Wiki source code of Permissions
Last modified by Sean Hetherington on 2021/09/09 20:55
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | {{layout}} | ||
| 2 | {{layout-section ac:type="two_right_sidebar"}} | ||
| 3 | {{layout-cell}} | ||
| 4 | The all-new, improved permissions system in iSymphony 3.1 allows administrators to control which users are able to perform actions in the system. | ||
| 5 | |||
| 6 | = Permissions Overview = | ||
| 7 | |||
| 8 | By default, the permissions system in iSymphony is disabled, allowing all users access to all actions in the panel. This can be changed with the toggle switch next to the page title. | ||
| 9 | |||
| 10 | Permissions can be defined independently by subject and type, and each permission has a policy and a list of exceptions. | ||
| 11 | |||
| 12 | //Permissions Toggle Switch// | ||
| 13 | |||
| 14 | [[image:attach:permissions_switch.png]] | ||
| 15 | |||
| 16 | == Permission Subjects == | ||
| 17 | |||
| 18 | Permission subjects in iSymphony are the users and user groups. When viewing the permissions configuration page in iSymphony, the available subjects are listed on the left side of the screen. When evaluating whether a user is allowed to perform an action in the panel, iSymphony may check multiple subjects: | ||
| 19 | |||
| 20 | 1. The user themselves; | ||
| 21 | 1. Any groups the user is a member of; | ||
| 22 | 1. The //All Users// group | ||
| 23 | |||
| 24 | The list above is checked in order to find the first permission that matches the correct type for the action. If no permission is found on one level, the next level is then checked. If multiple groups containing the user are found that define conflicting permissions for the same type, the result is permissive - the action is allowed. If no permission is found after checking the //All Users// group, the action is allowed. | ||
| 25 | {{/layout-cell}} | ||
| 26 | |||
| 27 | {{layout-cell}} | ||
| 28 | {{panel title="On this page:"}} | ||
| 29 | |||
| 30 | |||
| 31 | {{toc/}} | ||
| 32 | {{/panel}} | ||
| 33 | {{/layout-cell}} | ||
| 34 | {{/layout-section}} | ||
| 35 | |||
| 36 | {{layout-section ac:type="single"}} | ||
| 37 | {{layout-cell}} | ||
| 38 | == (% style="line-height: 1.5;" %)Permission Types(%%) == | ||
| 39 | |||
| 40 | The //type// of a permission determines what action it controls. When viewing the permissions configuration page in iSymphony, the available permission types are listed on the right side of the screen. Permissions can be controlled individually for each permission type. | ||
| 41 | |||
| 42 | === Permission Targets === | ||
| 43 | |||
| 44 | Most actions in iSymphony are performed on a target - on an extension, on another user, on a queue, etc. In the case of those actions, only targets of specific types are available to select in the exceptions list (see below). For example, it would not make sense to deny permission to 'Call a Parking Lot', and add a specific extension to the exceptions list for that permission. The targets available for selection in the exceptions list are defined by the permission type. | ||
| 45 | |||
| 46 | Some actions don't have a target, and those actions won't have an exception box in the permissions configuration page. For example, changing your own password is something that can't be done for another user, so it's a simple //Allow/Deny// select box. | ||
| 47 | |||
| 48 | == Permission Policy == | ||
| 49 | |||
| 50 | For each combination of subject and type, a general //policy// is defined. For the //All Users// group, only //Allow// or //Deny// can be set as the policy. For other groups or specific users, the policy can also be set to //Inherit//, in which case a permission defined higher in the hierarchy is used. The policy defines whether the subject is allowed to perform the action or not, unless the target appears in the exceptions list. | ||
| 51 | |||
| 52 | == Exceptions == | ||
| 53 | |||
| 54 | If you'd like to control actions on a finer grained level than just //Allow// and //Deny//, then you can specify exceptions to the policy. In this case, the general policy is reversed for those targets. If the policy for a permission is //Allow//, and the target is in the list of exceptions, then the action will be denied. If the policy for the permission is //Deny//, but the target is in the list of exceptions, then the action will be allowed. | ||
| 55 | |||
| 56 | === Owned Exception === | ||
| 57 | |||
| 58 | A special exception exists, called //Owned by User//. In some cases, a user "owns" some targets - for example, most users own one or more extensions. If the //Owned by User// exception appears in the list of exceptions, this has the same effect as if the owned targets each appeared individually. For example, if Albert owned extensions 1001 and 1010, and a permission is defined for Albert as //Deny// with //Owned by User// in the exceptions list, then Albert will still be able to perform that action on extensions 1001 and 1010. Note also that if a third extension is added to Albert, say, 1020, that Albert would automatically be allowed to perform that action on extension 1020 without having to update the permission settings. | ||
| 59 | |||
| 60 | = Editing permissions = | ||
| 61 | |||
| 62 | To edit the permissions in iSymphony, log in to the iSymphony administration interface and select **Users and Security**, then **Permissions** in the main administration menu. This will bring you to the permissions configuration page. | ||
| 63 | |||
| 64 | == Enabling or disabling permissions == | ||
| 65 | |||
| 66 | The permissions system in iSymphony can be enabled or disabled with the toggle switch on the permissions configuration page, next to the page title. If permissions are disabled, the permissions configuration page will be grayed out and unable to be edited. Additionally, all permission checks in the system will return allowed, so all users in the system will be allowed to perform all actions. | ||
| 67 | |||
| 68 | == Selecting a subject == | ||
| 69 | |||
| 70 | The first step to editing a permission is to select the subject that the permission should apply to. The available subjects appear on the left side of the screen. User groups appear at the top, and users appear below them. Click on the user group or user to select that subject for editing. | ||
| 71 | |||
| 72 | == Editing a single permission == | ||
| 73 | |||
| 74 | To edit a single permission for a specific type, locate the correct permission type on the right side of the screen after selecting the correct subject. The current policy and exceptions will be displayed next to the permission type. Hover your mouse over the current policy and a gray outline will appear. Click anywhere within the gray outline to enter editing mode for that permission. At this point, the current policy will change to a drop down list, and the list of exceptions will turn into an editable box. | ||
| 75 | |||
| 76 | === Editing the policy for the permission === | ||
| 77 | |||
| 78 | To edit the policy for the permission, simply click on the drop down box and select the new value. | ||
| 79 | |||
| 80 | === Editing the exceptions for the permission === | ||
| 81 | |||
| 82 | {{info}} | ||
| 83 | Not all permissions can have exceptions. See the Exceptions section above. Additionally, you are not able to specify exceptions for permissions that have a policy of //Inherit//. | ||
| 84 | {{/info}} | ||
| 85 | |||
| 86 | To edit the exceptions for the permission, click in the text box that appears to the right of the text //except//. A small dropdown will appear prompting you to begin typing the name of an exception to select it. After entering text, the drop down will populate with suggestions that match your typing. Click on a suggestion to add it to the list of exceptions. To remove an exception, click on the //x// that appears within the outline of that exception. | ||
| 87 | |||
| 88 | == Editing multiple permission types == | ||
| 89 | |||
| 90 | To edit multiple permission types at once, select the checkboxes the left of the permission. The rows for those exceptions will turn blue. Alternatively, select the //All// link at the top, next to the //Select~:// label. This will select all permission types. Similarly, the //None// link will deselect all permission types. Once the desired permission types are selected, click the drop down box in the top right of the page titled //Set selected to~:// and select an option. This will set the policy for each of the selected permission types to the selected value. The special //Owned Only// option will set all policies to //Deny// and add //Owned// to the list of exceptions for all permission types that are selected. | ||
| 91 | |||
| 92 | == Saving the changes == | ||
| 93 | |||
| 94 | Once changes have been made to the permissions for a subject, the //Save Permissions// button in the top right corner of the screen will become enabled. Click this button to save and apply the permissions. | ||
| 95 | |||
| 96 | = Glossary of Permissions = | ||
| 97 | |||
| 98 | For a list of permissions that are available in the system, and what they control, see the [[doc:List of Permissions]] page. | ||
| 99 | {{/layout-cell}} | ||
| 100 | {{/layout-section}} | ||
| 101 | {{/layout}} |