5 | | * go to Settings -> Users and permissions |
6 | | * the 'Basic management' tab has table views where you can directly edit stuff |
7 | | * MolgenisUser = the users |
8 | | * MolgenisGroup = user groups |
9 | | * MolgenisRoleGroupLink = assign roles to groups, and nest groups in groups (ie. biologist IS A bioinformatician) |
10 | | * Entities = list of db entities, forms, menus and plugins |
11 | | * MolgenisPermission = the permissions (read/write/own) of users and user groups on the Entities |
12 | | * the My permissions tab is a plugin where you can see your permissions (could be given to users, even anonymous) - and allows you to grant permissions for others on entities that you own |
| 5 | You can edit users and permissions by clicking the ''Settings'' tab in the main menu. Then go to ''Users and permissions''. Users, groups, entities and permissions that can be applied across them are all stored in the database and are exposed to the admin in this menu. |
| 6 | |
| 7 | === User management === |
| 8 | |
| 9 | The ''Basic management'' tab provides you with a number of subtabs where the appropriate settings can be adjusted. |
| 10 | * ''!MolgenisUser'': A list of all users which have (some degree of) access to the application. |
| 11 | * 'Admin' (super user) and 'anonymous' (not logged in) are always here. |
| 12 | * Passwords are MD5 hashed, and even when manually adding a new user here (instead of using ''Registration'') the password will be hashed upon saving. |
| 13 | * ''Entities'': All entities which can be assigned permissions to. Entities are: |
| 14 | * Database tables (ENTITY) |
| 15 | * Table views (FORM) |
| 16 | * Menu items (MENU) |
| 17 | * Plugins (PLUGIN) |
| 18 | * Note that if you want to give a user or group permission to edit records of a certain type, you must grant permissions on this ENTITY to be able to read/write, and on FORM in order to see these data in the user interface at all. If a plugin requires acccess to certain datatypes, you must both grant permissions on viewing the PLUGIN, as well as the required ENTITYs. |
| 19 | * ''!MolgenisPermission'': Here you apply the actual permissions. A ''role'' can be a user or a group. Then select the ''entity' you wish to add a permission on. Lastly, select the ''permission'': read, write or own. |
| 20 | |
| 21 | === Group management === |
| 22 | |
| 23 | Making users part of a group saves you from configuring permissions for each individual user. The user is automatically granted all permissions of the group it has been assigned to. |
| 24 | * ''!MolgenisGroup'': The groups you can put users in. '!AllUsers' and 'system' are always here. |
| 25 | * ''!MolgenisRoleGroupLink'': Here you can put users in groups, or groups inside other groups. |
| 26 | * By default, all users are part of the !AllUsers group. |
| 27 | * Admin and anonymous are also part of the special system group. |
| 28 | * Other users can be assigned to newly created groups. For example, the 'bio-user' of the demonstration system is part of the group 'biologist'. |
| 29 | * Groups can be put inside groups. You can use this to create new groups which inherit the permissions of an existing group, and are then given additional permissions. For example, the group 'bioinformatician' is part of the group 'biologist' in the demonstration system. This means a bioinformatician can do all the things a biologist can do, plus any additional permissions. |
| 30 | |
| 31 | === Sharing permissions === |
| 32 | |
| 33 | If a user (or group) has ''own'' permissions on some entity, this user can choose to share this entity by granting permissions to another user (or group). This is done in a special plugin in the ''My permissions'' tab. In xQTL, we choose not to let regular users have access to this functionality by default. Its true use comes into play in applications with ''row level'' permissions, which xQTL is (at the moment) not. In that case, a specific user can own an instance of an entity. For example, a biologist user called 'Peter' owns 'Peters_investigation', and can now share this investigation by giving read permissions to biologist user 'Kate'. |
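Review bot: New line 12 presents "Passwords are MD5 hashed" as if it were a safeguard, but MD5 is a fast general-purpose hash and is not suitable for password storage. Word this as a known limitation so that admins treat the contents of the MolgenisUser table as sensitive. The old line 12 said the My permissions plugin "could be given to users, even anonymous", and that remark is dropped without replacement. The new Sharing permissions section only says regular users do not get it by default in xQTL, so it should state explicitly whether granting it to anonymous is supported or discouraged. Two small fixes in the same hunk: "acccess" on new line 18 and the unbalanced quote in ''entity' on new line 19.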