels is important. We've also explored how Xplan assists with security measures such as IP whitelisting for geolocation.&nbsp; Would love to hear from other advice businesses and what their processes are around this.

rainier.reyes · Answer

Great topic, michelle.butler.0​&nbsp; 🙌&nbsp; – I imagine it’s something a lot of practices quietly wrestle with, especially when one misstep could risk a data breach.
Would love to hear how others are approaching it!

jaclyn.bazin4 · Answer

Hi michelle.butler.0​, thanks for confirming , and no worries at all on the delay!
When it comes to sharing access with third parties, especially offshore providers, we’ve found that using User Groups is a solid foundation for restricting client access. It’s widely adopted across licensees and helps ensure that users only see client’s they are working on.
That said, outsourcing does introduce new complexities, particularly when outsourced admin teams require broad access to perform tasks efficiently. The key is to start by clearly defining what tasks the third-party user needs to perform, and then work backwards to determine the minimum access required to support those duties.
Some things to consider:

If they’re doing data entry, they’ll likely need access to most client fields.
If they’re generating documents (e.g. fact finds), they’ll need merge capabilities.
If they’re managing datafeeds, broader client access may be unavoidable.

&nbsp;
To help limit exposure to sensitive data, you can explore:

Access Levels and Custom User Fields to control visibility/editability
Page-level user conditions to restrict access to specific screens
Capability-driven access to limit what functions users can perform
Client-level access via User Groups to restrict visibility to certain clients only

&nbsp;
However, it’s worth noting that some tools (like document generation or export reports) may still allow access to data in ways that are harder to restrict. So, it’s important to regularly review what users can do, not just what they can see.
There’s no one-size-fits-all solution here, but a layered approach, combining technical controls with clear role definitions, tends to work best.
RegardsJackie