Before proceeding, make sure that you understand the institutional structure of Specify and have the proper permissions to make changes.
Please read Introducing the new Role-Based Access System in Specify 7 before configuring your institution’s policies and user accounts.
To access the new Security and Accounts panel, you must first navigate to the User Tools menu. You access this menu by clicking on your username in the navigation menu.
Now click on Security and Accounts.
If your account has permission, you will now see this panel on the left:
User Roles are a set of permission policies that apply to every user assigned that role. These roles are managed under each collection. A user assigned a role in one collection is not automatically assigned the same role in another.
- [button] allows you to create a new role from an existing role, or create an entirely new one by clicking New.
- [button] allows you to import a .json file containing one or more user roles. If the name of an imported role matches an existing one, you will be prompted to update the existing role; if the name is new, you can add it to your role library.
- [button] allows you to export your user roles as a .json file.
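The import behaviour above (update a role whose name already exists, add a role whose name is new) and the save rule that every policy must have at least one action checked can be modelled in a few lines. The following is an added example, not Specify's own code: the JSON shape (a list of roles, each with a name, a description and policies made of a resource plus a list of actions) and the role names are constructed assumptions. Before overwriting an existing role it also lists the grants the new version adds, which is the one thing worth reviewing when a role file comes from another collection or database, since the permission model is additive and an updated role widens access for every user holding it.

```python
import json
from typing import Dict, List, Tuple

# Constructed role-library export. The JSON shape is an assumption for this
# example, not the format Specify 7 itself writes.
EXISTING_LIBRARY_JSON = json.dumps([
    {"name": "Full Access", "description": "Staff who edit records",
     "policies": [{"resource": "Table > All Tables",
                   "actions": ["Read", "Create", "Update", "Delete"]}]},
    {"name": "Guest", "description": "Read only",
     "policies": [{"resource": "Table > All Tables", "actions": ["Read"]}]},
])

# Constructed import file: one name collision, one new role, and one role that
# would be refused because a policy has no action checked.
IMPORTED_JSON = json.dumps([
    {"name": "Guest", "description": "Read only, may also run queries",
     "policies": [{"resource": "Table > All Tables", "actions": ["Read"]},
                  {"resource": "Querybuilder", "actions": ["Execute"]}]},
    {"name": "Student", "description": "Student data entry",
     "policies": [{"resource": "Table > All Tables", "actions": ["Read", "Create"]}]},
    {"name": "Broken", "description": "",
     "policies": [{"resource": "Report", "actions": []}]},
])


def validate_role(role: dict) -> List[str]:
    """Mirror the save rule: every policy in a role must grant at least one action."""
    return [f"policy '{p['resource']}' in role '{role['name']}' has no action checked"
            for p in role.get("policies", []) if not p.get("actions")]


def added_grants(old_role: dict, new_role: dict) -> List[Tuple[str, str]]:
    """(resource, action) pairs the new version grants that the old one did not.
    Because permissions are additive, this is exactly the extra access an update
    hands to every user who holds the role."""
    def grants(role: dict) -> set:
        return {(p["resource"], a) for p in role["policies"] for a in p["actions"]}
    return sorted(grants(new_role) - grants(old_role))


def plan_import(existing_json: str, imported_json: str) -> dict:
    """Classify each imported role: update an existing role of the same name,
    add a role with a new name, or reject one that could not be saved.
    Returns a summary only; nothing is written."""
    existing = {r["name"]: r for r in json.loads(existing_json)}
    plan: dict = {"update": {}, "add": [], "reject": {}}
    for role in json.loads(imported_json):
        problems = validate_role(role)
        if problems:
            plan["reject"][role["name"]] = problems
        elif role["name"] in existing:
            plan["update"][role["name"]] = added_grants(existing[role["name"]], role)
        else:
            plan["add"].append(role["name"])
    return plan


def apply_import(existing_json: str, imported_json: str) -> Dict[str, dict]:
    """Apply the plan: rejected roles are skipped, matching names are replaced,
    new names are appended. Returns the merged library keyed by role name."""
    library = {r["name"]: r for r in json.loads(existing_json)}
    plan = plan_import(existing_json, imported_json)
    for role in json.loads(imported_json):
        if role["name"] not in plan["reject"]:
            library[role["name"]] = role
    return library


if __name__ == "__main__":
    plan = plan_import(EXISTING_LIBRARY_JSON, IMPORTED_JSON)
    for name, extra in plan["update"].items():
        print(f"update {name}: grants added {extra}")
    print("add:", plan["add"])
    print("reject:", plan["reject"])
    print("merged library:", sorted(apply_import(EXISTING_LIBRARY_JSON, IMPORTED_JSON)))
```

Running the file prints that Guest would gain Querybuilder → Execute, that Student would be added, and that Broken is rejected for its empty Report policy; reviewing the `update` entries before accepting an import is the useful habit here.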
In this instance, I am viewing the Full Access role that was created in my database.
| Field | Description | Examples |
|---|---|---|
| Name | Name of the role | Full Access, Collection Admin, Student, Guest |
| Description | Brief text field giving usage notes or additional information associated with the name | This is our role for student data entry personnel |
Under the User Accounts separator, you will see the following Add button:
Clicking this will automatically open the Specify User query builder.
From here, you can configure a query and find exactly the user account you would like to add to the role:
Once I have selected every agent I would like to assign the role to, I can click Select to continue.
rmartin now belongs to the Full Access role in my selected collection. This can be done either from the User Role page or from the user account page.
Using the Policy Builder (seen below) admin users can build the role’s policies. Some policies that apply only at the institution-level are not present at the collection-level.
In this example, the role Limited Access has the following two policies:

- Querybuilder → All → Execute, Export, and Record Set creation permissions
- Table → All Tables → Read, Create, and Update permissions; no permission to delete entries in any table
The Policy Builder can be visualized either as a grid or as in-line rows. You can switch the view by clicking on the button.
You can delete policies by clicking on the button on the left of each policy.
Clicking the button opens the new policy interface:
The All option allows you to assign blanket permissions to every table and function in Specify. This is generally not recommended, but it can allow you to quickly create a user with Read only permission.
The Table option allows you to choose a specific table to grant Read, Create, Update, or Delete permissions to the role.
The Tool option grants permission to the many Specify tools. This includes the Schema Config, Query Builder, Record Sets, App Resources, Pick Lists, and Sp Audit Log querying.
The System option grants access to collections.
The Report option grants the ability to execute reports.
The Export option grants the ability to execute a DwCA export.
The Permissions option allows users within the role to Read, Update, Create, Delete, or Copy From Library within the components of the Security and Accounts panel.
The Tree option grants the ability to Merge, Move, Synonymize, Desynonymize, or Repair all or a subset of selected trees.
The Querybuilder option grants the ability to Execute, Export, or Create a Record Set using the Query Builder.
The Workbench option grants the ability to Create, Update, Delete, Upload, Unupload, Validate, and Transfer using the WorkBench.
The Preferences option grants the user permissions to edit protected preferences.
Warning: User preferences apply to current user only. No special permissions are required to edit most user preferences.
However, some user preferences are protected, because enabling them can cause data loss or database corruption if you are not careful. Users can only enable such options if they have been given the “Preferences → User → Edit Protected” policy.
Examples of protected options are “Allow dismissing error messages”, and “No restrictions mode” in the WorkBench and Query Builder.
- [button] deletes the user role. If the role has been assigned to users, you will see a warning. The users will not be deleted, but they will lose the assigned role.
- [button] closes the current view. If you have made changes, this becomes a red Cancel button.
- [button] allows you to export the role. This is downloaded as a .json file and can be imported under the user roles of any collection or database.
- [button] commits the changes to the database.
Important: To save a user role, you must ensure that every added policy has at least one checkbox activated. If you would like for the user to have no permissions in that table or function, make sure that no other policy grants that ability.
The Specify 7 permission system is additive. All users are implicitly denied all access, and you can explicitly grant some access; you cannot explicitly deny access. To remove some access, either unassign the user from the role or policy that granted it (affects this user only), or remove the policy from the role definition (affects all users with that role).
Under every user is the set of User Permissions. This includes the username, password, collection access, agent, user roles, custom policies, and Specify 6 permissions.
Name is the username that the user will use when logging in to Specify.
- [button] opens the set password dialog.
- [button] generates a sign-up link for a new user using single sign-on (SSO), if it is configured.
This will only be visible for administrators.
Checking Institution Admin gives absolute permission to everything in all collections. This should only be granted to trusted, admin level users.
You can also configure Institution-wide policies. This uses the same Policy Builder as the collection-level policy and User Role forms use. These policies will apply to all assigned collections.
Some policies are available at the institutional level only. Below is the list of institution-level permissions (these can only be applied to individual users, not inside roles):

| Policy | Action | Description |
|---|---|---|
| Admin > User > Password | Update | Ability to change passwords |
| Admin > User > Agents | Update | Ability to reassign user account agent |
| Admin > User > Sp6 > Is Admin | Update | Ability to make a user an admin |
| Admin > User > Sp6 > Collection Access | Read | Grant Sp6 collection access |
| Admin > User > Sp6 > Collection Access | Update | Grant Sp6 collection update access |
| Admin > User > Invite Link | Create | Allow user to create an invite link |
| Admin > User > Oic Providers | Read | Allow user to read OpenID providers |
| Export > Feed | Force Update | Force an update of the RSS feed |
| Permissions > Library > Roles | Read | Allow a user to read user roles |
| Permissions > Library > Roles | Create | Allow a user to create a user role |
| Permissions > Library > Roles | Update | Allow a user to update a user role |
| Permissions > Library > Roles | Delete | Allow a user to delete a user role |
Under this separator, you have several elements. First, you have the pick list with all collections in the database:
Choosing a collection, making changes, and then switching to another collection does not lose the changes made in the first collection. They are still there when you switch back, and can be saved permanently by pressing the Save button. Just because a change is not visible does not mean it has been lost.
Under this, you will see the Enable Collection Access checkbox. This indicates whether the user has access to that collection or not.
The Agent query combobox allows you to select an agent in the database that corresponds to the user account.
You can check one or more user roles to assign to that user under the currently selected collection. The icon allows you to modify these roles.
For every user, you can specify individual policies that apply only to the current collection. This is not intended to be used in place of roles. These permissions are additive, only working to grant new permissions, not take away.
See Policy Builder for more information on how to build a policy.
You can click on this heading to expand the User’s Permission Profile. This is a read-only visualization of the user’s current permissions. At the top are all of the system tables, and at the bottom you will see a collapsed Advanced Tables section. The Permission Profile is the result of combining all the policies from the roles the user is part of with the policies directly assigned to the user at the institutional and collection level. You can click on any checkbox to see exactly where the user obtained that permission.
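The additive model described above (implicit deny everywhere, grants only, removal by removing a source) and the Permission Profile's "where did this come from" view can be reproduced in a small resolver. This is an added example and not Specify's own code: the data model, the role and user names, and the collection names are constructed assumptions. It unions institution-wide policies, every role the user holds in the selected collection, and the user's custom policies for that collection, tagging each grant with its sources; Institution Admin short-circuits the check, and roles held in one collection grant nothing in another.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Roles, users and collection names below are constructed for this example; the
# data model is an assumption, not Specify 7's own schema.


@dataclass(frozen=True)
class Policy:
    resource: str       # what the policy covers, e.g. "Table > All Tables"
    actions: frozenset  # granted actions, e.g. {"Read", "Create"}


@dataclass
class Role:
    name: str
    policies: List[Policy]


@dataclass
class User:
    name: str
    institution_admin: bool = False
    # institution-wide custom policies (apply to all assigned collections)
    institution_policies: List[Policy] = field(default_factory=list)
    # collection name -> role names held there (roles are assigned per collection)
    collection_roles: Dict[str, List[str]] = field(default_factory=dict)
    # collection name -> custom policies for this user in that collection
    collection_policies: Dict[str, List[Policy]] = field(default_factory=dict)


Grant = Tuple[str, str]  # (resource, action)


def permission_profile(user: User, collection: str, library: Dict[str, Role]) -> Dict[Grant, List[str]]:
    """Union of every policy that reaches `user` in `collection`, each grant tagged
    with the sources that supplied it. Purely additive: nothing can cancel a
    grant, so the only way to remove access is to remove one of its sources."""
    profile: Dict[Grant, List[str]] = {}

    def add(policies: List[Policy], source: str) -> None:
        for policy in policies:
            for action in policy.actions:
                profile.setdefault((policy.resource, action), []).append(source)

    add(user.institution_policies, "institution-wide policy")
    for role_name in user.collection_roles.get(collection, []):
        add(library[role_name].policies, f"role '{role_name}' in '{collection}'")
    add(user.collection_policies.get(collection, []), f"custom policy in '{collection}'")
    return profile


def is_allowed(user: User, collection: str, library: Dict[str, Role],
               resource: str, action: str) -> bool:
    if user.institution_admin:  # Institution Admin has everything in every collection
        return True
    return (resource, action) in permission_profile(user, collection, library)


def granted_by(user: User, collection: str, library: Dict[str, Role],
               resource: str, action: str) -> List[str]:
    """The 'click the checkbox to see where it came from' view for one grant."""
    return permission_profile(user, collection, library).get((resource, action), [])


def unassign_role(user: User, collection: str, role_name: str) -> None:
    """Removing a source is the only way to take access away from one user."""
    user.collection_roles[collection] = [
        r for r in user.collection_roles.get(collection, []) if r != role_name]


LIBRARY = {
    "Limited Access": Role("Limited Access", [
        Policy("Querybuilder", frozenset({"Execute", "Export", "Create Record Set"})),
        Policy("Table > All Tables", frozenset({"Read", "Create", "Update"})),
    ]),
    "Full Access": Role("Full Access", [
        Policy("Table > All Tables", frozenset({"Read", "Create", "Update", "Delete"})),
    ]),
}

# Constructed users: rmartin holds two roles in "Collection A" plus one custom policy.
rmartin = User("rmartin",
               collection_roles={"Collection A": ["Limited Access", "Full Access"]},
               collection_policies={"Collection A": [Policy("Report", frozenset({"Execute"}))]})
abentley = User("abentley", institution_admin=True)


if __name__ == "__main__":
    for src in granted_by(rmartin, "Collection A", LIBRARY, "Table > All Tables", "Read"):
        print("Read on all tables granted by:", src)
    unassign_role(rmartin, "Collection A", "Full Access")
    print("Delete after dropping Full Access:",
          is_allowed(rmartin, "Collection A", LIBRARY, "Table > All Tables", "Delete"))
    print("Read after dropping Full Access:",
          is_allowed(rmartin, "Collection A", LIBRARY, "Table > All Tables", "Read"))
```

The point the `granted_by` output makes is the one to check before an audit: when Read on all tables is supplied by two roles, unassigning one of them changes nothing, so the profile has to be consulted for every source, not just the role you remember assigning.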
Either to the right or below this visualization is the total system permission visual:
- [button] allows you to make the selected user an admin in Specify 6. Once the user has been made an admin, you can click Remove Admin to take this permission away.
- [button] allows you to select which collections the user has access to in Specify 6.
The User Group pick list allows you to choose the group from Specify 6 that your user falls into. The permissions for these groups are set in Specify 6’s security center.
Selecting your institution’s name from the panel on the left displays the institution name, all roles contained within, as well as user accounts defined in the institution.
This contains the list of role templates available at the institution level. These can be created, exported, and imported under collections to be used across the database. These roles cannot be assigned to users directly; they are meant to be used as templates when creating roles at the collection level.
This lists every user in the institution.
Each admin user will have their role shown to the right of their name.
abentley (Specify 7 Admin) (Specify 6 Admin)
This indicates that abentley is an admin in both Specify 7 and 6.
This contains the list of roles available at the collection level. These can be created, exported for use in other collections, and roles can be imported under this collection.
Each user has their role in brackets to the right of their name.
abentley (Collection Admin)
This indicates abentley has the Collection Admin role assigned to that user.
rmartin (Full Access)
This indicates rmartin has the Full Access role assigned to that user.