2023:Permission Sets

From Grooper Wiki

This article is about an older version of Grooper.

Information may be out of date and UI elements may have changed.

20252023

Permission Sets define security permissions in a Grooper Repository for a user or group. This allows you to restrict user access to specified Grooper pages (such as the Design Page) and Grooper Commands.

  • "Permission Set" is the embedded object that defines security principles. They are added to a Grooper Repository and configured using the "Permission Sets" property found on the database Root node.

In this article we will show you how to add and update Permission Sets to access different areas of a repository in Grooper 2023.

!!

New Functionality in 2023: Not only can you now restrict access to certain areas of a repository, you can now restrict what actions individuals can take while working in Grooper!

Glossary

Batch Folder: The folder Batch Folder is an organizational unit within a inventory_2 Batch, allowing for a structured approach to managing and processing a collection of documents. Batch Folder nodes serve two purposes in a Batch. (1) Primarily, they represent "documents" in Grooper. (2) They can also serve more generally as folders, holding other Batch Folders and/or contract Batch Page nodes as children.

  • Batch Folders are frequently referred to simply as "documents" or "folders" depending on how they are used in the Batch.

Batch Process: settings Batch Process nodes are crucial components in Grooper's architecture. A Batch Process is the step-by-step processing instructions given to a inventory_2 Batch. Each step is comprised of a "Code Activity" or a Review activity. Code Activities are automated by Activity Processing services. Review activities are executed by human operators in the Grooper user interface.

  • Batch Processes by themselves do nothing. Instead, they execute edit_document Batch Process Steps which are added as children nodes.
  • A Batch Process is often referred to as simply a "process".

Batch: inventory_2 Batch nodes are fundamental in Grooper's architecture. They are containers of documents that are moved through workflow mechanisms called settings Batch Processes. Documents and their pages are represented in Batches by a hierarchy of folder Batch Folders and contract Batch Pages.

Permission Sets: Permission Sets define security permissions in a Grooper Repository for a user or group. This allows you to restrict user access to specified Grooper pages (such as the Design Page) and Grooper Commands.

  • "Permission Set" is the embedded object that defines security principles. They are added to a Grooper Repository and configured using the "Permission Sets" property found on the database Root node.

Review Queue: person_play Review Queues help organize and filter human-performed Review activity tasks. User groups are assigned to each Review Queue, which is then set either on a settings Batch Process or a Review step. Based on a user's membership in Review Queues, this will affect how inventory_2 Batches are distributed in the Batches page and how Review tasks are distributed in the Tasks page.

Review: person_search Review is an Activity that allows user attended review of Grooper's results. This allows human operators to validate processed contract Batch Page and folder Batch Folder content using specialized user interfaces called "Viewers". Different kinds of Viewers assist users in reviewing Grooper's image processing, document classification, data extraction and operating document scanners.

Root: The Grooper database Root node is the topmost element of the Grooper Repository. All other nodes in a Grooper Repository are its children/descendants. The Grooper Root also stores several settings that apply to the Grooper Repository, including the license serial number or license service URL and Repository Options.

About

There may be times where you do not want everyone to have full access to your Grooper repository. After putting in hours of work into customizing your repository design for your company needs, you do not necessarily want someone without training being able to edit your work.

You may have some employees that design the repository and you may have others that simply review the extracted data. Each employee working in Grooper may have different needs and require different restrictions. With Permission Sets you can customize who has access to which page of the Grooper repository.


A common Permission Sets configuration will add two sets of permissions:

  1. Designer permissions
    • Grooper admins and designers should be given full access to all pages, including Design.
    • This will give this users full control to configure Grooper nodes in Design, as well as full rights to review Batches in the "Batches" and "Tasks" pages.
  2. Reviewer permissions
    • Grooper reviewers should have more limited access. Typically, they will only be given access to the "Batches" and/or "Tasks" pages and NEVER the "Design" page.
    • This will allow reviewers to review Batches in the "Batches" and/or "Tasks" pages, but restrict their ability to configure Grooper nodes in "Design".


You can also restrict what actions an individual can take while working in Grooper. If you want to avoid someone accidentally deleting a Batch or clicking cut instead of copy, you can restrict those actions.

FYI

While Permission Sets restrict access to pages, they do not help in controlling work flow. Review Queues are a workflow mechanism designed to funnel users Batches and Review tasks using Windows ACL definitions. Permission Sets and Review Queues often work together to limit what users can access. Click here for more on Review Queues.

How To

Adding Permission Sets

There are two parts to configuring permission sets:

  • granting/restricting page access
  • granting/restricting object command permissions.

Page Access

The first part of configuring permission sets is configuring what groups can have access to which pages in Grooper. By default, everyone has access to every page in your repository. For example, if you would like users to only have access to the "Batches" and "Tasks" pages, we can do that here.

  1. Open Grooper and click on the "Design" icon.

  2. Make sure the repository root node is selected and click on the "Root" tab if not already selected.
  3. Click the ellipsis button at the end of the Permission Sets property.

  2. Once the Permission Sets window opens, click the plus sign button in the top righthand corner to add a new Permission Set.
  3. On the right side of the window, you will have a set of options to choose from.

  2. To the right of Name enter the name you wish to give to this permission set. In this example we are going to use the name "Reviewer".
  3. Click the ellipsis button to the right of the Applies To property.

  2. In the window that pops up, search for the group you wish this permission set to apply to.
  3. If you want to assign Permission Sets to individual people, first click the person icon above "Description" to switch to a list of individuals rather than groups.

  2. Double click the group or individual you want to assign to the Permission Set. You can add multiple at one time.
  3. Click "OK".

  2. On the Permission Sets window, click the arrow to the left of the Page Access property to open up another set of properties.
  3. Add a check mark next to each item you wish the groups or individuals to have access to.
  4. Click "OK".

  2. Now that we have restricted the pages we wish the "Users" group to have access to. Take a look at the next tab to learn how to restrict what "Users" can do in those pages. If you do not wish to edit permissions, just click "OK" on the Permissions Sets window and click the save icon.


Please note that any user browsing the web client has their permission sets cached for their current session. If you change their accessibility in the permission sets, they will not see those changes take place until they are logged out of the current session.

After saving your Permission Sets in the Grooper web client, it is best practice to recycle the Grooper app pool in IIS on the web server. This will force everyone to log out of their current session, eliminating potential security risks.

Object Command Permissions

You may want to restrict which commands a user can apply to an object in Grooper. For example, you may have a group of review users who are purely data entry clerks. A smaller group of review users may be charged with administrating Batches (deleting Batches, updating their Batch Processes when changes are published, or resetting completed steps). You can use the Permissions properties to allow the review admins to perform commands, like deleting a Batch, but prevent the data clerk reviewers from doing so.

This tutorial will show you how to remove a user's right to delete a Batch.

  1. At the bottom of the properties list on the right, there are three sets of permissions you can apply to the selected Permission Set:
    • Node Permissions
    • Attachment Permissions
    • Link Permissions

  2. Click on the ellipsis button to the right of the property. For this example we are going to configure the Node Permissions.

  2. In the window that pops up, you will see multiple options. Here we have three: Batch, Batch Folder, and Batch Page.

  2. Select the type of permissions you wish to configure. In this example we are going to select Batch.
  3. On the right side of the window, click the arrow next to Command States to open the list of different individual permissions you can set.
    • By default, all of the permissions are selected. If you wish to restrict permission to perform a specific action, just uncheck the box next to the action.

  2. In this example, we are going to prevent anyone with the User permission set from deleting batches. Scroll through the Command States until you find the "Delete" command and uncheck the box to the right of the command.
  3. Click "OK" to save your work and close the window.

  2. Click "OK" to close the Permission Sets window.

  2. Click the save icon to save the configured Permission Sets.


Please note that any user browsing the web client has their permission sets cached for their current session. If you change their accessibility in the permission sets, they will not see those changes take place until they are logged out of the current session.

After saving your Permission Sets in the Grooper web client, it is best practice to recycle the Grooper app pool in IIS on the web server. This will force everyone to log out of their current session, eliminating potential security risks.

Click here to return to the top of the section
Retrieved from "https://wiki.grooper.com/index.php?title=2023:Permission_Sets&oldid=22822"