


Concept

The primedocs authorization concept pursues the following goals:

  • Reduce administrative overhead

  • Ensure that only user-relevant data is synchronized to the user's computer

  • Involve the specialist departments in the maintenance of snippets

  • Restrict the visibility of templates and snippets based on organizational and role affiliation

  • Support Active Directory and Windows groups

The authorization concept is based on roles, users, user groups and objects. Roles and thus permissions are linked to the objects by AD groups, AD users, primedocs groups or primedocs users.

primedocs groups

primedocs groups and primedocs users are independent authorization classes.

A primedocs group can contain groups or users - this can be defined statically or made dynamic by a configuration. For dynamic groups, a configuration is stored which automatically assigns or removes a user from a group based on user information.


Roles

Permission / Role

Roles (table columns): Sys admin, Org admin, User admin, Template admin, Campaign admin, Snippet admin, User

Permissions (table rows):

  • Manage organizations

  • Manage logo

  • Manage templates

  • Modify templates and their permissions (see note 1)

  • Manage users

  • Manage shared snippets (see note 2)

  • Create template snippets

  • Manage fields

  • Manage campaigns

  • Manage signatures

  1. Provided that the template administrator has an explicit modification right on the template.

  2. Provided that the user has an explicit modification right on the snippet.

The following roles are provided in primedocs:

System administrator

Highest authorization. System administrators can assign roles for users and groups. In addition, they can edit all templates (including those to which the user does not have explicit modification rights) and manage organizations, snippets, users and fields.

Organization administrator

Permission to modify all organizational units (create, delete, insert logos, change addresses, etc.).

User administrator

Permission to administrate all users and profiles: this is useful for all those who provide support for the OneOffixx environment.

Template administrator

Permission to edit and create templates: Template administrators see all templates and their permissions. However, templates can only be edited if the user has the explicit modification right on the template or template group. This also applies to the respective permissions of the templates.
Template administrators can also edit all template snippets and create new ones. They have a right to change the global document functions, the global configurations and translations as well as all tags.

Campaign administrator

Permission to edit and create campaigns.

Snippet administrator

Permission to edit and create shared snippets: snippet administrators do not need explicit modification rights on the snippets. They can always edit all snippets.

NOTE
It is recommended to create one template group per office or per department. This makes it easier to limit the visibility of templates, which in turn helps users find the template they need.


Permissions for snippets

In primedocs there are Shared snippets, Template snippets as well as Private snippets. Only snippets for which the user has read access will be synchronized to the OneOffixx Client.

Shared snippets

Read access is allowed for a snippet or a snippet group if

  • the user has read access to the element itself and all parent snippet groups,

  • it is the root element "Shared snippets",

  • the user has write access via a parent snippet group,

  • the user is a snippet administrator,

  • or the user is a system administrator.

Write access is allowed for a snippet or snippet group if the user

  • has write permissions on the element or on a parent snippet group

  • and the topmost element with write permissions is visible, i.e. the user must also have read access to that element,

  • or is a snippet/system administrator.

Note that an element without explicit permissions inherits all permissions from its parent group and therefore has no influence.

Only snippet/system administrators can create elements at the top level.

NOTE

It is not possible to make a snippet group visible if its parent group is not visible as well. In such a case, simply restructuring the snippets into additional subfolders helps.

Example

  • Group Management
    ├─ Personnel
    ├─ Snippet A
    ├─ Snippet B
    └─ Snippet C

A person is now to be granted access to the Personnel group but should not see the snippets in the Management group itself. To do this, an additional group is created and the snippets are moved into it:

  • Group Management
    ├─ Personnel
    └─ Other
       ├─ Snippet A
       ├─ Snippet B
       └─ Snippet C

Now the read permission for "Other" can simply be withdrawn from the person.
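The shared-snippet read and write rules above can be modelled as a small access check. This is an added example, not primedocs code: the `Node`/`User` data model, the role labels, the user `pat` and the reading that an explicit empty permission set withdraws an inherited right are all assumptions made for illustration, and the tree is the restructured Management example with English group names.

```python
from dataclasses import dataclass, field
ADMIN_ROLES = {"snippet_admin", "system_admin"}  # role labels are assumptions

@dataclass
class Node:
    name: str
    parent: "Node | None" = None
    acl: "dict | None" = None  # None = no explicit permissions, inherit from parent

    def path(self):
        node = self  # the element first, then each parent group up to the root
        while node is not None:
            yield node
            node = node.parent

    def effective_acl(self):
        """ACL of the nearest element (self or ancestor) with explicit permissions."""
        return next((n.acl for n in self.path() if n.acl is not None), {})

@dataclass
class User:
    principals: set  # user name plus group memberships
    roles: set = field(default_factory=set)

def _has(user, node, right):
    return any(right in node.effective_acl().get(p, ()) for p in user.principals)

def can_write(user, node):
    if user.roles & ADMIN_ROLES:
        return True
    holders = [n for n in node.path() if _has(user, n, "write")]
    # The topmost element carrying the write right must itself be visible.
    return bool(holders) and can_read(user, holders[-1])

def can_read(user, node):
    if user.roles & ADMIN_ROLES or node.parent is None:  # admin, or root element
        return True
    if can_write(user, node.parent):  # write access via a parent group
        return True
    return all(_has(user, n, "read") for n in node.path() if n.parent is not None)

def demo():
    """Constructed tree from the restructuring example; 'pat' is a made-up user."""
    root = Node("Shared snippets")
    mgmt = Node("Management", root, {"pat": {"read"}})
    personnel = Node("Personnel", mgmt)  # no explicit ACL: inherits Management's
    other = Node("Other", mgmt, {})  # explicit ACL without pat: read withdrawn
    snippet_a = Node("Snippet A", other)
    pat = User({"pat"})
    return {n.name: can_read(pat, n) for n in (mgmt, personnel, other, snippet_a)}
```

Granting `pat` read on a subgroup whose parent carries an explicit permission set without `pat` still yields no read access, which is the situation the NOTE above describes.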

Template snippets

All users have read access, i.e. the snippets are made available to all users for document generation. However, they are only displayed to system/snippet administrators.

Only system/snippet administrators have write access.

Private snippets

Only the respective user has read and write access. For data protection reasons, even system/snippet administrators have no access.
