Adding Users and Setting Permissions
Specify includes a highly flexible Security module that allows a system administrator to add users, then limit their operations within, and access to, the various tables and tools within Specify. These essentially constitute the User Permissions.
To access the Security tool click System > System Setup > Security Tools. Security tools are only available to users in a Manager or Administrator group.
Users are added to Specify based on their Institutional Level and User Group.
Security can be turned on or turned off. An icon at the bottom right of the status bar alerts users as to the status of security.
Security is ON
Security is OFF
Specify mirrors the common levels of hierarchy within institutions. This hierarchy is viewed in an Institution Tree on the left side of the Security window.
- User Group
- User Group
Users are added at the Collection level only. The lowest level, collection, can access data within a specific collection (Wet Collection, Teaching Collection). Specify opens in a collection or at a collection level (in a multi-collection database), therefore, users added to only one collection cannot access other collections.
Users can belong to more than one collection.
Adding Institutional Levels
If the desired Institutional level is not present in the Institution Tree, it can be added in the System Configuration module by choosing System > Collection Setup > Configuration and following the instructions for Adding Institutional Levels.
Specify adds users within an existing user group. The groups are editable and can be established according to levels of access to data and tools within Specify per institution. Each group has a set of default privileges. Users entered into the group acquire the default privileges of that group. The user privileges can then be edited based on the exact privileges the individual user will require.
User groups also have their own system of levels:
The default permissions in Specify include:
- Guest users can view the data within a collection and use the WorkBench, but may not Upload data from the WorkBench into the Specify database.
- Limited Access users are granted full access to all data and tools except Backup and Restore, Schema Configuration, Resource Import/Export, Configuration, WorkBench Schema Configuration and Security.
- Full Access users are granted full access to all data and tools except Backup and Restore, Schema Configuration, Resource Import/Export, Configuration, WorkBench Schema Configuration and Security.
- Managers have full permissions to all data and tools within Specify.
Users can be added to different groups within different Collections. For example, user A could be added at a Managers level for collection A but at a Limited Access level in collection B.
An Administrator group also exists outside the Institutional Hierarchy. An Administrator is automatically given full access to all data and tools inside Specify. Administrators are the only users with access to the Backup and Restore, Schema Configuration, Resource Import/Export, Configuration, WorkBench Schema Configuration and Security tools. At this time an Administrator must also belong to a collection inside the Institutional Hierarchy for the purpose of opening Specify to a collection and creating an associated Agent in that collection. If Specify was originally configured by running the Specify Setup Wizard the original user was placed in both the Administrator group and Manager group in the collection that was created by the Wizard.
Buttons for adding and deleting users are found on the bottom left of the work space under the institution tree.
Click the desired group (within the desired collection), then click the Add an Existing User to Group button. A list of existing users will appear, choose the desired user from the list and click the OK button.
Click the desired group (within the desired collection), then click the Add a New User to the Group. The Specify User form will pop-up for user information to be entered.
- Name refers to the username the user will use to login to Specify. Once the username is saved it may not be edited.
- Password is the password the user will use to login to Specify. Passwords can be edited at a later date either in Security Tools or by choosing Help > Change Password. Users should choose strong passwords with varying characters and capitalization. A strength bar exists for judging the quality of the entered password.
- Password Strength offers checkboxes with the best suggestions for a strong password. The Password Minimum Length is the only password strength item that is enforced. The default length is eight (8) characters, but can be changed using the Institution form.
- Master Key refers to the encrypted Master username and password. Simply fill in all the information within the form and click the Generate New Key button. The key can not be created without the Name and Password information. The key is stored locally and will therefore need to be given to the user and entered by the user at the time of their first login to Specify.
Once the user information has been entered, a dialog will appear asking if you wish to search for an Agent or create a new Agent. All users in Specify must also be Agents within a collection. If you think a user may already exist as an Agent, click on the Search button. If you know the new user is not a current Agent in the database click the Create button.
If you chose to search for an agent, a form will appear entering search information.
If you chose to create an agent, a form will appear to add an agent.
Delete a User
Click on a User to delete them from the collection.
Delete User from Group will delete the user from the specified group only. The user will be deleted from within the Security tool, but their information will remain in the Agent table.
Setting User Permissions
Specify 6.0 grants default permissions to each User Group within Specify when security is turned on. These permissions are then passed down to each User within the Group. The permissions for the individual user can either be left unchanged and therefore remain exactly like the Group, or be edited for that user. When editing permissions for individual users permissions for tables and tools can be added, but not removed. In other words, permissions inherited from the Group can not be edited. To change these permissions the Group itself must be edited.
Permissions can be removed and added at the Group level, but keep in mind that Specify will update all the Users in the group with the changed permissions. Changing permissions for a Group will only affect that Group's collection.
Specify limits the Backup and Restore, Schema Configuration, Resource Import/Export, Configuration, WorkBench Schema Configuration and Security tools to Administrators only, but permissions for all other data and tools are configurable per Group and per User.
Click on a User or Group to view both their information and permissions in the work space. The permissions open in the bottom half of the work space and include a tab with three permission categories:
Tools refer to anything used to manipulate data within Specify. Click on a Tool in the list to display the permissions options. Configuration, Data Entry, Information Request, Interactions, Plugins, Record Sets, Reports, Security Tools, Simple Search, Statistics have these permissions:
- View allows a user to view data within a tool.
- Add allows a user to add a record within the context of the tool.
- Modify allows users to edit data within the context of the tool.
- Delete allows users to delete data within the context of the tool.
Backup and Restore, Query, Resource Import and Export, Schema Configuration, WorkBench and WorkBench Schema Configuration allow tools to be enabled only.
Tables refers to each of the tables in Specify. Permissions can be set for each individual table within the Specify schema. Click a Table in the list to display the options for the permissions:
- View allows a user to view table data.
- Add allows a user to add a record.
- Modify allows users to edit table data within a record.
- Delete allows users to delete table data within a record.
- Preferences lists the modules in the actual Preferences module. Each can be set for View, Add, Modify and Delete.
How Permissions affect the Specify Application
When Specify starts up, it checks the user permissions and loads various Specify tools accordingly. Therefore, users who are not given permission to use modules in Specify will not see the corresponding buttons that connect users to that module. For instance, users who are not given permission to view trees will not have a tree button on the task bar or have the ability to add the tree button in the user preferences tool.
Similarly, users who are not given permission to delete or add data will not see the add or delete buttons.
If a user has questions about their permissions they can view it by clicking System > System Setup > Security Summary.
It is extremely important to note that even though permissions are listed separately for each table and tool, many of these work in unison and should have similar settings. For instance, for a user to have access to a Collection Object form for data entry purposes the user will need to have View, Add and possibly Modify privileges for ALL the tables on the Collection Object form (Collection Object, Determinations, Collecting Event, Taxon, Preparations, Collection Object Attribute, Collectors and Collection Object Attachments) IN ADDITION to the Form tool itself. For instance, in this example if permission was not given for a user to Add or Modify the Preparations table, the user would not be provided with the (add) or (delete) button on the Preparations sub form within the Collection Object form. For this reason a good practice may be to set the same level of permissions for all the Tables within a tool with the same level of permissions being set for the Tool itself.
A good approach to setting permissions may be to decide what Tables and Tools a particular user should not have access to and then change the permissions accordingly.
Click System > System Setup > Show Security Summary to view a summary of your current security settings.