.. _`roles and permissions`:

Roles and Permissions
=====================

.. contents:: Table of Contents

When working with sensitive data, protecting that data and making sure users only see what they need to see is very important.
To accommodate this, INDICA features a Roles and Permissions system.
With this system, it is possible to define custom roles and assign permissions to those roles.
This gives complete control over what a user can and cannot do, while still keeping it maintainable and scalable.

Introduction to Roles and Permissions
-------------------------------------

General information
*******************

Roles and Permissions are a part of the Admin portal.
This means that *only* administrators (or anyone with the corresponding role, if assigned by an administrator) can change the setup of roles and permissions.

Users with the Admin role are unlimited in their actions.
However, every action an administrator takes is logged for audit purposes.
Logged actions cannot be changed by any administrator.

Changing the setup of roles and permissions can (by default) only be done by Administrators.
However, changing the roles and permissions is a permission in itself, meaning it can be assigned to other roles if desired.

Roles
*****

A role can be assigned to a user or a group of users. These roles have permissions assigned to them.
A user can have multiple roles, and roles can have multiple permissions.
Roles can be mapped to AD groups; more information about mapping can be found in the section :ref:`mapping-ad-groups`.

The following roles are configured by default:

.. thumbnail:: /media/img/admin/rolesAndPermissions/rolesOverview.png
    :title: Overview of Roles page with the default roles

* Admin
    | Typically assigned to administrators.
    | Administrators can see and do anything on the system.
    | They have unlimited access to all cases and all settings.
    | Administrators are responsible for setting up and maintaining the INDICA Appliance.
* Case Admin
    | This role is intended for Case Administrators.
    | They have elevated roles over managers, meaning they can manage users and cases on an appliance,
    | but do not have access to the system settings that administrators do.
* Manage
    | This role is intended for Case Managers.
    | Case managers can see and change the settings of the cases they are assigned to.
    | They are responsible for case settings like workflows, tags, data sources, etc.
* Advanced User
    | The "Advanced User" role is for trained and experienced users.
    | This role gives more information and features on the Search page.
* Basic User
    | The "Basic User" role is for new users with limited rights.
    | This role gives access to a limited Search page with only basic functionality.
* System Api
    | Internal system user, only used for INDICA's inner workings.
    | Changing or assigning this role is not needed.

.. note::
    Roles are system-wide. This means that when a role is edited, the permissions of that role will apply to all cases that use this role.
    If this behavior is not desired, it is possible to create roles for a specific Case and use those roles for that Case.
    This allows administrators to have Case-specific roles (and permissions).

Permissions
***********

A permission is something a user can see or do in the system.
This can be assigning a tag, viewing document content, changing settings, etc.
These permissions are attached to a role, and roles are attached to users (or AD groups, see :ref:`mapping-ad-groups`).

New permissions cannot be created by the administrator or any other user,
because permissions are defined in the source code of the INDICA Appliance.
New permissions will be included in future releases of INDICA.
Existing customers can also request new permissions. Contact INDICA for more details.

.. thumbnail:: /media/img/admin/rolesAndPermissions/permissionsOverview.png
    :title: Overview of Permissions page. Only shows a subset of all permissions.

For a full list of all permissions, their description and which roles have which permission, please refer to the `Default permissions matrix`_.

.. note::
    Permissions cannot be deleted. They can be edited, but only the display name and the description can be changed.

Configuring Roles
-----------------

Adding a new role
*****************

A new role can be created by clicking the "+ New Role" button on the "Roles" setup page.
The following screen will open:

.. thumbnail:: /media/img/admin/rolesAndPermissions/addNewRole.png
    :title: Form for adding a new role

In this form, the following information is required:

* Name/Code
    | Cannot be filled in by the user; it is generated based on the Display Name.
* Display Name
    | Name of the role, for example "Basic User with advanced querying and filtering".
* Description
    | Description of this role, so that roles can be distinguished from each other.
* Permissions
    | Check the boxes for the required permissions.

.. note::
    In this example, the new role is an extension of an already existing role.
    This means that if this new role is assigned to a user alongside the already existing role, the permissions of both roles will be combined.
    This makes it unnecessary to select all permissions while setting up this new role.
    The best course of action will be to select the extra permissions and assign both roles to the user(s).
    However, it is also possible to add the permissions of the "Basic User" role to this role as well, and only assign this role to the user(s).

Once all information is entered, it will look like the following image:

.. thumbnail:: /media/img/admin/rolesAndPermissions/addNewRoleFilledIn.png
    :title: Form for adding a new role, filled in

Once done, click "Save" to save your new role. It should now be displayed in the overview.
This role can now be assigned to user(s).

Editing an existing role
************************

To edit an existing role, click the "Edit" option. The following page will be displayed:

.. thumbnail:: /media/img/admin/rolesAndPermissions/editExisingRole.png
    :title: Form for editing an existing role

Simply make the edits needed, and click "Save" to save the changes.

.. note::
    The system will immediately recognise the changes and assign the changed permissions to the users that have this role assigned.
    In some situations it may be necessary to sign out and sign back in for the changes to take effect.

Deleting an existing role
*************************

To delete an existing role, click the "Delete" option.
A confirmation prompt will open, asking you if you're sure you want to delete this record.
Click "OK" to delete this role.

.. note::
    Deleting a role that is assigned to user(s) may have implications on the permissions of the user(s).
    It is advised to detach the role before deleting it.

Default permissions matrix
---------------------------

This table shows the Authorisation Matrix of the default roles and permissions.

.. role:: raw-html(raw)
    :format: html

.. tabularcolumns:: |p{2cm}|p{5cm}|p{2cm}|

.. csv-table:: Permission Matrix
    :file: /media/csv/defaultPermissionMatrix.csv
    :header-rows: 1
    :class: longtable
    :widths: 25 55 20
    :align: left

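
The following is an added example, not INDICA code: a small review script for the role model described above, where a user's permissions are the combination of all assigned roles, the right to change roles and permissions can be delegated to non-Admin roles, and deleting a role changes what its users can do. All role names, permission codes and users are constructed placeholders.

```python
# Constructed sample data: role and permission codes are illustrative
# placeholders, not INDICA's real identifiers.
ROLE_PERMISSIONS = {
    "basic_user": {"search.basic"},
    "basic_user_adv_query": {"search.advanced_query", "search.filter"},
    "case_admin": {"search.basic", "case.manage", "user.manage"},
    "role_editor": {"roles.manage"},
}
USER_ROLES = {
    "alice": ["basic_user", "basic_user_adv_query"],
    "bob": ["basic_user", "case_admin", "role_editor"],
    "carol": ["basic_user"],
}
ROLE_MGMT = "roles.manage"  # hypothetical code for "change roles and permissions"


def permissions_of(roles):
    """Combined (union) permissions of a list of roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def effective_permissions(user):
    """What a user can do: the union over every role assigned to them."""
    return permissions_of(USER_ROLES.get(user, []))


def role_managers(admin_role="admin"):
    """Users who can change roles/permissions through a non-Admin role."""
    return sorted(
        user for user, roles in USER_ROLES.items()
        if ROLE_MGMT in permissions_of(r for r in roles if r != admin_role)
    )


def deletion_impact(role):
    """Per user, the permissions that disappear if `role` is deleted."""
    impact = {}
    for user, roles in USER_ROLES.items():
        if role in roles:
            remaining = permissions_of(r for r in roles if r != role)
            lost = ROLE_PERMISSIONS.get(role, set()) - remaining
            if lost:  # users covered by another role are unaffected
                impact[user] = sorted(lost)
    return impact


if __name__ == "__main__":
    print("alice can:", sorted(effective_permissions("alice")))
    print("delegated role management:", role_managers())
    print("deleting basic_user removes:", deletion_impact("basic_user"))
```

Running ``deletion_impact`` before deleting a role shows which users should be detached or given a replacement role first; ``role_managers`` lists the accounts to review whenever the role-management permission has been delegated.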