Effective permissions report
The Effective Permissions report allows system administrators to view the permissions of users in the system and modify permissions. The report can be filtered by user, the object type (library, archive or schema), library location, schema name, the origin of the role (group, library or inherent), and enabled and disabled users.
The following information is displayed in the effective permissions report:
Symbol | Column Header | Description |
---|---|---|
Cabinet icon | - | Permissions at the cabinet level. |
Folder icon | - | Permissions at the folder level. |
Schema icon | - | Permissions at the schema level. |
L | - | Library |
A | - | Archive |
S | - | Schema |
- | Full name | First and last name of the user. |
- | User login name | The login name of the user, including the unique ID number. |
- | Name | Name of the cabinet, folder, or schema. Click the link to change the permissions at this level. |
- | Location | The library location where the folder is located. This only contains a value when the object is a folder. The format of the location is the parent object’s name followed by the parent object’s ID. Multiple senior objects are separated by a forward slash. Example: CabinetA (5) / DrawerB (1) / FolderGrpC (14). |
- | Membership type | Direct – The value is direct if the specific user, not a group, is assigned directly to the object as a member or owner. Indirect – For all other cases the value is indirect. This includes inherent permissions such as those of system administrators. If a user is directly assigned to an object and is also indirectly assigned through a group, and the highest implied role and highest assigned role match, the membership type is direct. |
- | Effective role | The resulting permission in that area: Member – Used with schemas. Owner – Owner of either a cabinet or folder. Disabled user – The user is disabled in the system. <Role name> – The effective role of the user. If marked with an asterisk (*), this indicates that the user’s permissions are reduced at that level of the library or they are not the owner. For example, a user is assigned to a group with a library administration role and cabinet administration role but only the group with the cabinet administration role has access to that level of the library. See Determining Effective Role for more information. |
- | Role origin | Library – The role is set at the cabinet or folder level. Group – The role is set at the group. Inherent – The role is inherent, such as senior library or system administrator. See Role Origin for more information. |
- | Group | Name of the group where the user has the highest level of permissions. If the role is Owner and the membership type is Direct there is no group. See Group for more information. |
The Effective Permissions report can be run by a System Administrator. This log is never deleted or overwritten.
To view the effective permissions report
- Go to Administration > Full Administration Menu > Administration Reports > Effective Permissions.
- Use any of the following filters:
  - User Name – Select a user name from the list.
  - Object type – Select Library, Archive (library archive), or Schema.
  - Location – Click Select Location to select a specific area in the library.
  - Schema – Select a schema name from the list.
  - Do not include disabled users – Select this option to leave any disabled users out of the report results. Only enabled users are shown.
  - Do not include enabled users – Select this option to leave any enabled users out of the report results. Only disabled users are shown.
  - Role origin – Select Group (role is from the group membership), Library (role is assigned at a folder or cabinet), or Inherent (role is inherent such as senior library or system administrator).
- Click Apply Filter. The number of results and the report are shown below. The number of rows that are displayed in the report view can be adjusted to show 15, 30, or 60 rows at a time. Click on the column to sort in ascending or descending order.
- To modify permissions at any level, click on the Name link. The properties for that level open.
- Export as CSV.
Determining effective role
For library or archive objects, the effective role is a combination of the groups the user belongs to and their library role assignments. The owner library role assignment is the effective role regardless of any other roles the user may have. When a user is directly assigned, their effective role is the highest role they are assigned across all groups they are members of. When a user is assigned as part of one or more groups, their effective role is the highest of their assigned groups, taking into account advanced security reductions in role.
In the following table Library and Archive are synonymous.
Object | Role Assignment(s) | Effective Role |
---|---|---|
Schema | Any, user not disabled | Member |
Schema | Organizer or lower and the user is disabled. | Disabled User |
Library | Library admin or lower and the user is disabled. | Disabled User |
Library | Any, user not disabled, assigned as owner | Owner |
Library | Any, user not disabled, directly assigned, not modified | highest implied role |
Library | Any, user not disabled, directly assigned, modified | modified role |
Library | Any, user not disabled, indirectly assigned | highest assigned role |
Determining the highest implied role
The highest implied role is used when a user is assigned directly to a schema or library object. As there is no group assignment, the user’s group memberships must be checked. The user’s effective role will be the highest role for all their group assignments.
For example, if the user is assigned to a group with the Organizer role and a second group with the Document Publisher role, their highest role would be Organizer. Their effective role will be Organizer for any object they are directly assigned to.
There is a special implied role when a cabinet administrator owns the cabinet but neither owns a folder in the cabinet nor is a member of a folder in the cabinet. This case is treated as though the cabinet administrator is directly assigned as a member of the folder.
If marked with an asterisk (*), this indicates that the user’s permissions are reduced at that level of the library or they are not the owner. For example, a user is assigned to a group with a library administration role and cabinet administration role but only the group with the cabinet administration role has access to that level of the library.
Determining a modified role
Modified roles are configured with the advanced security setting on a cabinet or folder. Modified roles are absolute. Regardless of the role normally assigned to the user or group, the modified role can be any lower role. For example, a group with a library administration role could be assigned to a cabinet as read only for that cabinet. System administrators and senior library administrators cannot have their roles modified.
Determining the highest assigned role
The highest assigned role is used when a user is indirectly assigned to an object by membership in a group. Their effective role will be the highest role of all groups they are members of that are assigned to the object. If the role of any group has been modified, this must be taken into account when determining the highest role.
For example, assume a user is assigned as a member of GroupA (Organizer), GroupB (Document Publisher), and GroupC (Document Publisher). GroupA and GroupC have been assigned to Folder1. GroupA has a modified role to Publisher. The user’s highest assigned role for Folder1 would be Publisher.
Role origin
The following table describes the role origin. In the table Library and Archive are synonymous.
Object | User or Group Role | Assignment | Role Origin |
---|---|---|---|
Schema | System administrator | None | Inherent |
Schema | Senior library administrator | None | Inherent |
Schema | Library administrator | None | Inherent |
Schema | Cabinet administrator | None | Inherent |
Schema | All other roles | Member | Group |
Library | System administrator | None | Inherent |
Library | Senior library administrator | None | Inherent |
Library | System administrator | Owner | Library |
Library | Senior library administrator | Owner | Library |
Library | Library administrator | Owner | Library |
Library | Cabinet administrator | Owner | Library |
Library | Organizer | Owner | |
Library | Publisher | Owner | Library |
Library | All assignable roles[1], not modified | Member | Group |
Library | All assignable roles, modified | Member | Library |
[1] All assignable roles include Library administrators and lower roles.
Group
The list of groups matching the effective role, taken from the list of groups used to compute the highest role. If the role is Owner and the membership type is Direct there is no group.
Example 1, user is a member of GroupA (Document Publisher), GroupB (Organizer), and GroupC (Document Publisher). User is directly a member of Folder1. The effective role is Organizer and the group is GroupB.
Example 2, same user as example 1. GroupB is a member of Folder2 with reduced role to Document Publisher. The effective role is Document Publisher and the group is GroupB.
Example 3, same user as example 1. GroupA and GroupC are members of Folder3. Effective role is Document Publisher and the groups are GroupA and GroupC.
Example 4, user is a member of GroupD (Cabinet administrator). GroupD is owner of Cabinet1. Effective role for user is Cabinet administrator and the group is GroupD.
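The resolution rules from Determining effective role and the Group examples above can be checked offline against an export of group and object assignments. The following Python sketch is an added example, not the product's code: the role ranking, the `obj` dictionary shape, the `user1` name, checking direct assignment before group assignment, and the empty group list for a modified direct assignment are assumptions, and inherent roles (system and senior library administrators) are left out.

```python
# Added illustration, not the product's code. RANK is an assumption inferred
# from the page's examples (higher number = higher role).
RANK = {"Document Publisher": 1, "Publisher": 2, "Organizer": 3,
        "Cabinet administrator": 4, "Library administrator": 5}

def highest(candidates):
    """Return (top role, sorted groups holding it) from a {group: role} map."""
    if not candidates:
        return None, []
    top = max(candidates.values(), key=RANK.__getitem__)
    return top, sorted(g for g, r in candidates.items() if r == top)

def effective_role(user, user_groups, obj, disabled=False):
    """Return (effective role, membership type, groups) for one library object.

    user_groups: {group: role} for every group the user belongs to.
    obj (hypothetical shape): {"owners": set of user or group names,
        "members": {user or group name: modified role, or None}}.
    """
    if disabled:
        return "Disabled User", None, []
    if user in obj["owners"]:
        return "Owner", "Direct", []          # direct owner: no group listed
    if user in obj["members"]:
        modified = obj["members"][user]
        if modified is not None:
            return modified, "Direct", []     # modified roles are absolute
        role, groups = highest(user_groups)   # highest implied role
        return role, "Direct", groups
    # Indirect: only groups assigned to this object count, each at its
    # modified role where advanced security reduced it.
    assigned = {}
    for group, role in user_groups.items():
        if group in obj["owners"]:
            assigned[group] = role
        elif group in obj["members"]:
            assigned[group] = obj["members"][group] or role
    role, groups = highest(assigned)          # highest assigned role
    return role, ("Indirect" if role else None), groups

# The page's Group examples 1-3, with "user1" as a placeholder user name.
GROUPS = {"GroupA": "Document Publisher", "GroupB": "Organizer",
          "GroupC": "Document Publisher"}
FOLDER1 = {"owners": set(), "members": {"user1": None}}
FOLDER2 = {"owners": set(), "members": {"GroupB": "Document Publisher"}}
FOLDER3 = {"owners": set(), "members": {"GroupA": None, "GroupC": None}}

if __name__ == "__main__":
    for name, obj in (("Folder1", FOLDER1), ("Folder2", FOLDER2), ("Folder3", FOLDER3)):
        print(name, effective_role("user1", GROUPS, obj))
```

Comparing this output with the exported report rows is a quick way to spot a group whose role was never reduced on a sensitive folder.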