Document toolboxDocument toolbox

User Permissions

Owned by Maciej Zabielski
Last updated: Mar 19, 2024

Since v4.4.0

Introduction

User permissions determine the actions users can perform within the system. They are integral to the access control system, which also encompasses Field Level Security (FLS) and Object Security.

Every operation or service that provides or updates data requires a specific permission.

Managing Permissions

Permissions can be managed by users who have been assigned the Manage System Permissions permission.

To manage permission assignments, navigate to system Administration → Users and Groups → User Permissions.

Permissions are organized into Permission Sets. The screenshot below shows a Security Administrator set comprising all Administrator permissions and several specific permissions such as Anonymize User.

Assignments can be made at any level, allowing specific users or groups to be assigned to individual permissions or entire sets.

When a user is assigned to a set, all permissions within the set are granted. It is recommended to use groups and organize them according to the specific needs of the organization.

Then, these groups can be assigned to as many permissions or sets as necessary. Subsequently, manage permissions by adding or removing users from such groups.

Evaluate user permissions

If a Security Administrator is uncertain about the permissions granted to a user, they can be checked by using the "check effective rights" button located on the user list.

This list includes direct assignments as well as all permissions granted via group membership or through permission sets inclusion (e.g. one set includes another set).

Permissions and functions

Permissions marked with  should be assigned with caution only to selected administrators.

Set

Permission

Description

Set

Permission

Description

Administrator

Access Basic Admin Operations

Access basic administrative operations and admin panel and manage:

  • events

  • search configuration

  • TOBIS (object identity) configuration

  • area calculation

  • attachments, icons, files

  • auto linking

  • field rules

  • dictionaries

  • dynamic labels

  • global layers

  • print and macro settings

  • access SLA reports

View Audit Trail

View object audit trail (object changes)

Advanced Archive Manager

Manage All Drafts

Ability to manage all drafts in the system

Publish Drafts to Master

Publish drafts to master archive

View All Drafts

View all drafts in the system (including the ones that are not shared with other users)

Revert Published Version

Ability to revert published version. This is a very powerful function that will remove history of changes and should be assigned with care.

View Versioning Audit

View versioning audit log

Set Version as Default

Ability to set selected version as default (version that is already in master archive / published)

Edit Master Archive Versions

Ability to edit versions published to master (e.g. change name)

Basic Archive Manager

Manage Own Drafts

Create and manage private drafts, including share / unshare

View Shared Drafts

Ability to view shared drafts

View Master Archive Versions

Ability to view Master archive (published) versions

Change Manager

Manage Change Requests

Ability to manage change requests (process)

Change Reporter

Report Change Requests

Ability to report (register new) change requests

Data Exchange Manager

View Data Exchange Audit

View "Data Exchange Activity" log

Data Exchange - Import

Ability to run data import functions

Data Exchange - Export

Ability to run data export functions

Security Administrator

View Object/System Diagnostics

Access to system diagnostic functions (bypass object security) System Diagnostic Reports

Manage System Permissions

Manage system / user permissions

Manage Object and Field level Security

Manage object security (assign Object Security) and Field Level Security (FLS) (assign security per field)

Anonymize User (GDPR)

Access to anonymize function for users.

Secure Erase Objects and Metadata

Access to "secure erase" function for objects and metadata.

Manage Security Settings

Manage general security settings like:

  • access tokens for integrations

This permission includes additionally:

  • view-realm

  • manage-authorization

  • manage-clients

  • manage-identity-providers

  • manage-realm

  • view-clients

  • view-identity-providers

View Object Audit

View object audit log (Object Activity Log).

Manage Users and Groups

Manage system users (basic user operations like add, edit, delete) and groups (add, edit, delete, edit members)

This permission includes additionally:

  • view-realm

  • manage-users

  • query-users

  • view-users

View User Activity Audit

View user activity audit log ("User activity & security" log)

System Administrator

Manage System Settings

Manage system settings like:

  •  

    • manage settings for plugins (e.g. area calculations, auto linking

    • Manage system object classes, perspectives and activate configurations

    • manage plugin events

    • manage file formats

    • manage layouts

    • manage system translations

    • manage map data sources

This permission includes additionally:

  • view-realm

  • manage-authorization

  • manage-clients

  • manage-identity-providers

  • manage-realm

  • view-clients

  • view-identity-providers

User

System User

Ability to log in and use the system basic operations (access objects, documents, search, print, etc)

Anonymous API

Access anonymous API

Manage Account