Admin Visibility Rules

Last modified by karimpirani on 2014/07/03 15:48

Super Users, Domain Administrators and Organizational Unit Administrators all have different levels of visibility and authority as to what they can do in the Admin Console. This page outlines those rules.

 

Super Users

Super users are unconstrained users. They can see and do everything in the system.

In the system:

  • Only one role can contain the SUPER_USER permission; this role will be the SUPER_USER role, a system role. 
  • The SUPER_USER role cannot be modified (all system roles behave in this way).
  • The SUPER_USER role is maintained by Objective Arts. There will typically be only one Super User.
  • All non SUPER_USERs will not be able to see any SUPER_USER in any admin screen.
  • SUPER_USERs cannot be added as a responsibility of another user.

 

Administrators

Administrators are users who have access to at least one administration screen. There are two administrative levels: domain and organizational unit.

 

Domain Administrator

A domain administrator is governed by the permission DOMAIN_ADMINISTRATOR. Domain administrators will always see all data on any screen for which they have access.

 

Organizational Unit (OU) Administrator

An OU administrator is governed by the permission OU_ADMINISTRATOR. OU admins will only see data for the OUs (and all child OUs) for which they are responsible.

 

Order of Precedence

All users will be shown the greatest amount of data granted to them. A user can have as many of the admin permissions granted to them but the order of precedence is:

SUPER_USER > DOMAIN_ADMINISTRATOR > OU_ADMINISTRATOR > non-admins

 

Data Visibility in Modules

Here is the rule for data filtering on screens for each permission. Only the screen:sections below have specific rules regarding data visibility across the permission sets.

 

Admin Module

The main idea behind these filters is that users are only allowed to modify users/relationships below their level. (e.g. Domain admins cannot modify each other). Also, OU admins are bound to whatever OUs for which they are responsible.

 

The simple rule is: You cannot modify yourself, any of your roles, your responsibilities, or any users/roles at or above your level.

 

Superusers: 

  • Staff Screen:Staff List: All Superusers are not present.
  • Responsibilities Screen:Users Tab: All Superusers (including logged in) are not present.

Domain admins:

  • Roles Screen: Domain Admin role not present.
  • Staff Screen:Staff List: All Superusers and Domain Admins are not present.
  • Responsibilities Screen:Staff List: Superusers and Domain Admins are not present.
  • Responsibilities Screen:Users Tab:Staff List: Superusers and Domain Admins are not present.

OU admins:

  • Roles Screen: Domain Admin and all roles for the logged in user will not present. They probably shouldn't get access to this screen, however.
  • Staff Screen:Staff List: Superusers, Domain Admins and all users in any role of the logged in user will not show.
  • Staff Screen:Assigned Roles Tab: The Superuser role should not be present 
  • Responsibilities Screen:Staff List: Superusers, Domain Admins and other OU admins not in list. All other staff are shown.
  • Responsibilities Screen:Client Tab: Client List: Only clients placed at any OUs for which the logged in user is responsible will display. All other clients will not be shown.
  • Responsibilities Screen:Users Tab:User List: Superusers, Domain Admins and other OU admins not in list. All other staff are shown. 
  • Clients Screen:Organizational Placements: Allowed to Add/Remove Placements for any OUs for which they are responsible, for any client in the system.