
Effective Permissions Report

The Effective Permissions report allows system administrators to view the permissions of users in the system and modify permissions. The report can be filtered by user, the object type (library, archive or schema), library location, schema name, the origin of the role (group, library or inherent), and enabled and disabled users.

The following information is displayed in the effective permissions report:

Symbol – One of the following:
  • Cabinet icon – Permissions at the cabinet level.
  • Folder icon – Permissions at the folder level.
  • Schema icon – Permissions at the schema level.
  • L – Library
  • A – Archive
  • S – Schema
  Full name – First and last name of the user.
  User login name – The login name of the user, including the unique ID number.
  Name – Name of the cabinet, folder, or schema. Click on the link to change the permissions at this level.
  Location – The library location where the folder is located. This only contains a value when the object is a folder. The format of the location is the parent object’s name followed by the parent object’s ID. Multiple senior objects are separated by a forward slash. For example, CabinetA (5) / DrawerB (1) / FolderGrpC (14).
  Membership type

Direct – The value is direct if the specific user, not group, is assigned directly to the object as a member or owner.

Indirect – For all other cases the value will be indirect. This includes the situation for inherent permissions such as system administrators.

If a user is directly assigned to an object and is also indirectly assigned through a group, and the highest implied role and the highest assigned role match, then the membership type is direct.

  Effective role

The resulting permission in that area:

Member – Used with schemas.

Owner – Owner of either a cabinet or folder.

Disabled user – The user is disabled in the system.

See Determining Effective Role for more information.

  Role origin

Library – The role is set at the cabinet or folder level.

Group – The role is set at the group.

Inherent – The role is inherent, such as senior library or system administrator.

See Role Origin for more information.

  Group – Name of the group where the user has the highest level of permissions. If the role is Owner and the membership type is Direct, there is no group. See Group for more information.

The Effective Permissions report can be run by a System Administrator. This log is never deleted or overwritten.

To view the effective permissions report

  1. Go to Administration Panel > Administration Reports > Effective Permissions.
  2. Use any of the following filters:
  • User Name – Select a user name from the list.
  • Object type – Select Library, Archive (library archive), or Schema.
  • Location – Click Select Location to select a specific area in the library.
  • Schema – Select a schema name from the list.
  • Do not include disabled users – Select this option to leave any disabled users out of the report results. Only enabled users are shown.
  • Do not include enabled users – Select this option to leave any enabled users out of the report results. Only disabled users are shown.
  • Role origin – Select Group (role is from the group membership), Library (role is assigned at a folder or cabinet), or Inherent (role is inherent such as senior library or system administrator).
  3. Click Apply Filter. The number of results and the report are shown below. The number of rows that are displayed in the report view can be adjusted to show 15, 30, or 60 rows at a time. Click on the column to sort in ascending or descending order.
  4. To modify permissions at any level, click on the Name link. The properties for that level open.
  5. Export as CSV.

Effective permissions report

Determining Effective Role

For library or archive objects, a user's effective role is a combination of the groups the user belongs to and the user's library role assignments. The owner library role assignment is the effective role regardless of any other roles the user may have. When a user is directly assigned, their effective role is the highest role they are assigned across all groups they are members of. When a user is assigned as part of one or more groups, their effective role is the highest role of their assigned groups, taking into account advanced security reductions in role.

In the following table Library and Archive are synonymous.

| Object | Role Assignment(s) | Effective Role |
|---|---|---|
| Schema | Any, user not disabled | Member |
| Schema | Organizer or lower and the user is disabled. | Disabled User |
| Library | Library admin or lower and the user is disabled. | Disabled User |
| Library | Any, user not disabled, assigned as owner | Owner |
| Library | Any, user not disabled, directly assigned, not modified | highest implied role |
| Library | Any, user not disabled, directly assigned, modified | modified role |
| Library | Any, user not disabled, indirectly assigned | highest assigned role |

Determining the Highest Implied Role

The highest implied role is used when a user is assigned directly to a schema or library object. As there is no group assignment the user’s group memberships must be checked. The user’s effective role will be the highest role for all their group assignments.

For example, if the user is assigned to a group with the Organizer role and a second group with the Document Publisher role their highest role would be Organizer. Their effective role will be Organizer for any object they are directly assigned to.

There is a special implied role when a cabinet administrator owns the cabinet but neither owns a folder in the cabinet nor is a member of a folder in the cabinet. This case is treated as though the cabinet administrator is directly assigned as a member of the folder.

Determining a Modified Role

Modified roles are configured with the advanced security setting on a cabinet or folder. Modified roles are absolute. Regardless of the role normally assigned to the user or group the modified role can be any lower role. For example, this means that a group with a library administration role could be assigned to a cabinet as read only for that cabinet. System administrators and senior library administrators cannot have their roles modified.

Determining the Highest Assigned Role

The highest assigned role is used when a user is indirectly assigned to an object by membership in a group. Their effective role will be the highest role of all groups they are members of that are assigned to the object. If the role of any group has been modified, this must be taken into account when determining the highest role.

For example, assume a user is assigned as a member of GroupA (Organizer), GroupB (Document Publisher), and GroupC (Document Publisher). GroupA and GroupC have been assigned to Folder1. GroupA has a modified role to Publisher. The user’s highest assigned role for Folder1 would be Publisher.

 

Role Origin

The following table describes the role origin. In the table Library and Archive are synonymous.

| Object | User or Group Role | Assignment | Role Origin |
|---|---|---|---|
| Schema | System administrator | None | Inherent |
| Schema | Senior library administrator | None | Inherent |
| Schema | Library administrator | None | Inherent |
| Schema | Cabinet administrator | None | Inherent |
| Schema | All other roles | Member | Group |
| Library | System administrator | None | Inherent |
| Library | Senior library administrator | None | Inherent |
| Library | System administrator | Owner | Library |
| Library | Senior library administrator | Owner | Library |
| Library | Library administrator | Owner | Library |
| Library | Cabinet administrator | Owner | Library |
| Library | Organizer | Owner | Library |
| Library | Publisher | Owner | Library |
| Library | All assignable roles[1], not modified | Member | Group |
| Library | All assignable roles, modified | Member | Library |

[1] All assignable roles include Library administrators and lower roles.

Group

The Group column lists the groups that match the effective role, taken from the list of groups used to compute the highest role. If the role is Owner and the membership type is Direct, there is no group.

Example 1: The user is a member of GroupA (Document Publisher), GroupB (Organizer), and GroupC (Document Publisher). The user is directly a member of Folder1. The effective role is Organizer and the group is GroupB.

Example 2: Same user as example 1. GroupB is a member of Folder2 with a reduced role of Document Publisher. The effective role is Document Publisher and the group is GroupB.

Example 3: Same user as example 1. GroupA and GroupC are members of Folder3. The effective role is Document Publisher and the groups are GroupA and GroupC.

Example 4: The user is a member of GroupD (Cabinet administrator). GroupD is owner of Cabinet1. The effective role for the user is Cabinet administrator and the group is GroupD.
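
The rules in Determining Effective Role and the Group examples above, worked through as an added Python example (not vendor code) that an auditor could use to cross-check rows of the exported report. It covers enabled users on library objects only; the role ordering, the data layout, and all function names are assumptions, and a group assigned as owner is resolved through the group's role as in Example 4.

```python
# Added illustration, not vendor code. ORDER (lowest to highest) is an
# assumption inferred from the page's examples.
ORDER = ["Document Publisher", "Publisher", "Organizer", "Cabinet administrator",
         "Library administrator", "Senior library administrator",
         "System administrator"]
RANK = {role: i for i, role in enumerate(ORDER)}
UNMODIFIABLE = {"Senior library administrator", "System administrator"}

def reduced(role, modified):
    """Apply an advanced-security modified role, which must be a lower role."""
    if modified is None:
        return role
    if role in UNMODIFIABLE or RANK[modified] >= RANK[role]:
        raise ValueError(f"invalid modified role {modified!r} for {role!r}")
    return modified

def top(roles):
    """Return (highest role, sorted names holding it) for a {name: role} map."""
    best = max(roles.values(), key=RANK.__getitem__, default=None)
    return best, sorted(name for name, role in roles.items() if role == best)

def effective_role(user, groups, obj):
    """Resolve an enabled user's role on a library object.

    groups: {group name: role}; obj: {"owners": set of principals,
    "assigned": {principal: modified role or None}}.
    Returns (effective role, membership type, groups), or None if unassigned.
    """
    owners, assigned = obj.get("owners", set()), obj.get("assigned", {})
    if user in owners:
        return "Owner", "Direct", []             # direct owner: no group
    if user in assigned:
        if assigned[user] is not None:           # modified roles are absolute
            return assigned[user], "Direct", []  # empty group list: assumption
        role, names = top(groups)                # highest implied role
        return role, "Direct", names
    via = {g: reduced(groups[g], assigned.get(g))
           for g in owners | set(assigned) if g in groups}
    if not via:
        return None
    role, names = top(via)                       # highest assigned role
    return role, "Indirect", names

# Constructed data mirroring Example 2 on the page.
USER_GROUPS = {"GroupA": "Document Publisher", "GroupB": "Organizer",
               "GroupC": "Document Publisher"}
FOLDER2 = {"assigned": {"GroupB": "Document Publisher"}}
print(effective_role("user1", USER_GROUPS, FOLDER2))
```

A `ValueError` from `reduced` marks a modified role that is not lower than the original, or one applied to a system administrator or senior library administrator, both of which the page says cannot occur.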