Managing groups

This topic describes how to set up and manage groups.

Setting up groups

Users who can log onto a server configuration can be organized into groups. Creating and using groups simplifies the task of managing security on a project, because each group can be assigned a set of privileges that apply to all the users in that group, rather than setting privileges on a user-by-user basis.

The status bar on the User Manager dialog box displays the number of users in the selected group who have access to the server configuration, the number of users connected to the server configuration, and the number of users logged on. The number of users connected to the server configuration and the number of logged on users differ when individual users log on more than once.

These operations can be performed only when the server is running.

Back to top

Adding a group

  1. Open the Server Administration tool and select the server configuration.
  2. Click the Accounts bar and then click GUID-E1CAFC1E-1F2D-4F4F-9B3B-A87E82C747D2-low.gif (User Manager). The User Manager tab opens.
  3. Select a group from the Groups tree.

    Note: We recommend that, initially, you select the All Users group when adding a new group. Subsequent groups can be added to any group listed under the All Users group. Avoid adding new groups to the administrative and management group. If a user is a member of a child group, it is also implicitly a member of the parent group—even if the member’s name does not appear in the list when you select the parent group. You must select the Show Users in All Descendant Groups check box to see the complete list of members for a selected group that has child groups.

  4. Click New Group. The New Group Properties dialog box appears.
  5. Type the group name in the Name field.
  6. Type a description of the group in the Description field.

  7. Select the Privileges tab.The privileges selected on the Privileges tab can override any Access Rights that have been previously set for any user in the privileged group. However, the privileges are not a substitute for Access Rights. If you have not set up Access Rights, you have no security system.

    The privileges set on the Privileges tab apply to all objects in all projects in a server configuration. For example, if you give a group the Delete Item privilege, any user in that group can delete any project, view, folder, child folder, or item from the server configuration, regardless of what the Access Rights are for deleting these items.

  8. Set privileges as appropriate.
  9. Click OK. The new group appears in the Groups list.

Back to top

Changing the parent of a group

  1. Open the Server Administration tool and select the server configuration.
  2. Click the Accounts bar and then click GUID-E1CAFC1E-1F2D-4F4F-9B3B-A87E82C747D2-low.gif (User Manager). The User Manager tab opens.
  3. Select a group from the Groups tree.
  4. Right-click and select Change Parent Group from the context menu. The Change Parent Group dialog box appears.
  5. Select a new parent group, then click OK.
  6. Click OK.

Back to top

Determining the members of a group

  1. Open the Server Administration tool and select the server configuration.
  2. Click the Accounts bar and then click GUID-E1CAFC1E-1F2D-4F4F-9B3B-A87E82C747D2-low.gif (User Manager). The User Manager tab opens.
  3. Select a group from the Groups tree.
  4. Select the Show Users in All Descendant Groups check box to also display the implicit members of the group in the Users list.

Back to top

Removing an empty group

  1. Open the Server Administration tool and select the server configuration.
  2. Click the Accounts bar and then click GUID-E1CAFC1E-1F2D-4F4F-9B3B-A87E82C747D2-low.gif (User Manager). The User Manager tab opens.
  3. Select a group from the Groups tree.
  4. Right-click and select Delete. The system displays the following message: 
    Do you want to delete group groupname?

  5. Click Yes.

    • If the group is empty, it is removed from the Groups list.
    • If the group contains users, the system displays the following message: 
      The group you want to delete contains user accounts. Please delete these user accounts or move them to another group prior to deleting a group.
  6. Click OK. Then either delete the users in this group or move them to another group.

Back to top

Group privileges

The privileges assigned to a group may allow members of that group to access objects and perform operations that they are otherwise not allowed to do. In other words, privileges override the access rights settings.

If you select User Manager from the Server Administration tool, you will notice that the server configuration comes with some default groups: All Users, Administrators, System Managers, and Security Administrators. The default user named Administrator belongs to both the Administrators and the Security Administrators groups. By default, the Administrators group has all group privileges. Also by default, other groups have none of these privileges.

All members of a group have the same privileges on every project managed by this server configuration. The privileges apply to all levels equally: projects, views, folders, and items within folders. If users belong to more than one group, they have the maximum amount of privileges, regardless of which group provides them with those privileges.

Generic item rights

This table describes the generic item rights used with groups.

Access right Description
See object and its properties

See all projects, views, folders, items, and their properties. This privilege overrides the similarly named access right found in the Generic Object Rights in the Access Rights dialog boxes.

Modify object properties

Modify the properties of any projects, views, folders, or items. This privilege overrides the similarly named access right found in the Generic Object Rights in the Access Rights dialog boxes.

Delete object

Delete any projects, views, folders, or items. This privilege overrides the similarly named access right found in the Generic Object Rights in the Access Rights dialog boxes.

Purge object (delete permanently)

This privilege is not supported at this time.

Change object access right

Change access rights for any projects, views, folders, or items. This privilege overrides the similarly named access right found in the Generic Object Rights in the Access Rights dialog boxes.

Create object and place it in a container

Create new objects and put them in containers. When this privilege is set, the group can add new views to a project, new folders to a view, and new folders and items to a folder. This privilege overrides the similarly named access right found in the Generic Object Rights in the Access Rights dialogs. It does not override the server-level access right that allows users to create projects.

Grant all specific class-level rights for all classes of objects

Perform any operation not covered by the preceding privileges. For example, this privilege allows group members to check out files, break locks, perform linking operations, and perform labeling operations. This privilege overrides some of the access rights found in the Generic Object Container Rights and all of the access rights in the <item>-specific Rights in the Access Rights dialog.

Back to top

Configuring group privileges

The privileges assigned to a group may allow members of that group to access objects and perform operations that they are otherwise not allowed to do. In other words, privileges override the access rights settings.

In the User Manager dialog box, you will notice that the server configuration comes with some default groups (All Users, Administrators, System Managers, and Security Administrators). The default user named Administrator belongs to both the Administrator and the Security Administrators groups. By default, the Administrator group has all group privileges. Also by default, the other groups have none of these privileges. All members of a group have the same privileges on every project managed by the this server configuration. The privileges apply to all levels equally— projects, views, folders, and items within folders. If users belong to more than one group, they have the maximum amount of privileges, regardless of which group provides them with those privileges.

Note: You can modify privileges in the User Manager dialog box only on running server configurations.

  1. Open the Server Administration tool and select the server configuration.
  2. Click the Accounts bar and then click GUID-E1CAFC1E-1F2D-4F4F-9B3B-A87E82C747D2-low.gif (User Manager). The User Manager tab opens.
  3. Add or select a group in the User Manager dialog box.
  4. Add users to the group, if necessary.
  5. Right-click the name of a group in the Groups tree and choose Properties . The Group Properties dialog box opens.
  6. Select the Privileges tab.
  7. Check or clear the check boxes to grant privileges to the group or take them away.
  8. Click OK.

Back to top

Overriding group privileges

As an administrator, you can override group privileges by setting the option for the server configuration in its System Policy dialog box. Use these options with caution, because they change the steps used by the Server to check every user (including administrators) for access to all objects in the repository. If you ignore privileges, only access rights determine who can and cannot perform operations on objects in the repository.

Note: You can modify this option only on running server configurations.

  1. Open the Server Administration tool and select the server configuration.
  2. Click the Accounts bar and then click GUID-E1CAFC1E-1F2D-4F4F-9B3B-A87E82C747D2-low.gif (System Policy). The System Policy tab opens.
  3. Select the Access Rights tab.
  4. Check or clear Ignore Group Privileges. When cleared, the server configuration checks for privileges.
  5. Click OK.

Back to top