Managing Permissions¶
Introduction¶
In the previous chapters, we have seen how to manage users and rooms on your platform. In this chapter, we will present each level of permission that can be managed, and how to grant permissions to users at each level.
As a platform administrator, you will learn how:
- To manage global permissions for the platform (global access and administrative rights).
- To manage permissions for a domain and for a room (for domain administrars also).
Permissions Reminder¶
The table below shows the different roles in iObeya and their tasks in iObeya.
Roles | Tasks |
---|---|
Platform administrator | Creates and deletes users and groups |
Manages overall users permissions | |
Creates and deletes Domains | |
Manages platform announcements | |
Manages platform Help Links | |
Manages board backgrounds catalog | |
Manages platform tools (export/import rooms, settings, etc…) | |
Domain administrator | Creates and deletes rooms in the domain |
Archives rooms in the domain | |
Manages users permissions in the domain | |
Room administrator | Creates and deletes boards in the managed room |
Configures boards: creates and removes tools from the dock | |
Adds and removes users in the room | |
Sets permissions to users in the room | |
Locks boards | |
Room user | Views boards |
Uses board utilities | |
Modifies boards: create, update and delete elements | |
Room visitor | Views boards |
Compare to a room user, a room visitor has some limited uses of board utilities. |
The table below shows the different roles in iObeya and the permissions they need to perform their tasks.
Roles | Platform permissions | Domain permissions | Room permissions |
---|---|---|---|
Platform administrator | Can use | ||
Administrate | |||
Users and Groups permissions | |||
Manage | |||
Domain administrator | Can use | Can use | |
Users and Groups permissions (optionnal) | |||
Manage | |||
Room administrator | Can use | Can use | Can use |
Administrate | |||
Users and Groups permissions | |||
Edit | |||
Room user | Can use | Can use | Can use |
Edit | |||
Room visitor | Can use | Can use | Can use |
This table shows the different permissions in different contexts and what they allow to a user when granted.
Context | Permission | Description |
---|---|---|
Platform | Can use | Determines who can access the platform. It allows users to log onto the platform and to be added to a domain. |
Administrate | Manage add-ons, licenses, platform help links, announcements, importing/exporting of rooms, job scheduling, catalog of backgrounds, and logs. | |
User(s)/Group(s) and Permissions | Manage platform users and groups: create, modify (see and edit permissions), and delete users and groups. | |
Manage | Administrate platform domains: create, modify, and delete domains. | |
Domain | Can use | Determines who can access which rooms. |
Administrate | Allows domain administrators to set the global parameters of a domain, and the help links specific to this domain. | |
User(s)/Group(s) permissions | Manage the permissions of a domain: add and remove the permissions of the domain users. | |
Manage | Manage the rooms of a domain: create, modify, and delete rooms within the domain. Manage the room models of the domain. |
|
Publish room as model |
Ability to publish a room as a model. Note that a user with this permission must administrate the same room in order to publish a model of it. |
|
Room | Can use | Ability to access the room and the boards it contains. |
Administrate | Administrate the global parameters of the room. Administrate the utilities of the room. Modify the room (manage its own boards and shared boards). Administrate the tool dock of the boards in the room. Can initiate Guided navigation. |
|
User(s)/Group permissions | Manage the members of the team and their permissions. | |
Edit Board | The user may use the available tools of the board and move/edit elements. |
Permissions can be overridden depending on the administration level (in decreasing order: platform, domain, room). For a quick overview of the final permissions, use the See accumulated permissions tab.
You can find the same information for each level:
- Platform level
- Under GLOBAL PERMISSIONS section in the left-hand side menu.
- Domain level
- ROOM MANAGEMENT ‣ Edit permissions of the concerned domain ‣ Accumulated permissions tab.
- Room level
ROOM MANAGEMENT ‣ Rooms of the concerned domain ‣ Edit permissions of the concerned room ‣ Accumulated :guilabel:permissions tab.
Managing Global Permissions¶
This part of the administration interface enables platform administrators to manage permissions at a platform level. Global permissions are used to manage platform administrators, or to remove the ability for a user to connect to iObeya.
With this permission profile, a platform administrator can easily manage users and group permissions on the platform.
Platform administrators have the ability to manage global permissions of users and groups from two different perspectives:
- From the global permissions perspective.
- From the user/group permissions perspective.
To manage permissions or users and groups from the global permissions perspective:
Select Users & groups permissions under GLOBAL PERMISSIONS on the left-hand side menu.
Switch between the Groups and Users tabs to manage the corresponding permissions.
Refer to Permissions reminder.
To manage permissions or users and groups from the user/group permissions perspective:
Select All users or All groups in the left-hand side menu of the administration interface.
Move the cursor over the corresponding user (or group) and select Edit permissions.
Select the Global permissions tab to manage global permissions of the user (or group).
On the left-hand side menu, select Accumulated permissions under GLOBAL PERMISSIONS to get an overview of users’ global permissions.
This will even show the permissions that users have inherited from the groups they belong to.
Astuce
This icon means the permission comes from a group.
Managing Permissions for a Domain¶
Adding a User or a Group to a Domain¶
Select ROOM MANAGEMENT in the left-hand side menu of the administration interface, then select Domains.
Move the cursor over the corresponding domain, then select Edit permissions.
Select the tab Groups permissions or Individual users.
Select Add new group or Add new user.
A group/user search window appears.
Use the search box to find a user or a group.
Enter all or part of a name, then select Search to display the result of your query.
Check the boxes of the group(s) or user(s) to be added to the domain.
Select Add user(s).
Managing Permissions for a Domain¶
Select ROOM MANAGEMENT in the left-hand side menu, then select Domains.
Move the cursor over the corresponding domain, then select Edit permissions.
Select the Groups permissions or Individual users tab.
Select Edit permissions.
Manage the permissions by checking/unchecking boxes.
Refer to Permissions reminder.
Select Save Changes.
You can also manage permissions for a domain directly from users or groups views:
Select All users or All groups
Move the cursor over the user or the group, then select Manage permissions.
Select the Domain permissions tab.
If the user or the group has the Can use right in global permissions, you can assign them permissions for a domain.
Select Edit permissions.
Manage the permissions by checking/unchecking boxes.
Refer to Permissions reminder.
Select Save changes.
Managing Permissions for a Room¶
Note
Required permissions
Platform (Can use) + Domain (Can use + Manage room).
Adding a User or a Group to a Room¶
Select ROOM MANAGEMENT in the left-hand side menu of the administrator’s interface, then select Rooms.
Move the cursor over the corresponding room, then select Edit permissions.
Select the tab Groups permissions or Individual users.
Select Add group or Add user.
A group/user search window appears.
Use the search box to find a user or a group.
Enter all or part of a name, then select Search to display the result of your query.
Check the boxes of the group(s) or user(s) to be added to the room.
In the Grant permissions section, select the profile you want to assign to the selected user(s).
Select Add group(s) or Add user(s).
Managing Permissions for a Room¶
Note
Required permissions: Platform (Can use) + Domain (Can use + Manage room).
Astuce
Use the search bar as a filter. Enter values using period, semi-colon or slash to separate the values.
Use values of the same type. For example, a research using both email adresses and first names will not work.
Click ROOM MANAGEMENT ‣ Rooms in the left-hand side menu.
Move the cursor over the corresponding room, then select Edit permissions.
Click Groups permissions or Individual users tab.
Click Edit permissions.
Manage the permissions by checking/unchecking boxes.
Refer to Permissions reminder.
Select Save changes.
You can manage permissions for a room directly from users or groups views. To manage permissions for a domain from users or groups views:
Select All users or All groups.
Move the cursor over the user or the group, then select Manage permissions.
Select the Room permissions tab.
If the user or the group has the Can use right in global permissions, you can assign them permissions on a domain.
Select Edit permissions.
Manage the permissions by checking/unchecking boxes.
Refer to Permissions reminder.
Select Save changes.
Tracking Permission Changes¶
For security reasons, iObeya keeps a log of any change made to user permissions.
The prerequisites are as follows:
- The system administrator has configured the path to
Log4j.xml
in theiobeya.xml
context file for Tomcat. - The system administrator has placed the
Log4j.xml
file in the previously defined directory.
For each permission change, the UserAndGroup.log
file will keep a
record which begins with [PermissionManager], as shown in the log sample
below:
15:28:27 INFO [PermissionManager] Delete Permission<MANAGE_CHILDREN> on GlobalPermission<0> by User<admin> on User<aadams>
15:28:30 INFO [PermissionManager] Add Permission<MANAGE_CHILDREN> on GlobalPermission<0> by User<admin> on User<aadams>
15:28:52 INFO [PermissionManager] Add Permission<READ> on Domain<0b6491b0-9ab4- 46e4-94c8-761cda6d1120> by User<admin> on User<aadams>
15:28:52 INFO [PermissionManager] Add Permission<ADMINISTRATION> on Domain<0b6491b0-9ab4-46e4-94c8-761cda6d1120> by User<admin> on User<aadams> 15:28:53 INFO [PermissionManager] Add Permission<EDIT> on Domain<0t6491b0-9ab4- 46e4-94c8-761cda6d1120> by User<admin> on User<aadams>
15:28:54 INFO [PermissionManager] Add Permission<PUBLISH_CHILDREN_AS_MODEL> on Domain<0b6491b0-9ab4-46e4-94c8-761cda6d1120> by User<admin> on User<aadams> 15:28:55 INFO [PermissionManager] Delete Permission<PUBLISH_CHILDREN_AS_MODEL> on Domain<0b6491b0-9ab4-46e4-94c8-761cda6d1120> by User<admin> on User<aadams> 15:29:05 INFO [PermissionManager] Delete Permission<ADMINISTRATION> on Domain<0b6491b0-9ab4-46e4-94c8-761cda6d1120> by User<admin> on Group<1> 15:29:06 INFO [PermissionManager] Add Permission<ADMINISTRATION> on Domain<0b6491b0-9ab4-46e4-94c8-761cda6d1120> by User<admin> on Group<1>
Voir aussi