4.5. Groups
Prev Chapter 4. Admin Web App Next

4.5. Groups

Groups are collections of users. You can Add and Remove groups as present in the external User Source or Internal Group definition.

Note

SavaPage caches group members for performance reasons. Therefore, when group membership changes at the source, it may not be immediately known in SavaPage. The membership cache is updated automatically according to the Import new users overnight option in the User Creation section, but can be also be refreshed manually at any time by a push on a button in the same section.

4.5.1. Built-in Groups

There are three built-in groups:

4.5.2. Group List

After a tap on the Groups button in the main menu this panel is shown. See Section 4.2, “Menu”.

Admin Web App: User Group - List

Figure 4.38. Admin Web App: User Group - List


Built-in groups are depicted in orange. Press the Add & Remove button to add additional groups.

Each item in the list shows the number of members and has buttons to jump to other dialogs. From left to right, these buttons bring you to:

  • The Edit Group dialog.

  • The User List with the group preselected. Note: the button is not visible when number of group members is zero.

  • The Account List with the Group Type and Name preselected. Note: the button is not visible when the (lazy created) Group Account is not present yet.

Note

Due to Admin Privileges certain buttons might not be visible. Also, some buttons are not visible if System Status says Setup is needed.

Admin Web App: Group - Select and Sort

Figure 4.39. Admin Web App: Group - Select and Sort


  • Groups can be selected by entering a part (fragment) of their name.

  • The list can be sorted Ascending or Descending on group name.

  • Tap the Apply button to (re)display the list.

  • A tap on the Default button resets the selection and sort fields to their default values.

  • Use the minus button to collapse the Select and Sort section.

4.5.2.1. Group List Item

Each Group List Item displays the number of enabled and disabled Group Roles, User Privileges and Admin Privileges objects with their respective icon. A green color means that the objects are enabled, a red color means they are disabled. Additionally, the icon is shown with the number of Shared Accounts the User Group has access to. A description of the objects is displayed as a tooltip when pointed to with the mouse. An example item is shown below.

Admin Web App: Group - List Item

Figure 4.40. Admin Web App: Group - List Item


Note

Roles and Privileges that are resolved by User Group membership are shown in the User List Item of a member.

4.5.3. Add & Remove Groups

Admin Web App: User Groups - Add & Remove

Figure 4.41. Admin Web App: User Groups - Add & Remove


Select the groups to add and to remove and press the OK button to commit the selection.

Note

The group list is a mix from the ones present in the external User Source and the ones defined as Internal Group. When adding a user group from Microsoft Active Directory, members from nested groups are included.

4.5.4. Edit Group

The Group Edit Dialog has several sections. Press the OK button at the bottom to commit all changes.

4.5.4.1. Group Roles

Admin Web App: User Group - Edit - Roles

Figure 4.42. Admin Web App: User Group - Edit - Roles


In the Roles section you can set the user roles for group members. See Section 4.4.4.2, “User Roles” for an explanation of the roles and how role based user access works.

Note

A summary of enabled/disabled roles is displayed in the Group List Item. Roles that are resolved by User Group membership are shown in the User List Item of a member.

4.5.4.2. User Privileges

Admin Web App: User Group - Edit - User Privileges

Figure 4.43. Admin Web App: User Group - Edit - User Privileges


In the User Privileges section you can set group member access to User Web App domain objects. Privileges are set by means three-state buttons. An unselected grayed out button means indeterminate, plain unselected means non-privileged and selected means privileged. When a privilege on a domain object is selected a role like Reader and Editor might be selected, as well as extra actions like Download, Send and Sign . The type of Roles and Actions offered depend on the type of domain object. This is how choices work out:

  • If SafePages is non-privileged, the PDF and Sort buttons are not displayed in the Main Page. When privileged:

    • Reader role will display the PDF button if Download or Send action is enabled. Reader role will not display the Sort button.

    • Editor role will display both PDF and Sort buttons.

    • If Download and Send actions are both disabled the PDF button will not show.

    • Enabled Download and Send actions display the respective buttons in the PDF dialog. The enabled Sign action displays the same option in the PDF Security section.

  • If User Details is non-privileged the footer button for the User Details dialog is replaced with a simple indicator holding the id of the authenticated user.

  • If Personal Print is non-privileged, use of Personal Account for printing is not allowed. User can use Shared Accounts though, when permitted by Access Control. When printing with Personal and Shared Account is not permitted, role Print Job Creator is assumed, even when this role is explicitly selected.

  • If Queue Journal is privileged a Print-in Job is journalled. Beware, that this function can be disabled for individual queues: see Section 4.7.2, “Edit Queue”. When privileged:

    • Reader role will show the Download and Select privileges.

    • Editor role will additionally show the Delete privilege.

    • Enabled Download, Select and Delete privileges will display the respective buttons in the Document Log.

  • If Print Journal is privileged a Print Job will be silently journalled. When Print Archive is privileged, the Print Job Archive option is active: when Select is privileged, the user is allowed to (de) select the archive, when not, the Print Job will be silently archived. Beware, that these functions can be disabled for individual printers: see Section 4.8.2, “Edit Proxy Printer”.

  • If Financial is non-privileged, the account balance will not show in the footer, the Transactions button will not show in the Log page, and Financial data will not show in the User Details dialog. When selected, the Reader and Editor role will display all. However, only the Editor role is allowed account transactions in the User Details dialog. Editor role is also required to login to the Payment Web App.

  • If Letterhead is non-privileged, the Letterhead button is not displayed. When privileged the Reader and Editor role allows user to choose a Letterhead in the PDF and Print dialog. The Editor role allows users to add letterheads themselves. See Section 3.6, “Letterheads”.

  • The open spots left by buttons that are not displayed are taken by: the Upload button (moved from the footer), a Browse button pointing to the Browser, and an Info button (pointing to the About dialog), in that order. See Section 3.3.2, “Footer”.

This is how a privilege is evaluated on runtime:

  • To be compatible with existing installations the indeterminate state for top level group All Users is interpreted as fully privileged. Of course, privileges can also be set at "lower" group levels. When determining privileges for a domain object, SavaPage looks at the lowest group first, and bubbles up to higher groups till a non-indeterminate privilege for the domain object is found.

  • A denial of access due to a privilege takes precedence over any other configuration property.

Note

A summary of enabled/disabled privileges is displayed in the Group List Item. Privileges that are resolved by User Group membership are shown in the User List Item of a member.

4.5.4.3. Admin Privileges

In the Administrator Privileges section you can set group member access to Admin Web App domain objects. The objects correspond to the choices in the main menu. Any user with Administrator Role is assigned privileges by group membership.

Admin Web App: User Group - Edit - Admin Privileges

Figure 4.44. Admin Web App: User Group - Edit - Admin Privileges


Privileges are set and evaluated by means three-state buttons, just as User Privileges. For most domain objects a Reader and Editor role can be selected. Access to domain objects will be shown or hidden according to the privileges.

Note

A summary of enabled/disabled privileges is displayed in the Group List Item. Privileges that are resolved by User Group membership are shown in the User List Item of a member.

4.5.4.4. New User Settings

Admin Web App: User Group - Edit - New User Settings

Figure 4.45. Admin Web App: User Group - Edit - New User Settings


When New User Settings are enabled they are automatically applied upon User Creation for members of this group. Note that these settings do not affect existing user members. See the Financial section of the Edit User dialog for a description of the Balance and Credit Limit fields.

When a user belongs to multiple groups, the New User Settings of these groups is applied as follows:

  • The user is assigned an initial Balance that is the sum of the Initial Balances of all matching groups (with the exception of the Built-in Groups).

  • If any of the matching groups has Initial Credit Limit None the user is assigned this status.

  • Since the New User Settings are applied in alphabetical group name order, the Initial Credit Limit Default and Individual are assigned from the last group.

When a user does not belong to any group with New User Settings enabled, user is assigned the settings of the External Users or Internal Users Built-in Group (depending on the type of User Source).

Note

New User Settings are not shown for Built-in Group All Users because they are never used.

Prev Up Next
4.4. Users Home 4.6. Accounts

SavaPage Open Print Portal Software © 2024 by Datraverse is OSI Certified Open Source Software licensed under AGPLv3, or any later version, in compliance with Third Party Software Licenses. SavaPage User Manual © 2024 by Rijk Ravestein is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.