iObeya Administration Guide

Managing Permissions

Introduction

In the previous chapters, we have seen how to manage users and rooms on your platform. In this chapter, we will present each level of permission that can be managed, and how to grant permissions to users at each level.

../_images/104.png

As a platform administrator, you will learn how:

  • To manage global permissions for the platform (global access and administrative rights).
  • To manage permissions for a domain and for a room (for domain administrars also).
../_images/105.png

Permissions Reminder

The table below shows the different roles in iObeya and their tasks in iObeya.

Roles Tasks
Platform administrator Creates and deletes users and groups
Manages overall users permissions
Creates and deletes Domains
Manages platform announcements
Manages platform Help Links
Manages board backgrounds catalog
Manages platform tools (export/import rooms, settings, etc…)
Domain administrator Creates and deletes rooms in the domain
Archives rooms in the domain
Manages users permissions in the domain
Room administrator Creates and deletes boards in the managed room
Configures boards: creates and removes tools from the dock
Adds and removes users in the room
Sets permissions to users in the room
Locks boards
Room user Views boards
Uses board utilities
Modifies boards: create, update and delete elements
Room visitor Views boards
Uses board utilities

The table below shows the different roles in iObeya and the permissions they need to perform their tasks.

Roles Platform permissions Domain permissions Room permissions
Platform administrator Can use    
Administrate    
Users and Groups permissions    
Manage    
Domain administrator Can use Can use  
Users and Groups permissions (optionnal)  
Manage  
Room administrator Can use Can use Can use
Administrate
Users and Groups permissions
Edit
Room user Can use Can use Can use
Edit
Room visitor Can use Can use Can use

This table shows the different permissions in different contexts and what they allow to a user when granted.

Context Permission Description
Platform Can use Determines who can access the platform. It allows users to log onto the platform and to be added to a domain.
Administrate Manage add-ons, licenses, platform help links, announcements, importing/exporting of rooms, job scheduling, catalog of backgrounds, and logs.
User(s)/Group(s) and Permissions Manage platform users and groups: create, modify (see and edit permissions), and delete users and groups.
Manage Administrate platform domains: create, modify, and delete domains.
Domain Can use Determines who can access which rooms.
Administrate Allows domain administrators to set the global parameters of a domain, and the help links specific to this domain.
User(s)/Group(s) permissions Manage the permissions of a domain: add and remove the permissions of the domain users.
Manage

Manage the rooms of a domain: create, modify, and delete rooms within the domain.

Manage the room models of the domain.

Publish room as

model

Ability to publish a room as a model.

Note that a user with this permission must administrate the same room in order to publish a model of it.

Room Can use Ability to access the room and the boards it contains.
Administrate

Administrate the global parameters of the room.

Administrate the utilities of the room.

Modify the room (manage its own boards and shared boards).

Administrate the tool dock of the boards in the room.

Can initiate Guided navigation.

User(s)/Group permissions Manage the members of the team and their permissions.
Edit Board The user may use the available tools of the board and move/edit elements.

Permissions can be overridden depending on the administration level (in decreasing order: platform, domain, room). For a quick overview of the final permissions, use the See accumulated permissions tab.

You can find the same information for each level:

Platform level
Under GLOBAL PERMISSIONS section in the left-hand side menu.
Domain level
ROOM MANAGEMENTEdit permissions of the concerned domain ‣ Accumulated permissions tab.
Room level

ROOM MANAGEMENTRooms of the concerned domain ‣ Edit permissions of the concerned room ‣ Accumulated :guilabel:permissions tab.

../_images/119.png

Managing Global Permissions

Required permissions

Platform (Can use + User(s)/Group(s) permissions).

This part of the administration interface enables platform administrators to manage permissions at a platform level. Global permissions are used to manage platform administrators, or to remove the ability for a user to connect to iObeya.

With this permission profile, a platform administrator can easily manage users and group permissions on the platform.

Platform administrators have the ability to manage global permissions of users and groups from two different perspectives:

  • From the global permissions perspective.
  • From the user/group permissions perspective.

To manage permissions or users and groups from the global permissions perspective:

  1. Select Users & groups permissions under GLOBAL PERMISSIONS on the left-hand side menu.

  2. Switch between the Groups and Users tabs to manage the corresponding permissions.

    Refer to Permissions reminder.

    ../_images/106.png

To manage permissions or users and groups from the user/group permissions perspective:

  1. Select All users or All groups in the left-hand side menu of the administration interface.

  2. Move the cursor over the corresponding user (or group) and select Edit permissions.

  3. Select the Global permissions tab to manage global permissions of the user (or group).

  4. On the left-hand side menu, select Accumulated permissions under GLOBAL PERMISSIONS to get an overview of users’ global permissions.

    This will even show the permissions that users have inherited from the groups they belong to.

../_images/107.png

Tip

../_images/108.png

This icon means the permission comes from a group.

Managing Permissions for a Domain

Required permissions

  • Platform (Can use + Manage domain) to manage the permissions for every domain of the platform.
  • Platform (Can use) + Domain(s) (Can use + User(s)/Group(s) permissions) to manage the permissions for specific domain(s).
../_images/109.png

Adding a User or a Group to a Domain

  1. Select ROOM MANAGEMENT in the left-hand side menu of the administration interface, then select Domains.

  2. Move the cursor over the corresponding domain, then select Edit permissions.

  3. Select the tab Groups permissions or Individual users.

  4. Select Add new group or Add new user.

    A group/user search window appears.

  5. Use the search box to find a user or a group.

    Enter all or part of a name, then select Search to display the result of your query.

  6. Check the boxes of the group(s) or user(s) to be added to the domain.

  7. Select Add user(s).

../_images/110.png

Managing Permissions for a Domain

  1. Select ROOM MANAGEMENT in the left-hand side menu, then select Domains.

  2. Move the cursor over the corresponding domain, then select Edit permissions.

  3. Select the Groups permissions or Individual users tab.

  4. Select Edit permissions.

  5. Manage the permissions by checking/unchecking boxes.

    Refer to Permissions reminder.

  6. Select Save Changes.

    ../_images/111.png

You can also manage permissions for a domain directly from users or groups views:

  1. Select All users or All groups

  2. Move the cursor over the user or the group, then select Manage permissions.

  3. Select the Domain permissions tab.

    If the user or the group has the Can use right in global permissions, you can assign them permissions for a domain.

    ../_images/112.png
  4. Select Edit permissions.

  5. Manage the permissions by checking/unchecking boxes.

    Refer to Permissions reminder.

  6. Select Save changes.

Managing Permissions for a Room

Note

Required permissions

Platform (Can use) + Domain (Can use + Manage room).

../_images/113.png

Adding a User or a Group to a Room

  1. Select ROOM MANAGEMENT in the left-hand side menu of the administrator’s interface, then select Rooms.

  2. Move the cursor over the corresponding room, then select Edit permissions.

  3. Select the tab Groups permissions or Individual users.

  4. Select Add group or Add user.

    A group/user search window appears.

  5. Use the search box to find a user or a group.

    Enter all or part of a name, then select Search to display the result of your query.

  6. Check the boxes of the group(s) or user(s) to be added to the room.

  7. In the Grant permissions section, select the profile you want to assign to the selected user(s).

  8. Select Add group(s) or Add user(s).

../_images/114.png

Managing Permissions for a Room

Note

Required permissions: Platform (Can use) + Domain (Can use + Manage room).

Tip

Use the search bar as a filter. Enter values using period, semi-colon or slash to separate the values.

Use values of the same type. For example, a research using both email adresses and first names will not work.

  1. Click ROOM MANAGEMENTRooms in the left-hand side menu.

  2. Move the cursor over the corresponding room, then select Edit permissions.

  3. Click Groups permissions or Individual users tab.

  4. Click Edit permissions.

  5. Manage the permissions by checking/unchecking boxes.

    Refer to Permissions reminder.

  6. Select Save changes.

../_images/115.png

You can manage permissions for a room directly from users or groups views. To manage permissions for a domain from users or groups views:

  1. Select All users or All groups.

  2. Move the cursor over the user or the group, then select Manage permissions.

  3. Select the Room permissions tab.

    If the user or the group has the Can use right in global permissions, you can assign them permissions on a domain.

    ../_images/116.png
  4. Select Edit permissions.

  5. Manage the permissions by checking/unchecking boxes.

    Refer to Permissions reminder.

  6. Select Save changes.

    ../_images/117.png

Tracking Permission Changes

For security reasons, iObeya keeps a log of any change made to user permissions.

The prerequisites are as follows:

  • The system administrator has configured the path to Log4j.xml in the iobeya.xml context file for Tomcat.
  • The system administrator has placed the Log4j.xml file in the previously defined directory.

For each permission change, the UserAndGroup.log file will keep a record which begins with [PermissionManager], as shown in the log sample below:

15:28:27 INFO [PermissionManager] Delete Permission<MANAGE_CHILDREN> on GlobalPermission<0> by User<admin> on User<aadams>
15:28:30 INFO [PermissionManager] Add Permission<MANAGE_CHILDREN> on GlobalPermission<0> by User<admin> on User<aadams>
15:28:52 INFO [PermissionManager] Add Permission<READ> on Domain<0b6491b0-9ab4- 46e4-94c8-761cda6d1120> by User<admin> on User<aadams>
15:28:52 INFO [PermissionManager] Add Permission<ADMINISTRATION> on Domain<0b6491b0-9ab4-46e4-94c8-761cda6d1120> by User<admin> on User<aadams> 15:28:53 INFO [PermissionManager] Add Permission<EDIT> on Domain<0t6491b0-9ab4- 46e4-94c8-761cda6d1120> by User<admin> on User<aadams>
15:28:54 INFO [PermissionManager] Add Permission<PUBLISH_CHILDREN_AS_MODEL> on Domain<0b6491b0-9ab4-46e4-94c8-761cda6d1120> by User<admin> on User<aadams> 15:28:55 INFO [PermissionManager] Delete Permission<PUBLISH_CHILDREN_AS_MODEL> on Domain<0b6491b0-9ab4-46e4-94c8-761cda6d1120> by User<admin> on User<aadams> 15:29:05 INFO [PermissionManager] Delete Permission<ADMINISTRATION> on Domain<0b6491b0-9ab4-46e4-94c8-761cda6d1120> by User<admin> on Group<1> 15:29:06 INFO [PermissionManager] Add Permission<ADMINISTRATION> on Domain<0b6491b0-9ab4-46e4-94c8-761cda6d1120> by User<admin> on Group<1>