Permissions

Owned by Denny Miller
Last updated: Jun 12, 2024
5 min read

 

The following configuration allows restrictions of Space admin functionality.

If you are looking for App access relating to Privileged User or Space Admin permissions, please see https://thepluginpeople.atlassian.net/wiki/x/AQBNAQE

Accessing the permissions schema

Navigate to the System admin configuration of CSUM-Cloud (Manage apps > configure) and select the ‘Permissions’ tab.

Please view ‘Permission restrictions’ below for a more detailed description of each permission.

image-20240531-151040.png

 

How are permissions applied?

The following checks are made to validate permissions:

  1. By default, the space admin permissions are applied when the logged in user accesses the Space Admin page.

  2. If the logged in user has User Permissions configured, any permitted operations will be granted to the logged in user.

  3. If the logged in user is a member of a group that has Group Permissions configured, any permitted operations will be granted to the logged in user.

It is recommended to use the default space admin permissions, or to apply permissions to a scoped group. Only in very rare situations will individual users require manual permission overrides.

 

Example 1

image-20240531-151323.png

If the default permissions have ‘create groups’ disabled, by default, create groups cannot be performed by all users.

If the create groups permission is granted to a user or group, this user (or all members of the permitted group) will then be allowed to perform the create groups operation.

 

Example 2

Members of this group will be allowed to perform ‘delete group’ operations.

If the user is also a part of this group, they will also be allowed to perform delete group operations. The disabled delete group permissions does not indicate the permission should be disabled.

(If the default space permissions had ‘delete groups’ permission enabled, all space admins would be permitted to perform the delete groups operation).

 

Permission disabled for a User, but they can still perform that operation?

It is important to understand that the permissions schema works on a grant authorization. This means that permissions enabled by default, or granted from a group permission schema will mean the user will have permission, even if explicitly disabled in their permission schema.

 

Space Admin Permissions

These are the default permission schema used for all accounts accessing the CSUM-Cloud space admin module.

If you wish to disable operations for all users, disable the permissions here. You can then select individual Groups or Users to permit the operations to a restricted set of accounts.

 

Group Permissions

These are the permission schemas applied to individual groups. Any members of these groups will be granted all permitted operations in addition to the default space admin permissions and User permission schemas matching the logged in User.

 

Group schema permission for deleted groups

If a group permission schema is configured for a group which has since been deleted, the configuration will persist in the app storage. This results in the following error when loading the permissions configuration:

If the group ID shown does not correlate to a valid user group on your site, this configuration can be removed.

 

User Permissions

These are the permission schemas applied to individual users. If the logged in user matches one of these schemas, they will be granted all permitted operations in addition to the default space admin permissions and Group permission schemas they are a member of.

 

User schema permission for deleted users

If a user permission schema is configured for an account which has since been deleted, the configuration will persist in the app storage. This results in the following error when loading the permissions configuration:

 

 

Permission restrictions

Create Group

When disabled, space admins will not be able to select the ‘create group’ option.

 

Rename Group

When disabled, space admins will not be able to select the ‘rename group’ option.

 

Delete Group

When disabled, space admins will not be able to select the ‘delete group’ option.

 

Add membership

When disabled, space admins will not be able to select the ‘add users’ option.

 

Note: If the top level ‘add members' permission is disabled, the inherited child permissions are also ignored. (You cannot add users or groups if add members is disabled).

 

Add users

When disabled, the user select from ‘add users’ option will be restricted.

 

Add groups

When disabled, the group select from ‘add users’ option will be restricted.

 

Remove Membership

When disabled, space admins will not be able to select the ‘remove users’ option.

 

Note: If the top level ‘remove members' permission is disabled, the inherited child permissions are also ignored. (You cannot remove users or groups if remove members is disabled).

 

Remove users

When disabled, the user select from ‘remove users’ option will be restricted.

 

Remove groups

When disabled, the group select from ‘remove users’ option will be restricted.