Overview
It is now possible to have User Groups that grant additional permissions to users. The configuration for the permissions that these groups grant is currently managed by the GAN Integrity team, but once configured, you will be able to use these groups to grant permissions to users.
If a User Group has been configured to include permissions, then you will see an Additional Permissions tab when viewing the group.
Configuring a Group to Grant Permissions
Note: Additional Permissions are not configured on a group by default. The configuration can currently only be done by the GAN Integrity team. This is a process that requires analysis of your current governance configuration and your User Group setup. Because of this, we are identifying early candidates for this process to start with and will contact you when we plan to work with you on this.
Permissions are granted by a User Group being linked to an Access Group. This is a governance group that exists in the back-end configuration and would have been set up for you during implementation. When a User Group is linked to an Access Group, the Access Group's membership is then determined by the User Group's membership, which means that you can manage permissions for users without having to raise support tickets.
In addition to user permissions, Access Groups can be configured on Workflow Main Actions. If you have this configuration in place, then you can also define who is capable of performing actions in a workflow by adding or removing users from a User Group that is linked to that Access Group.
Best practices on which types of groups should be linked for optimal self-service is outside the scope of this document, but is available separately.
Changes to the Groups View
As an administrator, you will see an additional column in the Groups view called Additional Permissions. If this is shown as Assigned, then this group is currently configured to grant permissions. If it is shown as Not assigned, the group does not grant additional permissions.
Note: Only administrative users can see this column and they are the only ones permitted to add and remove people from one of these groups.
Additional Permissions View
When you select a group, you will see an Additional Permissions tab at the top to show you what additional permissions are granted by a User Group.
Note: Permissions are additive and only granted permissions are shown in this view. Users generally have a default set of permissions based on roles and these User Groups can be used to add additional permissions. They do not remove or replace existing permissions. Removing a user from the group revokes the additional permissions that came from this group; it does not affect any permissions the user has from other sources.
This view shows permissions that will be granted to the user in addition to permissions that they already have. Each module is listed separately and the view is broken into three columns:
Scope: The scope of the permissions being applied.
View: A list of items the user can view within the module.
Actions: A list of actions that the user can take within the module.
In order to add these permissions for a user, all you need to do is to add them to the User Group. This is achieved by accessing the Members tab.
Please see the Updated Group Membership UI documentation for information on how to add and remove users.