A brief explanation of how user permissions work:
A user belongs to one or more groups.
Each group contains a list of “permission” checkboxes that grant specific permissions to its group members.
These user permissions only apply to Organizations that this group can “see”. What does that mean?
The first permission checkbox in the permission list is “View All Organizations”, selected by default. This permission allows the group to see EVERYTHING, hence members of this group are granted this group’s permissions for all organizations in the application.
Outside of the “Advanced” permissions display, there is an “Organizations” screen display. If the “View All Organizations” permission checkbox is disabled, the “Organizations” screen can then be used to cherry pick exactly which individual organizations CAN be viewed by this group. You can specify each individual organization or you can choose the “Cascade” option that allows you to specify an entire organization branch – meaning the organization, any existing organizations nested beneath, and - most importantly - any future organizations that will be created beneath.
These are the steps for creating a security “Group”:
- Click the Settings (Gear Icon) at the extreme lower left corner of your screen.
- On the Settings pane, click the “Groups” link.
- On the center “Groups” pane, click the “+ Add” link at the top of the screen.
- In the right “New Group” pane, enter details for the new group:
- A name for the group.
- Specify the Group Type – Power Users, Communication Users, or Viewers. These group types correlate with licensing. Power User license seats are the most expensive and offer the highest level of user permissions. Power Users can create/edit scorecards, create dashboards, etc. Communication Users can update data values and task statuses.
- Click the “Advanced” button to grant the exact permission attributions for this group. Click “Done” to close the display. Take note that higher level “Group Types” offer more permission checkbox options. You, as a user, only have the ability to grant the permissions that you yourself have access to. Also, note that certain permissions are unchecked by default as they should not be granted unless absolutely necessary:
- The “Server Administration” permission allows for sensitive abilities such as the ability to delete database connections.
- The “Administer All Groups” permission is necessary but can be somewhat confusing. As this permission gives members the ability to add themselves to other groups, members will automatically inherit permissions not only from this group, but also from all other groups – even groups that they are not presently members of.
- Click the “Organizations” button to select the specific organizations that this group can view. Permissions of this group will be granted to group members only for the organizations which this group can view. This screen is entirely unnecessary if the group has the “View All Organizations” permission checked (which is the default). The “Cascade” option allows this this group to view an organization and all organizations situated beneath – so essentially, an organization hierarchy branch. The primary benefit is that users will automatically have access to future organizations that will be created within this branch. Click “Done” to close the display.
- Now, or at a later time, you may choose to add users to the Members and/or Admins lists. Users assigned to the “Admins” list will (1) utilize a Power Users license seat and (2) have the ability to assign other users as members to this group. Think of Admins as “Local Administrators” for this particular group, but not for other groups.
- Click “Save” to finalize the group creation.