[OPEN-ILS-GENERAL] [Evergreen-admin] FW: Group and User permissions

Chris Sharp csharp at georgialibraries.org
Tue Jan 13 15:30:39 EST 2015


Hi Jennifer,

> So, as I understand it, you can set group permissions and assign a bunch of
> people to that profile (group) and they all have certain rights to do
> certain things. 

Correct.

> I thought that maybe the user permissions were then
> available in case you might have one user or two in a group to ADD or DELETE
> certain permissions. Is that not the case? We might like to have maybe
> student workers all be “circulators” but one or two are given special
> permissions to work with cataloging or serials or such. Am I understanding
> this correctly?  If we wanted to assign a “circulator” special elevated user
> permission for updating item records, I should be able to go into their
> patron record, open the user permission editor and assign them
> update_item_record (or some such). Right?

Yes.  But I'll caution you that you might want to go ahead and designate permission groups that you think you'll need later.  For example, if you see that a group of "circulators" would always need the extra permissions, it makes more sense to just create a new permission profile and assign *that* to those users rather than assigning permissions singly, which is hard to track and inefficient.

> Well, the problem is that we are trying to do something like that for several
> different pre-assigned groups and it is not working. For the “volunteer”
> group for instance. I have assigned several users in our system to that
> profile, but one or two need modifications. When I go to that patron record,
> into the user permission editor, everything is greyed out and it won’t let
> me change anything. One or two permissions listed there I would like to
> remove (like Admin Toolbar! What? For volunteers?) or even change the level
> at which they have permission. Nope. No dice. 

You need to have the group application permission to be able to edit specific groups.  To do this, go to Admin -> Server Administration -> Permission Groups, select the group you want, then make sure the "Editing Permission" is set.  Note that you can create a new permission for this if you need to in Admin -> Server Administration -> Permissions (you'd need to reload the perm groups interface to see the change).  Then just make sure the user who is doing the editing has been assigned the "Editing Permission" for that group.  This is best done in the Permission Groups setup, for what it's worth.

> And where is that admin
> toolbar thing set anyway? Who gave volunteers that permission? It is not
> listed in the group permissions editor. (they can also see and edit the
> Library Settings!)

<adding in your second follow-up question here>

> Second, I have no problem with the defaults being assigned, but I would like
> to know what they are for each group so I can understand what other
> permissions need to be added. What I really want is I would REALLY like to
> remove some of them from individuals assigned to that group. So, for
> instance, I have a staff user that is assigned to a staff category of
> “volunteer”. All good. But then maybe one or two of the users in that
> volunteer category really should NOT be able to create, view, or update any
> user accounts. When I go into the user permission editor for those users, I
> CANNOT REMOVE THAT PERMISSION! I am appalled. Why is this? I get that maybe
> it is a default setting for that group of users, but in each user editor,
> shouldn’t I be able to remove it if I would like? But nothing I do will let
> me make this change. Is this a bug? Is this the way it is supposed to work?
> If not, how do I make it work the way I would like?

Permissions are inherited from higher up the tree, so that permission may be assigned at the "Circulator" or even the "Staff" or "Users" level.  You can remove it from the higher level of the hierarchy and re-assign it to specific child groups (e.g. "Circ 1", "Circ 2" or whatever).  That also means that permissions cannot be removed singly from the User Permission Editor.  You'd need to remove the perm from the permission group, then assign the desired permission at the desired level to specific users who need it.

One more thing to know is that if you do assign permissions to single users via the User Permission Editor, that setting will override anything set for that permission in the Permission Groups setup.

> So, why can I change some user permissions for patrons (I am having no
> trouble with our “catalogers”), but others are all sort of fuzzed out and
> won’t let me add or delete anything in the user permission editor. I can
> check a box and click save but nothing happens. Do I have to start all over
> and just create all new groups first?? (and I AM the admin and logged in as
> such when trying all of this)

I would actually take that approach.  I know it probably sounds like a burden to re-do everything, but you'd probably only ever have to do it once and then occasionally tweak them at need.  Once the permission groups match your actual setup, you probably won't have to think about permissions anymore (speaking from experience here).


> For instance. When I assign a user to a “staff” account – does not matter
> what kind – it looks to me like several blanket types of permissions are
> automatically granted. Even if no group permission are assigned to that
> group, when I go to the user permission editor, there are several basic
> boxes checked. Such as “create_user” and “update_user”. However, when I
> assign a user to a “Patron” account, those permissions are NOT granted
> automatically. Why is this? What settings controls what default and blanket
> permissions are given to what types of users in the system?

See my comments about inheritance above.

Hope that's helpful.  Please reply back if you need more help!

Chris

-- 
Chris Sharp
PINES System Administrator
Georgia Public Library Service
1800 Century Place, Suite 150
Atlanta, Georgia 30345
(404) 235-7147
csharp at georgialibraries.org
http://pines.georgialibraries.org/
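
Added example, not part of the original message and not Evergreen's code or schema: a small model of the inheritance described above. It shows which group in a profile's ancestry grants a permission, and which groups lose it if it is removed at a higher level. The group tree and permission assignments are constructed sample data.

```python
# Constructed sample data modelling the inheritance described in the message;
# group names and assignments are assumptions, not Evergreen's schema or code.
PARENT = {"Users": None, "Staff": "Users", "Circulator": "Staff",
          "Volunteer": "Staff", "Cataloger": "Staff"}
GROUP_PERMS = {
    "Users": set(),
    "Staff": {"create_user", "update_user"},
    "Circulator": set(),
    "Volunteer": set(),
    "Cataloger": {"update_item_record"},
}

def ancestry(group):
    """Return the group followed by each ancestor up to the root."""
    chain = []
    while group is not None:
        if group in chain:
            raise ValueError(f"cycle in group tree at {group!r}")
        chain.append(group)
        group = PARENT[group]
    return chain

def granted_by(profile, perm):
    """Groups in the profile's ancestry that grant perm, nearest first."""
    return [g for g in ancestry(profile) if perm in GROUP_PERMS[g]]

def effective_perms(profile, user_perms=()):
    """Map each effective permission to its sources: group names or 'user'."""
    sources = {}
    for g in ancestry(profile):
        for perm in GROUP_PERMS[g]:
            sources.setdefault(perm, []).append(g)
    for perm in user_perms:  # per-user assignments are listed first
        sources.setdefault(perm, []).insert(0, "user")
    return sources

def removal_impact(group, perm):
    """Groups left without perm if it is removed from `group`."""
    if perm not in GROUP_PERMS[group]:
        return []
    lost = []
    for g in PARENT:
        others = [s for s in granted_by(g, perm) if s != group]
        if group in ancestry(g) and not others:
            lost.append(g)
    return sorted(lost)
```

Running `removal_impact` before stripping a permission from a parent group lists the child groups that may need it re-assigned.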

