Permissions and prohibitions for functions and tools
evels of rights assignment
Authorizations and prohibitions for functions and tools can be assigned on several levels of the edu-sharing system.
The permissions for the use of tools and functions are inherited "from top to bottom" in edu-sharing.
Prohibitions always override permissions. This means that permissions revoked on a "top" level can not be added at a "lower" level.
It is therefore advisable to become more restrictive when assigning rights from "top to bottom".
The "Global authorizations" form the top level of the rights assignment.
They can be used to assign a basic set of authorizations for the system.
Prohibitions set here apply to all users and groups of the instance. Permissions granted here can be "overruled" below the global level.
Below the "Global permissions", permissions and prohibitions can be assigned for:
- Organizations,
- groups,
- individual users
The allocation of all these rights is carried out in the edu-sharing user administration.
If the use of a function is permitted at the organizational level, subordinate groups or individual members of the organization can be deprived of this right by setting a corresponding prohibition.
If a tool right is revoked at the organization level, this right cannot be added to subordinate groups or individual members of the organization by assigning corresponding rights "below", since the authorizations are inherited and prohibitions always override permissions.
Assigning and changing authorizations
Allocation of "Global Authorizations
Open the user administration. Click the "Global permissions" button in the upper right corner.
The screen for assigning permissions opens.
- Names / descriptions of tool rights
- Buttons to allow the corresponding function - Not set global permissions work like a prohibition, but - unlike explicit prohibitions on the organizational, group and user level - can be overruled by an explicit permission.
- Current status of permissions for the selected organization/group/user.
Make the desired changes by checking the "Allow" box. The permission is assigned in real time and the status is updated.
Allocation of authorizations for organizations, groups and users
Open the user administration.
Open the context menu for the entry of the corresponding organization, group or user. Select the "Permissions" option.
The mask for assigning tool rights opens.
- Names / descriptions of tool rights
- Buttons for allowing and disallowing the corresponding function
- Current status of the authorizations for the selected organization/group/user.
Leave the mouse pointer motionless over the corresponding status for a short time to get more information about the status (such as inherited permissions and prohibitions).
Make the desired changes by checking Allow or Prohibit. The permission is granted in real time and the status is updated.
Please note the interaction of the permissions across the three levels: Organization, Group and User.
A pupil is a member of the organisation "Coolschool", which has the right to grant licences for content. By means of inheritance of permissions, this user as an organizational member has the right to use the license editor.
This right can be "overruled" by the administrator on the group level as well as on the user level.
If only this user is to be deprived of the right to grant a license, it is advisable to restrict the user's authorizations accordingly. The other members of the organization thus remain unaffected by the change of rights.
If all students of the organization are to be prohibited from using the License Editor, the administrator can group them in a "student group" within the organization in order to prohibit all group members from using the License Editor (see left drawing).
The prohibition is inherited "downwards" by all users and cannot be overruled there, as prohibitions always overrule permissions.
If a user is a member of two groups of which one group allows the use of a function, but the other group forbids the use of a function, he cannot use the function, since prohibitions always override permissions.
It is therefore not unusual for users with numerous group memberships to have limited rights (see right drawing).
schematic representation of the inheritance of authorizations
List of tool permissions
Permissions and prohibitions can be configured for the following functions and tools at the global, organizational, group and user level:
"Sharing" permissions
- The permission to release materials / open the form to invite users and groups
- permission to release materials to the stream
- The permission to create links to materials / create "sharing-links".
- permission to release materials in shared folders
- Search and Invite users outside the organization / Users from organizations in which I am not a member can be found when sharing
- Search and invite users outside the organization in shared folders
- Searching and finding users outside the organisation without entering the entire user ID / For areas with high data protection requirements (e.g. schools), edu-sharing can be configured in such a way that when searching for users, a complete identifier (e.g. e-mail address) must be entered in the Sharing dialog before it is displayed as a result in the search field. This tool permission allows you to bypass this restriction.
- The authorization to display the release history
"Licensing & Publishing" permissions
- The permission to share materials with all users / Allows the use of the appropriate button in the mask to invite users
- Use license dialog
"File management" permissions
- Workspace access / activates or deactivates the workspace as a usable tool in edu-sharing - If the workspace is deactivated, logged-in users are forwarded to the search.
- Show sources like e.g. Youtube in the search / Tabs of corresponding connected sources are shown or hidden in the search.
"File management"Permissions
- Access to secure area (safe)
- The authorization to release materials in the safe
- The authorization to release materials in shared folders in the safe
- Search and invite users outside the organization in the safe
- Search and invite users outside the organization in shared folders in the safe
"Collections" Permissions
- Create editorial collections
- Create curriculum collections
- Pinned collections and manage pinned collections
"Repositories & Remote Sources" Permissions
Here you configure which content sources are available in the search environment. The permission for the repository "local" should ALWAYS be allowed.
Function "Create custom authorizations"
This function is only available if "Global permissions" are set
A separate authorization can be created
This can be used, for example, to modify metadata set fields
See Metadata Sets (Search, Rendering, Input Masks).