Copyright © 2019 EarthSoft, Inc • Modified: 18 Feb 2019
The permissions grid is used to display and modify the permissions that a user or role has within EQuIS. The permissions grid is available on the User Profile screen, where users may view their own permissions. If a user is viewing his/her own profile, then some items may not be visible or may be read-only. If an administrator is viewing (or editing) the profile of a user, then all items will be visible.
By default, the permissions grid initially shows the Object Type/Creator permissions of the user or role. These permissions are the most powerful because they apply to all objects within the object type. Permissions granted to the object type apply to all current and future objects of that type. For example, if a user is granted viewer permission on the Dashboards Object Type, the user will have viewer permissions for every dashboard that already exists, and every dashboard that is created in the future.
Permissions for individual object types can be assigned by selecting the View/set permissions on drop-down menu.
Object Types/Creator – Select this option to view/set permissions on all objects by type (including creator permission).
Dashboards – Select this option to view/set permissions on existing dashboards.
Facilities – Select this option to view/set permissions on existing facilities.
Files/Documents – Select this option to view/set permissions on existing files/documents.
Modules – Select this option to view/set permissions on existing modules (i.e., forms).
Reports – Select this option to view/set permissions on existing reports.
Widgets Types – Select this option to view/set permissions on existing widget types.
Note that the Groups and Folders object type is not available for selection in the permissions grid. The EDD object type permissions can be granted by selecting the Object Types/Creator in the drop-down and granting permission on EDDs.
Once an object type has been selected from the drop-down menu, permissions can be applied for specific objects. Use the Name Search Box to limit the list of possible objects, which can be quite numerous. Enter a search term (one or more characters) that will be used to search the objects. Only objects will be displayed that contain the search term within the main attributes (e.g., title, remark, etc.). Press the keyboard <ENTER> key or click the Search button (just to the right of the Search box) to search for objects. Only objects will be displayed that match both the Search and the View/set permissions. In the example below, the View/set permissions has been set to Facilities and the search is looking for a facility name that starts with "g".
The grid columns display each object and the permissions on that object as described below.
Object Icon – The first column on the permissions grid displays the icon appropriate to the given object. This column is for display purposes only and may not be changed. The icons include: Dashboards, Facilities , Files , Reports , and Widgets .
Name – The name column displays the name of the object. If the object is a dashboard, the name is also a hyperlink that will open that dashboard. Click the column header to sort by name (click again to reverse sort).
Permission Types – The permission types are displayed in the grid from left to right in order of permission precedence: Owner Grant, Owner Deny, Editor Grant, Editor Deny, Viewer Grant, Viewer Deny, Creator Grant, and Creator Deny. A "deny" always denies everything to the left (higher permissions); whereas a "grant" always grants everything to the right (lower permissions). A user can be assigned multiple permission types. If a user is both granted and denied the same permission, the deny takes precedence (i.e., the permission will be denied). To make an object completely inaccessible to a user, assign the Viewer Deny permission, which will also deny Editor and Owner permissions.
The following examples illustrate how permissions operate:
• A user is granted Editor permissions. That user automatically has Viewer permissions but NOT Owner permissions.
•A user is denied Editor permissions. That user is automatically denied Owner permissions but this does not prevent granting Viewer permissions.
•A user has been denied Viewer permission to a particular facility (object). This means that the user can never Own, Edit, or View the denied facility—regardless of permissions granted or inherited separately.
•A user has been granted Editor permission on dashboards (as an object type). The Editor permission on dashboards as an object type gives the user permission to edit all existing and future dashboards. However, one dashboard serves a particular purpose and must not be edited. Therefore, the user may be denied Editor permission but granted Viewer permission on that particular dashboard. The user may not edit that dashboard, but may still view the dashboard because the "deny" of Editor permission does not prevent the "grant" of Viewer permission.
If the permission grant or deny column is populated, the user has specifically been assigned that permission to the given object or object type. If a permission does not apply to an object type, the cell is gray.
Permissions can be assigned by clicking on the cell representing the intersection of the permission type and the given object or object type. Permissions can be toggled on and off. Removing a permission (by toggling that permission column to off) for a specific object means that the user is not granted permission to that object, however, the user is not prevented from inheriting that permission from elsewhere. Click the column header to set/unset the given permission for all objects currently visible in the grid. Clicking the column header does not toggle the permission for items not visible on the grid (e.g., on other pages).
Effective Permissions for User or Role – This column displays the effective permissions that the user (or role) has on the given object or object type, based on all existing permissions as granted to the user and/or role(s) of which the user is a member. Permissions might be (1) explicitly granted or denied, (2) inherited from a role, or (3) inherited from an object type. Note that the Effective Permission column for Object Types does not reflect other existing permissions explicitly granted on Objects of the same type. See also the Effective Permissions section below.
Some examples of effective permission include:
•If a user is granted Owner permission on the Facilities Object Type, then each individual facility will display an effective permission of Owner as inherited from the Facility Object Type permission.
•If a user is granted Viewer permission on the Dashboards Object Type, and denied Viewer permission on one specific dashboard, that dashboard will display no effective permissions (i.e., the user does not have permission to that dashboard), but all other dashboards will have an effective permission of Viewer.
•If a user has no permission on the Reports Object Type and is granted Editor permission on five base reports, the Reports Object Type effective permissions column is empty. The Editor effective permissions are shown separately for each report Object.
Object Permissions Report – This icon is a download link to the object Permissions Report, which lists users and roles along with the permissions that have been granted or denied to them on the given object or object type, including effective permissions.
Paging Controls – The bottom of the permissions grid contains controls for displaying a limited number of items at a time (i.e., paging). All of the paging controls are specific to the currently selected object type and search term.
•Arrows – Use the left/right arrows to navigate through pages.
•Go to Page List – Select a specific page to navigate directly to that page.
•Rows per Page – Change the number of items to be displayed per page.
•Count of Pages and Total Items – This control indicates the total number of items available in the permissions grid, how many pages to display the items, and which page is currently selected.
Administrators (or object owners) may click on the effective permissions column to view a list of all explicit permissions contributing to the effective permission for that particular user and object/object type. For example, a user is granted viewer permission to a specific facility, but the effective permission is still empty for that facility. Permission may have been denied because user membership in a role has denied permission to that facility. Examining all the applicable permission provides an understanding of how the effective permission is being generated.
After clicking on the effective permissions column, a new window opens with a grid that lists the applicable permissions. Each row represents a separate explicit permission. The bottom row in the grid is the effective permission for that particular user and object/object type.
The grid columns display each explicit permission applicable to the given effective permissions as follows:
•Permission Type Icon – The first column displays an icon indicating the permission that is explicitly granted or denied to the user or a role.
•User/Role – This column identifies the name of the user or role to which the permission was granted or denied.
•Object Icon – The icon in this column indicates the type of object where the permission applies.
•Object – This column identifies the name of the object to which the permission applies. If the name is in italics, then it indicates an Object Type (instead of an individual Object).
•Granted By – This column indicates the name of the user that granted (or denied) the permission. The name ".system" represents the application itself.
The effective permissions for a report now automatically respect facility permissions. More details are available here.