Platform Security Overview
Taino provides a flexible multi-layer security model that lets agency owners and administrators precisely control who can see and do what. This overview explains the three core layers and how system roles and custom permission groups work together.
Three Security Layers
- Office Isolation – Data (customers, policies, documents, tasks, etc.) can be isolated by office. When isolation is enabled, agents assigned to one office cannot see other offices' data. This protects sensitive regional or branch information. See enforcing office‑level isolation for the enablement steps.
- Agent Data Scope – Optionally restrict an agent so they only see or search records they created or are explicitly associated with. Association typically happens automatically when an agent creates a record (e.g., customer, policy) or is assigned to it. Learn how in restricting an agent to only their own (associated) data.
- Feature & Action Permissions – Fine-grained feature toggles (menus, actions, workflows) are controlled by permission groups. You can enable/disable capabilities per group for full operational control. For configuration details see creating a custom permission group.
System Roles vs Custom Permission Groups
Out of the box, the platform provides System Roles (e.g., Agent, CSR, Viewer, Administrator) which map to built‑in permission groups. These deliver a quick “happy path” for onboarding. When you need deeper customization, create a custom permission group to override or refine access rights beyond the defaults.
- System Roles: Pre-packaged, not editable, ideal for fast setup.
- Custom Permission Groups: Agency-defined collections of access rights. Start from a base group, then toggle individual rights (feature switches) to tailor access.
Typical Security Flow
- Create/assign offices and enable office-level isolation if branches must be private (see the guide on enforcing office-level isolation).
- Onboard agents using the closest system role (e.g., Agent, CSR).
- Create custom permission groups only where a role needs exceptions (tighten or expand rights).
- Enable agent data-scope restriction for roles handling sensitive or client-specific data (so they only manage what they own or are assigned).
- Periodically review feature toggles & group membership as your operational model evolves.
Key Benefits
- Granular control without overwhelming setup steps.
- Separation of branches/offices for compliance & confidentiality.
- Least-privilege alignment: agents can be limited to only their own workload.
- Fast onboarding with system roles; precision tailoring with custom groups.
Administration Location
Navigate to: Administration > Security > Permission Groups.
There you will see two sets of groups:
- System (read-only, shipped defaults)
- Agency (your custom groups)
When creating a custom group you will:
- Select members (agents) to immediately associate.
- Choose a base group (optional but recommended) to inherit a starting rights set.
- Toggle additional rights through feature switches (enable/disable actions, menus, modules).
- Save to apply new access rules instantly.
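The sketch below is an added illustration, not Taino's code: it models how the three security layers and a custom group built from a base group could combine into one access decision. All names, right strings, the check order and the rule that a disabled switch overrides an inherited right are assumptions.

```python
# Illustrative model only: names, right strings and check order are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    base: frozenset                    # rights inherited from the base group
    enabled: frozenset = frozenset()   # feature switches turned on
    disabled: frozenset = frozenset()  # feature switches turned off

    def effective(self):
        # Assumption: a disabled switch wins over an inherited or enabled right.
        return (self.base | self.enabled) - self.disabled

@dataclass(frozen=True)
class Agent:
    name: str
    office: str
    group: Group
    own_data_only: bool = False        # layer 2: agent data scope

@dataclass(frozen=True)
class Record:
    office: str
    associated: frozenset              # agents who created or were assigned to it

def can(agent, right, record, office_isolation=True):
    """Return (allowed, deciding_layer); every layer must pass."""
    if office_isolation and agent.office != record.office:
        return False, "office isolation"
    if agent.own_data_only and agent.name not in record.associated:
        return False, "agent data scope"
    if right not in agent.group.effective():
        return False, "feature permission"
    return True, "allowed"

# Constructed sample data, not taken from a real agency.
AGENT_BASE = frozenset({"customer.view", "policy.view", "policy.edit"})
RESTRICTED = Group(AGENT_BASE, enabled=frozenset({"task.create"}),
                   disabled=frozenset({"policy.edit"}))
alice = Agent("alice", "north", RESTRICTED, own_data_only=True)
bob = Agent("bob", "north", Group(AGENT_BASE))
RECORDS = {"own": Record("north", frozenset({"alice"})),
           "colleague": Record("north", frozenset({"bob"})),
           "other_office": Record("south", frozenset({"alice"}))}

def review(agent, right):
    """Access matrix for a periodic review of toggles and membership."""
    return {label: can(agent, right, rec) for label, rec in RECORDS.items()}

if __name__ == "__main__":
    for agent in (alice, bob):
        for right in ("policy.view", "policy.edit"):
            print(agent.name, right, review(agent, right))
```

Returning the deciding layer alongside the verdict makes it easier to explain, during a periodic review, why a given agent was denied.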
Next Steps
- Decide if office isolation is required for your structure.
- Audit which roles need custom tailoring.
- Draft initial custom groups (start from closest system role).
- Plan rollout & periodic review schedule.