Overview of User Permissions
There are a number of factors which will determine what a user of Catalyst will be permitted to see and do in the system. In other words, these are the factors which determine their permissions.
This article is designed to provide an overview and guide you to the config area which may be required.
1. Account type
Every user must be given an account type. We have 5 different account types:
Super Admin - use carefully and infrequently. This account type gives a user access to everything. They have full permissions across the whole platform including delete. The following areas of the system can only be accessed by users with a super admin account type:
- Administration/ Users
- Administration/ Roles
- Administration/ Elements
- Administration/ Outbound mail setup
- System configuration/ Landing page
- System configuration/ Theme
Config Admin - the number of these users again will be fewer than others. This account type is designed to have a role whereby the user will have permission, for example, to create and/or edit task templates, sequences, object classes and configure single sign-on or authentication requirements. See Role below.
1-time completion - these users do not log in. They are able to complete tasks from links in email notifications. This account type is suitable for users who are rarely asked to complete a task. They simply have permission to complete tasks for which they are made the owner.
Internal - this account type is designed for users who are employees of your organisation and are responsible for processing records and completing tasks. They will no doubt be given additional permissions via object classes for records with which they interact.
External - conversely, this account type is designed for users who are not employees and who are unlikely to require any additional permissions. They will probably simply log in to a landing page and have a tasks list.
2. Role
As already indicated, a role or roles can be given to users with the account type Config admin.
A role has four sections in which permissions can be given to allow users to configure certain areas of the system which relate to data, processes and system setup.
The following screenshots show a role which will allow a Config admin user to create/edit sequences, task templates and object classes including the relational model. However, this role does not permit the user to configure any items in the Administration section of the system, and it does not permit the user to delete any configuration.
3. Object class permissions
Object class permissions are broken down into two types: Class permissions and Record permissions.
Class permissions has a default permission set given to the user who creates the Object class. Additional owners can be added by that user or a user with a Super admin account type. This permission set has all permissions enabled and cannot be changed.
Additional permission sets can be added to allow users or user groups interaction with the Object class itself, Object records within the class and Tasks available for the class. These permissions relate to all records and all tasks.
Record permissions - again, this has a default permission set with all permissions enabled for the Owner of the record. Additional permission sets can be added by Owners of the Object class. Additional permission sets can be assigned to users via the Record access tab in the side panel of an individual record.
Alternatively, record permissions sets can be assigned to individual users or to a group of users via the Record Access actor in the Sequencer.
Having checked "Configure record permission set assignment", select:
- The required permission set
- Whether you wish to Append assignees, Override assignees or Remove assignees
- Whether you wish to grant permission to individual users, to user groups or via a user field
- Having opted to grant the permission via user groups, select user group(s)
4. User group permissions
User groups are used to manage teams or subsets of people and easily reference multiple users in different areas of the system.
A User group has two configuration tabs which allow management of members and management of permissions for that User group. Find out more about user groups.