Permission required: Global role: Manage users & groups
SD Elements allows system administrators to easily organize a collection of users into a logical group that can be treated as a single entity when assigning permissions, such as the ability to add or delete projects. A user's resulting permissions are the combination of that user's specific permissions plus any permissions the user inherits from being a member of a group.
Groups can also be added to projects and be assigned certain project permissions. The permission assigned to the group is also assigned to all of its members.
The following examples illustrate how SD Elements permissions work in the context of users and groups.
Example 1: Individual Users
In this example, the three users Alfie, Brock, and Cody are each assigned a user role of "User", but have no access to the project in the application.
While providing access to several users of this project could be done easily, adding a group of tens or hundreds of users to multiple projects would become a very time-consuming task.
To treat Alfie, Brock, and Cody as a single entity, we create a group called "ORG-DIVISION-TEAM1" and assign it a role of "User".
Now, giving Alfie, Brock, and Cody access to "PROJECT A" is as simple as defining a "Project Role" for the "ORG-DIVISION-TEAM1" group.
The same concept applies for users as individuals: the "Project Role" selected will be inherited by the members of the group.
Example 2: Inherited Groups
A group can therefore contain individuals, but it can also contain other groups! A common scenario is one where you have a particular business line, and within that business line you have specific business units, and in those units you might also have specific teams who all need varying access levels to a particular project.
Since permissions are inherited, it is helpful to think of your organization hierarchy as an upside-down tree. In this tree, each branch/node represents a group and each member of the group inherits the role defined by the group. Furthermore, each member of a group also belongs to the groups below it. Access limitation is achieved by controlling the membership of the group; as such, the more groups an entity (individual or group) is assigned to, the more access that entity will inherit.
We'll re-use Alfie, Brock, and Cody, who all belong to the "ORG-DIVISION-TEAM1" group from Example 1. But we'll also introduce the project leads, Dominic and Emily, who belong to the "ORG-DIVISION" group. Dominic and Emily supervise other sister groups such as the one Alfie, Brock, and Cody belong to. The correct way to configure these groups would be to add the "ORG-DIVISION" group as a member of the "ORG-DIVISION-TEAM1" group.
Therefore, Dominic and Emily will inherit all the project permissions that Alfie, Brock, and Cody have been assigned. But Alfie, Brock, and Cody will not inherit anything from the "ORG-DIVISION" group.
To further emphasize the relationship between hierarchy and permissions inheritance through group membership, we introduce Felix! Felix is at the top of the organizational tree. As such we'll put him into a group by himself called "ORG". If the "ORG" group is added to the "ORG-DIVISION" group, Felix will inherit all the permissions Dominic and Emily have, in addition to all the permissions Alfie, Brock, and Cody have. In exactly the same way as in the previous example, where the "ORG-DIVISION-TEAM1" group is not inheriting anything from the "ORG-DIVISION" group, in this example the "ORG-DIVISION" group (and by extension the "ORG-DIVISION-TEAM1" group) is not inheriting anything from the "ORG" group.
In the previous examples, we have illustrated how three (3) different layers of hierarchy can be represented using groups and what permissions a user at each layer will receive based on the membership of their group. A user will always receive the highest permission possible through all their memberships, whether through groups or by being directly assigned to a project.
Creating a Group
From the menu bar category select "User Management", followed by "Groups".
From the Groups page, select the "Add New Group" button.
Similar to creating a user, a group takes a name, description and role. As stated above, the role determines the permissions that all members of the group will inherit. You can select the users and groups to be added to the group by entering the name in the "Members" field. This will provide a drop-down list of users and groups that match the name you entered. When adding groups to your group, be aware that you're adding every member of that group to this one, including those in groups added to that group.
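The following sketch is an added example, not SD Elements code or its API. It models the groups from Example 2 to show who ends up in a group once nested groups are expanded, and which project role each user receives when the highest one wins. The role names, their ranking, and "PROJECT B" are assumptions made for illustration.

```python
# Constructed model of the page's examples; not SD Elements code or its API.
# Role names and their ranking are assumptions made for illustration.
ROLE_RANK = {"Read-only": 1, "Contributor": 2, "Lead": 3}

# group -> direct members (users or other groups), as configured in Example 2
GROUPS = {
    "ORG-DIVISION-TEAM1": {"Alfie", "Brock", "Cody", "ORG-DIVISION"},
    "ORG-DIVISION": {"Dominic", "Emily", "ORG"},
    "ORG": {"Felix"},
}

def effective_users(group, groups, _seen=None):
    """Expand a group to every user it contains, following nested groups."""
    seen = set() if _seen is None else _seen
    if group in seen:  # defensive guard in case memberships form a loop
        return set()
    seen.add(group)
    users = set()
    for member in groups.get(group, ()):
        if member in groups:
            users |= effective_users(member, groups, seen)
        else:
            users.add(member)
    return users

def effective_project_roles(project_roles, groups):
    """project_roles maps a user or group name to its role on one project.
    Returns user -> highest role received from any assignment."""
    result = {}
    for principal, role in project_roles.items():
        if principal in groups:
            users = effective_users(principal, groups)
        else:
            users = {principal}
        for user in users:
            current = result.get(user)
            if current is None or ROLE_RANK[role] > ROLE_RANK[current]:
                result[user] = role
    return result

# Constructed assignments for "PROJECT A" and a hypothetical "PROJECT B"
PROJECT_A = {"ORG-DIVISION-TEAM1": "Contributor", "Cody": "Read-only"}
PROJECT_B = {"ORG-DIVISION": "Lead"}

if __name__ == "__main__":
    for name, roles in (("PROJECT A", PROJECT_A), ("PROJECT B", PROJECT_B)):
        print(name, sorted(effective_project_roles(roles, GROUPS).items()))
```

Running the same expansion over an export of your own group memberships before adding a group as a member shows exactly which users the change will grant access to.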
Deleting a Group / Removing a User from a Group
A user that is removed from a group loses any permissions and roles they were granted from their membership in that group. They will still have the permissions that were granted from other sources (other group memberships and/or their user role).