How do I manage a user's permissions?
Understanding Permissions
Note: Only admins can update user permissions.
User permission access can be managed individually with directly assigned permissions or in bulk with roles. The following article will walk you through how to manager user permissions.
For information on what each individual permission represents, check out this article.
Table of Contents
Managing Direct Permissions
Assign Direct Permissions to Individual Users
An individual user's permissions can be edited via that user's detail page. To open a user's detail page, first navigate to the Users Catalog page by clicking Settings button from the profile dropdown followed by the Users tab.
Then, find and select the user whose permissions you would like to edit.
From the user detail page, you will be able to enable or disable permissions individually or via the Assign/Unassign All buttons at each section header. Navigate through the permissions via scrolling, searching, or using the index. Click Save Changes to apply the edits to the user.
Note that certain permissions are dependent on other permissions. For instance, a user must be able to View an entity to be able to Edit it. These dependencies are enforced so if you enable an Edit permission on a user without the corresponding View permission, the View permission will be automatically enabled. Similarly, if a user has both View and Edit permissions and the View permission is removed, the corresponding Edit permissions will be removed.
Assign Direct Permissions in Bulk
Permissions can also be directly assigned to users in bulk. This workflow also starts on the Users Catalog page, which you can navigate to by clicking Settings button from the profile dropdown followed by the Users tab.
Note: Within the bulk editing interface, note the two options available for updating permissions: "Set Permissions" and "Add Permissions."
-
Set Permissions: Selecting this option will overwrite all existing user permissions with the specified ones. This is useful when you want a uniform set of permissions for the chosen users.
-
Add Permissions: Use this option if you want to retain individual user permissions while adding new specific ones. Each user will maintain their existing permissions, and only the newly specified permissions will be added.
Managing Permissions with Roles
Roles streamline user access control by allowing you to manage shared permission sets. See you to create roles in the article How do I create and manage roles? Once your roles have been created, return here.
Assign Roles to Individual Users
Roles can be assigned to users from the user detail page. You can navigate here just as you did when managing individual direct assignments. Apply one or more roles to the user via the Roles dropdown. Be sure to Save Changes.
A user will have access to the superset of directly assigned permissions and permissions inherited through roles. You can see the source of each permission directly in the permissions table.
Notice the button of permission settings that are inherited through roles is read-only. If you would like to remove a given direct assignment of a permission that is inherited through a role, you can do so by clicking the Manage direct assignments toggle at the top of the page. You can also remove the direct assignments in bulk by following the steps in the Remove Redundant Direct Permissions section of this article.
Assign Roles in Bulk
Roles can also be assigned to users in bulk from a Role's detail page. From there, open the Users tab to see which users have been added to a role in the Role Users section or find additional users to add in the All Users section.
Assign Roles via Find Candidates
The Find Candidates feature helps you migrate from managing user permissions directly to using roles instead. From Role detail page, click Find Candidates to identify users that have the permissions of the role directly assigned to them and could therefore be migrated to having the role instead.
Remove Redundant Direct Permissions
If a user has a specific permission directly assigned to them and inherited through a role, the user will maintain access to that permission even if the permission is removed from the role. To avoid this, we recommend removing the redundant user permission. We offer a workflow to remove these in bulk via the Roles catalog page. Select the roles for which you would like to clean up the directly assigned permissions of the associated users and select Clean Up Redundant Direct User Permissions from the dropdown at the bottom of the page.