Create and manage Privilege Groups to apply Privileges to Workbench users


In Thentia Cloud, you can set data access permissions to control what data your Workbench users have access to, and what they can do with that data. Instead of applying these permissions to Workbench users individually, you create Privilege Groups and add Workbench users with similar access needs to them. By allowing you to manage the data access permissions for multiple Workbench users as a unit, Privilege Groups streamline access management and help to save you time.

To effectively manage data access in your Thentia Cloud environment, you will need to create Privilege Groups for the various roles that your Workbench users perform, as well as manage Privilege Group membership by adding and removing users.


To learn more about how data access permissions work in Thentia Cloud, see:

Get started with Privileges & Privilege Groups.


To learn more about creating Privileges, see:

Create and configure Privileges to set data access permissions for Workbench users.

In this article, you’ll learn:

  • How to create and configure a new Privilege Group
  • How to optionally organize your Privilege Groups into a hierarchy
  • How to manage the members of a Privilege Group

Before you begin

To follow the instructions in this article, you must have access to:

  • The Workbench for the Thentia environment in which you want to work.
  • The Security module within that environment.

Create a new Privilege Group

You can create as many Privilege Groups as you need. As a general rule, create one Privilege Group per job function in your Workbench.

To create a new Privilege Group, follow these steps:

  1. Log in to Workbench and open the Security module (Modules button > Security).

  2. Click on the Menu button to open the navigation menu.

  3. In the navigation menu, find the RBAC section, then click on Privilege Groups to open the All Privilege Groups Record List in a new tab.


    You can also access this Record List from the Workflow module by opening the Privilege Groups entity (tc_group) and clicking on Open Records.

  4. Click on the Create a new record button in the menu bar to open the New Privilege Group page in a new tab.

  5. Under the section This Record > Group Details, configure the following settings to set up your new Privilege Group:

    • Name: Enter a descriptive name for the Privilege Group.
    • External Group ID (optional): To reference the Privilege Group externally (e.g. via the API or an integration), enter a unique ID you would like to use to identify this Privilege Group.
      • If you don’t need this feature, leave this field empty.
    • Parent Group (optional): To make this Privilege Group subordinate to another Privilege Group, use the dropdown menu to select the Privilege Group that should be above this Privilege Group in the hierarchy, otherwise leave this field empty.
  6. When you have finished configuring the new Privilege Group’s details, click on the Save this record button in the menu bar.

  7. The new Privilege Group will be created, and will be displayed in the All Privilege Groups Record List. You can now add Workbench users to this Privilege Group, and select it when configuring a Privilege.

Set up a Privilege Group hierarchy

By default, Privilege Groups use a flat structure, where all Privilege Groups are on the same level. If needed, you can also configure hierarchical relationships between different Privilege Groups, by placing a Privilege Group above or below another.

For example, you might have multiple Staff Privilege Groups that are all below a Manager Privilege Group:


Setting up your Privilege Groups in a hierarchical structure is useful if you use a model where one person or department is responsible for supervising and assigning tasks to one or more groups that perform them. In this case, you can:

  • For each of the Staff groups, create a Privilege that uses the Group Owner access level:
    • Members of these groups will be able to access records where their own Staff group is set as the Group Owner, but not records where a different Staff group is the Group Owner.
  • Create a Privilege for the Manager group that uses the Group Owner and Subordinates access level:
    • Members of this group will be able to access records where the Manager group is set as the Group Owner, as well as records where any of the Staff groups are the Group Owner (because all of the Staff groups are subordinate to the Manager group in the Privilege Group hierarchy).

A Privilege Group hierarchy can have as many levels as you need, e.g. you could have additional Privilege Groups in the hierarchy above the Managers group or below each Staff group.


If you have arranged your Privilege Groups in a hierarchical structure, a higher Privilege Group does not inherit the Privileges that are linked to Privilege Groups below it in the hierarchy. Every Privilege Group receives only the Privileges that are directly linked to it.

To set up a Privilege Group hierarchy, follow these steps:

  1. Log in to Workbench and open the Security module (Modules button > Security).

  2. Click on the Menu button to open the navigation menu.

  3. In the navigation menu, find the RBAC section, then click on Privilege Groups to open the All Privilege Groups Record List in a new tab.


    You can also access this Record List from the Workflow module by opening the Privilege Groups entity (tc_group) and clicking on Open Records.

  4. On the All Privilege Groups Record List tab, find the record for a Privilege Group that you want to move below another Privilege Group in the hierarchy. Double-click on the record to open its Record View in a new tab.

  5. In the selected Privilege Group’s Record View, go to This Record > Group Details and find the Parent Group setting.

  6. Use the dropdown menu under Parent Group to select the Privilege Group that you want to be above the Privilege Group you are configuring in the hierarchy.

  7. To save your changes, click on the Save this record button in the menu bar.

  8. The change will take effect immediately, and you can now set up Privileges for the affected Privilege Groups that take advantage of the hierarchical structure.

    • If you have already set up Privileges for these Privilege Groups which use the Group Owner and Subordinates access level option, the system will enforce this Privilege with immediate effect (on records where a Group Owner is specified).


The only way to see where a Privilege Group is in the hierarchy is to open its record and review the Parent Group setting. To make it easier to keep track of your Privilege Group hierarchy when setting Privilege access permissions, we recommend making a tree diagram that represents the full hierarchy and each Privilege Group’s position within it.
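One way to produce the recommended tree diagram is to generate it from the Parent Group values you have noted. The following is an added example, not Thentia code: the (group, Parent Group) pair layout is hypothetical, and it assumes "Subordinates" means every group below, at any depth.

```python
# Constructed sample: (Privilege Group name, Parent Group) pairs copied from
# each record's Group Details. This layout is hypothetical, not a Thentia export.
GROUPS = [("Manager", None), ("Staff A", "Manager"), ("Staff B", "Manager"),
          ("Staff A Trainees", "Staff A")]

def build_children(groups):
    """Return {group: [direct children]}; reject unknown parents and loops."""
    parents = dict(groups)
    children = {name: [] for name in parents}
    for name, parent in parents.items():
        if parent is None:
            continue
        if parent not in parents:
            raise ValueError(f"{name!r}: unknown Parent Group {parent!r}")
        children[parent].append(name)
    for name in parents:                 # walk up from each group to its root
        seen, node = set(), name
        while node is not None:
            if node in seen:
                raise ValueError(f"loop in hierarchy involving {node!r}")
            seen.add(node)
            node = parents[node]
    return children

def subordinates(children, group):
    """Every group below `group`, at any depth (assumed meaning of Subordinates)."""
    found = []
    for child in sorted(children[group]):
        found.append(child)
        found.extend(subordinates(children, child))
    return found

def owner_scope(groups, group, with_subordinates):
    """Group Owner values covered: own group only, or own group plus subordinates."""
    children = build_children(groups)
    return [group] + (subordinates(children, group) if with_subordinates else [])

def render_tree(groups):
    """Indented text diagram of the whole hierarchy, one group per line."""
    children = build_children(groups)
    def walk(name, depth):
        yield "  " * depth + name
        for child in sorted(children[name]):
            yield from walk(child, depth + 1)
    roots = sorted(name for name, parent in groups if parent is None)
    return "\n".join(line for root in roots for line in walk(root, 0))

if __name__ == "__main__":
    print(render_tree(GROUPS))
```

Comparing `owner_scope(..., True)` for a group before and after a Parent Group change shows which Group Owner values a Group Owner and Subordinates Privilege will start or stop covering once the change takes effect.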

View, add, and remove members in a Privilege Group

For each Privilege Group, you can manage the group’s membership while viewing the Privilege Group’s record: you can view current members, as well as add or remove System Users (Workbench users).

To manage the members of a Privilege Group, follow these steps:

  1. Log in to Workbench and open the Security module (Modules button > Security).
  2. Click on the Menu button to open the navigation menu. Find the RBAC section, then click on Privilege Groups to open the All Privilege Groups Record List in a new tab.
  3. On the All Privilege Groups Record List tab, find the record of the Privilege Group whose members you want to manage. Double-click on the record to open its Record View in a new tab.
  4. In the selected Privilege Group’s Record View, click on Connections > Users. You will see a list of System Users who belong to the Privilege Group.

  5. From here, you can also manage the members of the Privilege Group:

Add a System User to a Privilege Group

Adding a System User to a Privilege Group will apply the Privileges associated with that Privilege Group to that user.


If needed, you can add a Workbench user to multiple Privilege Groups. Note that doing this can cause Privilege conflicts: for more information, see the section Reference: Privilege conflicts in the article Create and configure Privileges to set data access permissions for Workbench users.

To add a System User to a Privilege Group, follow these steps:

  1. While viewing Connections > Users on a Privilege Group record’s Record View, click on the Create a new connected record button.

  2. The New System User Group Record View will open in a new tab, with the Group setting preset to the Privilege Group you were just viewing.

  3. Use the dropdown menu under the System User setting to select the user you want to add to the Privilege Group.

  4. Click on the Save this record button in the menu bar to save your changes.

  5. Close the tab (or click on the Close this record button in the menu bar) to return to the tab for the Privilege Group’s Record View, where the newly added user will now appear in the table.


Relationships between System User records and Privilege Group records are created as records in the System User Group entity (tc_systemusergroup).

Remove a System User from a Privilege Group

Removing a System User from a Privilege Group will remove the Privileges associated with that Privilege Group from that user.


Keep in mind that Privileges are subtractive: this means that the default state is for a Workbench user to have full Read Access, Write Access, and Delete Access to all entities in a Thentia Cloud environment, and any Privilege (applied through membership in Privilege Groups) will reduce access to a specified entity.

Therefore, when you remove a System User from a Privilege Group, the typical result is that the user will have more data access than before. If you remove a System User from all Privilege Groups, that user will no longer be covered by any data access restrictions imposed by Privileges, and will have full access to all data in your environment.

To remove a System User from a Privilege Group, follow these steps:

  1. While viewing Connections > Users on a Privilege Group record’s Record View, click on the row in the table for the System User that you want to remove from the Privilege Group (when selected, it will be highlighted in pink).

  2. Click on the Delete selected record button in the table’s menu bar.


    This will only remove the System User from the Privilege Group. The System User record itself (and the System User’s ability to log in to the Workbench) will not be affected.

  3. In the Confirm Deletion dialog window that appears, click Confirm.

  4. The System User will be removed from the Privilege Group immediately, and will no longer appear in the table.
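Because Privileges are subtractive, a membership review should look for users who belong to no Privilege Group and check each removal before confirming it. The following is an added example, not Thentia code: it works on constructed (System User, Privilege Group) pairs in a hypothetical layout, and also lists users in several groups, where Privilege conflicts can arise.

```python
from collections import defaultdict

# Constructed sample data: Workbench user names, and (System User, Privilege
# Group) pairs as noted from System User Group records. Layout is hypothetical.
USERS = ["alice", "bob", "carol", "dave"]
MEMBERSHIPS = [("alice", "Manager"), ("bob", "Staff A"),
               ("carol", "Staff A"), ("carol", "Staff B")]

def groups_by_user(users, memberships):
    """Map every user to the sorted list of Privilege Groups they belong to."""
    known = set(users)
    result = defaultdict(set)
    for user, group in memberships:
        if user not in known:
            raise ValueError(f"membership row for unknown user {user!r}")
        result[user].add(group)          # a set ignores duplicated rows
    return {user: sorted(result[user]) for user in users}

def audit(users, memberships):
    """Users in no group (no Privilege restricts them) and users in several."""
    by_user = groups_by_user(users, memberships)
    return {
        "unrestricted": sorted(u for u, g in by_user.items() if not g),
        "multiple_groups": sorted(u for u, g in by_user.items() if len(g) > 1),
    }

def removal_impact(users, memberships, user, group):
    """Groups the user keeps after removal, and whether none are left."""
    current = groups_by_user(users, memberships)[user]
    if group not in current:
        raise ValueError(f"{user!r} is not a member of {group!r}")
    remaining = [g for g in current if g != group]
    return {"remaining": remaining, "becomes_unrestricted": not remaining}

if __name__ == "__main__":
    print(audit(USERS, MEMBERSHIPS))
    print(removal_impact(USERS, MEMBERSHIPS, "bob", "Staff A"))
```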

What’s next?

After you have set up your Privilege Groups, you can set up Privileges, which define data access permissions. As part of the Privilege setup process you will also select the Privilege Group that the Privilege should be associated with, which will apply the data access permissions to the Privilege Group’s members.

To learn how to set up Privileges, see Create and configure Privileges to set data access permissions for Workbench users.
