Groups
This area lists all groups that have access to the project. Each project initially includes the default “Administrators” and “Everyone” groups, which cannot be deleted. By default, the “Everyone” group has the “Visible” and “Read” permissions within the clients, and the “Administrators” group has all permissions in the clients. For more information about editorial permissions see Editorial permissions (→Documentation FirstSpirit SiteArchitect).
Any number of different groups can be defined for each project. A group can contain a large number of users, but it cannot contain other groups.
Group name: the column shows the unique group names. Group evaluation is case sensitive.
Group ID: the column shows the unique group ID that is automatically assigned to a group when it is created.
User: the number of group members, i.e. the number of users added to this group. In the case of internal groups, users can be added or removed. In the case of external groups, the number of users cannot be changed via ServerManager; instead of the number of users, the note “External group” is displayed here.
E-mail distribution list: this field is used to specify e-mail distribution lists for groups to which e-mail messages are to be sent when a workflow activity or transition is carried out. This makes it possible to send e-mail messages that are sent as part of a workflow to all members of external groups.
Groups and access permissions: specifying and managing access permissions can be done much more easily using group definitions. For instance, a new group called “Editors A” can be defined if a certain area should be hidden from a number of editors and the number of editors changes occasionally. All editors who should not see the area are entered in this group. The root of the particular subtree in FirstSpirit SiteArchitect is hidden from the “Editors A” group by revoking the corresponding permissions for the group. If at a later date it is necessary for a particular editor to have access to the area, this user can simply be removed from the “Editors A” group, which does not require modifying the permission definition in FirstSpirit SiteArchitect.
Right-clicking in the overview window opens the context menu. The advanced functions available via the context menu are explained in the following chapters:
Delete group
The “Delete group” context menu item is used to delete groups that have been added to a project. A confirmation prompt appears before explicit deletion. Once deletion of a group is confirmed, the group is removed from the project and no longer appears in the Groups area of the project properties. When the group is deleted, all members of the removed group lose their access permissions to the project (exception: users who are members of another internal or external group that is still assigned to the project).
The default “Administrators” and “Everyone” groups control the initial assignment of permissions in a project and therefore cannot be deleted.
Create new group
FirstSpirit makes a distinction between internal and external groups:
Internal groups are used for internal user and permission management and can be created and edited directly in FirstSpirit. For instance, users can be added to or removed from an internal group through the project properties. The properties of the group can be edited through ServerManager. To create an internal group, it is only necessary to fill in the “Group name” field. After saving the group via the “Create new group” dialog box, the new group appears in the group overview. Once the group is created, users can be added to the new internal group.
External groups are also assigned to a project via ServerManager, but unlike internal groups, they cannot be created through FirstSpirit; they come from a different system instead (e.g. LDAP). Membership in an external group is specified through user attributes, which means that no users can be added to an external group via the context menu (see Add / Remove user). Users who are authenticated on the system via LDAP, for instance, receive their membership in a group as an attribute (the group is not necessarily assigned to a project) and can be added to the project via this group. The members of an external group only receive access to a project once the external group has been assigned to the project.
To add an external group to the project, the “Group name” field must be filled in first. This is the internal group name by which the group will be known and used in the FirstSpirit project. The external group name, which is the name of the group in the external system, is entered in the “External name” field. In the case of LDAP, the “External name” is the LDAP-DN, e.g. cn=Mitarbeiter,cn=Users,dc=e-spirit,dc=de. Before the field can be edited, the “External group” checkbox must be selected.
When checking group membership, the system checks internally whether the complete string specified for “External name” is contained in an LDAP-DN of one of the logged-in user's groups. If, for instance, only cn=Mitarbeiter is entered for “External name”, the group matches both of the following LDAP groups:
cn=Mitarbeiter,ou=Entwicklung,dc=domain,dc=com
and
cn=Mitarbeiter,ou=Vertrieb,dc=domain,dc=com
To ensure the assignment is unique, the complete LDAP-DN of the group must be entered in “External name”. As is generally the case with LDAP, upper and lower case are ignored.
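The containment check described above can be used to audit configured “External name” values against an export of the directory's group DNs. The following is an added example, not FirstSpirit code; it assumes the matching rule is exactly the case-insensitive substring test the page describes, and the function names and sample data are hypothetical.

```python
# Added illustration; models the matching rule as this page describes it:
# "External name" matches if it is contained in a group DN, ignoring case.

def matching_dns(external_name, directory_group_dns):
    """Return every group DN that contains external_name, ignoring case."""
    needle = external_name.lower()
    return [dn for dn in directory_group_dns if needle in dn.lower()]


def audit_external_names(external_names, directory_group_dns):
    """Classify each configured "External name" by how many DNs it matches."""
    report = {}
    for name in external_names:
        hits = matching_dns(name, directory_group_dns)
        if not hits:
            status = "no-match"    # the project group would have no members
        elif len(hits) == 1:
            status = "unique"      # assignment is unambiguous
        else:
            status = "ambiguous"   # several LDAP groups map to one project group
        report[name] = (status, hits)
    return report


# Constructed sample data (not taken from a real directory).
DIRECTORY = [
    "cn=Mitarbeiter,ou=Entwicklung,dc=domain,dc=com",
    "cn=Mitarbeiter,ou=Vertrieb,dc=domain,dc=com",
    "cn=Redaktion,ou=Vertrieb,dc=domain,dc=com",
]
CONFIGURED = [
    "cn=Mitarbeiter",                                # partial DN
    "CN=Mitarbeiter,OU=Vertrieb,DC=domain,DC=com",   # complete DN, other case
    "cn=Praktikanten,ou=Vertrieb,dc=domain,dc=com",  # not in the directory
]

if __name__ == "__main__":
    for name, (status, hits) in audit_external_names(CONFIGURED, DIRECTORY).items():
        print(f"{status:9} {name} -> {hits}")
```

An “ambiguous” result means members of more than one LDAP group would receive the permissions of the same project group, which is the case the complete LDAP-DN is meant to prevent.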
When defining external groups, a placeholder of the form
${name of the placeholder}
can be used. This placeholder is replaced accordingly during the project import. The placeholders can be defined as -D parameters in fs-wrapper.isolated.conf, as variables of the operating system, in fs-server-aux.conf or in fs-server.conf (with decreasing priority). Variables that are passed to the FirstSpirit Java process as -D parameters thus have the highest priority, while variables defined in fs-server.conf are overridden by all other sources (see Server).
This function is useful in connection with project templates.
Example (with 3 placeholders):
cn=${developer},ou=${department},dc=${company},dc=com
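The priority order described above, applied to this example. This is an added sketch, not FirstSpirit code: the four dictionaries stand in for the four configuration sources, the function name and sample values are hypothetical, and leaving an undefined placeholder unchanged is an assumption, since the page does not say what happens in that case.

```python
import re

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def resolve_external_name(template, d_params, os_env, aux_conf, server_conf):
    """Replace each ${name} with the value from the highest-priority source.

    Sources are consulted in the order given on this page: -D parameters,
    operating system variables, fs-server-aux.conf, fs-server.conf.
    Returns (resolved string, {name: source used}, [undefined names]).
    """
    layers = [
        ("-D parameter", d_params),
        ("OS variable", os_env),
        ("fs-server-aux.conf", aux_conf),
        ("fs-server.conf", server_conf),
    ]
    provenance, unresolved = {}, []

    def substitute(match):
        name = match.group(1)
        for label, values in layers:
            if name in values:
                provenance[name] = label
                return values[name]
        unresolved.append(name)
        return match.group(0)  # assumption: undefined placeholders stay visible

    return PLACEHOLDER.sub(substitute, template), provenance, unresolved


# Constructed sample values; each dictionary stands in for one source.
TEMPLATE = "cn=${developer},ou=${department},dc=${company},dc=com"
D_PARAMS = {"company": "example"}
OS_ENV = {"department": "Vertrieb", "company": "from-os"}
AUX_CONF = {"department": "from-aux"}
SERVER_CONF = {"developer": "Mitarbeiter", "company": "from-server-conf"}

if __name__ == "__main__":
    resolved, provenance, unresolved = resolve_external_name(
        TEMPLATE, D_PARAMS, OS_ENV, AUX_CONF, SERVER_CONF)
    print(resolved)
    print(provenance)
    print("undefined:", unresolved)
```

Reviewing the provenance of each value before importing a project template shows which source actually determines the external group that receives access.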
FirstSpirit does not verify whether the external group exists. If the external group name is unknown, the group is still added to the project as an external group, but in this case it has no members (assigned users).
Edit group
The “Edit group” context menu item or a double-click on a group opens a dialog that corresponds to the dialog for creating new groups.
The modifiable options of the group can be adjusted in this way.
An internal group can be converted into an external group retrospectively by a server administrator. All users in the group will be automatically marked as “external users”. Conversion takes place after the project is saved.
External groups cannot be converted into internal groups.
Only external groups can be upgraded to administrator groups.
Show group
The “Show group” context menu allows users to view a group. All users are shown here who are members of the group and thus have access to the project.
If the group is an external group, the members cannot be viewed. It is also not possible to add users to an external group or remove them from the group. Only the external name of the group can be changed here.
Add / Remove user
Users can also be members of multiple groups. Each group can be assigned access permissions that can be configured separately. Members of the group receive all of the group's access permissions to the project.
add: In the case of internal groups, a list of all users currently added to the project who are not yet members of the selected group is shown here. The users to be added can be selected in the overview. If you confirm the selection by clicking OK, the selected users are added to the internal group.
remove: A list of all members of the selected group is shown in the case of internal groups. The user to be removed is selected in the overview and then the selection is confirmed by clicking on the OK button. The selected user is then removed from the internal group.
It is possible to select multiple users as follows:
- Select the users from the list while simultaneously pressing the CTRL key.
- CTRL + SHIFT (selects users from a starting point to an end point)
- CTRL + A (selects all users)
Membership in an external group is assigned in the user attributes of the external system, which means that users cannot be added to an external group using ServerManager.
Users cannot be added to or removed from the default “Everyone” group. The following applies to this group: all users who have access to the project (via membership in an internal or external group assigned to the project) are automatically members of the “Everyone” group and receive at a minimum the access permissions defined for “Everyone”.