CMSi User Permissions allow you to make various tabs, forms or fields either hidden, editable or read only for different groups of users. To use this, you create Permission Groups and Permission Sets.
A user will be assigned one Permission Group which defines what they see and what is editable.
A Permission Group may have any number of Permission Sets assigned to it. These are prioritised with the set at the top of the list overwriting those below.
You must keep Permission Sets controlling whether elements are hidden or not in a different set from ones that store whether elements are editable or read only. The “hide sets” must be at the top of the prioritised lists above the “edit sets” (see screenshots in the worked example below).
Example User Permission requirement
The requirement in this example is as follows:
- To create a corporate view of CMSi making sections of the database (e.g. forms/tabs/fields) invisible if they are not corporately required.
- To set up different user groups with the following roles:
- System Administrator. They are the only ones who can set up User permissions, create users etc.
- Site Managers. They can edit all the sites in their region except for certain site level data fields which are maintained by a Headquarter Reserve admin section, e.g. Site Code and Site Name. Once their annual bids have been sent into HQ, they cannot edit planned or allocated budget figures.
- Estate workers who work on all sites within a region but who would only be allowed to log what work they have done.
- Headquarters staff who are the only group allowed to edit certain site level data fields, e.g. Site Status and Site Name.
To achieve this, the following Permission Sets were set up to cover the Hidden fields:
- Your Organisation All Staff (hide set): This set stores all the fields that are hidden for the organisation and will be used for all staff including your system administrator so everyone is seeing the same view of CMSi.
- Your Organisation Non Admin (hide set): This set hides a further set of elements that need to be invisible for all non-admin staff (e.g. the Permissions menu and items on the Tools menu like ‘Manage Lookups’) but visible to the system administrator. The combination of these two sets controls hiding fields for all non-admin staff whereas the system administrator only needs the Your Organisation All Staff (hide set) allocated to them.
- UK PAM Customisation (hide set): This set is for users of the Property and Agreements Module (PAM). The set stores all the PAM fields that are hidden for the organisation.
The following Permission Sets were created to control read only/edit rights:
- Read Only (edit set): This set makes nearly all form elements and menu options read only.
- PAM Read Only (edit set): This set makes nearly all PAM form elements and menu options read only.
- Non Legal Agreements Allowed (edit set): This is a PAM edit set which makes the creation and amendment of legal agreements read only. Non-legal agreements can be created and edited.
- Work Recording On (edit set): In this set just the fields on the Annual Report Work Recording tab relating to Staff are made editable.
- Your Organisation Non Admin (edit set): This set makes just the Site Code and Site Name fields read-only so that staff cannot edit the data.
By controlling the combination and order of these Permission sets in Permission Groups, you can achieve the requirement as shown below. Please note the following examples include PAM edit and hide sets. These are not relevant to you if your organisation does not use PAM.
The Permission Groups created are:
- Administrator: All system administrator fields like the Permissions menu or Manage Lookups are visible as the Your Organisation Non Admin set is not assigned. All fields are editable as none of the “edit” permission sets are applied.
- Site Managers: This group has both the Your Organisation All Staff (hide set) switching off non-required fields and Your Organisation Non Admin (hide set) to hide the system administrator functions. UK PAM Customisation (hide set) switches off non-required PAM fields.
- Estate Workers. This group has the three all staff hide sets for non-required fields, but also has the Read Only (edit set), Your Organisation Non Admin (edit set) and PAM Read Only (edit set). By applying the Work Recording On (edit set) above the other edit sets, the work recording fields are made editable by over-riding the read only settings. This means that to create this set is very quick and easy to maintain as only a handful of fields have to be made editable.
- Headquarters Staff: This group just has two edit sets fields making certain fields read only.
How to set up Permission Groups and Permission Sets
The first step is to create Permission Groups and Permission Sets.
Set up Permission Groups
You can do this via the Permission Group lookup under the Manage Lookups menu option under Tools. Click in the new row at the top of the grid and enter a Key and Name for the group. Click OK to save it.
You can also do this on the Permissions form via Permissions on the Permissions Menu. To set up a Permission Group, click the Add button on the bottom left of the form and enter a Key and Name at the top. Click Apply to save the new group.
Create Permission Sets
You need to do this via the Permission Set lookup under the Manage Lookups menu option under Tools.
Setting Permissions on individual form elements.
Once the Permission Sets are created, you can then set permissions on individual fields by opening the appropriate form, e.g. the Site form, then hovering the mouse over the required field or form element and pressing <F11>. This opens the Permission Settings Form. You first choose which Permission Set you are making the setting for.
Then you choose the appropriate radio button relating to Editable / Read only / Hidden.
Setting Permissions on Tabs
Setting a permission on a whole tab unless you are hiding it is not advisable because, if the whole tab is read only, clicking on it will not open the tab.
Setting Permissions on Data Grids
You have to be a bit careful when working with a data grid, e.g. on the Site form, the tabs Status, Compartment, Habitats, Site Manager and Admin Areas all include data grids. As shown below, if the mouse was hovering over a cell in a column as indicated by the red arrow, you would be controlling whether that column was visible or editable.
If however, the mouse was over one of the grey cells to the left of the data grid, you would be controlling whether the whole grid was visible or editable. Note the control name in the two examples. If working with a column as above, the control name is grdSiteCompartments#Compartment Code whereas if working with a grid, the control name is grdSiteCompartments. It is important to keep an eye on this in case you are accidentally making the wrong element editable or hidden.
If you want to make a grid read only for some users and editable for others as in this scenario, you must set the permissions at the grid level. If you set permissions at the column level, users with read only permissions will still be able to undertake actions at the grid level like add a new record or delete a record.
If you have trouble getting the Permission window to appear by < F11>, make sure the active cell on the form is not a dropdown field. If it is, use the tab key or click out of it and then repeat.
Setting Permissions on Menu Options, Map window or the right click context menus on the Site or Project Trees
Setting permissions on Menus, form titles or the mapping toolbar icon tooltips are special cases. The rule is to close all other forms and panes down leaving only the pane in question that you need to work with. For instance, if you want to hide or set permissions on the Options menu on the Site Tree, you will have to close MyCMSi and the Map form (and any other data forms in the central pane of CMSi) before < F11> will work.
If you want to hide or set permissions for a mapping toolbar icon tooltip, you will have to close the CMSi Tree and MyCMSi before <F11> will work.
If you want to hide or set permissions on items on the main CMSi toolbar, you will need to close everything (the CMSi Tree, the Map and MyCMSi ) before you will be able to do this.
