Permissions issues

[drba...@ucalgary.ca]

I would like to set up a user so that they have permission to edit a limited set of taxonomies. For example, they should be able to add or update, but not delete terms for the Subjects taxonomy. In addition, they should not be able to add, update, or delete terms for any other taxonomy. It seems to me that I should be able to override their permissions by taxonomy and set Create and Update for Subjects to Granted, and Delete to Deny; however, this doesn't work. I've tried changing the permissions for all terms to Deny, thinking that Inherit might be causing issues, but no luck. Of course, I can't set the permissions for all terms to Grant, because that grants them permissions to every term/taxonomy.

Am I misunderstanding the way permissions work in AtoM?

Damian Bauder

[Dan Gillean]

Hi Damian,

Your TestUser - what Group (if any, other than authenticated) is that user a part of? I'd like to try to recreate the conditions you describe locally and see how things work.

The current user interface for the permissions module is sub-optimal - it is not easy to see what permissions are being inherited - just that they are being inherited. Until fixing this becomes a priority for an institution willing to sponsor enhancements, we've tried to document the default permissions for each group here:

• https://www.accesstomemory.org/docs/2.2/user-manual/administer/edit-permissions/#default-permissions-by-user-role

My initial thoughts on how I would achieve the permissions settings you describe:

First, I would probably either edit the permissions for an existing Group (such as contributor, or even just "authenticated" - ie those who have user accounts but are not part of any group), or I would create a new custom group (e.g. Student, or Volunteer, or Intern, etc), so I could easily add other user accounts to the group in the future without having to recreate the custom permissions.

Then, I would explicitly deny Create, Edit, and Delete permissions for all taxonomies, and then add specific rules for the Subjects taxonomy, where I grant permissions to create and edit.

The other thing I would double check are the archival description permissions. Most of your volunteers will probably be managing subject access points via the archival description edit templates, rather than going to the subjects taxonomy and managing terms there. If this is the case, then it means you'll need to ensure your group has at least Create permissions for archival descriptions explicitly granted.

I will do some testing soon when I am able, based on the workflow I've described in theory above, and let you know if it works as expected.

Regards,

Dan Gillean, MAS, MLIS
AtoM Product Manager / Systems Analyst,
Artefactual Systems, Inc.
604-527-2056

@accesstomemory

--
You received this message because you are subscribed to the Google Groups "ICA-AtoM Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ica-atom-user...@googlegroups.com.
To post to this group, send email to ica-ato...@googlegroups.com.
Visit this group at http://groups.google.com/group/ica-atom-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/ica-atom-users/e99a038c-f478-43ec-b068-8ef772c3a565%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[drba...@ucalgary.ca]

Thanks, Dan, much appreciated. I'll try setting up some separate groups, as you suggest.

To answer your question, currently my TestUser account is set up only as "authenticated". I have also tried setting the account as "contributor" with the same results.

Damian

[drba...@ucalgary.ca]

So I set up TestGroup as shown:

And then added TestUser to the group, and reset the user permissions so that they now look like this:

Still no luck.

Damian

[Dan Gillean]

Hi Damian,

I have confirmed that there appears to be a bug with the permissions.

Here is how I created my permissions for a new group, called volunteers.

Archival description permissions:

​

Taxonomy permissions

​

I then created a new user, volunteer1, and added them to the Volunteers group. I did not customize volunteer1's permissions in any other way.

I found that it worked as expected for other taxonomies such as places - I could add existing place terms to a new description, but I could not create them or edit them or delete them.

For subjects however, the problem I encountered was in the create permissions - I should have been able to create new subject terms but I could not:

• If I added a new subject via the subject access points field in a description, then the save button no longer had any effect - I could not save the record until I removed the new term
• If I navigated to Browse > Subjects (or Manage > Taxonomies > Subjects) and clicked the "Add new" button, I was given a permission denied page.
  

This seems like a bug to me. Correspondingly, I have filed the following ticket in our issue tracking system:

• https://projects.artefactual.com/issues/8988

I was testing in AtoM 2.2. Does this reflect what you are seeing in 2.1? Are you encountering additional issues?

I can't guarantee that we will have a fix for this for the next public release (without sponsorship), but we'll sure try!

Regards,

Dan Gillean, MAS, MLIS
AtoM Product Manager / Systems Analyst,
Artefactual Systems, Inc.
604-527-2056

@accesstomemory

To view this discussion on the web visit https://groups.google.com/d/msgid/ica-atom-users/09d702ce-2844-4bf3-8ea3-e7a2692a28d1%40googlegroups.com.

[drba...@ucalgary.ca]

Hi Dan,

I had to go check on editing an archival description. Yes, I can confirm that I am experiencing both of those behaviours when trying to create subject headings with the same permissions settings. I am using 2.1. We haven't noticed any additional issues related to permissions, no. Basically, the default groups and roles seem to be functioning fine--it's just when you try to get more complicated that things go sideways.

For the time being, I guess I'll have to give my users more all-or-nothing trust ;-)

Cheers,

Damian