Permissions Hierarchy

From LongJump Support Wiki
Revision as of 21:19, 31 August 2010 by imported>Aeric

As a matter of security, there are a number of restrictions on the ability to assign Administrative Permissions. (Object permissions and other permissions are not affected.) Those restrictions affect your ability to modify roles and assign users to teams.

Note: The primary System Administrator role in the Root team is exempt from all of these restrictions.

Role Management Restrictions

  • When editing or creating a role, you cannot assign a privilege that you do not have yourself.

Important: You can delete a privilege you possess from your current role. If you then save the role, you will not be able to add it back as long as you remain in that role. Only a user with the right superset of privileges (yours and the one you deleted) will be able to do so.

  • You cannot manage a role that has a privilege you do not possess:
    • You cannot assign it to another user
    • You cannot edit it or delete it
  • You can manage roles only for members of your team and its subteams.

User Management Restrictions

  • You can manage only those users who are members of your team and its subteams:
    • You can only edit users who are members of your team and its subteams.
    • You can only delete users who are members of your team and its subteams.
    • You can only do a password reset for members of your team and its subteams.
  • When creating a new user:
    • You can attach the new user only to your team and its subteams.
    • You can attach the new user only to a role that has your permissions, or fewer.

Note: The listings of users and teams will always show all users and teams in the system. The restrictions affect your ability to modify settings, not your ability to see them.

Team Management Restrictions

  • You can only manage your team and its subteams.
  • You can assign users only to your own team and its subteams.

Team Data Sharing Restrictions

  • When setting up Team Data Sharing Policies, both the record-owning and record-sharing teams must be your team or one of its subteams.
  • Pre-existing roles are not subject to that restriction, so that what worked before will continue to work.

Proxy Login Restrictions

  • When setting up Proxy Login, the user designated as the login ID can only be a member of your team or a subteam.
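
The role and team rules above, sketched as authorization checks in Python. This is an added example, not LongJump code: the team tree, the privilege names, and every function and class name are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: team tree (child -> parent) and privilege names.
TEAM_PARENT = {"Root": None, "Sales": "Root", "Sales-East": "Sales", "Support": "Root"}

@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset

@dataclass(frozen=True)
class Admin:
    team: str
    role: Role
    exempt: bool = False  # primary System Administrator role in the Root team

def in_scope(actor, team):
    """True if `team` is the actor's team or one of its subteams."""
    while team is not None:
        if team == actor.team:
            return True
        team = TEAM_PARENT.get(team)  # unknown teams fall out as None (denied)
    return False

def can_manage_role(actor, role):
    """Assign/edit/delete is refused if the role holds a privilege the actor lacks."""
    return actor.exempt or role.privileges <= actor.role.privileges

def can_edit_role(actor, role, new_privileges):
    """Editing also requires every privilege in the result to be one the actor holds."""
    return actor.exempt or (can_manage_role(actor, role)
                            and frozenset(new_privileges) <= actor.role.privileges)

def can_create_user(actor, team, role):
    """New user: team inside the actor's subtree, role with the actor's privileges or fewer."""
    return actor.exempt or (in_scope(actor, team) and can_manage_role(actor, role))

def lockout_demo():
    """An admin drops a privilege from their own role, then tries to restore it."""
    full = frozenset({"manage_users", "manage_roles"})
    before = Admin("Sales", Role("Sales Admin", full))
    removal_ok = can_edit_role(before, before.role, {"manage_roles"})
    after = Admin("Sales", Role("Sales Admin", frozenset({"manage_roles"})))
    restore_ok = can_edit_role(after, after.role, full)
    return removal_ok, restore_ok
```

`lockout_demo()` reproduces the case in the Important note: removing the privilege is allowed, but restoring it is refused once the admin's own role no longer holds it.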