User Group Management
From ResourceSpace Documentation Wiki
Adding and editing groups
Groups are managed via: Team Centre -> System Setup -> Group Management
Default user groups
The default user groups are:
- Administrators: almost everything, except System Setup (aimed at
your internal resources team)
- Archive team: can edit resources in the 'waiting to be archived' and
'archived' states only.
- General Users: search and download
- Restricted: nothing; they can only see resources they have been e-mailed. Aimed at external users, i.e. print agencies etc.
There are four types of Restricted User: Payment Immediate, Payment Invoice, Requests Emailed, Requests Managed
- Super Admin: everything (aimed at sysadmins)
Permissions
The permissions string set on a user group defines which functions users in that group will have access to.
Example permissions string:
r,s,a,t,e0
Note that case is important. Functionality to which access can be controlled is as follows:
Search ------ s Can search for resources v Can view confidential (admin only) resources, also download 'restricted' resources g Without this permission, the users in the group will have 'restricted' access to any 'restricted/open' resources. q Can make resource requests. w Show watermarked previews/thumbnails ($watermark must be set in config.php prior to resource upload in order for watermarks to be created.)
Metadata Fields / Resource Types -------------------------------- f* Can see all fields f? Can see field with reference ? e.g. f1,f2,f3 (applies to editing, advanced search, and viewing resources). f-? Can not see the field with reference ? e.g. f*,f-3 means see all fields except field 3. F? DENY write access to the field. The field will not appear on edit or edit all. F* DENY write access to all fields. F-? ALLOW write access to the given field, used with F* to allow write access to specific fields only. T? DENY access to resources with the given resource type ID, also hide this resource type when editing/searching X? RESTRICT access to resources with the given resource type ID. X?_$ RESTRICT access to resources with the given resource type ID AND the given download size ID, for example X1_scr restricts access to the screen size download for photo resources.
Resource creation ----------------- c Can create resources / upload files (Team Centre users; resources go directly into usable state) d Can create resources / upload files (Normal users; resources go into 'pre-check' state.)
e? Can edit resources in specific archive state, e.g. e0, e1, e2 (includes deletion) e0: Not archived (visible in a normal search) e1: Waiting to be archived (hidden from searches) e2: Archived (visible in archive searches only) Normally the resource management team will have e0 and e1, and the archive team will have e1 and e2. Further permissions govern access to user contributed resources. e-2: User contributed, awaiting user submission e-1: User contributed, awaiting team review i Can manage archive resources n Can tag resources using 'Speed Tagging' (must be enabled in config).
Themes / Collections -------------------- b Supress bottom collections frame and all associated collections functionality (not advisable for administrator groups as collections make resource management much easier) h Can publish themes, and edit all collections j* Can see all theme categories j? Can see theme in category ? (e.g. jCars,jAnimals) J Can only search for resources that belong to themes (not advisable!)
Restrictive permissions ----------------------- p Can not change own password. Useful for shared user accounts. D Can not delete resources.
Administration -------------- a Can access administration tree t Can see the team centre home r Can manage research requests R Can manage resource requests / orders o Can manage content m Can bulk-mail users u Can manage users k Can manage keywords (add/remove keyword relationships and add/remove/rename checkbox/dropdown list options)
Restrictive group permissions (allows isolated groups to be created) ----- U (upper case) Can manage users in children groups to the user's group only E (upper case) Can email resources to users in the user's own group, children groups and parent group only. Also when using custom access, can only select groups from own group, children groups and parent group. For user list auto-completion (e.g. when e-mailing a resource) the user will only see uesrs from their own group, children groups and parent group.
Overriding configuration options for a usergroup
The global configuration settings in include/config.php can be overridden on a usergroup basis using the 'Override config options' field when editing user groups in System Setup.
For example, to set that passwords should expire after 30 days for a certain group, set:
$password_expiry=30;
This will not affect other groups.
Search filtering
Each user group can have a 'search filter' set (via the user group options in System Setup), which is like some extra search terms that is always applied, e.g. a user in a user group with this filter set would only see resources from Albania:
country=Albania
You can add several fields and it performs an AND match
country=Albania;emotion=Happy
The user can only see happy photos from Albania. This is an extra permissions layer and for some scenarios is preferable to the standard method of setting the 'custom' access mode and managing user group access that way.
You can add OR matches using the pipe symbol:
country=Albania|Brazil
The user will see resources where the country is Albania OR Brazil.
AND and ORs can be combined and in this case the OR is performed first:
country=Albania|Brazil;emotion=Happy
The user will see resources where the country is Albania OR Brazil, AND the emotion is Happy.
Edit filtering
An edit filter can be set for the user group which works like search filter, but instead is used to determine if users in the group can edit resources based on the metadata in the resource.
The existing 'e0' (or e1, e2 etc.) permissions must be used first to open up edit access. The edit filter is then used to restrict access to specific resources.
The syntax is the same as for search filtering and full AND / OR logic is supported here too in the same way.
Note that for multilingual field options, the full i18n syntax string (e.g. ~en:Red~fr:Rouge) must be used here instead of a translated option.
Default Resource Metadata
The 'resource defaults' field works in the same way as the search filtering above, except that it sets the default metadata when the users in that group add new content. This can be used with search filtering to segment resources by usergroup; in the example above, if the user can only see photos from Albania, you could set the default resource metadata to:
country=Albania
... and the resources the user creates will automatically have the country set to Albania. This avoids the situation whereby the user creates resources that they can then not see.
If the selection field (country in this case) is hidden from the user the value will still be set. This is a good way to segment the resources completely and, if used with user group specific content and CSS themes can mean each user group the impression that they have their own separate ResourceSpace installation.
Parent / children groups
You can define relationships between groups, so for example group A can manage only those users in group B. This is done using the 'parent' field.
Adding the "U" permission to a group means that they can only manage users in children groups (they still need the 'u' in lower case which gives access to the user management area).
Note that by adding users to the children groups they are in no way related to the parent group in terms of permissions/config - the options are set individually for each group.
The only thing that nesting groups inside another group does is to allow users of the parent group to edit users in the child group (if the appropriate permissions are set) - and/or restricting the visible users to the current/parent group.
Group specific user interfaces
Customised user interfaces can be created specifically for a user group or groups, for example if you want to give one of the organisations that use your system their own look and feel, perhaps specific to their organisation.
On the user group record in System Setup you will see "Fixed Theme".
- If this is left blank, the user will be able to select their theme from the two standard themes (whitegry and greyblu) using the selector at the bottom of the screen, exactly as the system is normally. Any newly created themes will _not_ appear in the selector.
- If this is set to the name of a theme however (e.g. greyblu), the users in this group will only see this theme and cannot select another theme. The name of this theme could be a new theme, i.e. not one of the two standard themes normally available in the selector.
This allows you to "lock" certain user groups to a certain theme, allowing quite significant rebranding of the application depending on user group. As you can override existing elements using CSS the design could be radically different - i.e. it is not just the colouring that can be changed.
How to create your own themes
Themes have two parts:
- A CSS file in the "css" folder with the name "Col-xxxx.css" where xxxx is the name of your theme.
- A subfolder of the "gfx" folder. You will see the whitegry and greyblu folders in there. Copy one of these to a folder with your new theme name (you will probably want to copy greyblu). You can then change the appropriate CSS and images to style the new theme. The logo is conveniently part of the theme so you can set a custom logo for each group too.
Partitioning ResourceSpace
It is possible to use the above user group features in combination to effectively partition ResourceSpace so that each user group operates as if they have their own ResourceSpace system.
Please find Configuring_for_Multiple_Client_use for a complete instruction on how to partition ResourceSpace.
User account requests / automatic user account creation
See Managing_Users#User_Account_Requests
