2023:Permission Sets: Difference between revisions

From Grooper Wiki
← Older edit
No edit summary
m Dgreenwood moved page 2023:Permission Sets (Property) to 2023:Permission Sets without leaving a redirect
 
(37 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{|cellpadding=10 cellspacing=5 style="margin:12px"
{{AutoVersion}}
|-style="background-color:#ed2330; color:white"
 
|style="font-size:14pt"|'''WIP'''
<blockquote>{{#lst:Glossary|Permission Sets}}</blockquote>
 
In this article we will show you how to add and update '''''Permission Sets''''' to access different areas of a repository in Grooper 2023.
 
{|class="important-box"
|
'''!!'''
|
|
This article is a work-in-progress or created as a placeholder for testing purposes.  This article is subject to change and/or expansion. It may be incomplete, inaccurate, or stop abruptly.
'''New Functionality in 2023''': Not only can you now restrict access to certain areas of a repository, you can now restrict what actions individuals can take while working in Grooper!
|}
 
==About==
There may be times where you do not want everyone to have full access to your Grooper repository. After putting in hours of work into customizing your repository design for your company needs, you do not necessarily want someone without training being able to edit your work.  


This tag will be removed upon draft completion.
You may have some employees that design the repository and you may have others that simply review the extracted data. Each employee working in Grooper may have different needs and require different restrictions. With '''''Permission Sets''''' you can customize who has access to which page of the Grooper repository.
 
 
A common '''''Permission Sets''''' configuration will add two sets of permissions:
# Designer permissions
#* Grooper admins and designers should be given full access to all pages, including Design. 
#* This will give this users full control to configure Grooper nodes in Design, as well as full rights to review '''Batches''' in the "Batches" and "Tasks" pages.
# Reviewer permissions
#* Grooper reviewers should have more limited access.  Typically, they will only be given access to the "Batches" and/or "Tasks" pages and NEVER the "Design" page.
#* This will allow reviewers to review '''Batches''' in the "Batches" and/or "Tasks" pages, but restrict their ability to configure Grooper nodes in "Design".
 
 
You can also restrict what actions an individual can take while working in Grooper. If you want to avoid someone accidentally deleting a '''Batch''' or clicking cut instead of copy, you can restrict those actions.
 
{|class="fyi-box"
|
'''FYI'''
|
While '''''Permission Sets''''' restrict access to pages, they do not help in controlling work flow. '''Review Queues''' are a workflow mechanism designed to funnel users '''Batches''' and '''Review''' tasks using Windows ACL definitions. '''''Permission Sets''''' and '''Review Queues''' often work together to limit what users can access. Click [[Review Queue - 2023|here]] for more on '''Review Queues'''.  
|}
|}


<blockquote style="font-size: 16pt">Add Permission Sets to Grooper 2023</blockquote>
== How To ==
 
===Adding Permission Sets===
 
There are two parts to configuring permission sets:
* granting/restricting page access
* granting/restricting object command permissions.
** '''''BE AWARE:''''' Object command permissions (defined by the set of '''''Permissions''''' properties) are ''only'' implemented for the Grooper web client.  Adjusting these settings will have ''no'' effect in the Grooper thick client applications.


In this article we will show you how to add and update permission sets to access different areas of a repository in Grooper 2023.
<tabs style="margin:20px">


==About==
<tab name="Page Access" style="margin:20px">


There may be times where you do not want everyone to have full access to your Grooper repository. After putting in hours of work into customizing your repository design for your company needs, you do not necessarily want someone without training being able to edit your work.
====Page Access====


You may have some employees that design the repository and you may have others that simply review the extracted data. Each employee that works with Grooper may have different needs and require different restrictions. With permission sets you can customize who has access to which part of the repository you are working on.  
The first part of configuring permission sets is configuring what groups can have access to which pages in Grooper. By default, everyone has access to every page in your repository. For example, if you would like users to only have access to the "Batches" and "Tasks" pages, we can do that here.  


====Adding Permission Sets====
{|cellpadding=10 cellspacing=5
{|cellpadding=10 cellspacing=5
|style="width:40%" valign=top|
|style="width:40%" valign=top|
Line 32: Line 66:
|-
|-
|valign=top|
|valign=top|
#<li value=4> Once the '''''Permission Sets''''' window opens, click the plus sign button in the top righthand corner to add a new '''''permission set'''''.  
#<li value=4> Once the '''''Permission Sets''''' window opens, click the plus sign button in the top righthand corner to add a new '''''Permission Set'''''.  
# On the right side of the window, you will have a set of options to choose from.  
# On the right side of the window, you will have a set of options to choose from.  
|
|
Line 45: Line 79:
|valign=top|
|valign=top|
#<li value=8> In the window that pops up, search for the group you wish this permission set to apply to.
#<li value=8> In the window that pops up, search for the group you wish this permission set to apply to.
# If you want to assign permission sets to individual people, first click the person icon above "Description" to switch to a list of individuals rather than groups.  
# If you want to assign '''''Permission Sets''''' to individual people, first click the person icon above "Description" to switch to a list of individuals rather than groups.  
|
|
[[File:2023-Permission Sets - Creation 05.png]]
[[File:2023-Permission Sets - Creation 05.png]]
|-
|-
|valign=top|
|valign=top|
#<li value=10> Double click the group or individual you want to assign to the permission set. You can add multiple at one time.  
#<li value=10> Double click the group or individual you want to assign to the '''''Permission Set'''''. You can add multiple at one time.  
# Click "OK".  
# Click "OK".  
|
|
Line 63: Line 97:
|-
|-
|valign=top|
|valign=top|
#<li value=15>Now that we have restricted the pages we wish the "Users" group to have access to. Take a look at the next tab to learn how to restrict what "Users" can do in those pages. If you do not wish to edit permissions, just click "OK" on the '''''Permissions Sets''''' window and click the save icon.
|
[[File:2023-Permission Sets - Creation 15.png]]
|}
{|class="attn-box"
|
&#9888;
|
Please note that any user browsing the web client has their permission sets cached for their current session. If you change their accessibility in the permission sets, they will not see those changes take place until they are logged out of the current session.
After saving your '''''Permission Sets''''' in the Grooper web client, it is best practice to recycle the Grooper app pool in IIS on the web server. This will force everyone to log out of their current session, eliminating potential security risks.
|}
</tab>
<tab name="Object Command Permissions" style="margin:20px">
====Object Command Permissions====
You may want to restrict which commands a user can apply to an object in Grooper.  For example, you may have a group of review users who are purely data entry clerks.  A smaller group of review users may be charged with administrating '''Batches''' (deleting '''Batches''', updating their '''Batch Processes''' when changes are published, or resetting completed steps).  You can use the '''''Permissions''''' properties to allow the review admins to perform commands, like deleting a '''Batch''', but prevent the data clerk reviewers from doing so. 
This tutorial will show you how to remove a user's right to delete a '''Batch'''.
{|cellpadding=10 cellspacing=5
|style="width:40%" valign=top|
# At the bottom of the properties list on the right, there are three sets of permissions you can apply to the selected Permission Set:
# At the bottom of the properties list on the right, there are three sets of permissions you can apply to the selected Permission Set:
#* '''''Node Permissions'''''
#* '''''Node Permissions'''''
#* '''''Attachment Permissions'''''
#* '''''Attachment Permissions'''''
#* '''''Link Permissions'''''
#* '''''Link Permissions'''''
# Click on the ellipsis button to the right of the property. For this example we are going to configure the '''''Node Permissions'''''.  
|
# In the window that pops up, you will see multiple options. Here we have three: '''''Batch''''', '''''Batch Folder''''', and '''''Batch Page'''''.  
[[File:2023-Permission Sets - Permissions Tab 01.png]]
# Select the type of permissions you wish to configure. In this example we are going to select '''''Batch'''''.
|-
|valign=top|
#<li value=2> Click on the ellipsis button to the right of the property. For this example we are going to configure the '''''Node Permissions'''''.  
|
[[File:2023-Permission Sets - Permissions Tab 02.png]]
|-
|valign=top|
#<li value=3> In the window that pops up, you will see multiple options. Here we have three: '''''Batch''''', '''''Batch Folder''''', and '''''Batch Page'''''.  
|
[[File:2023-Permission Sets - Permissions Tab 03.png]]
|-
|valign=top|
#<li value=4> Select the type of permissions you wish to configure. In this example we are going to select '''''Batch'''''.
# On the right side of the window, click the arrow next to '''''Command States''''' to open the list of different individual permissions you can set.  
# On the right side of the window, click the arrow next to '''''Command States''''' to open the list of different individual permissions you can set.  
#* By default, all of the permissions are selected. If you wish to restrict permission to perform a specific action, just uncheck the box next to the action.  
#* By default, all of the permissions are selected. If you wish to restrict permission to perform a specific action, just uncheck the box next to the action.  
# In this example, we are going to prevent anyone with the User permission set from deleting batches. First select the "Batch" type, then scroll through the ''''''Command States''''' until you find the "Delete" command.
|
# Uncheck the box to the right of the command.  
[[File:2023-Permission Sets - Permissions Tab 04.png]]
|-
|valign=top|
#<li value=6> In this example, we are going to prevent anyone with the User permission set from deleting batches. Scroll through the '''''Command States''''' until you find the "Delete" command and uncheck the box to the right of the command.  
# Click "OK" to save your work and close the window.  
# Click "OK" to save your work and close the window.  
# Feel free to go through all of the different permissions and select or deselect whatever permissions you would like to customize.
|
|
[[File:2023-Permission Sets - Creation 08.png]]
[[File:2023-Permission Sets - Permissions Tab 05.png]]
|-
|valign=top|
#<li value=8> Click "OK" to close the '''''Permission Sets''''' window.
|
[[File:2023-Permission Sets - Permissions Tab 06.png]]
|-
|-
|valign=top|
|valign=top|
# Once your permissions are set, click the save icon to save the configured '''''Permission Set'''''.
#<li value=9> Click the save icon to save the configured '''''Permission Sets'''''.
|
[[File:2023-Permission Sets - Permissions Tab 07.png]]
|}
|}
{|class="attn-box"
|
&#9888;
|
Please note that any user browsing the web client has their permission sets cached for their current session. If you change their accessibility in the permission sets, they will not see those changes take place until they are logged out of the current session.
After saving your '''''Permission Sets''''' in the Grooper web client, it is best practice to recycle the Grooper app pool in IIS on the web server.  This will force everyone to log out of their current session, eliminating potential security risks.
|}
</tab>
:[[#Adding Permission Sets|Click here to return to the top of the section]]
</tabs>

Latest revision as of 12:34, 9 September 2025

This article is about an older version of Grooper.

Information may be out of date and UI elements may have changed.

20252023

Permission Sets define security permissions in a Grooper Repository for a user or group. This allows you to restrict user access to specified Grooper pages (such as the Design Page) and Grooper Commands.

  • "Permission Set" is the embedded object that defines security principles. They are added to a Grooper Repository and configured using the "Permission Sets" property found on the database Root node.

In this article we will show you how to add and update Permission Sets to access different areas of a repository in Grooper 2023.

!!

New Functionality in 2023: Not only can you now restrict access to certain areas of a repository, you can now restrict what actions individuals can take while working in Grooper!

About

There may be times where you do not want everyone to have full access to your Grooper repository. After putting in hours of work into customizing your repository design for your company needs, you do not necessarily want someone without training being able to edit your work.

You may have some employees that design the repository and you may have others that simply review the extracted data. Each employee working in Grooper may have different needs and require different restrictions. With Permission Sets you can customize who has access to which page of the Grooper repository.


A common Permission Sets configuration will add two sets of permissions:

  1. Designer permissions
    • Grooper admins and designers should be given full access to all pages, including Design.
    • This will give this users full control to configure Grooper nodes in Design, as well as full rights to review Batches in the "Batches" and "Tasks" pages.
  2. Reviewer permissions
    • Grooper reviewers should have more limited access. Typically, they will only be given access to the "Batches" and/or "Tasks" pages and NEVER the "Design" page.
    • This will allow reviewers to review Batches in the "Batches" and/or "Tasks" pages, but restrict their ability to configure Grooper nodes in "Design".


You can also restrict what actions an individual can take while working in Grooper. If you want to avoid someone accidentally deleting a Batch or clicking cut instead of copy, you can restrict those actions.

FYI

While Permission Sets restrict access to pages, they do not help in controlling work flow. Review Queues are a workflow mechanism designed to funnel users Batches and Review tasks using Windows ACL definitions. Permission Sets and Review Queues often work together to limit what users can access. Click here for more on Review Queues.

How To

Adding Permission Sets

There are two parts to configuring permission sets:

  • granting/restricting page access
  • granting/restricting object command permissions.
    • BE AWARE: Object command permissions (defined by the set of Permissions properties) are only implemented for the Grooper web client. Adjusting these settings will have no effect in the Grooper thick client applications.

Page Access

The first part of configuring permission sets is configuring what groups can have access to which pages in Grooper. By default, everyone has access to every page in your repository. For example, if you would like users to only have access to the "Batches" and "Tasks" pages, we can do that here.

  1. Open Grooper and click on the "Design" icon.

  2. Make sure the repository root node is selected and click on the "Root" tab if not already selected.
  3. Click the ellipsis button at the end of the Permission Sets property.

  2. Once the Permission Sets window opens, click the plus sign button in the top righthand corner to add a new Permission Set.
  3. On the right side of the window, you will have a set of options to choose from.

  2. To the right of Name enter the name you wish to give to this permission set. In this example we are going to use the name "Reviewer".
  3. Click the ellipsis button to the right of the Applies To property.

  2. In the window that pops up, search for the group you wish this permission set to apply to.
  3. If you want to assign Permission Sets to individual people, first click the person icon above "Description" to switch to a list of individuals rather than groups.

  2. Double click the group or individual you want to assign to the Permission Set. You can add multiple at one time.
  3. Click "OK".

  2. On the Permission Sets window, click the arrow to the left of the Page Access property to open up another set of properties.
  3. Add a check mark next to each item you wish the groups or individuals to have access to.
  4. Click "OK".

  2. Now that we have restricted the pages we wish the "Users" group to have access to. Take a look at the next tab to learn how to restrict what "Users" can do in those pages. If you do not wish to edit permissions, just click "OK" on the Permissions Sets window and click the save icon.


Please note that any user browsing the web client has their permission sets cached for their current session. If you change their accessibility in the permission sets, they will not see those changes take place until they are logged out of the current session.

After saving your Permission Sets in the Grooper web client, it is best practice to recycle the Grooper app pool in IIS on the web server. This will force everyone to log out of their current session, eliminating potential security risks.

Object Command Permissions

You may want to restrict which commands a user can apply to an object in Grooper. For example, you may have a group of review users who are purely data entry clerks. A smaller group of review users may be charged with administrating Batches (deleting Batches, updating their Batch Processes when changes are published, or resetting completed steps). You can use the Permissions properties to allow the review admins to perform commands, like deleting a Batch, but prevent the data clerk reviewers from doing so.

This tutorial will show you how to remove a user's right to delete a Batch.

  1. At the bottom of the properties list on the right, there are three sets of permissions you can apply to the selected Permission Set:
    • Node Permissions
    • Attachment Permissions
    • Link Permissions

  2. Click on the ellipsis button to the right of the property. For this example we are going to configure the Node Permissions.

  2. In the window that pops up, you will see multiple options. Here we have three: Batch, Batch Folder, and Batch Page.

  2. Select the type of permissions you wish to configure. In this example we are going to select Batch.
  3. On the right side of the window, click the arrow next to Command States to open the list of different individual permissions you can set.
    • By default, all of the permissions are selected. If you wish to restrict permission to perform a specific action, just uncheck the box next to the action.

  2. In this example, we are going to prevent anyone with the User permission set from deleting batches. Scroll through the Command States until you find the "Delete" command and uncheck the box to the right of the command.
  3. Click "OK" to save your work and close the window.

  2. Click "OK" to close the Permission Sets window.

  2. Click the save icon to save the configured Permission Sets.


Please note that any user browsing the web client has their permission sets cached for their current session. If you change their accessibility in the permission sets, they will not see those changes take place until they are logged out of the current session.

After saving your Permission Sets in the Grooper web client, it is best practice to recycle the Grooper app pool in IIS on the web server. This will force everyone to log out of their current session, eliminating potential security risks.

Click here to return to the top of the section
Retrieved from "https://wiki.grooper.com/index.php?title=2023:Permission_Sets&oldid=30921"