Widget security

General widget security principles

Widgets, similar to searches and reports, display only data you have permission to view. These permissions are defined in the security level your user profile is associated with.

EXAMPLE  The widgets on your dashboard display entities (organizations, tickets or projects) where your permission setting is at least Mine, in lines of business you are associated with.

If you don't have permission to view certain types of data, for example billing data, you won't be able to create widgets for that data, although you may see such widgets on tabs shared by another user.

Widgets that display information only accessible in reports (for example survey results) apply the report security permissions defined in your security level.

EXAMPLE  Users with access to the Contracts module or view permissions for Contracts & Billing reports will be able to create Pending Billing Item, Posted Billing Item, and Invoice Item widgets. If a user has neither of these permissions but has access to any widgets of these types (via shared tabs or previously created), such widgets will never display any data.

EXAMPLE  The same rule applies to Milestone widgets with the exception that access to Projects also provides access to Milestone widgets.

EXAMPLE  For Work Entry widgets, users with Contracts permissions or view permissions for Time & Expense reports can see all work entries. Otherwise, they will only see work entries for themselves and users they are timesheet approvers for.

EXAMPLE  You can see survey results for tickets where you are a resource. To see all survey results, you need Admin report security.

Exception: HTML widgets security system setting

Why does Autotask provide this system setting?

HTML widgets allow users to render custom content inside of a dashboard widget. This level of flexibility comes with a potential risk of malicious behavior. Knowledgeable users could exploit various attack vectors to create HTML widgets that produce harmful results. Shared tabs could distribute these widgets and extend this potential harm to multiple users in your organization.

What does this system setting do?

"Allow HTML widgets on shared dashboard tabs" determines whether shared dashboard tabs can include HTML widgets.

This setting is disabled (not checked) by default. When it is disabled, you cannot add HTML widgets to a shared dashboard tab. If you share a tab that already contains an HTML widget, the widget will not render content when the shared tab is edited or accessed by the assigned users.

To allow HTML widgets on shared dashboard tabs, select the check box for this system setting to enable it.

IMPORTANT  If you choose to allow users to include HTML widgets on shared dashboard tabs, we recommend that you be selective about which security levels have permission to manage shared tabs. Refer to Creating or editing a custom security level.