evergreen-admin:policies:usergroups
Differences
This shows you the differences between two versions of the page.
evergreen-admin:policies:usergroups [2007/07/13 13:14] – explanation of Group Application Permissions miker | evergreen-admin:policies:usergroups [2022/02/10 13:34] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | [[user-comments: | ||
+ | |||
+ | |||
+ | ==== User Groups and Group Permissions ==== | ||
+ | |||
+ | Here you will find a tree of the current User Groups that exists in the Open-ILS installation. | ||
+ | |||
+ | Permissions in Open-ILS are applied to a specific portion of the Library (Organizational Unit) Hierarchy based on the Home Library (home_ou) of the user in question. | ||
+ | |||
+ | The default permissions and groups supplied with Open-ILS should be sufficient to get you going, but it's a good idea to familiarize yourself with this admin interface. | ||
+ | |||
+ | * **NOTE** -- You __MUST__ select a Permission Depth (the "At Depth" column) in order to save edited permissions. | ||
+ | |||
+ | ---- | ||
+ | |||
+ | |||
+ | ==== Group Application Permissions ==== | ||
+ | |||
+ | Evergreen provides Group Application permissions in order to restrict which staff members have the ability to assign elevated permissions to a user, and which staff members have the ability to edit users in particular groups. | ||
+ | |||
+ | First, we will posit a group hierarchy: | ||
+ | < | ||
+ | User | ||
+ | Patron | ||
+ | Outreach | ||
+ | Trustee | ||
+ | Staff | ||
+ | Circ | ||
+ | Cat | ||
+ | Admin | ||
+ | Library Manager | ||
+ | Local Admin | ||
+ | Global Admin | ||
+ | </ | ||
+ | |||
+ | Take, for instance, the case of a volunteer circulation staff member who is responsible for registering and updating patron accounts. | ||
+ | |||
+ | First, we use the Permission Editor in the bootstrapping interface to create a set of permissions which we will use to restrict the use of specific groups. | ||
+ | |||
+ | * group.application.patron | ||
+ | * group.application.patron.trustee | ||
+ | * group.application.staff | ||
+ | * group.application.staff.circ | ||
+ | * group.application.staff.cat | ||
+ | * group.application.staff.admin | ||
+ | * group.application.staff.admin.lib_man | ||
+ | * group.application.staff.admin.local_admin | ||
+ | * group.application.staff.admin.global_admin | ||
+ | |||
+ | After creating these permissions we attach them to each group that needs to be treated in a special way, like this: | ||
+ | |||
+ | < | ||
+ | User | ||
+ | Patron == group.application.patron | ||
+ | Outreach | ||
+ | Trustee == group.application.patron.trustee | ||
+ | Staff == group.application.staff | ||
+ | Circ == group.application.staff.circ | ||
+ | Cat == group.application.staff.cat | ||
+ | Admin == group.application.staff.admin | ||
+ | Library Manager == group.application.staff.admin.lib_man | ||
+ | Local Admin == group.application.staff.admin.local_admin | ||
+ | Global Admin == group.application.staff.admin.global_admin | ||
+ | </ | ||
+ | |||
+ | At this point, only the admin account, or other accounts that have been given the **EVERYTHING** permission or marked as a **superuser**, | ||
+ | |||
+ | In this example we need to allow the circulation user to put other users into the **Patron** and **Outreach** groups, so we give the **Circ** group the **group.application.patron** permission. | ||
+ | |||
+ | In this way, each group can be protected from unauthorized edits and additions by managing which users have the right to edit users in, move users to, or register users with specific groups. | ||
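Review bot: The worked example never states what governs a group that has no application permission of its own. In the annotated tree, Outreach (like the root User group) has nothing attached, yet the example paragraph says that giving **Circ** the group.application.patron permission lets the circulation user place users in both **Patron** and **Outreach**. If the intended rule is that such a group falls under the permission attached to its nearest ancestor, say so explicitly, and say what controls assignment to User, which has no ancestor in the tree. The grant in the example also omits the depth at which group.application.patron is given to Circ, although the note in the first section says a Permission Depth must be selected before edited permissions can be saved; naming the depth would show how much of the Organizational Unit hierarchy the volunteer's right covers. Minor: "User Groups that exists" should read "exist".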