Setting User Permissions


Any action that a user can perform in your site is governed by a permission. As you configure the User Types for your user accounts you can, and should, set permissions that allow the user to accomplish necessary tasks without giving them permission to access information that is outside of their purview or allowing them to take actions that could adversely affect the structure of your site and database.

The Permissions page is used to both view and modify the permissions for a particular User Type. It displays a list of actions along with the default and qualified permissions assigned to the subject User Type for that action.

Assigning Permissions

As you configure the permissions granted to a User Type, there are times when you can choose between granting blanket permissions for an action versus granting permission to perform an action only on the items selected (qualified permission). In the contributor permissions shown to the right, for example, the ModifyValue permission is only granted for fields with an Access Level of Approvals.

The Default Permission setting is used to specify the level of permission granted to the user for an action.

None - the action is prohibited to the user except when the action is invoked on an item selected in the Qualified Allowed column.

Allowed - the user has blanket permission to invoke the action whenever it is available.

If Owner - the user can only invoke the action on items that the user owns (e.g., the user's account record or a document or filter created by the user).

Permission Definitions

The table below lists all of the available permissions, the description of each permission, and tips on the uses of the permission. Depending on the size of your organization and the number of users and documents, you may want to divide some of the administrative actions among your staff and assign user maintenance to a staff member, the design and maintenance of each document to individual staff members, and designate one person to control the database's fields and filters. By compartmentalizing responsibilities you can prevent one person from making changes to a field, for example, that could adversely affect another document that uses the same field.

When referring to User Types in the Usage column, the names of the built-in types are used, as are generic names such as staff, applicant, and reviewer that represent the user's role. You may, of course, choose to use any names you like for the User Types that you create.

The permissions are on two tabs: Basic Settings and Advanced Settings. The basic settings display the permissions you are most likely to change for different user types. The advanced settings list the permissions that are usually restricted to Staff and other administrative user types. Below is a full list of the available permission settings with usage descriptions.

The superuser type should be configured with blanket permissions (Allowed) for all actions and is therefore not mentioned in the table.

See Setting State Permissions for permissions related to changing a document's state.

| Action | Description | Qualifier | Usage |
| --- | --- | --- | --- |
| AddDocument | User can create new document(s) | Document | Usually restricted to applicants. Superuser and staff should never have this permission. |
| AddEmail | User can add email definitions to the database | | Usually restricted to administrative users. |
| DeleteEmail | User can delete email definitions | | Usually restricted to administrative users. |
| ModifyEmail | User can modify email definitions | | Usually restricted to administrative users. |
| AddField | User can add field definitions | Access Level | Usually restricted to administrative users and can further restrict those users to selected access levels. |
| DeleteField | User can delete field definitions | Access Level | Usually restricted to administrative users and can further restrict those users to selected access levels. |
| ModifyField | User can modify field definitions | Access Level | Usually restricted to administrative users and can further restrict those users to selected access levels. |
| ModifyValue | User can set field values | Access Level | Can be used to restrict editing permissions to the owner of the information. Users should only have modify permission for fields that they are to complete. |
| QueryValue | User can query (view) field values | Access Level | Can be used to conceal field values from users. If a user can view a form that contains fields whose values they cannot view, a random number of asterisks is displayed in the field rather than the value. For instance, this is the setting that prevents applicants from viewing reviewers' scores. |
| AddFilter | User can add a filter | | Usually restricted to administrative users. Users with this permission should also have QueryFilter, ModifyFilter, and DeleteFilter permissions. |
| AddFolder | User can add new filter folders | | Grants users the ability to add folders on the Filters page. Users with this permission should also have DeleteFolder, AddFilter, QueryFilter, ModifyFilter, and DeleteFilter permissions. If Owner restricts the user to adding sub-folders to their user folder. Allowed enables the user to add top-level folders. |
| DeleteFilter | User can delete filters | | Usually restricted to administrative users. If Owner only allows users to delete filters that they created. |
| DeleteFolder | User can delete filter folders | | Usually restricted to users who have been granted AddFolder permission. If Owner prevents the user from deleting folders they did not create. |
| ModifyFilter | User can modify filter definitions | | Usually restricted to administrative users. If Owner only allows users to modify filters that they created. |
| QueryFilter | User can query filters and use filters to screen list views | | Usually restricted to users who need to view different lists of database objects, such as reviewers and administrative users. This permission is further qualified by QueryFolder - users will only be able to query filters that are contained in folders for which they also have query permission. |
| QueryFolder | User can query filter folders | Folder | Usually restricted to administrative users, reviewers, or other users who can work with filters. Allowed grants query access to all filter folders. Unqualified If Owner permission restricts the user to queries within their user folder. If Owner and None can be qualified with permission to query individual top-level folders or sub-folders within a user's folder by selecting the folder names in the list provided. |
| ScreenOnFields | User can screen documents using fields as screeners | | Usually restricted to administrative users, reviewers, or other users who can work with filters. This is another screening method that allows for more options than just the filters. |
| ModifyDefaults | User can modify form entry defaults | | Usually restricted to administrative users. |
| QueryAdmin | User can access the Admin menu | | Usually granted to all users to provide access to the user's account settings. |
| QueryFields | User can view the Field administration page | | Usually restricted to administrative users. |
| QueryForms | User can view the Form administration page | | Usually restricted to administrative users. |
| ViewDocuments | User can view the Documents menu and page | | Must be available to users who need to work with lists of documents. Applicants who can only submit one application do not need this capability nor do Contributors since they do not work with lists. |
| ViewEmail | User can view email definitions | | Usually restricted to administrative users. |
| AddContributor | User can add contributors using form entries | | Usually restricted to applicants. |
| AddUser | User can add a user to the database | User Type | Giving the "any" type permission to add applicant documents allows applicants to register and create their own accounts. |
| DeleteUser | User can delete a user from the database | User Type | Usually reserved for administrative users. |
| Login | User can log in to the web site using an existing account | | Can be used to allow or block users from the site as a group. To block a certain type of contributor without blocking all contributors, clear the Target Form setting in the contributor field definition. |
| ModifyPreference | User can modify user preferences | | Grant If Owner permission to users who can modify their preferences. Grant permission for selected user types to staff who can control accounts. When a default filter is set for a user type that does not have this permission, there is no indication to the user that their list view is filtered. This behavior can be useful for user types that have limited access to documents or records. The users will be able to further screen list views and clear screens that they have applied without ever seeing the underlying default filter. |
| ModifyUser | User can modify the information contained in a record | User Type | Applicants should have permission to query their own records (If Owner). Contributors, reviewers, and any other users who need to modify information in applicants' documents should be given permission for applicant records. Administrative users should have permission to modify the records of users with lesser permissions. For example, a staff user should be able to modify the records of applicants, contributors, and reviewers but should not be able to modify the records of staff or superusers. For security reasons it's not a good idea to allow users to promote themselves to a user type with greater permissions. |
| QueryPreference | User can query user preferences | | Grant If Owner permission to users who can view their preferences. Grant permission for selected user types to staff who can control accounts. |
| QueryUser | User can query user account records | User Type | Grant If Owner permission to users who can modify their account settings and/or preferences. Grant permission for selected user types to staff who can control accounts. |
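
The guidance in the Usage column can be checked mechanically against the Default Permission and Qualified Allowed model described under Assigning Permissions. The following audit is an added example, not code from the product or from this page; the configuration layout, the RANK ordering of user types, and the function names are assumptions made for illustration.

```python
# Added example: the data model and RANK ordering are assumptions, not the product's API.
RANK = {"applicant": 0, "contributor": 0, "reviewer": 1, "staff": 2, "superuser": 3}
COMPANIONS = {  # "Users with this permission should also have ..."
    "AddFilter": {"QueryFilter", "ModifyFilter", "DeleteFilter"},
    "AddFolder": {"DeleteFolder", "AddFilter", "QueryFilter",
                  "ModifyFilter", "DeleteFilter"},
}
NO_ADD_DOCUMENT = {"staff", "superuser"}  # per the AddDocument usage note

def grant(perms, action):
    """Return (default, qualified items); an unset action is None with no items."""
    default, qualified = perms.get(action, ("None", ()))
    return default, set(qualified)

def has_any(perms, action):
    """True if the action is reachable at all: Allowed, If Owner, or qualified."""
    default, qualified = grant(perms, action)
    return default != "None" or bool(qualified)

def audit(config):
    """Return (user_type, action, problem) tuples for grants the page advises against."""
    findings = []
    for utype, perms in config.items():
        if utype in NO_ADD_DOCUMENT and has_any(perms, "AddDocument"):
            findings.append((utype, "AddDocument", "should never be granted"))
        if utype == "superuser":
            continue  # configured with blanket Allowed on every other action
        for action, needed in COMPANIONS.items():
            if has_any(perms, action):
                for name in sorted(n for n in needed if not has_any(perms, n)):
                    findings.append((utype, action, f"missing companion {name}"))
        # ModifyUser is qualified by User Type; Allowed reaches every type.
        default, qualified = grant(perms, "ModifyUser")
        targets = set(RANK) if default == "Allowed" else qualified
        own = RANK.get(utype, 0)
        for target in sorted(t for t in targets if RANK.get(t, 0) >= own):
            findings.append((utype, "ModifyUser", f"can modify {target} records"))
    return findings

# Constructed sample configuration: {user type: {action: (default, qualified items)}}
SAMPLE = {
    "applicant": {"AddDocument": ("Allowed", ()), "ModifyUser": ("If Owner", ())},
    "reviewer": {"QueryFilter": ("Allowed", ()), "AddFilter": ("If Owner", ())},
    "staff": {"AddDocument": ("None", ("Application",)),
              "ModifyUser": ("None", ("applicant", "reviewer", "staff"))},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```

A Default Permission of None with an entry in the Qualified Allowed column still counts as a grant here, which is why the staff AddDocument entry in the sample is reported.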


Also see:

Built-In User Types

Setting User Preferences

Setting State Permissions