Today, I’m going to introduce the new role-based access
system and specify 7.7.
This release implements a new role-based access system for
granting privileges to user accounts to access specify components data tables
tools and Fields.
This new security system provides flexibility for an institution to Align
data security oversight and policies with specify
functions to reflect institutional preferences for our curators collection
managers researchers students guests and
other kinds of users process collections data.
and specify 6 we Define these user classes administrators managers
full access limited access
Well, this is adequate for many collections. We’ve received requests for
more granular Security Options.
Before introduce our new system. Let me first Define the terminology. We’ll be
using going forward.
First we have policies which our abilities granted to a
roller user that permits making a specific action.
Then we have roles which are group of policies that can be assigned
to multiple users.
These are available at a collection level and are specific to each collection.
Finally we have permissions.
Which we say when referring to the combined outcome of all the signed roles
and policies applied to a user.
In this update. We are introducing the concepts of institution administrator
and collection administrator in addition
to several template roles.
This system reflects the varied responsibilities and activities
of specify users.
Security and accounts panel can accommodate a variety of institutional security
models for collections data from small collections with
one or few trusted users to the largest institutions with multiple collections.
How an institution uses the permission system in specify Seven’s
role-based system will widely vary?
For pre-existing users creating the specify 6 installing specify
7.7 will copy those user account types into the
correct user Legacy class types as roles and
Customize access Privileges and specify 6 will not
be translated in this conversion.
The aim is when you update from specify 7.6.1 to specify 7.7.
All users will have the same access as they
did before the update.
Specify 7.7 will not pick up customized access settings and
specify 6 and they will need to be recreated with rolls and policies in
specify 7 if the two applications are going to be used concurrently
on the same database.
roles and policies granted and specify seven will not be reflected in specify 6
the institution administrator is assigned at the institution level.
It is not technically a role as it exists as a checkbox
at the institution level for a user.
In our model institution admins have
the ability to do anything.
IAS are granted every permission possible. They can create modify and
delete data in every table and specify.
These permissions include institutional administrator abilities. These can
be granted individually to any user by the Ia
This list of permissions includes creating user accounts managing collection
setup and configuration setting default values of
various kinds defining roles in their permissions assigning roles
to users assigning an agent to user accounts changing
passwords setting up external authentication and
IAS are the super users at the institutional database platform
Collection admins are different.
They oversee security issues user accounts collection level
policies and permissions for their collection.
They can create new roles with custom sets of permissions for their collection create policy
exceptions to Grant additional privileges to a user within
that collection. In addition to the Privileges granted by the user’s role
For institutions currently operating specify 6.8.1 or
7.6.1 with existing databases the installation
of specify 7.7.0 will automatically
read and install existing user accounts in the new access
Just to describe before this is where the Legacy rules come in.
A key concept of account security and specify 7.7 is
that permissions are additive.
And the absence of any assigned roles or additional institution or
collection level policies a user who has granted access to
a collection would have no privileges to do anything or see any data in
All user permissions must be granted through roles apply to a user
account or by specifying a special access policies.
Once a permission is granted to a user there is no counteracting deny
or withdrawal action.
A granted permission cannot be nullified for user directly.
To revoke a granted permission. It must be removed from the role of the policy that
Or a new role of fewer privileges might be substituted and assigned
to the user account.
Individual accounts can have custom policies granted to
them under a collection as well.
Policies provide access to the same set of permissions as
roles that they are a separate mechanism for adding special privileges
for that particular user.
They are additive to the permissions granted by the user’s roles.
There are institution level policies assigned under the institution and
collection level policies that can be assigned under collection.
We expect user-specific policies to be used sparingly as
a rule should satisfy user permission profile requirements in
most cases The Only Exception is administrative policies that
must be granted to a user individually under the institution level.
If you’d like to see more in-depth and comprehensive documentation on all
the different features and specify seven and six you can check out our
specified Community form at discourse to specify software.org.
Here we have member discussions ask for your feedback and you’re
able to give feature requests and ask questions.
You’ll be able to access all of our webinars help casts.
And more helpful resources that are only available to members.
You can see in depth documentation on our single sign on security and
accounts panel here.
Now, let’s take a look at specify.
Let’s first start by going to the security and accounts panel.
Just found under the user tools menu, which can be accessed by clicking on your username and
the navigation menu.
Underneath the administrative tools section. You’ll see at the very bottom the security and
So now this is the new security and accounts panel.
Before we proceed it is important to remember the scope of
the security panel.
Your security configuration applies to the entire database including
every Division and collection contained within.
Users create at any level will be present within all
of the institution.
Roles created at the institution level exist only as templates, which
can be used as the basis for a role in a collection.
Roles created at a collection level will only exist within that collection.
In this panel, it can select either the institution here
or any of the collections from within the database.
First I’m going to select the name of the institution in this
case the University of Kansas biodiversity Institute.
You will see a panel appear on the right of the sidebar showing a
library of roles as well as every user account to find inside of
Now, let’s create a new account.
First we need to give our new account a username.
And then now we have to set a password.
Alternatively, we can create an invite link if we have single sign-on
configured at our Institution.
Under this institution subheading here. We have the institution admin checkbox.
This would Grant access to all tools tables functions and permissions and
Under the custom institution level policies we’re able to add any of
the policies. We can build through roles and through collection level specific
or we can even add admin privileges which include
the ability to
change user passwords reassign user agents customize specify
six permissions create invite
links and view the open endpoint providers.
Next we have the collection level subheading.
This allows us to choose a collection from the list of options.
Beneath the collection chosen, you will see a list of assigned user roles.
The users assigned agent collection level
policies and a read-only list of permissions summarizing all
permissions granted by the roles and individual policies.
Currently that’s not visible since we haven’t created the user yet
or assigned any policies to them.
Let’s enable access to our first collection.
So we’ll go to the voucher collection here.
and enable access
from here we need to assign the user and agent.
Now we can use our query combo box to find the agents within our
Keep in mind that the agent assigned to
the user is going to be the same between all collections within this database.
Now I can select a variety of roles. We’ve established at the collection level.
These are collection-specific. So when I select another collection from
the pick list, the entire section will change showing the newly
selected collection security configuration instead.
So as you can see, these are the roles that we have present at the voucher collection.
If we go to the teaching collection.
They’re going to be different options.
You’re able to click the pencil next to any of these roles to open them
up and view their configuration as well as
make changes if necessary.
When a collection is not selected you will not see its configuration. However, it
remains present in the database and will persist when saved
so if I select
inspect audit log print reports
and read only Legacy as the options for this user in
the voucher collection.
when I switch to the teaching collection
It will show different menus, but the changes I made here will
Now we can see the custom collection level policies applied to this
user under the voucher collection. Currently. We only have
specify 7 collection access as an individual policy, but the
assigned user roles will all come by and with these policies
to give us our total permissions View.
Now we’ll see our specify 6 permissions here. We’ll be
able to assign a user group to this user. So if I’d like
to have this user be full access.
And now I can save our new user.
Can now set our specify 6 permissions here so we can set our
So from here, we’ll be able to select the collection access for
this user and will now be able to see.
our collection level read only permission policy
So now we can see this is the culmination of our institution level
policies our collection-specific policies and the
we can see all of
the read create update and delete policies
for these tables as well as the access to all the different tools within
So if I’d like to know why this user is the ability to execute reports we
can click on that checkbox here.
And you’ll see this menu expanded they’ll show you which role granted
And what the resource is?
If there was an individual policy it would appear in this list here.
If this user has multiple roles or policies granted
a permission, you’ll be able to see all of them in one print out.
We can see that this user has read access to the
appraisal table due to the read-only Legacy role
and the print reports role.
The bottom here we can even expand and see the advanced tables.
This is especially helpful. When you’re looking at things like these workbench permissions to
see whether the user has the ability to view or edit or modify
things in the workbench.
It is important to understand that this is a read-only view of the amalgamation of
the permissions signed by every policy enroll.
If you wish to remove a specific permission, you will need to modify the
rules applied or create a new role that has your desired policies removed.
Keep in mind that modifying a role will affect all users assigned
to it. Now that we’ve created a new user. Let’s look
at some roll templates.
Under the institution. We can view create and Export
these for use in all collections.
Here we have the institution library of rural templates.
These the temples that you can use to create your own roles within each individual
Roles are a group of policies that can be applied to a user. They are unique
to each collection.
We’ve created a variety of templates for use in your collection
these create a subset of policies that allow you to easily Grant
abilities to users within the database.
These can be used to create new roles of the collection level so
they can be assigned to users.
When defining a new role it can be based on an existing role a
role template from the institution level or created from scratch.
These roles can be imported and exported between any specified
If you wish to make temporary modifications to an existing role,
you can reimport your exported roles and over at your
changes. This makes it extremely easy to back up your configuration.
So let’s open up a role and see what they contain.
First you’ll notice that each roll has a name description and
a role permissions policy view when establishing a role
the best practices to give it a name that best describes what policies will grant
The description is meant to be used as usage notes that describe what this
group of policies is meant to do and/or who it is for.
You can see the name create data sets.
The description allowing creating new data sets in
the workbench without the ability to upload them.
And then some notes about who the user is and what they be
able to do.
Now we can see this roll, which is the edit forms in global preferences one.
which grants full access to the resource editor which
allows editing form definitions and Global security preferences as
well as all the app resources and specify
the tool is the app resources tool then it has
the ability to read create update and delete.
Then this roll template the edit tax on tree would give
full access to the tax on tree.
And even a warning to say that it will be shared between collections.
And you can see the permission policies here. So we have the
tree policy and grants the ability to edit the
Which includes the merging moving synonymizing
As well as access to read create and update delete on
the taxon and all of its adjacent tables the attribute citation
tree definition tree definition item and
You can see that this role does not Grant the ability to create or delete tree
definitions or tree definition items.
Now we have the inspect audit log roll template.
Which allows you to run the query Builder and
query on the audit log table?
So it only gives the ability to execute a
query and read the output of the audit
Security admin roll template allows you to create a role that
grants full access to security settings within a collection.
This includes all permissions to reading updating creating deleting
As well as all the updates to read create update and delete specify users
in a collection.
Now I’d like to show the collections view here.
I’m going to select the KU Phish voucher collection.
I’m going to create a new user role.
From here, you can see that I could select one from our institution level here
from the roll template Library.
I could select an existing role under the observation teaching tissue
or current collection the voucher collection.
Which let’s say I click on export data. You’ll see
that it populates it here. We’re now under the
voucher collection. I could save this.
And then now we’d have the export data collection user role available
to be assigned to users here.
But first I’d like to create a new role so I could show you
how the process works and show you all the options inside of it.
Such as create a new one.
I’d like to build a role that grants the ability to
run queries and create record sets.
So we’re going to call this specify queries.
users assign this role
Will have the ability to create queries.
and create and view record sets.
First I’d like to just run through all the different abilities that you
can add through policies here and then we’ll create this role.
So we can do all which is not recommended because
this actually gives access for all of these options to
everything within specify.
We have table which allows you to select a table
from it within specify and this can be any table in
the entire database or you can select all tables and
then Grant access to read create updater. Delete all of
This is quite commonly used as the read-only role
where you can create a user who can read data from every table,
but can’t edit Creator update.
Then we have the tool here.
Which then will allow you to configure access to all
Give the ability to access the schema configurator.
the query Builder
and the specify audit log
since we’re here, we’re going to configure access to the query Builder and
Grant this user the ability to read create update
items within this query Builder here
So far, our role has granted Whoever has this assigned to
it the ability to read from all tables and
read create update and delete all items in
the query Builder.
Now we’ll go to system here. And this just allows
you to have collection access. So any
user that has this role assigned will have collection access.
This is most often redundant since the user that’s
going to be present in this collection is already had this granted to the checkbox when
creating the user account or when modifying the user
Now if we go to report here, this will
grant the ability to execute your reports and labels.
Now we can go to export which then would allow
you to export your Darwin core.
If you add an Institutional policy to the user, you can also allow
it to push an update to your RSS feed. So aggregators can
pick it up.
Then we have permissions here.
This allows a user to read update create
delete or copy from library and if the permissions
the ability to read the list of admins
the ability to read the user policies or update them.
To configure read or update the user roles.
And read create update delete or copy from library all of
the roles at this security level here.
This configures all the permissions to the panel. We’re currently in.
And then we have tree here. You can get the ability to edit any
of the trees within specify.
Which that includes merging moving synonymizing decent anonymizing
and repairing them.
Keep in mind you’ll have to have one of these checkboxes checked to be
able to save the role. So if you’d like them not to have permissions to
any of these options, you’ll just have to remove it from here and
ensure that the desired permissions are going to be
aligned with the output of all of the individual user
policies and roles.
Now we can select the query Builder here and this
will give you the ability to execute export or create
record sets from queries.
So because this is going to be our specified queries role. I’m going
to want to Grant the ability to execute export and create
Now we can go to workbench.
This will allow you to create update delete upload rollback validate
or transfer data sets from the workbench.
And then finally preferences where you can enable any user
assign this role the ability to edit protected preferences.
Now the only thing I’m missing from this role here is the
ability to read create and update.
So let’s go back here.
And select record sets from our tool options.
Now I’d like whoever users assign this role to have the ability to
read create update and delete record sets.
So now we’ve created our own role.
This role allows the user’s assigned
to it to read all tables.
Read create update or delete items in the query Builder.
Execute export and create record sets from the queries.
And read create update and delete record sets in this collection.
So now we’ll say
now we can see that the specified queries user role is available
under the voucher collection.
And now we can go to our demo user account. We’ve created.
Assign the specify queries role.
and click save
after we’ve saved the user permissions profile view will
And we can see that.
Our role has granted read access to all tables here with
our specified queries role.
And then we can find the ability to execute reports.
You can see that was from the user roles.
We can find our query Builder permissions here.
Which show that we have the abilities execute queries based on
both the inspect audit log.
And the specify queries role.
And the ability to create a record set can be derived from
the read-only Legacy and the specify queries role.
and even the ability to
Create a record set is all from
our new role. We’ve created.
Now, let’s log into our demo user account. We just created.
Now we’ve made it to the specify homepage.
If we try to go to data entry to create something we can because we
only have read access to all the tables and specify.
If we go to the tree viewer here and view the taxonomy.
We can see that we can view the tree since we have permission to.
but if we’d like to
edit the ranks.
We will be unable to save any changes. We
make due to our permissions.
We can’t edit merge or do any actions on the tree items. We can create
a queries since we do have permission to create queries.
And we can view the records as we have read-only access to all
So you’ll be able to see a read-only form for this user?
If we click on the eye here when there’s a query gumbo box.
It’ll pull up the parent record. It’s being referenced.
Now if we go to record sets, you can see that we can still create
But if it comes to the workbench, we are unable
to make one since we don’t have permission or any access to create
workbench data sets.
We are however able to create queries.
From any of the tables that are approved here.
So if we go to collection objects
We can structure a query.
You can even put the day edited.
And the determinations, let’s see.
Now we have access to read all of this data.
If we click on one of these items to view it.
You’ll get to see the read-only form that will only allow us to see exactly what
we were allowed to.
And since we do have permission to run a report.
We’re able to still.
Run our reports here.
And I can even export create a CSV.
Create a record set.
And now I’ll still be able to view.
Create edit and update this record set, but I
can’t modify the data that’s on the underlying collection object table.
So that’s just one example of what you can do with this permission system.
It’s extremely granular and you can create the most concise specific
kinds of user roles or user
permissions for everyone in your database. Now, we can see on our
new specify user account that we have several role selected.
Only one individual collection policy which is access to
And at the moment no institution level policies applied to this user.
If we were to apply any of these permissions these would
apply to the entire Institution.
We believed as best practiced at a variety of roles that can be easily applied
to users instead of Monolithic ones.
This grants for institution a greater degree of control.
Changes to a role will affect all users who have been assigned
You would like to give a user privileges to only view your database and
execute queries that can be a single role.
If that user is trusted, you can give them an additional role that
permits creating the modifying queries.
These options allow you to Grant and remove specific batches of permissions quickly
So that is our new security and accounts panel. Thank you so much
If you have any questions members can always send us an email at support specify
software.org or post on our specify Community form.
I’d like to show today some of our documentation here on our discourse.
We’ve got introducing the rural-based access system, which
you can read through which will go more into the
conceptual levels of why we structure it the way we have
as well as more verbose details about how the system
works and operates.
Then we have our single sign-on support documentation.
Which will walk you through some of the basics of how to configure your open Authentication?
a basics of how the user interface appears
and a link so you can reach out to us. If you’re part of the specified cloud service so
we can help you set up your SSO.
Then we have full written documentation on a security
and accounts panel explaining every feature.
how to set them up how to import export and configure your
roles as well as every option
This will be very helpful if you’re building roles in your new to it.
And it’s a great jumping off point after you’ve watched this video.
We even have the specify 6 specify 7 feature
comparison for those who are looking to move from specify 6 to 7.
And documentation on how to navigate and access all
the different tools and new features and specify seven.
If you have any more questions or need some help just send us an email to email@example.com.