Users, groups and permissions

From Group-Office Groupware and CRM Documentation
Jump to: navigation, search

Setting up your Group-Office environment starts with setting up users, groups and permissions. This page will give you an example of what we think is the perfect Group-Office setup for companies that want to take full advantage of all Group-Office features for office use.

The administrator account

It's important that you use this account only for administrative purposes. We strongly advise you not to use this account as a regular user for safety and usability reasons. Basically use the administrator account only for:

  1. Adding and editing user accounts
  2. Adding and editing user groups
  3. Installing/removing modules
  4. Creating items that are commonly used for more users such as a global addressbook, shared calendars or a corporate HTML template for outgoing e-mail messages.
    It's very important that you do this as an administrator so you will avoid the following scenario:
    User 1 creates an addressbook and projects. This user shares these items with everybody. Everybody uses those items. Now User 1 no longer works at your company. Time to remove the user account. Oops! The projects and his addressbook are gone too!

Create user groups

First create user groups for your company. Permissions are much easier to handle with groups then with individual users. When you grant the secretary access to all calendars as a user it will be a painful job to reset all permissions to another user when a new secretary joins the company. If you had done it with a group you could simply add the new employee to the secretary user group. So choose your groups wise with user permissions in mind. For example create:

  1. A secretary group called "Secretary"
  2. A group for the engineers called "Engineering"

Group permissions

On the permissions tab you can control who may use this group for sharing items. By default the group itself is added so that every member may use the group.

Special user groups

A few special groups are created by default:

Admins

Users of this group will have permission to everything. Usually you don't want to add any user to this group. See above.

Everyone

All users are in this group. Use carefully when granting permissions to this group.

Internal

All calendars, addressbooks and tasklists are shared to this group with write access by default. New company users are commonly added to this group. It should contain all company users and not your customers. If you don't want to use this feature you may remove this group.

Create users

Now that we've got the groups set up it's time to add the users. You can do this at:

Start menu -> Users -> Add

Fill in the profile fields. Mandatory are First name, Last name, Username, Password and e-mail. Make sure you setup the right regional settings for the users. The timezone is particularly important because events will shift if you change this setting later on.

Permissions

Also pay attention to the "Permissions" tab. Remember that the default permissions can be set by the system administrator in the main configuration file (config.php).

Module permissions

You can also give user groups access to particular modules. This way you can manage module access easier. You'll just have to add the new user to the right group. When a user has access to a module by a user group, the access checkbox will be greyed out. In most cases you should give users only "Usage" access to modules. The difference between Usage and Manage permissions on module are described in the table below. In general users with manage permissions have access to the administration dialog of this module.

Module Extra privileges with manage permissions
Addressbook Create addressbooks, change ownership of addressbooks
Calendar Create calendars, change ownership of addressbooks, edit all events
Filesystem No difference
Summary Manage announcements on the right side of the screen
E-mail Edit and add account settings
Projects Adding root projects
Time tracking Administrate mode (simple view / multiple entry view) for all users
Notes No difference
Billing Create books
Users only give this permission to admins, as currently both "use" and "manage" allows to change anything on each user
Groups only users who have Admin rights may see the members and add/remove users

User groups

The second column controls the user groups the user is a member of. You can also manage the members of a group at Start menu -> Groups -> Double click the group

User visibility

The last column controls which users groups are allowed to see this user. Users that are not in one of the checked groups will never be able to share items with this user.

New users can be made visible upon creation to a specific group by default. In your config.php file there is the following option: $config['register_visible_user_groups'] = 'Everyone'; You can change this option to make new users visible to a different- or multiple groups. Comma separated for multiple groups (eg. 'Everyone,Internal')

Advanced

If you want to make all users invisible to the group 'Everyone' run this query:

delete from go_acl where acl_id in (select acl_id from go_users) and group_id=2;

If you want to make all users visible to the group 'Everyone' run this query:

insert ignore into go_acl (acl_id, group_id) select acl_id, '2' from go_users;

Sharing calendars, addressbooks etc.

You have to navigate to the item yo share items like calendars and addressbook. Here are a couple of links to help you get started:

There are more items that you can share but that works similar to sharing calendars and addressbooks.

Manage permissions

Many items in Group-Office are protected with permissions. For example addressbooks, tasklists, calendars, Note categories, Billing books and project types have access control. When you setup permissions you can add user groups and users to the access control list. There are four different levels of permission:

  1. Read only
  2. Read and write
  3. Read write and delete
  4. Manage

With manage permission you are also allowed to control access and change the ownership of the item.

When you add a new user or group it has read permission by default. You can change the level by clicking it in the grid. See the screenshot below.

Access control panel