2023:Permission Sets: Difference between revisions

Revision as of 11:38, 28 March 2023

A Permission Set is a property that allows you to restrict user access to repositories, pages, and certain activities. This helps eliminate the possibility of an unauthorized individual from editing or deleting information or Batches.

In this article we will show you how to add and update Permission Sets to access different areas of a repository in Grooper 2023.

‼	New Functionality in 2023: Not only can you now restrict access to certain areas of a repository, you can now restrict what actions individuals can take while working in Grooper!

About

There may be times where you do not want everyone to have full access to your Grooper repository. After putting in hours of work into customizing your repository design for your company needs, you do not necessarily want someone without training being able to edit your work.

You may have some employees that design the repository and you may have others that simply review the extracted data. Each employee working in Grooper may have different needs and require different restrictions. With Permission Sets you can customize who has access to which page of the Grooper repository.

A common Permission Sets configuration will add two sets of permissions:

Designer permissions
- Grooper admins and designers should be given full access to all pages, including Design.
- This will give this users full control to configure Grooper nodes in Design, as well as full rights to review Batches in the "Batches" and "Tasks" pages.
Reviewer permissions
- Grooper reviewers should have more limited access. Typically, they will only be given access to the "Batches" and/or "Tasks" pages and NEVER the "Design" page.
- This will allow reviewers to review Batches in the "Batches" and/or "Tasks" pages, but restrict their ability to configure Grooper nodes in "Design".

You can also restrict what actions an individual can take while working in Grooper. If you want to avoid someone accidentally deleting a Batch or clicking cut instead of copy, you can restrict those actions.

How To

Adding Permission Sets

There are two parts to configuring permission sets:

granting/restricting page access
granting/restricting object command permissions.

Page AccessObject Command Permissions

Page Access

The first part of configuring permission sets is configuring what groups can have access to which pages in Grooper. By default, everyone has access to every page in your repository. For example, if you would like users to only have access to the "Batches" and "Tasks" pages, we can do that here.

Open Grooper and click on the "Design" icon.
Make sure the repository root node is selected and click on the "Root" tab if not already selected. Click the ellipsis button at the end of the Permission Sets property.
Once the Permission Sets window opens, click the plus sign button in the top righthand corner to add a new Permission Set. On the right side of the window, you will have a set of options to choose from.
To the right of Name enter the name you wish to give to this permission set. In this example we are going to use the name "Reviewer". Click the ellipsis button to the right of the Applies To property.
In the window that pops up, search for the group you wish this permission set to apply to. If you want to assign Permission Sets to individual people, first click the person icon above "Description" to switch to a list of individuals rather than groups.
Double click the group or individual you want to assign to the Permission Set. You can add multiple at one time. Click "OK".
On the Permission Sets window, click the arrow to the left of the Page Access property to open up another set of properties. Add a check mark next to each item you wish the groups or individuals to have access to. Click "OK".
Now that we have restricted the pages we wish the "Users" group to have access to. Take a look at the next tab to learn how to restrict what "Users" can do in those pages. If you do not wish to edit permissions, just click "OK" on the Permissions Sets window and click the save icon.

⚠

Please note that any user browsing the web client has their permission sets cached for their current session. If you change their accessibility in the permission sets, they will not see those changes take place until they are logged out of the current session.

After saving your Permission Sets in the Grooper web client, it is best practice to recycle the Grooper app pool in IIS on the web server. This will force everyone to log out of their current session, eliminating potential security risks.

Object Command Permissions

You may want to restrict which commands a user can apply to an object in Grooper. For example, you may have a group of review users who are purely data entry clerks. A smaller group of review users may be charged with administrating Batches (deleting Batches, updating their Batch Processes when changes are published, or resetting completed steps). You can use the Permissions properties to allow the review admins to perform commands, like deleting a Batch, but prevent the data clerk reviewers from doing so.

This tutorial will show you how to remove a user's right to delete a Batch.

At the bottom of the properties list on the right, there are three sets of permissions you can apply to the selected Permission Set: Node Permissions Attachment Permissions Link Permissions
Click on the ellipsis button to the right of the property. For this example we are going to configure the Node Permissions.
In the window that pops up, you will see multiple options. Here we have three: Batch, Batch Folder, and Batch Page.
Select the type of permissions you wish to configure. In this example we are going to select Batch. On the right side of the window, click the arrow next to Command States to open the list of different individual permissions you can set. By default, all of the permissions are selected. If you wish to restrict permission to perform a specific action, just uncheck the box next to the action.
In this example, we are going to prevent anyone with the User permission set from deleting batches. Scroll through the Command States until you find the "Delete" command and uncheck the box to the right of the command. Click "OK" to save your work and close the window.
Click "OK" to close the Permission Sets window.
Click the save icon to save the configured Permission Sets.

⚠

Please note that any user browsing the web client has their permission sets cached for their current session. If you change their accessibility in the permission sets, they will not see those changes take place until they are logged out of the current session.

After saving your Permission Sets in the Grooper web client, it is best practice to recycle the Grooper app pool in IIS on the web server. This will force everyone to log out of their current session, eliminating potential security risks.

Click here to return to the top of the section

@@ Line 28: / Line 28: @@
-You can also restrict what actions an individual can take while working in Grooper. If you want to avoid someone accidentally deleting a batch or clicking cut instead of copy, you can restrict those actions.
+You can also restrict what actions an individual can take while working in Grooper. If you want to avoid someone accidentally deleting a '''Batch''' or clicking cut instead of copy, you can restrict those actions.
 == How To ==
@@ Line 59: / Line 59: @@
 |-
 |valign=top|
-#<li value=4> Once the '''''Permission Sets''''' window opens, click the plus sign button in the top righthand corner to add a new '''''permission set'''''.
+#<li value=4> Once the '''''Permission Sets''''' window opens, click the plus sign button in the top righthand corner to add a new '''''Permission Set'''''.
 # On the right side of the window, you will have a set of options to choose from.
 |
@@ Line 77: / Line 77: @@
 |-
 |valign=top|
-#<li value=10> Double click the group or individual you want to assign to the permission set. You can add multiple at one time.
+#<li value=10> Double click the group or individual you want to assign to the '''''Permission Set'''''. You can add multiple at one time.
 # Click "OK".
 |
@@ Line 90: / Line 90: @@
 |-
 |valign=top|
-#<li value=15>Now that we have restricted the pages we wish the "Users" group to have access to, take a look at the next tab to learn how to restrict what "Users" can do in those pages. If you do not wish to edit permissions, just click "OK" on the '''''Permissions Sets''''' window and click the save icon.
+#<li value=15>Now that we have restricted the pages we wish the "Users" group to have access to. Take a look at the next tab to learn how to restrict what "Users" can do in those pages. If you do not wish to edit permissions, just click "OK" on the '''''Permissions Sets''''' window and click the save icon.
 |
 [[File:2023-Permission Sets - Creation 15.png]]
@@ Line 102: / Line 102: @@
 Please note that any user browsing the web client has their permission sets cached for their current session. If you change their accessibility in the permission sets, they will not see those changes take place until they are logged out of the current session.
-After saving your '''''Permission Sets''''' in the Grooper web client, as best practice to eliminate any security risks by recycling the app pool in IIS. This will force them to log out of their current session.
+After saving your '''''Permission Sets''''' in the Grooper web client, it is best practice to recycle the Grooper app pool in IIS on the web server. This will force everyone to log out of their current session, eliminating potential security risks.
 |}
@@ Line 110: / Line 110: @@
 ====Object Command Permissions====
+You may want to restrict which commands a user can apply to an object in Grooper.  For example, you may have a group of review users who are purely data entry clerks.  A smaller group of review users may be charged with administrating '''Batches''' (deleting '''Batches''', updating their '''Batch Processes''' when changes are published, or resetting completed steps).  You can use the '''''Permissions''''' properties to allow the review admins to perform commands, like deleting a '''Batch''', but prevent the data clerk reviewers from doing so.
+This tutorial will show you how to remove a user's right to delete a '''Batch'''.
 {|cellpadding=10 cellspacing=5
@@ Line 118: / Line 122: @@
 #* '''''Attachment Permissions'''''
 #* '''''Link Permissions'''''
-You may want to restrict which commands a user can apply to an object in Grooper.  For example, you may have a group of review users who are purely data entry clerks.  A smaller group of review users may be charged with administrating Batches (deleting '''Batches''', updating their '''Batch Processes''' when changes are published, or resetting completed steps).  You can use the '''''Permissions''''' properties to allow the review admins to perform commands, like deleting a '''Batch''', but prevent the data clerk reviewers from doing so.
-This tutorial will show you how to remove a user's right to delete a '''Batch'''.
 |
 [[File:2023-Permission Sets - Permissions Tab 01.png]]
@@ Line 166: / Line 166: @@
 Please note that any user browsing the web client has their permission sets cached for their current session. If you change their accessibility in the permission sets, they will not see those changes take place until they are logged out of the current session.
-After saving your '''''Permission Sets''''' in the Grooper web client, it is best practice to recycle the Grooper app pool in IIS on the web server.  This will force them to log out of their current session, eliminating potential security risks.
+After saving your '''''Permission Sets''''' in the Grooper web client, it is best practice to recycle the Grooper app pool in IIS on the web server.  This will force everyone to log out of their current session, eliminating potential security risks.
 |}