You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/modules/admin/pages/permission_groups.adoc
+28-20Lines changed: 28 additions & 20 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,8 +2,8 @@
2
2
:toc:
3
3
4
4
A permission group is a set of permissions that is assigned to each user's account. With the number of permissions that are available in Evergreen, it would be very difficult to manage them individually; permission groups provide a more efficient and consistent way to organize and assign permissions.
5
-
The permission group assigned to a user determines what specific functions they can perform in the public catalog and in the staff client. For example, patrons have a small set of permissions that allow them to log in to the public catalog, place holds, and update their account preferences.
6
-
Staff permission groups are generally more extensive and complex, as they determine each specific function staff can perform their work in the staff client.
5
+
6
+
The permission group assigned to a user determines what specific functions they can perform in the public catalog and in the staff client. For example, patrons have a small set of permissions that allow them to log in to the public catalog, place holds, and update their account preferences. Staff permission groups are generally more extensive and complex, as they determine each specific function staff can perform their work in the staff client.
7
7
8
8
Every user must be assigned at least one main permission group, or profile, in their account. Users can have multiple, or secondary, permission groups assigned to their account. The process of assigning a secondary permission group is covered in xref:admin_initial_setup/describing_your_people.html#secondaryperms[Secondary Permission Groups].
9
9
@@ -17,7 +17,6 @@ The tree can be collapsed or expanded using the arrows next to each parent permi
17
17
18
18
To view the attributes and permissions of a group, click on the name of the group. To the right of the tree, two tabs will display: *Group Details* and *Group Permissions*.
19
19
20
-
21
20
== Group Details ==
22
21
23
22
**Group Details** includes the following attributes of the permission group:
@@ -50,6 +49,7 @@ image::permission_groups/permission_groups_add_child.png[Add child permission gr
50
49
image::permission_groups/permission_groups_add_child_save.png[Save permission group details]
51
50
+
52
51
52
+
53
53
=== Editing Permission Group Details ===
54
54
55
55
To edit the details of a permission group:
@@ -64,6 +64,7 @@ image::permission_groups/permission_groups_edit.png[Edit permission group detail
64
64
image::permission_groups/permission_groups_add_child_save.png[Save edits to permission group details]
image::permission_groups/permission_groups_confirm_delete.png[Confirm deletion of permission group]
79
80
+
80
81
82
+
81
83
=== Permissions ===
82
84
83
85
* CREATE_PERM
84
86
* DELETE_PERM
85
87
* UPDATE_PERM
86
88
89
+
87
90
== Group Permissions ==
88
91
89
92
The *Group Permissions* tab shows the list of permissions assigned to each group. Along with the permission code/name (ex: COPY_CHECKIN), you will see the following columns:
@@ -120,30 +123,28 @@ image::permission_groups/permission_groups_clear_filter.png[Clear Group Permissi
120
123
To add a permission to a permission group:
121
124
122
125
. Select the name of the permission group in the tree.
123
-
+
124
-
image::permission_groups/Image: permission_groups_tree.png[Permission groups tree]
125
-
+
126
126
. In the right pane, click on the *Group Permissions* tab.
. In the *New Permission* field, start typing the name (code) of the permission you want to add and choose the permission from the dropdown list. If the permission is already assigned to the group, it will not show up in the dropdown menu.
. Choose the *Depth* from the dropdown list, and click the checkbox for *Grantable* if you would like to grant users in the permission group the ability to assign this permission to other permission groups.
. Click *Create*. The new permission will now appear in the permissions list.
143
143
+
144
144
image::permission_groups/permission_groups_create.png[Create new permission group mapping]
145
145
+
146
146
147
+
147
148
As of 3.11, you can add more than one permission at the same time. To add multiple permissions, complete steps 4 and 5 above to add additional permissions. If you would like to remove any permission from the mapping list, click *Remove*.
148
149
149
150
image::permission_groups/permission_groups_new_remove.png[Remove new permission]
@@ -152,6 +153,7 @@ Once all the permissions you would like to add are shown in the mapping window,
152
153
153
154
image::permission_groups/permission_groups_create_multiple.png[Create multiple new permission group mappings]
154
155
156
+
155
157
=== Removing Permissions from a Permission Group ===
156
158
157
159
To remove a permission from a permission group:
@@ -168,6 +170,7 @@ image::permission_groups/permission_groups_apply_changes.png[Apply changes to pe
168
170
image::permission_groups/permission_groups_apply_changes_bottom.png[Apply changes button at bottom of screen]
169
171
+
170
172
173
+
171
174
=== Editing a Permission within a Permission Group ===
172
175
173
176
To edit the depth and grantability of a permission:
@@ -184,14 +187,14 @@ image::permission_groups/permission_groups_apply_changes.png[Apply changes to pe
184
187
185
188
You can edit and delete multiple permissions at a time. For example, you can select the *Delete?* checkbox on multiple rows and change the depth and grantability for multiple permissions. Once you select *Apply Changes*, all updates will be made.
186
189
187
-
188
190
=== Permissions ===
189
191
190
192
* ASSIGN_GROUP_PERM
191
193
* UPDATE_GROUP_PERM
192
194
* REMOVE_GROUP_PERM
193
195
* VIEW_PERMISSION
194
196
197
+
195
198
== Depth and Grantability ==
196
199
197
200
=== Depth ===
@@ -200,20 +203,21 @@ Evergreen permissions are set to a certain depth, or scoped, meaning that bounda
200
203
201
204
In stock Evergreen, there are four depths:
202
205
203
-
. Consortium (0): the permission applies to the staff member at any location in the consortium.
204
-
. System (1): the permission applies to any location within the library system at which the staff member works.
205
-
. Branch (2): the permission applies to the individual library at which the staff member works.
206
-
. Sub-library or Bookmobile (3): the permission applies to the individual sub-library or bookmobile at which the staff member works.
206
+
. _Consortium (0)_: the permission applies to the staff member at any location in the consortium.
207
+
. _System (1)_: the permission applies to any location within the library system at which the staff member works.
208
+
. _Branch (2)_: the permission applies to the individual library at which the staff member works.
209
+
. _Sub-library or Bookmobile (3)_: the permission applies to the individual sub-library or bookmobile at which the staff member works.
207
210
208
211
Where the staff member works is primarily determined by which working location(s) are assigned to their account and the location of the workstation they use to log in to the staff client.
209
212
210
213
If a user has a permission at more than one depth (because they have per-user permissions or are assigned a secondary permission group), the depth that gives them the broadest access wins. For example, if the Staff profile has CREATE_BILL assigned at the branch depth (2), and the Circulation Administrator group has CREATE_BILL assigned at the System depth (1), the System depth will win. Users assigned to the Circulation Administrator group will be able to create bills at the system level. If a group has the same permission inherited by a parent group and specifically assigned to the child group, the permission parameters that override are designated by an enclosed exclamation mark symbol in the Permissions Group interface.
Some functions are set to only work at the consortium level. This is generally noted in the fieldmapper within the permacrud section using the global_required=“true” tag next to each permission listed. For example, many of the permissions used to manage the Server Administration interfaces, such as ADMIN_ORG_UNIT_SETTING_TYPE and ADMIN_SMS_CARRIER, are global_required=“true”, so those permissions only function if the depth is set to 0. Here is how this looks in the fieldmapper:
215
218
216
-
image::permission_groups/permission_groups_global_required.png[Global required permission in fieldmapper]
219
+
Some functions are set to only work at the consortium level. This is generally noted in the fieldmapper within the permacrud section using the global_required=“true” tag next to each permission listed. For example, many of the permissions used to manage the Server Administration interfaces, such as ADMIN_ORG_UNIT_SETTING_TYPE and ADMIN_SMS_CARRIER, are global_required=“true”, so those permissions only function if the depth is set to 0.
220
+
217
221
218
222
=== Grantability ===
219
223
@@ -227,6 +231,7 @@ There is no way to override a permissions grant; i.e., if a permission is assign
227
231
Staff users may be assigned the same permission at different levels, whether through their inherited group and main group or through their main group and secondary group(s). Having permissions at different depths and grantability may cause conflicts when performing functions in Evergreen, so it is important to know which permission assignment will override the other, and assign group permissions accordingly.
228
232
229
233
When checking a user’s permission, the system looks at the following:
234
+
230
235
* Does this user have the permission?
231
236
* At what depth does the user have the permission?
232
237
** The depth is looked in ascending order (from 0 to 3), so the broadest depth wins.
@@ -240,25 +245,28 @@ The permission attributes that “win” will be reflected in that user’s perm
240
245
Here are a couple examples:
241
246
242
247
*Example 1*
248
+
243
249
A staff member assigned to the Global Administrator group has the VIEW_ORG_SETTINGS permission assigned locally. The permission is also inherited through the Staff parent permission group.
244
250
245
251
* Staff: Depth = 1 (System), Grantable = false
246
252
* Global Administrator: Depth = 0 (Consortium), Grantable = true
247
253
248
-
Outcome: Because the Global Administrator permission is set at 0 depth, this permission overrides the other. The staff member will be able to see all org settings for the consortium, and will also be able to grant that permission to another user (if they don’t already have it assigned to them, and if their account can be edited).
254
+
*Outcome*: Because the Global Administrator permission is set at 0 depth, this permission overrides the other. The staff member will be able to see all org settings for the consortium, and will also be able to grant that permission to another user (if they don’t already have it assigned to them, and if their account can be edited).
249
255
250
256
*Example 2*
257
+
251
258
A staff member has Cataloger as their main permission group and Local Administrator as their secondary group. They have two instances of the CREATE_COPY_NOTE permission at the following levels:
252
259
253
260
* Cataloger: Depth=1 (System), Grantable = false
254
261
* Local Administrator: Depth=1 (System), Grantable = true
255
262
256
-
Outcome: The permissions are assigned at the same depth, so the system will look at the grantability next. True overrides false, so the staff member will be able to create item notes for items owned by their system, and will be able to grant that permission to another user (if they don’t already have it assigned to them, and if their account can be edited).
263
+
*Outcome*: The permissions are assigned at the same depth, so the system will look at the grantability next. True overrides false, so the staff member will be able to create item notes for items owned by their system, and will be able to grant that permission to another user (if they don’t already have it assigned to them, and if their account can be edited).
257
264
258
265
*Example 3*
266
+
259
267
A staff member has Local Administrator as their main permission group and Acquisitions as their secondary group. This means that the staff member has the DELETE_COPY permission from both groups, at the following levels.
260
268
261
269
* Local Administrator: Depth=1 (System), Grantable = true
Outcome: Because the Aquisitions permission is assigned at 0 depth, this permission overrides the other. The staff member will be able to delete items owned by any library in the consortium, but they will not be able to grant this permission to other staff members.
272
+
*Outcome*: Because the Aquisitions permission is assigned at 0 depth, this permission overrides the other. The staff member will be able to delete items owned by any library in the consortium, but they will not be able to grant this permission to other staff members.
0 commit comments