Authorization



Concept

The primedocs authorization concept pursues the following goals:

  • Reduce administrative overhead

  • Ensure that only user-relevant data is synchronized to the user's computer

  • Involve the specialist departments in the maintenance of snippets

  • Restrict the visibility of templates and snippets based on organizational and role affiliation

  • Support Active Directory and Windows groups or Entra ID (formerly Azure Active Directory), as well as the capabilities of Microsoft Graph

The authorization concept is based on roles, users, user groups and objects. Roles and thus permissions are linked to the objects by AD groups, AD users, primedocs groups or primedocs users.

primedocs groups

primedocs groups and primedocs users are independent authorization classes.

A primedocs group can contain groups or users - this can be defined statically or made dynamic by a configuration. For dynamic groups, a configuration is stored which automatically assigns or removes a user from a group based on user information.


Permissions

Permission / Role

Sys admin

Org admin

User admin

Template admin

Campaign admin

Snippet admin

User

Manage organizations

Manage logo

Manage templates

Modify templates and their permissions (see note 1)

Manage users

Manage shared snippets (see note 2)

Create template snippets

Manage fields

Manage campaigns

Manage signatures

  1. Provided that the template administrator has an explicit modification right on the template.

  2. Provided that the user has an explicit modification right on the snippet.

 

The following permissions are provided in primedocs:

User

"User" controls whether the respective user can log in to primedocs or not. This authorization is initially set by default.

Dev

"Dev" enables functions for developers that regular users don't need.

System administrator

This permission includes all other permissions from here to the right (i.e. "Org", "User", etc.). The system administrator can set permissions for users and user groups in primedocs desktop. Furthermore, they can manage all templates as well as organizations, snippets and users and their profiles in primedocs.

Organization administrator

This permission allows the administration of organizational units (OUs). If the user has this permission, they will see the "Organizational units" entry in the "Organization" tab in primedocs desktop and can create new OUs, modify existing ones (change logos, change addresses, etc.) and delete them.

User administrator

This permission allows the user to manage users and their profiles. If the user has this permission, they will see the "User / profile administration" entry in the "Organization" tab in primedocs desktop. There they can manage users and their profiles; create, edit and delete users/profiles as well as share profiles in the name of other users.

Template administrator

This permission enables the maintenance of templates:

  • The template administrator sees all templates and their permissions.

  • However, a user can only edit templates and their authorizations if they have the explicit right to make changes to the template.

  • The template administrator can also edit all designer snippets and create new ones. They have the right to make changes to the global document functions, the global configurations and translations and to all tags.

Campaign administrator

Campaign administrators can create, edit and delete email campaigns.

Snippet administrator

This authorization enables the administration of all shared text modules ("snippet"). In contrast to the template administrator, the snippet administrator does not require explicit editing rights to a snippet or snippet category: they can always edit all snippets.

NOTE
It is recommended to create one template group per office or per department. This makes it easier to limit the visibility of templates, which in turn helps users find the template they need.


Permissions for snippets

In primedocs there are Shared snippets, Template snippets as well as Private snippets. Only snippets for which the user has read access will be synchronized to the OneOffixx Client.

Shared snippets

Read access is allowed for a snippet or a snippet group if

  • the user has read access to the element itself and all parent snippet groups,

  • it is the root element "Shared snippets"

  • the user has write access via one parent snippet group

  • the user is a snippet administrator

  • or the user is system administrator.

Write access is allowed for a snippet or snippet group if the user

  • has write permissions to the element or one parent snippet group

  • and the top-level element is visible with write access, i.e. the user must also have read access for this element

  • or they are snippet/system administrator.

NOTE
Note that an element without explicit permissions inherits all permissions from its parent group and therefore has no influence of its own. Conversely, as soon as permissions are explicitly defined on an element, they are no longer inherited from above.

Only snippet/system administrators can create elements at the top level.

It is not possible to make a snippet group visible if the parent group is not visible as well. For such a case, simply restructuring into further subfolders may help:

Example

Group Management
├─ Personnel
├─ Snippet A
├─ Snippet B
└─ Snippet C

A person is now to be authorized for the Personnel group, but should not see the snippets in the Management group itself. To do this, another group is created and the snippets are moved into it:

Group Management
├─ Personnel
└─ More
   ├─ Snippet A
   ├─ Snippet B
   └─ Snippet C

Now the read access for "More" can simply be revoked for that person.
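The read and write rules for shared snippets, together with the inheritance note and the restructured Management example, can be checked with a small model. The following Python code is an added example, not primedocs code. Assumptions: the Node class, the has/can_read/can_write helpers and the users alice, bob and carol are hypothetical; principals are plain strings rather than resolved AD or primedocs groups; an explicit permission set replaces inherited permissions entirely; and "write access via one parent snippet group" is read as full write access to that group.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    acl: Optional[dict] = None  # explicit {"read": set, "write": set}; None = inherit

    def chain(self):
        """The element followed by its parent groups, root excluded."""
        out, n = [], self
        while n.parent is not None:
            out.append(n)
            n = n.parent
        return out

def has(user, node, right):
    # Assumed inheritance model: the nearest explicit ACL replaces everything above it.
    while node is not None and node.acl is None:
        node = node.parent
    return node is not None and user in node.acl[right]

def can_read(user, node, admin=False):
    if admin or node.parent is None:  # snippet/system admin, or the root element
        return True
    chain = node.chain()
    if all(has(user, n, "read") for n in chain):  # element and all parent groups
        return True
    return any(can_write(user, p) for p in chain[1:])  # write access via a parent group

def can_write(user, node, admin=False):
    if admin:
        return True
    chain = node.chain()
    if not chain:  # only admins create elements at the top level
        return False
    granted = any(has(user, n, "write") for n in chain)
    return granted and can_read(user, chain[-1])  # top-level element must be visible

# Constructed sample tree: the restructured "Management" example from this page.
root = Node("Shared snippets")
mgmt = Node("Management", root, {"read": {"alice", "bob"}, "write": {"alice"}})
personnel = Node("Personnel", mgmt)  # no explicit ACL: inherits from Management
more = Node("More", mgmt, {"read": {"alice"}, "write": set()})  # read revoked for bob
snippet_a = Node("Snippet A", more)  # inherits from More
legal = Node("Legal", root, {"read": set(), "write": {"carol"}})  # write without read
```

In this model bob reads Personnel but not Snippet A, while carol's write entry on Legal has no effect because she lacks read access to that top-level element.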

Template snippets

Read access is granted to all users, i.e. the snippets are made available to all users for document generation. However, they are only displayed to system/snippet administrators.

Write access is only granted to system and snippet administrators.

Private snippets

Read access and write access are only granted to the corresponding user. System and snippet administrators do not have access for privacy reasons.


Assigning permissions in the dashboard

Open the Admin Dashboard in the browser.

Go to the Security tab.

Authorize individual users

Select the user to be authorized or search using the Search Query text field.

(1) Place a tick in the row of the user and the column of the correct permission(s).

(2) Click on save in the corresponding line.


Alternative: Authorize Windows Groups

Select the Windows groups tab.

(1) Search for an existing AD group in the "New User Group" field and add it by clicking on +Create User Group.

(2) Assign the required authorizations to the added Windows group.

(3) Click on save in the corresponding line.

 

PrimeSoft AG, Bahnhofstrasse 4, 8360 Eschlikon, Switzerland