Difference between revisions of "Edit permissions"

Line 6: Line 6:
  
 
# [[Image:0_show_screen.png|500px|right|thumb|Fig.1. Default permissions for Contributor group in show screen]]In the main menu bar, go to admin > groups > contributor. Click on Archival description permissions. Your screen will show the default "grant" permissions for the Contributor group - i.e. it shows you everything the user is permitted to do (see fig.1).
 
# [[Image:0_show_screen.png|500px|right|thumb|Fig.1. Default permissions for Contributor group in show screen]]In the main menu bar, go to admin > groups > contributor. Click on Archival description permissions. Your screen will show the default "grant" permissions for the Contributor group - i.e. it shows you everything the user is permitted to do (see fig.1).
#* Note that the Contributor group inherits some of its settings from its parent group, Authenticated.
+
#* Note that the Contributor group inherits some of its settings from its parent group, Authenticated (which is all users who have successfully logged-in).
 
# [[Image:1_default.png|500px|right|thumb|Fig.2. Default permissions for Contributor group in edit screen]]Click Edit. In the edit screen, you will get a better sense of the group's permission settings (see fig.2) . The Contributor has the following permissions:
 
# [[Image:1_default.png|500px|right|thumb|Fig.2. Default permissions for Contributor group in edit screen]]Click Edit. In the edit screen, you will get a better sense of the group's permission settings (see fig.2) . The Contributor has the following permissions:
 
#* Read: Grant (inherited from Authenticated group)
 
#* Read: Grant (inherited from Authenticated group)
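Review bot: the parenthetical added to the Authenticated note writes "logged-in" where the verb form "logged in" is meant. While this line is being changed, consider also stating that anything set on Authenticated therefore applies to every account, which is why Read appears as "Grant (inherited from Authenticated group)" in the Contributor list.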

Revision as of 15:43, 6 April 2010

Please note that ICA-AtoM is no longer actively supported by Artefactual Systems.
Visit https://www.accesstomemory.org for information about AtoM, the currently supported version.

Main Page > User manual > UM-7 Administer ICA-AtoM > UM-7.2 1.0.9 Edit user permissions in ICA-AtoM 1.0.9

When refining user permissions, it is often useful to start with the group to which the user belongs. You can refine permissions for the group, then add users to the group, all of whom will inherit the modified permissions. To learn how to refine user permissions, follow the steps in scenario 1, below. Then try some more of the scenarios listed at the bottom of this page, all of which relate to the user created in scenario 1.

Scenario 1: In a multi-repository system, add a user who can create, update and publish archival descriptions belonging to one institution only.

  1. In the main menu bar, go to admin > groups > contributor. Click on Archival description permissions. Your screen will show the default "grant" permissions for the Contributor group - i.e. it shows you everything the user is permitted to do (see fig.1).
    [Fig.1. Default permissions for Contributor group in show screen]
    • Note that the Contributor group inherits some of its settings from its parent group, Authenticated (which is all users who have successfully logged in).
  2. Click Edit. In the edit screen, you will get a better sense of the group's permission settings (see fig.2). The Contributor has the following permissions:
    [Fig.2. Default permissions for Contributor group in edit screen]
    • Read: Grant (inherited from Authenticated group)
    • Create: Grant
    • Update: Grant
    • Delete: Deny (inherited from Authenticated group)
    • View draft: Grant
    • Publish: Deny (inherited from Authenticated group)
    • Access master digital object: Grant
    • Access reference digital object: Grant (inherited from Authenticated group).

In other words, any user belonging to the Contributor group automatically has the ability to read, create and update descriptions, view draft descriptions and access digital objects. The user cannot delete or publish descriptions. In our scenario, we would like to create a user who can create and update descriptions belonging only to a particular institution and who in addition can publish archival descriptions belonging to the institution.

  1. In order to restrict permissions to descriptions of a particular institution, we need to first deny the permissions across the board, and then add them back for the specified institution. We will do the blanket denial in the Contributor group edit screen, and later add a user with permissions granted for a particular institution. To deny the permissions in the Contributor group, open the edit screen and select Deny for the Create and Update permissions (see fig.3).
    [Fig.3. Modified permissions for Contributor group in edit screen]
  2. Save the group. Your show screen should look like the screen in fig.4.
    [Fig.4. Modified permissions for Contributor group in show screen]
  3. Go to admin > users and add a new user as in fig.5. Be sure to add the user to the Contributor group.
    [Fig.5. Add a new user]
  4. Click on Archival description permissions. You will see the permissions that are specified in the Contributor group, as in fig.6.
    [Fig.6]
  5. Open the edit screen and click on the blue "Permissions by archival institution" link and then the "Add archival institution" link. Select the archival institution as in fig.7.
    [Fig.7. Select an archival repository]
  6. You will now be able to add permissions specific to descriptions belonging to this archival institution. For Create, Update and Publish, select Grant as in fig.8.
    [Fig.8. Add institution-specific permissions]
  7. Save the record. The screen should show the modified permissions as in fig.9. To test your permissions, try logging out and logging back in as the user you created. You should be able to create, edit and publish descriptions belonging to the specified institution only, and you should not be able to delete any descriptions.
    [Fig.9. User view screen showing modified user permissions]

Scenario 2: Add the ability to delete the archival descriptions of the specified institution.
Steps: Remember that a user in the Contributor group does not automatically have the ability to delete any records. To add the ability to delete archival descriptions belonging to the archival institution the user can currently edit and update, go to admin > users > Gene Roddenberry > Archival description permissions, click Edit and, for the specified institution, change the Delete permission to Grant.

Scenario 3: Add the ability for the user to translate to a specified language.
There are two ways to grant translate permissions:

  • Make the user a translator by adding him to the Translator group (the same way that you made Gene Roddenberry a Contributor). This means that he will be able to translate to any language.
  • Instead of making the user a translator, which would allow him to translate to any language, add a language to which a user can translate. This means that he will be able to translate only to the specified language. In this scenario, we will add the ability of the user to translate to French.

Steps: Go to admin > users > Gene Roddenberry > Profile. Click edit, then click on the blue "Access control" link. In allowed languages for translation, select French. The user will now be able to translate from any source language to French. Note that the list of languages is derived from the languages added in the settings menu. See UM-7.4.5 Add or remove a language. Note also that you can add more languages from this list as needed.

Scenario 4: Remove the ability to create and update authority records.

  • Permissions for authority records can be refined in some of the same ways they can be refined for archival descriptions. In a multi-repository setting it may be desirable to prevent users from creating and/or updating authority records, because one authority record may be linked to archival descriptions belonging to more than one archival institution.
  • Note that users belonging to the Contributor group automatically inherit the ability to create and update authority records.

Steps: Go to admin > users > Gene Roddenberry. Instead of clicking on Archival description permissions, click on Authority record permissions. Click Edit. Under All authority records, next to Create and Update, select Deny, then save the record.

Scenario 5: Remove the ability to view and download master digital objects.

  • Note that users belonging to the Contributor group automatically inherit the ability to view and download master digital objects.

Steps: Go to admin > users > Gene Roddenberry. Click on Archival description permissions. Click Edit. Next to Access Master click Deny. Save the record. This will allow the user to view thumbnail and reference display copies of digital objects, but not to view or download the master objects. Note that if you do not wish to have any users belonging to the Contributor group viewing or downloading master digital objects, deny permission for this activity at the level of the group - i.e. go to admin > groups > Contributor and make the change at that level instead of the level of the individual user.
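
The deny-then-grant pattern of scenario 1 and the user-level overrides of scenarios 2 and 5 can be checked on paper before touching the admin screens. The following is an added example, not ICA-AtoM code: the lookup order (user, then group, then parent group, with an institution-specific rule beating a blanket rule at each level), the action names and the institution names are assumptions chosen to reproduce the outcomes this page describes.

```python
from dataclasses import dataclass, field

GRANT, DENY, ALL = "grant", "deny", "*"  # ALL = rule for every institution

@dataclass
class Principal:  # a user or a group; `parent` is the group it inherits from
    name: str
    parent: "Principal | None" = None
    rules: dict = field(default_factory=dict)  # (action, scope) -> grant/deny

    def set(self, action, value, scope=ALL):
        self.rules[(action, scope)] = value
        return self

def effective(principal, action, institution):
    """Assumed lookup order: user, then group, then parent group; at each
    level an institution-specific rule beats the blanket one. No rule = deny."""
    node = principal
    while node is not None:
        for scope in (institution, ALL):
            if (action, scope) in node.rules:
                return node.rules[(action, scope)], node.name
        node = node.parent
    return DENY, "no rule"

def build_scenario_1(institution):
    """Group defaults from fig.2, then the changes made in scenario 1."""
    authenticated = Principal("Authenticated")
    for action, value in [("read", GRANT), ("delete", DENY),
                          ("publish", DENY), ("access_reference", GRANT)]:
        authenticated.set(action, value)
    contributor = Principal("Contributor", parent=authenticated)
    contributor.set("view_draft", GRANT).set("access_master", GRANT)
    contributor.set("create", DENY).set("update", DENY)  # blanket denial
    user = Principal("Gene Roddenberry", parent=contributor)
    for action in ("create", "update", "publish"):  # added back for one institution
        user.set(action, GRANT, scope=institution)
    return contributor, user

def audit(user, institutions,
          actions=("read", "create", "update", "delete", "publish", "access_master")):
    """Effective value and the level it came from, per institution and action."""
    return {(i, a): effective(user, a, i) for i in institutions for a in actions}

if __name__ == "__main__":
    _, gene = build_scenario_1("Institution A")  # constructed institution names
    for (inst, action), (value, source) in audit(
            gene, ["Institution A", "Institution B"]).items():
        print(f"{inst:14} {action:14} {value:6} (from {source})")
```

The "from" column shows which level decided each result, which is the quickest way to spot a user-level grant that silently overrides a group-level deny.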