This topic describes how to create a new group with the Group Permissions wizard. The default groups are often sufficient, but if you need to make extensive changes to permissions, you can also create your own groups.
If you're creating multiple groups, start with the group that you think will have the most common permissions. Once you've created the group and set the permissions, you can then copy those permissions to your other groups. For more information, see Copying Group Permissions. |
General group permissions are configured in the General tab of the Group Permissions wizard.
The History tab in the Group Permissions wizard keeps a record of all changes made to the group's permissions. This is an essential feature when using Agiloft for applications that require complete audit histories for compliance, such as in governmental systems. It is also useful when multiple administrators may be editing the system so that other administrators can track any changes that have been made. You can remove all history entries by clicking Truncate History. This is usually not necessary, but it may be helpful if you have completely redesigned a group's permissions and want to start with a new history. |
Table permissions for a group are set individually by clicking the Edit icon next to a table in the Tables tab of the Group Permissions wizard. In a number of cases, you can set the same table permissions in both the Table Permissions wizard and the Table wizard.
Table permissions are saved individually, independent of changes made in the overall wizard. |
General table permissions are set on the General tab of the Table Permissions wizard. You can control the most basic table permissions here: whether the group has access to the table at all, whether the table appears in the navigation menu, and, if applicable, whether these changes apply to subtables
In most cases, you can allow access to the table and use the "Show table on the Toolbar?" option to control whether users can open the table and work with its records. Set the "Show table" option to No to hide the table on the user's navigation menu, even if the navigation menu is configured to include the table. This makes it easy to use a shared navigation menu while still controlling which tables appear for different user groups. |
Security is built into the core of the system and enforced consistently. Users who do not have access to a table cannot see records and data from that table. This seems obvious, but it can have important implications for tables and permissions.
Consider the Assigned Team field in the Service Requests table. This field is displayed as a drop-down list containing each team name, and it's linked to the Team Name field in the Teams table. Users will not be able to choose a team from the drop-down list or even view the list at all unless they belong to a group with access to the Teams table. That is, they must be granted access to the Teams table and have view permission to the table's records and the Team Name field. However, if the Assigned Team field in the Service Requests table already has a value selected, the user will be able to see the value if they have view permission to that field, even if they don't have access to the Teams table. They just won’t be able to interact with the field by choosing a new value. This is also an example of a situation when you might want to give a group access to a table but not show the table on the toolbar. |
Menu permissions for a table are set individually by navigating to the Menu tab in the Table Permissions wizard. This tab allows you to specify group permissions for menu items like views and saved searches
Select whether group members can view and send email templates, and whether they can publish email templates. Note that if your system has a dedicated Email Templates table, group members usually require access to that table as well, in order to use email templates.
Select whether group members can view and send SMS templates, and whether they can publish SMS templates.
In general, if a group can see the toolbar tab and edit other people's records, they should also be able to create, edit, and delete their own saved searches, views, and reports. |
Record-level access permissions control which records in a table group members can view, edit, or delete. Note that record ownership is displayed at the top of the screen. Keep this in mind when you set record- and field-level permissions because it can impact how you set a group's permissions.
For instance, if ownership is based on a match of the Company field, but a group should only have permission to edit their own personal records, you will have to create a filter for the Edit Own permission to find only record's created by the currently logged in user.
Setting record-level permissions with the Table Permissions Wizard is best suited for defining permissions that a particular group has for multiple tables. If you want to set record-level permissions that multiple groups have for a particular table, you can use the Table Wizard to set which groups can view, edit, and delete records in that table. |
Select whether group members can edit records that they own, that other people own, or both. In either case, you can let them edit all records or limit the records to a saved search. For example, you might allow users to edit only Contract records that are assigned to them, or edit only Company records for companies they belong to.
For a user to edit a record, they must first have view permission for that record. Even if the edit permission options are selected, users won't be able to edit records if they can't view them. |
The options selected on the Record Permissions tab are displayed in Record Permissions column on the Tables tab of the Group Permissions wizard. The permissions are grouped into one line each and are separated by commas. For instance, View Own: All means that the All checkbox was selected. View Own: SS means that the Saved Search checkbox was selected.
If the permission has not been selected, it will not appear in the list. This allows you to scan the table view to see what permissions have been granted without having to read through all the permissions.
Field-level access permissions are only relevant for tables that group members are allowed to view or edit. They control which fields the user can view or edit in records the user can access, which are broken down by fields in records that they own and records that other people own. This enables you to set a very granular level of permission for the table for each group.
Setting field-level permissions with the Table Permissions Wizard is best suited for defining permissions that a particular group has for multiple fields. If you want to set field-level permissions that multiple groups have for a particular field, you can use the Table wizard to set how groups can interact with that field. |
Create: set the field value when creating new records.
Never give Create permission for the Communications or History fields. No one should be creating an email or altering the history when creating a record. |
It can often be difficult to determine the best field-level permissions to set for each group. There may be specific fields that you know only certain groups should be able to edit—for instance, the publication fields for FAQs—but otherwise, you'll often have to make your best guess which groups should see which fields based on what you know about the use cases.
If you have to guess, use the following general guideline: anyone who can edit a record as a power user should probably have only View Own and View Other permission for all automatically generated fields, and they should have Create, View Other, Edit Own, and Edit Other permission for all other user-entered fields. The ID field is an exception to this guideline. The field is automatically generated, but it's useful to always give Create permission so that people can see it when creating records.
Make sure to also keep field-level permissions clean, even when it is more work:
If a group doesn't have record-level create and edit permissions for the Contracts table, it actually makes no difference if the Create Own and Edit Own field-level permissions are selected for every field in the table, because group members won't be able to edit any contract records at all. However, leaving the field-level permissions this way imply an ability to edit fields, but the record-level permissions would contradict them. Instead, make permissions consistent. Clear all field-level permissions for the Create, Edit Own, and Edit Other permissions for the Contracts table. Otherwise, someone may accidentally turn on record-level edit permissions, and suddenly users in the group will be able to edit fields for which they shouldn't have permission. |
Field permissions are especially important when using Related Tables. In many cases, you may want to prevent certain groups from adding or removing records from a Related Table. To do so, remove a group's Edit permissions for the fields in the linked set in the source table. This prevents the Lookup icon from working to link new records, and it automatically removes the Unlink button from the Related Table's action bar.
Consider a Related Table of Support Cases contained in a Company record. To prevent a group from adding or removing records from the Related Table, remove the Edit permissions in the Support Cases table for all the fields included in the linked set to the Company table. |
Another way to prevent users from unlinking records in a Related Table is to navigate to the Permissions tab of the Field wizard for the Related Table and deselect the option that allows users to unlink records. |
Related articles |