Users log into Intuit’s secure servers using an email address and password. While we’re on the subject of security, there’s one small drawback: the password is not case-sensitive and is therefore not considered a strong password.
A QuickBooks Attached Documents subscription is managed by a Company Administrator, the sole pre-defined role supported by the service. A user with the role of Company Administrator can:
- Edit the business profile
- Add other Attached Documents subscriptions
- Update the current subscription
Here’s a screenshot of the screen to add a new user, which shows the range of security settings. After a user is added, security settings can be modified by clicking on the Manage Users button in the upper right of the browser screen, followed by editing a specific user. You can only manage users from a browser-based interface, not from within QuickBooks itself. The Setup and Manage Users menu selection will only open browser access to Attached Documents.
The service supports 4 levels of application permissions:
- Administrator: can perform all functions and manage users
- Full Access: can perform all functions but cannot manage users
- View Only: can view any attachment in any area but cannot add new attachments and cannot modify or delete existing documents
- Custom Access: controlled access across 8 functional areas
Necessarily, the user with the role of Company Administrator must have Administrator application permissions, but other users can have Administrator application permissions as well. While those users will have powerful capabilities, they won’t have the powers specific to the role of Company Administrator, such as editing the company profile.
The Custom Access permission is used to control access to documents in functional areas of QuickBooks. Custom Access supports 8 functional areas:
- Sales and Accounts Receivable
- Purchases and Accounts Payable
- Checking and Credit Cards
- Time Tracking
- Payroll and Employees
- Inventory
- Sensitive Accounting Activities
- Company Documents
Within these 8 areas, there are 4 capabilities:
- Add: this is a global permission; if a user can add an attached document, he can add it to any area
- View: this permission allows a user to look at but not modify or delete a document
- Modify: this permission necessarily includes the View permission
- Delete: this permission is only available to a user with Modify permissions in the same area
Users assigned a Custom Access level can make use of their capabilities (i.e., Add, View, Modify, or Delete) on lists and transactions associated with that area of accounting. A user can be assigned to more than one area, a necessity in a small firm that still wants to set some restrictions on document access.
Before examining how Custom Access applies in specific areas, it’s important to understand how access to files in the Document Inbox is controlled. Any user with View permission in any area can see all unattached documents in the Document Inbox. Custom Access can’t take effect until after a document is attached and put into a specific area. Therefore, for documents requiring controlled access, care must be taken to start the upload process by attaching them from within QuickBooks. If you elect to upload a document to the Document Inbox and attach it later, it is viewable by any user with View permissions until it is attached to a list item or transaction.
8 Functional Areas
Let’s review which lists and transactions are associated with specific areas. Note that a list or transaction type can appear in more than 1 area. For example, the Other Names list appears in both the Sales and Accounts Receivable and the Purchases and Accounts Payable areas.
Sales and Accounts Receivable: Customers, Other Names, Fixed Asset Item List, Estimates, Sales Orders, Invoices, Sales Receipts, Credit Memos, and Payments.
Purchases and Accounts Payable: Vendors, Other Names, Fixed Asset Items, Bills, Bill Credits, Bill Payments, Credit Card charges, Credit Card credits, and Purchase Orders. Note that Checks – which represent a different transaction type – cannot be seen unless the user has View permissions in the area of Checking and Credit Cards.
Checking and Credit Cards: Vendors, Other Names, Fixed Asset Items, Checks, Deposits, Credit Card charges, and Credit Card credits. Note that users with View permission can see documents attached to transactions in bank or credit card accounts but cannot see documents attached to the bank or credit card accounts themselves. Note also that Transfers are not included in this area.
Time Tracking: Other Names and Timers.
Payroll and Employees: Employees, Other Names, Paychecks, Payroll Liability Checks, Liability Adjustments, and Year-To-Date Adjustments.
Inventory: Items, Vendors, Other Names, Fixed Asset Items, Bills, Bill Credits, Bill Payments, Purchase Orders, Item Receipts, Inventory Adjustments, and Build Assemblies.
Sensitive Accounting Activities: Accounts, Journal entries, and Transfers. Note that users with View permission can see documents attached to general ledger Accounts, but to also see documents attached to transactions in a particular area, View permission for that area is required. For example, to view a document attached to a Check, a user must have View permissions in the Checking and Credit Cards area.
Company Documents: Documents attached to the company file itself via the Company Information window.
This last area is not an accounting function similar to managing A/R or A/P. Instead, it includes more general corporate documents that are connected to accounting and recordkeeping. Documents here include those attached to the Company Information via the Company->Company Information… menu selection. A screenshot of this point of attachment is shown below. Examples of documents that might be attached here include corporate organization documents such as articles of incorporation, bylaws, or meeting minutes.
A few examples of applying security in QuickBooks Attached Documents will illustrate the power and flexibility of this security model. First, consider the need to upload bank statements but to restrict access to selected individuals. Bank statements attached to the Account are only viewable by users with access to Sensitive Accounting Activities, so the specific bank account to which the statement applies is the best point of attachment. We don’t recommend bank statements be attached to other list entities, such as Other Names, because documents attached to those lists are accessible to other areas.
Next, consider the need to upload payroll tax forms. If every user requiring access to the payroll tax forms will also have access to the Sensitive Accounting Activities area, one good point of attachment might be the liability account to which the tax form relates. Another approach might be to treat these forms as Company Documents, and attach them to the Company Information. A workable but slightly less desirable method would be to create employees representing the tax agency as placeholders and attach tax forms to the relevant placeholder employee. However, even though a tax form is often accompanied by a payment to a Vendor, we don’t recommend attaching a tax form to a Vendor because documents attached to that list item would be accessible to other areas, such as Purchases and Accounts Payable.
Both of these examples illustrate an important concept in making use of security in Attached Documents. Start by attaching a document to an area with the greatest restrictions and only attach it to other areas as required. If you attach a document to areas that include lists or transaction types that overlap, you may end up making the document available to a wider audience than you originally intended.
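The overlap between areas can be checked before choosing a point of attachment. The sketch below is an added example, not part of the original article or of Intuit's software: it transcribes the area lists above into a lookup and computes who can see a document at a given attachment point. The user records, the `INBOX` marker and the function names are constructed for illustration.

```python
# Attachment points per functional area, transcribed from the article's area
# descriptions ("Fixed Asset Item List" normalised to "Fixed Asset Items").
AREAS = {
    "Sales and Accounts Receivable": {"Customers", "Other Names", "Fixed Asset Items",
        "Estimates", "Sales Orders", "Invoices", "Sales Receipts", "Credit Memos", "Payments"},
    "Purchases and Accounts Payable": {"Vendors", "Other Names", "Fixed Asset Items", "Bills",
        "Bill Credits", "Bill Payments", "Credit Card Charges", "Credit Card Credits", "Purchase Orders"},
    "Checking and Credit Cards": {"Vendors", "Other Names", "Fixed Asset Items", "Checks",
        "Deposits", "Credit Card Charges", "Credit Card Credits"},
    "Time Tracking": {"Other Names", "Timers"},
    "Payroll and Employees": {"Employees", "Other Names", "Paychecks", "Payroll Liability Checks",
        "Liability Adjustments", "Year-To-Date Adjustments"},
    "Inventory": {"Items", "Vendors", "Other Names", "Fixed Asset Items", "Bills", "Bill Credits",
        "Bill Payments", "Purchase Orders", "Item Receipts", "Inventory Adjustments", "Build Assemblies"},
    "Sensitive Accounting Activities": {"Accounts", "Journal Entries", "Transfers"},
    "Company Documents": {"Company Information"},
}
GLOBAL_VIEW_LEVELS = {"Administrator", "Full Access", "View Only"}
INBOX = None  # hypothetical marker for an unattached document in the Document Inbox

def areas_exposing(point):
    """Areas whose View permission reveals a document attached to `point`."""
    return sorted(area for area, points in AREAS.items() if point in points)

def can_view(user, point):
    """`user` is a constructed dict: {"level": ..., "view": areas with View or Modify}."""
    if user["level"] in GLOBAL_VIEW_LEVELS:
        return True
    if point is INBOX:  # unattached: View in any one area is enough
        return bool(user["view"])
    return bool(user["view"] & set(areas_exposing(point)))

def audience(users, point):
    """Names of the users who can see a document at this attachment point."""
    return sorted(name for name, user in users.items() if can_view(user, point))

# Constructed sample users, not taken from the article.
USERS = {
    "ar_clerk": {"level": "Custom Access", "view": {"Sales and Accounts Receivable"}},
    "timekeeper": {"level": "Custom Access", "view": {"Time Tracking"}},
    "controller": {"level": "Custom Access", "view": {"Sensitive Accounting Activities"}},
    "auditor": {"level": "View Only", "view": set()},
}

if __name__ == "__main__":
    for point in ("Accounts", "Other Names", "Vendors", INBOX):
        label = "Document Inbox" if point is INBOX else point
        print(f"{label}: areas={areas_exposing(point)} audience={audience(USERS, point)}")
```

Run against these sample users, a bank statement attached to an Account reaches only the controller and the View Only auditor, while the same file attached to Other Names or left in the Document Inbox also reaches the A/R clerk and the timekeeper.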