User Group Management

From ResourceSpace Documentation Wiki

Adding and editing groups

Groups are managed via: Team Centre -> System Setup -> Group Management

Default user groups

The default user groups are:

  • Administrators: everything (aimed at sysadmins)
  • Resources Team: almost everything, except System Setup (aimed at your internal resources team)
  • Archive team: can edit resources in the 'waiting to be archived' and 'archived' states only.
  • General Staff: search and download
  • Restricted: nothing; they can only see resources they have been e-mailed. Aimed at external users, i.e. print agencies etc.


Permissions

The permissions string set on a user group defines which functions users in that group will have access to.

Example permissions string:

r,s,a,t,e0
   

Note that case is important. Functionality to which access can be controlled is as follows:

Search
------
s	Can search for resources
v	Can view restricted (admin only) resources, also download 'confidential' resources 
g	Can download the higher resolution resources (anything above 'screen').
q	Can make resource requests.

Fields
------
f*	Can see all fields
f?	Can see field with reference ? e.g. f1,f2,f3 (applies to editing, advanced search, and  viewing resources).

Resource creation
-----------------
c	Can create resources / upload files (Team Centre users; resources go directly into usable state)
d	Can create resources / upload files (Normal users; resources go into 'pre-check' state.)

e?	Can edit resources in specific archive state, e.g. e0, e1, e2
		e0: Not archived (visible in a normal search)
		e1: Waiting to be archived (hidden from searches)
		e2: Archived (visible in archive searches only)
      Further permissions govern access to user contributed resources.
		e-2: User contributed, awaiting user submission
		e-1: User contributed, awaiting team review
	Normally the resource management team will have e0 and e1, and the archive team will have e1 and e2.
i	Can manage archive resources
n	Can tag resources using 'Speed Tagging' (must be enabled in config).

Themes / Collections
--------------------
h	Can publish themes, and edit all collections
j*	Can see all theme categories
j?	Can see theme in category ? (e.g. jCars,jAnimals)

Administration
--------------
a	Can access administration tree
t	Can see the team centre home
r	Can manage research requests
o	Can manage content
m	Can bulk-mail users
u	Can manage users

Restrictive group permissions (allows isolated groups to be created)
-----
U	(upper case) Can manage users in children groups to the user's group only
E	(upper case) Can email resources to users in the user's own group, children groups and parent group only.


Overriding configuration options for a usergroup

The global configuration settings in include/config.php can be overridden on a usergroup basis using the 'Override config options' field when editing user groups in System Setup.

For example, to set that passwords should expire after 30 days for a certain group, set:

$password_expiry=30;

This will not affect other groups.

Search filtering

Each user group can have a 'search filter' set (via the user group options in System Setup). This acts like extra search terms that are always applied. For example, a user in a user group with this filter set would only see resources from Albania:

country=Albania

You can add several fields, which are combined as an AND match:

country=Albania;emotion=Happy

The user can only see happy photos from Albania. This is an extra permissions layer and for some scenarios is preferable to the standard method of setting the 'custom' access mode and managing user group access that way.

You can add OR matches using the pipe symbol:

country=Albania|Brazil

The user will see resources where the country is Albania OR Brazil.

ANDs and ORs can be combined; in this case the OR is performed first:

country=Albania|Brazil;emotion=Happy

The user will see resources where the country is Albania OR Brazil, AND the emotion is Happy.

Edit filtering

An edit filter can be set for the user group. It works like the search filter, but is instead used to determine whether users in the group can edit a resource, based on the metadata in that resource.

The existing 'e0' (or e1, e2 etc.) permissions must be used first to open up edit access. The edit filter is then used to restrict access to specific resources.

The syntax is the same as for search filtering and full AND / OR logic is supported here too in the same way.

Note that for multilingual field options, the full i18n syntax string (e.g. ~en:Red~fr:Rouge) must be used here instead of a translated option.

Default Resource Metadata

The 'resource defaults' field works in the same way as the search filtering above, except that it sets the default metadata when the users in that group add new content. This can be used with search filtering to segment resources by usergroup; in the example above, if the user can only see photos from Albania, you could set the default resource metadata to:

country=Albania

... and the resources the user creates will automatically have the country set to Albania. This avoids the situation whereby the user creates resources that they can then not see.

If the selection field (country in this case) is hidden from the user, the value will still be set. This is a good way to segment the resources completely and, if used with user group specific content and CSS themes, can give each user group the impression that they have their own separate ResourceSpace installation.
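The search filter and the resource defaults described above can be checked against each other before a group goes live. The following is an added example, not ResourceSpace code: it parses the filter syntax and lists search-filter fields that the group's defaults do not set to an allowed value. Exact, case-sensitive value matching and all function names are assumptions.

```python
def parse_filter(spec):
    """Split 'a=x|y;b=z' into [(field, {allowed values})]; ';' is AND, '|' is OR."""
    clauses = []
    for part in spec.split(";"):
        if not part.strip():
            continue
        field, sep, values = part.partition("=")
        allowed = {v.strip() for v in values.split("|") if v.strip()}
        if not sep or not field.strip() or not allowed:
            raise ValueError(f"malformed filter clause: {part!r}")
        clauses.append((field.strip(), allowed))
    return clauses


def matches(spec, metadata):
    """True if a resource's metadata passes every clause (OR inside, AND across)."""
    for field, allowed in parse_filter(spec):
        value = metadata.get(field)
        # Assumption: a field holds one string or a list of strings, compared exactly.
        held = set(value) if isinstance(value, (list, tuple, set)) else {value}
        if not (held & allowed):
            return False
    return True


def unpinned_fields(search_filter, resource_defaults):
    """Filter fields that the group's resource defaults do not set to an allowed value.

    For each field returned, an upload from the group can end up hidden from
    the uploader unless the value is filled in by hand.
    """
    defaults = {}
    for field, values in parse_filter(resource_defaults):
        defaults.setdefault(field, set()).update(values)
    return [f for f, allowed in parse_filter(search_filter)
            if not (defaults.get(f, set()) & allowed)]


# Constructed sample data built from the page's own filter strings.
FILTER = "country=Albania|Brazil;emotion=Happy"

if __name__ == "__main__":
    print(matches(FILTER, {"country": "Brazil", "emotion": "Happy"}))
    print(matches(FILTER, {"country": "Brazil", "emotion": "Sad"}))
    print(unpinned_fields("customer=client1", "customer=client2"))
```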

Parent / children groups

You can define relationships between groups, so for example group A can manage only those users in group B. This is done using the 'parent' field.

Adding the "U" permission to a group means that they can only manage users in children groups (they still need the 'u' in lower case which gives access to the user management area).

Group specific user interfaces

Customised user interfaces can be created specifically for a user group or groups, for example if you want to give one of the organisations that use your system their own look and feel, perhaps specific to their organisation.

On the user group record in System Setup you will see "Fixed Theme".

  • If this is left blank, the user will be able to select their theme from the two standard themes (whitegry and greyblu) using the selector at the bottom of the screen, exactly as the system is normally. Any newly created themes will _not_ appear in the selector.
  • If this is set to the name of a theme however (e.g. greyblu), the users in this group will only see this theme and cannot select another theme. The name of this theme could be a new theme, i.e. not one of the two standard themes normally available in the selector.

This allows you to "lock" certain user groups to a certain theme, allowing quite significant rebranding of the application depending on user group. As you can override existing elements using CSS the design could be radically different - i.e. it is not just the colouring that can be changed.

How to create your own themes

Themes have two parts:

  • A CSS file in the "css" folder with the name "Col-xxxx.css" where xxxx is the name of your theme.
  • A subfolder of the "gfx" folder. You will see the whitegry and greyblu folders in there. Copy one of these to a folder with your new theme name (you will probably want to copy greyblu). You can then change the appropriate CSS and images to style the new theme. The logo is conveniently part of the theme so you can set a custom logo for each group too.

Partitioning ResourceSpace

It is possible to use the above user group features in combination to effectively partition ResourceSpace so that each user group operates as if they have their own ResourceSpace system.

The process is as follows:

1) Create a new field, typically a dropdown, called "Customer" or similar. This will be used to partition your data. The short name should be 'customer'. Use the "f-" (f minus) permission to ensure that user groups other than the System Administrator group cannot edit this field; it should be hidden from view for other users.

2) For each client group, set a search filter (see above) so that they can only see the resources where this field has been set to the value appropriate for them, for example:

customer=client1

3) Also set the default field settings (see above), so the hidden customer field gets filled in automatically whenever they upload content.

customer=client1

The customer groups will now only see resources uploaded by those in their group.

Additionally, System Administrators can see the customer field so can upload resources then allocate them to a particular customer.

It is also possible to partition user management and allow customers to manage their own users as follows:

1) Instead of one user group per customer as above, create two - an administrator group and a staff level group.

2) Set the 'parent' option on the staff group to the group ID of the administrator group (do not be tempted to add parent settings to other groups such as making System Administrator a parent of anything, as it does not work this way).

3) Add the permissions "u,U,E" (first 'u' is lower case, the second is upper case) to the administrator group and "E" to the staff group.

The users in the administrator group can now edit those in the staff group. Neither group will see any other users in the system.
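An added example (not ResourceSpace code) that checks a customer's administrator and staff groups against the three steps above and against the single-letter codes in the Permissions table, where case matters. The group dictionaries, IDs and function names are constructed for illustration.

```python
# Single-letter permissions listed in the Permissions table (case-sensitive).
SINGLE = set("svgqcdinhatromuUE")
# Parameterised forms from the table: f*, f1, e0, e-1, j*, jCars, ...
PREFIXES = ("f", "e", "j")


def parse_permissions(perm_string):
    """Split a comma-separated permissions string into a set of tokens."""
    return {t.strip() for t in perm_string.split(",") if t.strip()}


def unrecognised(perms):
    """Tokens that match neither a single-letter code nor a prefixed form."""
    return sorted(p for p in perms
                  if p not in SINGLE and not (len(p) > 1 and p[0] in PREFIXES))


def audit_partition(admin, staff):
    """Return findings for a customer's admin/staff group pair.

    Each group is a dict with 'id', 'parent' and 'permissions'
    (a constructed shape, not a ResourceSpace data structure).
    """
    findings = []
    for name, group in (("admin", admin), ("staff", staff)):
        perms = parse_permissions(group["permissions"])
        for tok in unrecognised(perms):
            findings.append(f"{name}: '{tok}' is not in the permissions table (check case)")
        if "u" in perms and "U" not in perms:
            findings.append(f"{name}: 'u' without 'U', user management is not limited to child groups")
        if "E" not in perms:
            findings.append(f"{name}: missing 'E', e-mailing is not limited to own, child and parent groups")
    if "u" not in parse_permissions(admin["permissions"]):
        findings.append("admin: missing 'u', no access to the user management area")
    if staff["parent"] != admin["id"]:
        findings.append("staff: 'parent' is not set to the admin group's ID")
    return findings


if __name__ == "__main__":
    # Constructed groups: wrong case on 'U'/'E' and no parent link.
    bad_admin = {"id": 10, "parent": None, "permissions": "s,g,u,u,e"}
    bad_staff = {"id": 11, "parent": None, "permissions": "s,g"}
    for line in audit_partition(bad_admin, bad_staff):
        print(line)
```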

User account requests / automatic user account creation

See Managing_Users#User_Account_Requests

Request Modes

See Resource and Collection Requests
