Webinar: Specify 7 Security & Accounts

Related Documentation

Security & Accounts Panel

Single Sign On (SSO) Support

Institutional Levels in Specify

Transcript (Auto-generated)

Today, I’m going to introduce the new role-based access

system and specify 7.7.

This release implements a new role-based access system for

granting privileges to user accounts to access specify components data tables

tools and Fields.

This new security system provides flexibility for an institution to Align

data security oversight and policies with specify

functions to reflect institutional preferences for our curators collection

managers researchers students guests and

other kinds of users process collections data.

and specify 6 we Define these user classes administrators managers

full access limited access

and guest

Well, this is adequate for many collections. We’ve received requests for

more granular Security Options.

Before introduce our new system. Let me first Define the terminology. We’ll be

using going forward.

First we have policies which our abilities granted to a

roller user that permits making a specific action.

Then we have roles which are group of policies that can be assigned

to multiple users.

These are available at a collection level and are specific to each collection.

Finally we have permissions.

Which we say when referring to the combined outcome of all the signed roles

and policies applied to a user.

In this update. We are introducing the concepts of institution administrator

and collection administrator in addition

to several template roles.

This system reflects the varied responsibilities and activities

of specify users.

Security and accounts panel can accommodate a variety of institutional security

models for collections data from small collections with

one or few trusted users to the largest institutions with multiple collections.

How an institution uses the permission system in specify Seven’s

role-based system will widely vary?

For pre-existing users creating the specify 6 installing specify

7.7 will copy those user account types into the

correct user Legacy class types as roles and

specify 7.7.

Customize access Privileges and specify 6 will not

be translated in this conversion.

The aim is when you update from specify 7.6.1 to specify 7.7.

All users will have the same access as they

did before the update.

Specify 7.7 will not pick up customized access settings and

specify 6 and they will need to be recreated with rolls and policies in

specify 7 if the two applications are going to be used concurrently

on the same database.

roles and policies granted and specify seven will not be reflected in specify 6

the institution administrator is assigned at the institution level.

It is not technically a role as it exists as a checkbox

at the institution level for a user.

In our model institution admins have

the ability to do anything.

IAS are granted every permission possible. They can create modify and

delete data in every table and specify.

These permissions include institutional administrator abilities. These can

be granted individually to any user by the Ia

as well.

This list of permissions includes creating user accounts managing collection

setup and configuration setting default values of

various kinds defining roles in their permissions assigning roles

to users assigning an agent to user accounts changing

passwords setting up external authentication and


IAS are the super users at the institutional database platform


Collection admins are different.

They oversee security issues user accounts collection level

policies and permissions for their collection.

They can create new roles with custom sets of permissions for their collection create policy

exceptions to Grant additional privileges to a user within

that collection. In addition to the Privileges granted by the user’s role


For institutions currently operating specify 6.8.1 or

7.6.1 with existing databases the installation

of specify 7.7.0 will automatically

read and install existing user accounts in the new access


Just to describe before this is where the Legacy rules come in.

A key concept of account security and specify 7.7 is

that permissions are additive.

And the absence of any assigned roles or additional institution or

collection level policies a user who has granted access to

a collection would have no privileges to do anything or see any data in


All user permissions must be granted through roles apply to a user

account or by specifying a special access policies.

Once a permission is granted to a user there is no counteracting deny

or withdrawal action.

A granted permission cannot be nullified for user directly.

To revoke a granted permission. It must be removed from the role of the policy that

granted it.

Or a new role of fewer privileges might be substituted and assigned

to the user account.

Individual accounts can have custom policies granted to

them under a collection as well.

Policies provide access to the same set of permissions as

roles that they are a separate mechanism for adding special privileges

for that particular user.

They are additive to the permissions granted by the user’s roles.

There are institution level policies assigned under the institution and

collection level policies that can be assigned under collection.

We expect user-specific policies to be used sparingly as

a rule should satisfy user permission profile requirements in

most cases The Only Exception is administrative policies that

must be granted to a user individually under the institution level.

If you’d like to see more in-depth and comprehensive documentation on all

the different features and specify seven and six you can check out our

specified Community form at discourse to specify software.org.

Here we have member discussions ask for your feedback and you’re

able to give feature requests and ask questions.

You’ll be able to access all of our webinars help casts.

And more helpful resources that are only available to members.

You can see in depth documentation on our single sign on security and

accounts panel here.

Now, let’s take a look at specify.

Let’s first start by going to the security and accounts panel.

Just found under the user tools menu, which can be accessed by clicking on your username and

the navigation menu.

Underneath the administrative tools section. You’ll see at the very bottom the security and

accounts button.

So now this is the new security and accounts panel.

Before we proceed it is important to remember the scope of

the security panel.

Your security configuration applies to the entire database including

every Division and collection contained within.

Users create at any level will be present within all

of the institution.

Roles created at the institution level exist only as templates, which

can be used as the basis for a role in a collection.

Roles created at a collection level will only exist within that collection.

In this panel, it can select either the institution here

or any of the collections from within the database.

First I’m going to select the name of the institution in this

case the University of Kansas biodiversity Institute.

You will see a panel appear on the right of the sidebar showing a

library of roles as well as every user account to find inside of

the institution.

Now, let’s create a new account.

First we need to give our new account a username.

And then now we have to set a password.

Alternatively, we can create an invite link if we have single sign-on

configured at our Institution.

Under this institution subheading here. We have the institution admin checkbox.

This would Grant access to all tools tables functions and permissions and


Under the custom institution level policies we’re able to add any of

the policies. We can build through roles and through collection level specific


or we can even add admin privileges which include

the ability to

change user passwords reassign user agents customize specify

six permissions create invite

links and view the open endpoint providers.

Next we have the collection level subheading.

This allows us to choose a collection from the list of options.

Beneath the collection chosen, you will see a list of assigned user roles.

The users assigned agent collection level

policies and a read-only list of permissions summarizing all

permissions granted by the roles and individual policies.

Currently that’s not visible since we haven’t created the user yet

or assigned any policies to them.

Let’s enable access to our first collection.

So we’ll go to the voucher collection here.

and enable access

from here we need to assign the user and agent.

Now we can use our query combo box to find the agents within our


Keep in mind that the agent assigned to

the user is going to be the same between all collections within this database.

Now I can select a variety of roles. We’ve established at the collection level.

These are collection-specific. So when I select another collection from

the pick list, the entire section will change showing the newly

selected collection security configuration instead.

So as you can see, these are the roles that we have present at the voucher collection.

If we go to the teaching collection.

They’re going to be different options.

You’re able to click the pencil next to any of these roles to open them

up and view their configuration as well as

make changes if necessary.

When a collection is not selected you will not see its configuration. However, it

remains present in the database and will persist when saved

so if I select

inspect audit log print reports

and read only Legacy as the options for this user in

the voucher collection.

when I switch to the teaching collection

It will show different menus, but the changes I made here will


Now we can see the custom collection level policies applied to this

user under the voucher collection. Currently. We only have

specify 7 collection access as an individual policy, but the

assigned user roles will all come by and with these policies

to give us our total permissions View.

Now we’ll see our specify 6 permissions here. We’ll be

able to assign a user group to this user. So if I’d like

to have this user be full access.

And now I can save our new user.

Can now set our specify 6 permissions here so we can set our


So from here, we’ll be able to select the collection access for

this user and will now be able to see.

our collection level read only permission policy

view here

So now we can see this is the culmination of our institution level

policies our collection-specific policies and the


we can see all of

the read create update and delete policies

for these tables as well as the access to all the different tools within


So if I’d like to know why this user is the ability to execute reports we

can click on that checkbox here.

And you’ll see this menu expanded they’ll show you which role granted

the permission.

And what the resource is?

If there was an individual policy it would appear in this list here.

If this user has multiple roles or policies granted

a permission, you’ll be able to see all of them in one print out.

We can see that this user has read access to the

appraisal table due to the read-only Legacy role

and the print reports role.

The bottom here we can even expand and see the advanced tables.

This is especially helpful. When you’re looking at things like these workbench permissions to

see whether the user has the ability to view or edit or modify

things in the workbench.

It is important to understand that this is a read-only view of the amalgamation of

the permissions signed by every policy enroll.

If you wish to remove a specific permission, you will need to modify the

rules applied or create a new role that has your desired policies removed.

Keep in mind that modifying a role will affect all users assigned

to it. Now that we’ve created a new user. Let’s look

at some roll templates.

Under the institution. We can view create and Export

these for use in all collections.

Here we have the institution library of rural templates.

These the temples that you can use to create your own roles within each individual


Roles are a group of policies that can be applied to a user. They are unique

to each collection.

We’ve created a variety of templates for use in your collection

these create a subset of policies that allow you to easily Grant

abilities to users within the database.

These can be used to create new roles of the collection level so

they can be assigned to users.

When defining a new role it can be based on an existing role a

role template from the institution level or created from scratch.

These roles can be imported and exported between any specified

seven installation.

If you wish to make temporary modifications to an existing role,

you can reimport your exported roles and over at your

changes. This makes it extremely easy to back up your configuration.

So let’s open up a role and see what they contain.

First you’ll notice that each roll has a name description and

a role permissions policy view when establishing a role

the best practices to give it a name that best describes what policies will grant

the user.

The description is meant to be used as usage notes that describe what this

group of policies is meant to do and/or who it is for.

You can see the name create data sets.

The description allowing creating new data sets in

the workbench without the ability to upload them.

And then some notes about who the user is and what they be

able to do.

Now we can see this roll, which is the edit forms in global preferences one.

which grants full access to the resource editor which

allows editing form definitions and Global security preferences as

well as all the app resources and specify

the tool is the app resources tool then it has

the ability to read create update and delete.

Then this roll template the edit tax on tree would give

full access to the tax on tree.

And even a warning to say that it will be shared between collections.

And you can see the permission policies here. So we have the

tree policy and grants the ability to edit the

taxone tree.

Which includes the merging moving synonymizing

decentonymizing repairing?

As well as access to read create and update delete on

the taxon and all of its adjacent tables the attribute citation

tree definition tree definition item and


You can see that this role does not Grant the ability to create or delete tree

definitions or tree definition items.

Now we have the inspect audit log roll template.

Which allows you to run the query Builder and

query on the audit log table?

So it only gives the ability to execute a

query and read the output of the audit

log table.

Security admin roll template allows you to create a role that

grants full access to security settings within a collection.

This includes all permissions to reading updating creating deleting

and copying.

As well as all the updates to read create update and delete specify users

in a collection.

Now I’d like to show the collections view here.

I’m going to select the KU Phish voucher collection.

I’m going to create a new user role.

From here, you can see that I could select one from our institution level here

from the roll template Library.

I could select an existing role under the observation teaching tissue

or current collection the voucher collection.

Which let’s say I click on export data. You’ll see

that it populates it here. We’re now under the

voucher collection. I could save this.

And then now we’d have the export data collection user role available

to be assigned to users here.

But first I’d like to create a new role so I could show you

how the process works and show you all the options inside of it.

Such as create a new one.

I’d like to build a role that grants the ability to

run queries and create record sets.

So we’re going to call this specify queries.

description is

users assign this role

Will have the ability to create queries.

run them

and create and view record sets.

First I’d like to just run through all the different abilities that you

can add through policies here and then we’ll create this role.

So we can do all which is not recommended because

this actually gives access for all of these options to

everything within specify.

We have table which allows you to select a table

from it within specify and this can be any table in

the entire database or you can select all tables and

then Grant access to read create updater. Delete all of


This is quite commonly used as the read-only role

where you can create a user who can read data from every table,

but can’t edit Creator update.

Then we have the tool here.

Which then will allow you to configure access to all


Give the ability to access the schema configurator.

the query Builder

record sets

app resources

pick lists

and the specify audit log

since we’re here, we’re going to configure access to the query Builder and

Grant this user the ability to read create update

and delete.

items within this query Builder here

So far, our role has granted Whoever has this assigned to

it the ability to read from all tables and

read create update and delete all items in

the query Builder.

Now we’ll go to system here. And this just allows

you to have collection access. So any

user that has this role assigned will have collection access.

This is most often redundant since the user that’s

going to be present in this collection is already had this granted to the checkbox when

creating the user account or when modifying the user


Now if we go to report here, this will

grant the ability to execute your reports and labels.

Now we can go to export which then would allow

you to export your Darwin core.

If you add an Institutional policy to the user, you can also allow

it to push an update to your RSS feed. So aggregators can

pick it up.

Then we have permissions here.

This allows a user to read update create

delete or copy from library and if the permissions

the ability to read the list of admins

the ability to read the user policies or update them.

To configure read or update the user roles.

And read create update delete or copy from library all of

the roles at this security level here.

This configures all the permissions to the panel. We’re currently in.

And then we have tree here. You can get the ability to edit any

of the trees within specify.

Which that includes merging moving synonymizing decent anonymizing

and repairing them.

Keep in mind you’ll have to have one of these checkboxes checked to be

able to save the role. So if you’d like them not to have permissions to

any of these options, you’ll just have to remove it from here and

ensure that the desired permissions are going to be

aligned with the output of all of the individual user

policies and roles.

Now we can select the query Builder here and this

will give you the ability to execute export or create

record sets from queries.

So because this is going to be our specified queries role. I’m going

to want to Grant the ability to execute export and create

record sets.

Now we can go to workbench.

This will allow you to create update delete upload rollback validate

or transfer data sets from the workbench.

And then finally preferences where you can enable any user

assign this role the ability to edit protected preferences.

Now the only thing I’m missing from this role here is the

ability to read create and update.

record sets

So let’s go back here.

And select record sets from our tool options.

Now I’d like whoever users assign this role to have the ability to

read create update and delete record sets.

So now we’ve created our own role.

This role allows the user’s assigned

to it to read all tables.

Read create update or delete items in the query Builder.

Execute export and create record sets from the queries.

And read create update and delete record sets in this collection.

So now we’ll say

now we can see that the specified queries user role is available

under the voucher collection.

And now we can go to our demo user account. We’ve created.

Assign the specify queries role.

and click save

after we’ve saved the user permissions profile view will

be updated.

And we can see that.

Our role has granted read access to all tables here with

our specified queries role.

And then we can find the ability to execute reports.

You can see that was from the user roles.

We can find our query Builder permissions here.

Which show that we have the abilities execute queries based on

both the inspect audit log.

And the specify queries role.

And the ability to create a record set can be derived from

the read-only Legacy and the specify queries role.

and even the ability to

Create a record set is all from

our new role. We’ve created.

Now, let’s log into our demo user account. We just created.

Now we’ve made it to the specify homepage.

If we try to go to data entry to create something we can because we

only have read access to all the tables and specify.

If we go to the tree viewer here and view the taxonomy.

We can see that we can view the tree since we have permission to.

but if we’d like to

edit the ranks.

We will be unable to save any changes. We

make due to our permissions.

We can’t edit merge or do any actions on the tree items. We can create

a queries since we do have permission to create queries.

And we can view the records as we have read-only access to all


So you’ll be able to see a read-only form for this user?

If we click on the eye here when there’s a query gumbo box.

It’ll pull up the parent record. It’s being referenced.

Now if we go to record sets, you can see that we can still create


But if it comes to the workbench, we are unable

to make one since we don’t have permission or any access to create

workbench data sets.

We are however able to create queries.

From any of the tables that are approved here.

So if we go to collection objects

We can structure a query.

You can even put the day edited.

the catalogger

And the determinations, let’s see.

Now we have access to read all of this data.

If we click on one of these items to view it.

You’ll get to see the read-only form that will only allow us to see exactly what

we were allowed to.

And since we do have permission to run a report.

We’re able to still.

Run our reports here.

And I can even export create a CSV.

Create a record set.

And now I’ll still be able to view.

Create edit and update this record set, but I

can’t modify the data that’s on the underlying collection object table.

So that’s just one example of what you can do with this permission system.

It’s extremely granular and you can create the most concise specific

kinds of user roles or user

permissions for everyone in your database. Now, we can see on our

new specify user account that we have several role selected.

Only one individual collection policy which is access to

the collection.

And at the moment no institution level policies applied to this user.

If we were to apply any of these permissions these would

apply to the entire Institution.

We believed as best practiced at a variety of roles that can be easily applied

to users instead of Monolithic ones.

This grants for institution a greater degree of control.

Changes to a role will affect all users who have been assigned

to it.

You would like to give a user privileges to only view your database and

execute queries that can be a single role.

If that user is trusted, you can give them an additional role that

permits creating the modifying queries.

These options allow you to Grant and remove specific batches of permissions quickly

and easily.

So that is our new security and accounts panel. Thank you so much

for watching.

If you have any questions members can always send us an email at support specify

software.org or post on our specify Community form.

I’d like to show today some of our documentation here on our discourse.

We’ve got introducing the rural-based access system, which

you can read through which will go more into the

conceptual levels of why we structure it the way we have

as well as more verbose details about how the system

works and operates.

Then we have our single sign-on support documentation.

Which will walk you through some of the basics of how to configure your open Authentication?

a basics of how the user interface appears

and a link so you can reach out to us. If you’re part of the specified cloud service so

we can help you set up your SSO.

Then we have full written documentation on a security

and accounts panel explaining every feature.

how to set them up how to import export and configure your

roles as well as every option

This will be very helpful if you’re building roles in your new to it.

And it’s a great jumping off point after you’ve watched this video.

We even have the specify 6 specify 7 feature

comparison for those who are looking to move from specify 6 to 7.

And documentation on how to navigate and access all

the different tools and new features and specify seven.

If you have any more questions or need some help just send us an email to support@software.org.

1 Like