When adding new users to your Virtuous database, you’ll need to select a permission group to assign to each user. Each Virtuous instance comes pre-loaded with three permission groups:
- No financial data
The Admin permission group, as the name implies, has the ability to see and do everything in Virtuous, and modify configuration settings. The abilities of the Admin group cannot be modified. When managing users, it’s important to strike the right balance. Having just one Admin is generally too few, but having too many Admins can also cause a number of problems. The recommended number Admin users is typically around 2-3, with one primary Admin and one or two backups.
The No financial data and User groups are set up to allow users restricted access, without seeing any giving or financial information (No financial data), or for basic user access (User). Either of these permission group can be modified by an Admin. Just click on the edit icon to the right of either group. To learn more about the various permission options, see below.
In addition to modifying the default system groups, Admins can also create any number of additional permission groups. Just click on the "Create a Permission Group" button in the upper-right.
You'll see the option to create a new custom group from scratch, or start with an existing template.
Select the template option, and you'll see four base templates that can be used as-is, or with some modifications. Just enter a name for your new group, and you'll be in business.
If you opt to create a new custom group, you’ll be prompted to enter a name for the new group and a description. Use the description as a way to communicate with other Admins just what your new permission group is for. Then, click save to go to the edit screen.
Whether creating a new group or editing an existing group, you’ll be taken to the Permission edit screen. There, you’ll see a list of all of the various features in Virtuous with the ability to restrict or permit certain actions. The Selected Permissions show which actions are enabled from a quick view.
Select each feature to configure the specific permissions you’d like to select for your group. For most objects, the permission settings include three basic abilities:
- Read - The ability to view specific data or features. Users without any permissions for certain features, like the Merge Tool, will not see those features at all in the left side menu.
- Write - The ability to create OR edit specific data or records. Users with Write permission on Contacts, for example, will be able to edit Contact data like addresses, names, or phone numbers, and they will also be able to add new Contact records to Virtuous entirely.
- Delete - The ability to delete specific data or records. This should be strictly limited.
Some objects will have additional permissions. Check out each section below to learn more about these features.
Campaign permissions only include settings for Read, Write, and Delete.
Contact permissions do not include the Read permission, as this permission is assumed for anyone who will be working in your CRM. There is a Delete permission setting, even though Contact records cannot be deleted, only archived. The Delete permission here covers actions like deleting Contact Methods, Tags, Addresses, and other Contact details. Other permissions in this section include:
- Audit Logs - Allows users to see administrative data, like Contact Name changes and Gift updates, in the Activity Feed when viewing a Contact.
- Bulk edit - This allows users to perform bulk actions and edits from the results of Contact queries. Note that doing so requires BOTH the Bulk Edit permission AND Write permission.
- Restrict by Owner - The “eyes on your own work” permission, this restricts users from seeing any tasks other than their own on a Contact record.
- View Private - Most Contacts will be public, as that is the default, but users may choose to create specific Contact records as private Contacts, generally to protect sensitive information or protect the privacy of public figures. Private Contacts can only be viewed by Admins, and users with the “View Private” permission.
- View Wealth - Users will need this permission enabled in order to view DonorSearch data or other external data imported to the wealth data section on a Contact record.
Contact Note permissions are separate from Contact permissions, to allow users without Contact Write permission to still document activity. In addition to the Read, Write, and Delete permissions, Contact Note settings include:
- Default to Private - Some users may need to exclusively use Private Notes. Enabling this permission will set all notes created by a user to Private by default.
- Restrict Task By Owner - Limits a user to seeing ONLY their own Contact Notes (those created by them).
- View Private - Private notes can only be seen by Admins, the user who creates the note, and anyone with the “View Private” permission enabled.
Custom Report Permissions are for enabling Metabase reports. You can enable those reports that are needed by your users.
Users with Manage permission here will be able to access and use the Merge Tool, including running duplicate searches and manually merging Contact records, and review addresses, phone numbers, and email addresses that Virtuous has flagged for review. Users without this permission will not see the Data Health icon at all in their menu. NOTE: Once merged, two Contact records cannot be unmerged, so it is advised to limit this permission only to a small group of power users.
These settings only apply for organizations using Virtuous Email. The options include:
- Manage Email List Settings - Users with this enabled can create and edit Email Lists for your organization.
- Manage Plain Text Emails - Allows users to create and edit Personalized Email Templates. Note that this only restricts template management; any user can send an email using a Personalized Email Template.
- Subscribe Contact Individuals - Users with this permission can add Individuals to existing Lists.
- Unsubscribe Contact Individuals - Only users with this permission can manually unsubscribe Individuals from Lists.
Event permissions only include settings for Read, Write, and Delete.
Only organizations with Virtuous Forms included in their subscription will see this option. The only settings included are Read, Write, and Delete.
The settings available for Gift permissions include Read, Write, and Delete, as well as some additional options for restricting access and visibility. The Write permission here includes creating/editing Tribute information in addition to Gifts.
Other settings include:
- Bulk Edit - This allows users to perform bulk actions and edits from the results of Gift queries. As with the Contact Bulk Edit, making bulk updates requires BOTH the Bulk Edit permission AND Write permission. However, users with Bulk Edit who DO NOT have Write permission WILL be able to receipt Gifts in bulk for the results of a Gift query.
- Restrict by Project - In some cases, it may be necessary to limit some users' visibility, allowing them to only see certain Gifts. The Restrict by Project option will ONLY allow users to Gifts, or even portions of Gift, designated to Projects where that user is an Owner. For more on setting Project Owners, see our article on creating Projects.
- View Private - Unlike private Contacts or Contact Notes, users without the "View Private" permission can still see private Gifts, but they won't be also to see who the giver is. Private gifts are a way to identify anonymous Gifts. Users with this permission enabled will be able to see the full Gift details, including donor info, just as Admins do.
- View Statistics - The life-to-date giving totals visible in the header of Contact records, and the data shown in many dashboards reports and widgets, are all statistics, based on Gift data. The View Statistics permission is necessary for viewing financial data and reports. Similarly, this should not be enabled for any users who do not have access to financial data.
Because Gift Asks are so closely related to Gifts, the permission settings include the same ability to Restrict by Project, in addition to the basic Read, Write, and Delete options.
These permissions apply to the Grant Management section of Virtuous, and include just the standard Read, Write, and Delete settings.
The Import permissions control access to the Gift & Contact Import tool, and include just the standard Read, Write, and Delete settings. However, in order for a user to access the tool and perform Gift entry, they must have not only Read and Write permission for Imports, but also Read and Write permissions for Gifts and Write permission for Contacts. Users without all of these permissions may be able to access the Gift & Contact Import screen, but they will not be able to actually view or manage any imports.
The integration permissions allow for IT or other technical users to manage connections between Virtuous and other external systems without having full Admin access. The only settings included are Read, Write, and Delete.
Letters on Demand
Only organizations with Letters on Demand included in their subscription will see this option. Users with View Letters on Demand permission here will be able to access the Letters on Demand page in Virtuous Marketing. Any user with access to that page can create or edit Letter or Postcard templates for use with Automation.
There is no ability to delete Media Outlets or restrict their visibility; only the Write permission may be limited to specific users.
Planned Gift permissions only include settings for Read, Write, and Delete.
The Pledge permissions are closely aligned with Gift permissions, so the settings found here are very similar to those already reviewed under Gift permissions.
Projects have similar settings to those that have already been seen in other areas, including Bulk Edit, Read, Write, and Delete. Specific to Projects is the Restrict by Owner permission, which is closely related to the Restrict by Project permission for Gifts. Users with Restrict by Owner enabled will only be able to view Projects where they are listed as an owner.
Because Projects are an area of Virtuous where field or program staff are usually active, the permissions available for Projects are very granular. The Expense permissions would allow certain users, for example, to have read-only access to Projects, but be able to log expenses. The only settings included are Read, Write, and Delete.
These permissions allow you to control user access to the Goals tab on Project records. The only settings included are Read, Write, and Delete.
As with the other Project permissions, the notes permissions grant users specific access to an area of Project records, specifically the Impact tab. Project notes are recorded as Impact Updates. The settings are similar to those for Contact Notes, and include Read, Write, Delete, and View Private.
There are only two settings available under query permissions:
- Execute - Users without this setting enabled will not be able to access the Query Tool at all. It is recommended that any restricted users — those who are limited to seeing only specific Contacts or only certain Gifts — should not have access to queries.
- Reminder Source - This setting allows users to use the Automated Task query type. This query option is designed specifically for Admin users, allowing the ability to query for all automated or recurring tasks assigned for a specific user and then reassign those tasks in bulk, in the event of a staffing change.
The Receipting permission settings control access to the receipting tool and the ability to manage templates, queue, and generate receipts. The settings include:
- Create Receipt Groups - Users will need this permission in order to create or edit any of the Receipting Groups used in the receipting tool. This is not required in order to queue or send receipts, since these functions may be managed separately for your organization.
- Create Receipt Templates - This allows users to create or edit mail or email receipt templates for your organization. Users without this permission will not see the templates tab when viewing the receipting screen.
- Queue Receipting - Users must have this permission in order to queue the receipting process. Note that receipting is a two-stage process; this only allows users to begin the process, not generate actual receipts.
- Run Receipting - This permission allows users to actually run receipting once receipts have been successfully queued.
- View Receipting - Users must have this permission checked in order to access the receipting screen.
The Recurring Gift permissions are closely aligned with Gift permissions, so the settings found here are very similar to those already reviewed under Gift permissions.
The report permission settings allow for customization of the dashboard report options available to users. These options are valuable for almost all users, as it removes any extraneous reports and reduces confusion, especially for newer users. Select the checkbox next to each report you'd like to enable for a particular permission group. To learn more about each report, check out our article on running reports. Users will need to have the View setting enabled in order to run any reports at all, so be sure to check that if you wish to grant users access to dashboard reports.
The Edit Virtuous Giving setting allows users the ability to access Virtuous Giving information and edit the account setup for your organization.
As with the Virtuous Giving permission, users will need the View Virtuous Marketing setting enabled in order to access Virtuous Marketing. Users who will not need access to creating or sending emails, or to Virtuous Giving or Forms, will not need access to this area.
Volunteer Opportunity permissions only include settings for Read, Write, and Delete.
Workflow permissions only include settings for Read, Write, and Delete.
In some cases, you might want to require additional security measures for your users. To do this, you may choose to optionally require users to use two-factor authentication when they log in, or to use single sign-on and log in via their Google or Microsoft account. On the Organization Settings page, you can even restrict the single sign-on provider for your organization to either Google or Microsoft (the system default is to allow both).
When editing a permission group, look below the name and description and you'll see toggles for requiring two-factor authentication or for requiring single sign-on (SSO). Note that you may only select one or the other, not both.
If you are editing an existing permission group that already has active users assigned to it, those users will be prompted to set up two-factor authentication or single sign-on (if they haven't done so already) the next time they access Virtuous. Users actively working in Virtuous will be prompted to take action as soon as they attempt to load a new page.