Difference between revisions of "Edit permissions"

From ICA-AtoM
Jump to navigation Jump to search
 
(116 intermediate revisions by 5 users not shown)
Line 1: Line 1:
[[Main Page]] > [[User manual]] > [[UM-7|UM-7 Administer ICA-AtoM]] > UM-7.2 1.0.9 Edit user permissions in ICA-AtoM 1.0.9
+
[[Main Page]] > [[User manual]] > [[Administer]] > Edit permissions
  
 +
<div class="note">
 +
* You should have two or more archival institutions in your system, with several hierarchical descriptions attached and some digital objects uploaded, in order to fully test the scenarios on this page
 +
* You can only modify the user's settings if you are logged in as an administrator. After completing the steps in each scenario, log out and log back in as the user you've been creating and modifying in order to see the results of your modifications
 +
</div>
  
This section describes how to add, edit, and delete user accounts in your ICA-AtoM application.
+
== Scenario one: Allow the public to view and download master digital objects ==
  
 +
<div class="note">
  
==Add a new user==
+
The default permissions in '''ICA-AtoM''' prevent the public ("anonymous" group) from viewing or download master digital objects (e.g. original TIFF images, original video files, original audio files).  By default the public ''can'' view the "reference" representation (e.g. derivative JPEG image, derivative flash video or audio file via in-browser flash player) and thumbnail version of any digital object.
  
[[Image:0_show_screen.png|500px|right|thumb|Default permissions for contributor group]]
+
</div>
  
When refining user permissions, it is often useful to start with the group to which the user belongs. You can refine permissions for the group, then add users to the group, all of whom will inherit the modified permissions.
+
[[Image:Allow access to master representation.png|300px|right|thumb|Fig.3 View permissions by repository.]]
  
Scenario: In a multi-repository system, add a user who can create, update and publish archival descriptions belonging to one institution only.
+
This will allow the public to view or download the master objects in addition to viewing the thumbnail and reference display copies of digital objects.
  
1. In the main menu bar, go to admin > groups > contributor. Click on Archival description permissions. Your screen will show the default permissions for the contributor group.
+
# Click Admin > Groups > Anonymous in the administrator's menu  
 +
# Click the "Archival description permissions" tab
 +
# Click "Edit"
 +
# Under ''All Archival description > Access master'' click the "Grant" radio button
 +
# Click "Save"
  
5. Enter the user's name.
+
<br style="clear:both" />
  
 +
== Scenario two: In a multi-repository system, add a user who can create, update, edit, delete and publish archival descriptions belonging to one archival institution only (or whatever preferences the Administrator wants to set for the User) ==
 +
<div class=clear fix>
 +
<ol>
  
6. Enter the user's email address; the email address (rather than the user name) is used when logging in.
+
[[Image:singlerep_user01.png|300px|right|thumb|Fig.1. Leave group field blank. User automatically becomes an authenticated user.]]
 +
<li> When refining user permissions you can begin by creating a User, but do not assign them to a unique User group. Leave this blank and it will automatically assign the User to the parent group of authenticated (which is all users who have successfully logged-in)(See fig.1)</li>
 +
<br style="clear:both" />
 +
[[Image:singlerep_user02.png|300px|right|thumb|Fig.2.View User permissions screen]]
 +
<li>
 +
In order to restrict permissions to descriptions of a particular institution, we need to go to Admin menu > Users. Select the User you want to restrict to specific repository permissions.(See fig.2)</li>
 +
<br style="clear:both" />
 +
[[Image:singlerep_user03.png|300px|right|thumb|Fig.3 View permissions by repository.]]
 +
<li>Select information object permissions. Click Edit. Select Permissions by Repository and click Add Repository. Select Repository name from list. Click on Submit.(See fig.3)</li>
 +
<br style="clear:both" />
 +
[[Image:singlerep_user04.png|300px|right|thumb|Fig.4]]
 +
<li>Click on the circles to Grant Permissions to read, create, update, delete, view draft, publish, access master and access reference.(See fig.4)</li>
 +
<br style="clear:both" />
 +
[[Image:singlerep_user05.png|300px|right|thumb|Fig.5 View permissions for User]]
 +
<li>Click on Save.The Administrator can now view the User and their permissions in relation to a specific Repository.(See fig.5)</li>
 +
<br style="clear:both" />
 +
<li>To test your permissions, try logging out and logging back in as the user you created. You should be able to create, edit, delete and publish descriptions belonging to the specified institution only.If you want this User to have permissions to create, update and delete Authority Records and create, update and delete Taxonomies you must "grant" those as well.The default for authenticated group does not grant those permissions.</li>
  
 +
</ol>
 +
</div>
  
7. Enter the user's default [[password]]. Note that users can later change their own [[password]] (see [[UM-2.6|UM-2.6 Change password]]).
+
== Scenario three: Add user to the contributor group as an alternative approach ==
  
 +
<div class="note">
  
8. Select the appropriate [[user role]]. The [[user role]] determines the user's [[Access privilege|access privileges]].
+
When refining user permissions, it is often useful to start with the group to which the user belongs. You can refine permissions for the group, then add users to the group, all of whom will inherit the modified permissions. Any permission that has not been "granted" by the current group (e.g., contributor, editor) or its parent group (authenticated) is considered "denied" by default. In other words the default for the system is to deny permission unless a rule explicitly grants it.
  
*For more on [[User role|user roles]], see [[UM-2.3|UM-2.3 User roles]].
+
</div>
*Note that you can add multiple [[User role|user roles]] to an account; for example, a user may need both [[editor]] and [[translator]] [[Access privilege|access privileges]].
 
*To remove a [[user role]] from a saved [[user account]], click the [[delete icon]] next to it in the list above the data entry [[field]].
 
*You can create new user roles by adding new groups. See [[UM-7.2#Add_and_edit_groups|Add and edit groups]], below.
 
*You can refine user permissions in the groups and permissions [[information area]]: see [[UM-7.2#Refine_user_permissions|Refine user permissions]], below.
 
  
 +
In the main menu bar, go to admin > groups > contributor. Click on Archival description permissions in the grey menu above the title bar. Your screen will show the default "Grant" permissions for the contributor group - i.e. it shows you everything the user is permitted to do. The contributor group inherits some of its settings from its parent group, authenticated (which is all users who have successfully logged-in).
  
9. Click the [[create button]] to register the new [[user account]].
+
Click Edit. In the edit screen, you will get a better sense of the group's permission settings. The contributor has the following permissions:
 +
* Read: Grant (inherited from authenticated group)
 +
* Create: Grant
 +
* Update: Grant
 +
* Delete: Deny (default deny)
 +
* View draft: Grant
 +
* Publish: Deny (default deny)
 +
* Access master digital object: Grant
 +
* Access reference digital object: Grant (inherited from authenticated group).
  
 +
In other words, any user belonging to the contributor group automatically has been ''granted'' the ability to read, create and update descriptions, view draft descriptions, and access digital objects. However, the user has been ''denied'' the ability to delete or publish descriptions.
  
10. ICA-AtoM creates the new account and routes you to the [[view screen]] (View user profile).
 
  
<br />
+
</div>
  
==Refine user permissions==
+
== Scenario four: Remove the ability to create and update authority records ==
 +
</div class="note">
 +
Permissions for authority records can be refined in some of the same ways they can be refined for archival descriptions. In a multi-repository setting it may be desirable to prevent users from creating and/or updating authority records, because one authority record may be linked to archival descriptions belonging to more than one archival institution.
  
[[Image:UM-7.2_1.png|500px|right|thumb|Refine user permissions]]
 
  
ICA-AtoM allows an administrator to refine user permissions. For example, if the software is being used for as a [[multi-repository system]], you can restrict the ability of a user to create, update and delete records for only one [[archival institution]].
+
</div>
  
The following example shows how to permit a user to update [[archival description|archival descriptions]] belonging to only one [[archival institution]].
+
== Scenario five: Add the ability to translate to a specified language ==
  
 +
<div class="note">
 +
There are two ways to grant translate permissions to non-administrators:
  
1. In the user [[edit screen]], open the groups and permissions [[information area]].
+
* Make the user a translator by adding them to the translator group (the same way that you added a user to the contributor group). This means that they will be able to translate to any language.
 +
* Instead of making the user a translator, which would allow them to translate to any language, add a language to which a user can translate. This means that they will be able to translate only to the specified language, and only those archival descriptions and authority records they are allowed to update. In this scenario, we will add the ability of the user to translate to Dutch.
  
 +
</div>
  
2. In the ''action'' [[drop-down menu]] under ''Add a new permission (archival descriptions)'', select "update".
+
Go to admin > users > "UserName". You should be in looking at the View user profile screen; if not, click Profile (to the left of Archival description permissions). Click Edit, then click on the blue "Access control" link. In allowed languages for translation, select Dutch. Click Save. The user will now be able to translate from any source language to Dutch. Note that the list of languages is derived from the languages added in the settings menu. See [[add/remove languages]]. Note also that you can add more languages from this list as needed.
 +
</div>
  
 +
== Scenario six: Remove the ability to view and download master digital objects ==
  
3. Under ''grant/deny'' select "deny".
+
<div class="note">
  
 +
Users belonging to the contributor group automatically inherit the ability to view and download master digital objects.
  
4. Save the record, then re-open the [[edit screen]].
+
</div>
  
 +
Go to admin > users > "UserName". Click on Archival description permissions. Click Edit. Under ''All archival descriptions'' next to Access master click Deny. Save the record. This will allow the user to view thumbnail and reference display copies of digital objects, but not to view or download the master objects. Note that if you do not wish to have any users belonging to the Contributor group viewing or downloading masters digital objects, deny permission for this activity at the level of the group - i.e. go to admin > groups > contributor and make the change at that level instead of the level of the individual user.
  
5. In the ''action'' [[drop-down menu]] under ''Add a new permission (archival descriptions)'', select "update".
+
== Scenario seven: Add ability to create, update, and delete subject terms ==
  
 +
<div class="note">
  
6. Under ''grant/deny'' select "deny" select "grant"
+
Users belonging to the contributor group do not automatically inherit the ability to create, update, and delete taxonomy terms. You can change these permissions for either the contributor group or an individual user. In this case, we will add the ability to create, update and delete subject terms to our individual user.
  
 +
</div>
  
7. Under ''repository'' type the first few letters of an [[archival institution]] and then select the institution from the drop-down menu.
+
Go to admin > users > "UserName". Click on Taxonomy permissions (next to Authority record permissions). Click Edit. Click the blue link "Permissions by taxonomy", then click "Add taxonomy". Select Subjects as the taxonomy name from the auto-complete list. Next to Create, Update and Delete select Grant, then save the record. The user should now be able to create, update and delete subject terms but not other kinds of taxonomy terms.
  
  
8. Save the record.
+
[[Category:User manual]]
  
 
+
__NOTOC__
The result is that the user is denied the right to update any [[archival description|archival descriptions]] EXCEPT those from the [[archival institution]] that was selected in step 7. Repeat these steps as often as needed until you have refined the user permissions to the desired extent.
 
 
 
Please note that this feature is at a relatively early stage of development in ICA-AtoM 1.0.8. Future versions will allow for adding multiple permissions without having to save the record after each change, and will also allow permissions to be refined for [[authority record|authority records]], [[archival institution|archival institutions]] and other types of records and activities.
 
 
 
<br />
 
 
 
==Add and edit groups==
 
 
 
[[Image:UM-7.2_2.png|500px|right|thumb|Edit screen for a group]]
 
 
 
[[Image:UM-7.2_3.png|500px|right|thumb|The saved group now appears as a selectable user role in the user edit screen]]
 
 
 
If there is a group of users for whom there need to be identical specific, refined permissions, the [[administrator]] may wish to create a group and add users to it, rather than using an existing group (i.e. [[user role]]) and refining the permissions for each user. For example, an archives may have a group of volunteers which it wishes to provide specific, limited permissions that are different from those of other users.
 
 
 
1. Click the ''admin > users'' tab.
 
 
 
 
 
2. In ''users/groups'' click on ''groups'' if it is not already underlined.
 
 
 
 
 
3. Click ''add new'' in the [[column header]].
 
 
 
 
 
4. ICA-AtoM routes you to a blank [[edit screen]].
 
 
 
 
 
5. Enter the name of the group.
 
 
 
 
 
6. Provide a description of what the group is for.
 
 
 
 
 
7. By default, the group will have no permissions and the [[administrator]] needs to create them. See [[UM-7.2#Refine_user_permissions|Refine user permissions]], above. Note that there is no [[view screen]] for groups and saving the record takes the user back the the groups [[list screen]].
 
 
 
 
 
8. Once a group is saved, it becomes a [[user role]] and can be selected in as the [[user role]] in a user account [[edit screen]]. You can add as many users to a group as required.
 

Latest revision as of 11:26, 10 July 2013

Please note that ICA-AtoM is no longer actively supported by Artefactual Systems.
Visit https://www.accesstomemory.org for information about AtoM, the currently supported version.

Main Page > User manual > Administer > Edit permissions

  • You should have two or more archival institutions in your system, with several hierarchical descriptions attached and some digital objects uploaded, in order to fully test the scenarios on this page
  • You can only modify the user's settings if you are logged in as an administrator. After completing the steps in each scenario, log out and log back in as the user you've been creating and modifying in order to see the results of your modifications

Scenario one: Allow the public to view and download master digital objects

The default permissions in ICA-AtoM prevent the public ("anonymous" group) from viewing or download master digital objects (e.g. original TIFF images, original video files, original audio files). By default the public can view the "reference" representation (e.g. derivative JPEG image, derivative flash video or audio file via in-browser flash player) and thumbnail version of any digital object.

Fig.3 View permissions by repository.

This will allow the public to view or download the master objects in addition to viewing the thumbnail and reference display copies of digital objects.

  1. Click Admin > Groups > Anonymous in the administrator's menu
  2. Click the "Archival description permissions" tab
  3. Click "Edit"
  4. Under All Archival description > Access master click the "Grant" radio button
  5. Click "Save"


Scenario two: In a multi-repository system, add a user who can create, update, edit, delete and publish archival descriptions belonging to one archival institution only (or whatever preferences the Administrator wants to set for the User)

    Fig.1. Leave group field blank. User automatically becomes an authenticated user.
  1. When refining user permissions you can begin by creating a User, but do not assign them to a unique User group. Leave this blank and it will automatically assign the User to the parent group of authenticated (which is all users who have successfully logged-in)(See fig.1)

  2. Fig.2.View User permissions screen
  3. In order to restrict permissions to descriptions of a particular institution, we need to go to Admin menu > Users. Select the User you want to restrict to specific repository permissions.(See fig.2)

  4. Fig.3 View permissions by repository.
  5. Select information object permissions. Click Edit. Select Permissions by Repository and click Add Repository. Select Repository name from list. Click on Submit.(See fig.3)

  6. Fig.4
  7. Click on the circles to Grant Permissions to read, create, update, delete, view draft, publish, access master and access reference.(See fig.4)

  8. Fig.5 View permissions for User
  9. Click on Save.The Administrator can now view the User and their permissions in relation to a specific Repository.(See fig.5)

  10. To test your permissions, try logging out and logging back in as the user you created. You should be able to create, edit, delete and publish descriptions belonging to the specified institution only.If you want this User to have permissions to create, update and delete Authority Records and create, update and delete Taxonomies you must "grant" those as well.The default for authenticated group does not grant those permissions.

Scenario three: Add user to the contributor group as an alternative approach

When refining user permissions, it is often useful to start with the group to which the user belongs. You can refine permissions for the group, then add users to the group, all of whom will inherit the modified permissions. Any permission that has not been "granted" by the current group (e.g., contributor, editor) or its parent group (authenticated) is considered "denied" by default. In other words the default for the system is to deny permission unless a rule explicitly grants it.

In the main menu bar, go to admin > groups > contributor. Click on Archival description permissions in the grey menu above the title bar. Your screen will show the default "Grant" permissions for the contributor group - i.e. it shows you everything the user is permitted to do. The contributor group inherits some of its settings from its parent group, authenticated (which is all users who have successfully logged-in).

Click Edit. In the edit screen, you will get a better sense of the group's permission settings. The contributor has the following permissions:

  • Read: Grant (inherited from authenticated group)
  • Create: Grant
  • Update: Grant
  • Delete: Deny (default deny)
  • View draft: Grant
  • Publish: Deny (default deny)
  • Access master digital object: Grant
  • Access reference digital object: Grant (inherited from authenticated group).

In other words, any user belonging to the contributor group automatically has been granted the ability to read, create and update descriptions, view draft descriptions, and access digital objects. However, the user has been denied the ability to delete or publish descriptions.


Scenario four: Remove the ability to create and update authority records

Permissions for authority records can be refined in some of the same ways they can be refined for archival descriptions. In a multi-repository setting it may be desirable to prevent users from creating and/or updating authority records, because one authority record may be linked to archival descriptions belonging to more than one archival institution.


Scenario five: Add the ability to translate to a specified language

There are two ways to grant translate permissions to non-administrators:

  • Make the user a translator by adding them to the translator group (the same way that you added a user to the contributor group). This means that they will be able to translate to any language.
  • Instead of making the user a translator, which would allow them to translate to any language, add a language to which a user can translate. This means that they will be able to translate only to the specified language, and only those archival descriptions and authority records they are allowed to update. In this scenario, we will add the ability of the user to translate to Dutch.

Go to admin > users > "UserName". You should be in looking at the View user profile screen; if not, click Profile (to the left of Archival description permissions). Click Edit, then click on the blue "Access control" link. In allowed languages for translation, select Dutch. Click Save. The user will now be able to translate from any source language to Dutch. Note that the list of languages is derived from the languages added in the settings menu. See add/remove languages. Note also that you can add more languages from this list as needed.

Scenario six: Remove the ability to view and download master digital objects

Users belonging to the contributor group automatically inherit the ability to view and download master digital objects.

Go to admin > users > "UserName". Click on Archival description permissions. Click Edit. Under All archival descriptions next to Access master click Deny. Save the record. This will allow the user to view thumbnail and reference display copies of digital objects, but not to view or download the master objects. Note that if you do not wish to have any users belonging to the Contributor group viewing or downloading masters digital objects, deny permission for this activity at the level of the group - i.e. go to admin > groups > contributor and make the change at that level instead of the level of the individual user.

Scenario seven: Add ability to create, update, and delete subject terms

Users belonging to the contributor group do not automatically inherit the ability to create, update, and delete taxonomy terms. You can change these permissions for either the contributor group or an individual user. In this case, we will add the ability to create, update and delete subject terms to our individual user.

Go to admin > users > "UserName". Click on Taxonomy permissions (next to Authority record permissions). Click Edit. Click the blue link "Permissions by taxonomy", then click "Add taxonomy". Select Subjects as the taxonomy name from the auto-complete list. Next to Create, Update and Delete select Grant, then save the record. The user should now be able to create, update and delete subject terms but not other kinds of taxonomy terms.