There are several ways to give users access to the Accorto Time+Expense application:

In general, it is suggested to create custom profiles to manage access.

Global (Profile) Access

When installing, select the "Install for All Users" option:

This updates all your custom profiles.  

You could also select Specific Profiles. 

In both cases, users can only see the application if they are assigned a license.

> Setup > Installed Packages -- Manage Licenses link for Accorto T&E Plus

The access to information in Salesforce is determined by

  • Profile and Role
  • Permission Sets
  • Sharing Rules

The disadvantage of Profiles is that access information needs to be maintained manually after installation, so we suggest using Permission Sets instead. If a release has a new field, there is no need to update the profiles, as we can maintain the Permission Sets centrally.

We follow the following "best practice":

  • Permission Sets for managing object field access (user to see invoiced amount of projects)
  • Sharing Rules for managing record access (user to see project ABC)

Note that removing fields from Layouts does not secure access - users can still use Reports and List View fields to view the information.

Muted Permissions (beta) give more options.

Permission Sets

The maintained Permission Sets provide access to objects and their fields:

  • Accorto T+E Administrator: For users to create/maintain projects, invoices with a full/CRM license (i.e. can access Cases, Opportunities, ..)
  • Accorto T+E Administrator (Platform): For users to create/maintain projects, invoices with Platform license (i.e. cannot access Cases, Opportunities, ..)
  • Accorto T+E User: For users creating Time and Expense items and reports with full or platform licenses. No access to resource cost and pricing.
  • Accorto T+E User (Community): For users creating Time and Expense items and reports with Community/Portal licenses. No access to resource cost and pricing.
  • Accorto T+E Create for All Users: For people creating Time + Expense items and reports for other users (View All, Modify All for T+E Item and Report). Convenience shortcut to avoid maintaining Sharing Rules - does not follow the best practice - for easy setup in small companies.

Sharing Rules

Sharing Rules determine what records the user can see.  The default settings for the main entities:

  • Time+Expense Items and Reports: Private (the user can see own records, not others)
  • Project (Lines): Public Read Only (the user can see all projects, but not modify them)
  • Most other (e.g. Activity Type, ...): Public Read Only

One option to give additional users access is to create Sharing Rules.  For details check the Salesforce documentation.

We created two Public Groups for convenience - AccortoManager and AccortoAdministrator - but you can use your own groups or any other option.

Example:  Giving read/write access to users in the AccortoManager public group:

Sharing Rule

Debugging Security

Checking why a person has or does not have access can be tricky.

In general, it is advisable to use Permission Sets for Field access and Sharing Rules for Record Access. 

Why? -- it is easier to maintain in the long run.  Rather than using the convenient View/Modify All selection in a permission set, use Permission Sets with Public Groups (and assign/remove people to the groups).

The primary checking tool is the "Sharing" button in Salesforce Classic (not available in Lightning yet).

  • As Administrator in Classic, go to the record the person should or should not see and click "Sharing" - then Expand.
  • This shows you why a specific user has access.
  • If the reason is "Administrator", one cause could be a "Modify All" in a Permission Set.
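To find where such a "Modify All" or "View All" grant comes from, the check below can be run as anonymous Apex in the Developer Console. It is an added example, not Accorto's code; the object API name is a placeholder that must be replaced with the real API name of the T+E Item or T+E Report object in your org.

```apex
// Added example: list who bypasses Sharing Rules on one object, and through
// which Permission Set or Profile.
// ASSUMPTION: placeholder API name, not taken from the Accorto package.
String objName = 'NAMESPACE__TE_Item__c';

// 1. Permission Sets and Profiles that grant View All / Modify All on the object.
//    Profile permissions are stored in a profile-owned PermissionSet row.
Map<Id, ObjectPermissions> grants = new Map<Id, ObjectPermissions>();
for (ObjectPermissions op : [
        SELECT ParentId, Parent.Name, Parent.IsOwnedByProfile, Parent.Profile.Name,
               PermissionsViewAllRecords, PermissionsModifyAllRecords
        FROM ObjectPermissions
        WHERE SobjectType = :objName
          AND (PermissionsViewAllRecords = true
               OR PermissionsModifyAllRecords = true)]) {
    grants.put(op.ParentId, op);
}

// 2. Active users who receive one of those grants.
for (PermissionSetAssignment psa : [
        SELECT Assignee.Name, PermissionSetId
        FROM PermissionSetAssignment
        WHERE PermissionSetId IN :grants.keySet()
          AND Assignee.IsActive = true
        ORDER BY Assignee.Name]) {
    ObjectPermissions op = grants.get(psa.PermissionSetId);
    String source = op.Parent.IsOwnedByProfile
        ? 'Profile: ' + op.Parent.Profile.Name
        : 'Permission Set: ' + op.Parent.Name;
    System.debug(psa.Assignee.Name + ' <- ' + source
        + ' (ViewAll=' + op.PermissionsViewAllRecords
        + ', ModifyAll=' + op.PermissionsModifyAllRecords + ')');
}
```

Every user listed sees all records of that object regardless of Sharing Rules, so the list should contain only the people you intended to give "Create for All Users" style access.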

To test field access, the only option is to log in as the user and check.

Typical Scenarios

Access for Managers for Approval of Time+Expense Reports

The access to Time+Expense Items and Reports is Private.

By default, users in the approval hierarchy get access to the record to be approved temporarily (in this case: T+E Report) - but not to the T+E Items.

For this, create a Sharing Rule.

An easy way is to create a Sharing Rule on T+E Item and T+E Report:

  • (Step 3) Public Groups: All Internal Users
  • (Step 4) Public Groups: e.g. Accorto Managers
  • (Step 5) Access Level: Read Only or Read/Write

Add the managers to the public Group.

This gives all managers access to all T+E Items and Reports. For more granular access, grant access e.g. to Roles and Internal Subordinates in Step 4. This requires that the role hierarchies are maintained. Test in Classic via the "Sharing" button.

See only "My Projects"

By default, the sharing rule for Projects is Public Read Only - i.e. everyone can see all projects.

To restrict this, set the default Project Sharing for Project to Private.

We automatically give access to the project to users who are referenced as Project Managers or assigned as Resource in Project Lines.

You can give additional Users access to the Project via Project Line Allocation.

You can give access to 

  • the project for all users by selecting the "Share all Lines"
  • the project line to all users by selecting "Share all"

Access for Project Administrators

By default, the sharing rule for Projects is Public Read Only - i.e. everyone can see all projects, and you need to give access to people who should maintain it (update or create lines, etc.).

When you select someone to be the project manager, that user gets read/write access.

One option (in the Classic UI) is to grant access.

Another option is to use one of the many options to create Sharing rules. The easy option via Public Groups is listed above.

Access to Resource Costs and Prices

Using the default permission sets, a user does not have access to 

  • Resource Price - Billing Rate and Cost Rate
  • T+E Item - Est. Billing Rate/ Amount - Est Cost Rate/Amount

This also means that the user cannot view their own billing and Cost information.

(If they can, please check the Profile and remove the object/field access there)
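To see which Profile or Permission Set exposes the rate fields, the following anonymous Apex lists every grant of read access to them. It is an added example, not Accorto's code; the object and field API names are placeholders to be replaced with the real names from your org.

```apex
// Added example: find Profiles / Permission Sets that grant read access to
// the price fields. ASSUMPTION: placeholder API names, not from the package.
String objName = 'NAMESPACE__Resource_Price__c';
Set<String> fieldNames = new Set<String>{
    objName + '.NAMESPACE__Billing_Rate__c',
    objName + '.NAMESPACE__Cost_Rate__c'
};

for (FieldPermissions fp : [
        SELECT Field, PermissionsRead, PermissionsEdit,
               Parent.Name, Parent.IsOwnedByProfile, Parent.Profile.Name
        FROM FieldPermissions
        WHERE SobjectType = :objName
          AND Field IN :fieldNames
          AND PermissionsRead = true
        ORDER BY Field]) {
    // Profile grants are the ones the page asks you to remove manually.
    String source = fp.Parent.IsOwnedByProfile
        ? 'Profile: ' + fp.Parent.Profile.Name
        : 'Permission Set: ' + fp.Parent.Name;
    System.debug(fp.Field + ' readable via ' + source
        + ' (edit=' + fp.PermissionsEdit + ')');
}
```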

Enabling users to see their own prices (but not those of others) is a bit tricky, and you may also want to look into Muted Permissions:

  • Create a Permission Set with the ability to see Resource Price Info and T+E Item Rates/Amounts
    • Assign to the users
  • Change the Sharing Rule for Resource to Private
    • The access to Resource Price is based on the setting for the Resource
    • Use Sharing Rules to view Resources, e.g. for Administrators/Managers
  • For T+E Item information
    • The user will now be able to see the T+E rates for all records they have access to.
    • You may want to use the other options of Sharing Rules (Roles, criteria based rules) to restrict access.