Wiki source code of Admin Visibility Rules
Version 1.1 by karimpirani on 2014/06/20 09:19
Hide last authors
| author | version | line-number | content |
|---|---|---|---|
 |
1.1 | 1 | Super Users, Domain Administrators and Organizational Unit Administrators all have different levels of visibility as to what they can do in the Admin Console. |
| 2 | |||
| 3 | This page outlines those rules. | ||
| 4 | |||
| 5 | |||
| 6 | |||
| 7 | = Super Users = | ||
| 8 | |||
| 9 | Super users are unconstrained users. They can see and do everything in the system. | ||
| 10 | |||
| 11 | In the SMR system: | ||
| 12 | |||
| 13 | * Only one role can contain the SUPER_USER permission; this role will be the SUPER_USER role, a system role. | ||
| 14 | * The SUPER_USER role cannot be modified (all system roles behave in this way). | ||
| 15 | * The SUPER_USER role is maintained by Objective Arts. There will typically be only one Super User. | ||
| 16 | * All non SUPER_USERs will not be able to see any SUPER_USER in any admin screen. | ||
| 17 | * SUPER_USERs cannot be added as a responsibility of another user. | ||
| 18 | |||
| 19 | |||
| 20 | |||
| 21 | = Administrators = | ||
| 22 | |||
| 23 | Administrators are users who have access to at least one administration screen. There are two administrative levels: domain and organizational unit. | ||
| 24 | |||
| 25 | |||
| 26 | |||
| 27 | === Domain Administrator === | ||
| 28 | |||
| 29 | A domain administrator is governed by the permission DOMAIN_ADMINISTRATOR. Domain administrators will always see **all data** on any screen for which they have access. | ||
| 30 | |||
| 31 | |||
| 32 | |||
| 33 | === Organizational Unit (OU) Administrator === | ||
| 34 | |||
| 35 | An OU administrator is governed by the permission OU_ADMINISTRATOR. OU admins will only see data for the OUs (and all child OUs) for which they are **responsible**. | ||
| 36 | |||
| 37 | |||
| 38 | |||
| 39 | = Order of Precedence = | ||
| 40 | |||
| 41 | All users will be shown the greatest amount of data granted to them. A user can have as many of the admin permissions granted to them but the order of precedence is: | ||
| 42 | |||
| 43 | SUPER_USER > DOMAIN_ADMINISTRATOR > OU_ADMINISTRATOR > non-admins | ||
| 44 | |||
| 45 | |||
| 46 | |||
| 47 | = Data Visibility in Modules = | ||
| 48 | |||
| 49 | Here is the rule for data filtering on screens for each permission. Only the screen:sections below have specific rules regarding data visibility across the permission sets. | ||
| 50 | |||
| 51 | |||
| 52 | |||
| 53 | === Admin Module === | ||
| 54 | |||
| 55 | The main idea behind these filters is that users are only allowed to modify users/relationships below their level. (e.g. Domain admins cannot modify each other). Also, OU admins are bound to whatever OUs for which they are responsible. | ||
| 56 | |||
| 57 | |||
| 58 | |||
| 59 | === **//The simple rule is//**: You cannot modify yourself, any of your roles, your responsibilities, or any users/roles at or above your level. === | ||
| 60 | |||
| 61 | |||
| 62 | |||
| 63 | Superusers: | ||
| 64 | |||
| 65 | * //Staff Screen:Staff List: //All Superusers are not present. | ||
| 66 | * //Responsibilities Screen:Users Tab~:// All Superusers (including logged in) are not present. | ||
| 67 | |||
| 68 | Domain admins: | ||
| 69 | |||
| 70 | * //Roles Screen~:// Domain Admin role not present. | ||
| 71 | * //Staff Screen:Staff List~:// All Superusers and Domain Admins are not present. | ||
| 72 | * //Responsibilities Screen:S//taff List: Superusers and Domain Admins are not present. | ||
| 73 | * //Responsibilities Screen:Users Tab:Staff List~:// Superusers and Domain Admins are not present. | ||
| 74 | |||
| 75 | OU admins: | ||
| 76 | |||
| 77 | * //Roles Screen~:// Domain Admin and all roles for the logged in user will not present. They probably shouldn't get access to this screen, however. | ||
| 78 | * //Staff Screen:Staff List~:// Superusers, Domain Admins and all users in any role of the logged in user will not show. | ||
| 79 | * //Staff Screen:Assigned Roles Tab//: The Superuser role should not be present | ||
| 80 | * //Responsibilities Screen:Staff List~:// Superusers, Domain Admins and other OU admins not in list. All other staff are shown. | ||
| 81 | * //Responsibilities Screen:Client Tab: Client List~:// Only clients placed at any OUs for which the logged in user is responsible will display. All other clients will not be shown. | ||
| 82 | * //Responsibilities Screen:Users Tab:User List~:// Superusers, Domain Admins and other OU admins not in list. All other staff are shown. | ||
| 83 | * //Clients Screen:Organizational Placements//: Allowed to Add/Remove Placements for any OUs for which they are responsible, for any client in the system. |