Before you start assigning rights to users and groups, check the default (or global) server policies first.
The server guidelines can be accessed via Manage -> Server Policies in the Server Manager.
The are three options to select for rights in the server policies:
- Not defined
Please note the following:
- If an access right has been granted in the server policies, i.e. it is "Enabled", it is available to all users. However, it can still be deactivated for individual users and groups in the individual settings.
- If an access right has not been granted in the server policies, i.e. it is "Deactivated", it is NOT available for all users and can no longer be activated for individual users and groups in the individual settings.
- If a right has not been defined, it must be set separately for individual users and groups in the individual settings as desired.
Usually, you should leave the rights undefined in the server policies and define them in the individual access rights in individual databases.
Examples for the use of server policies:
If you do not want to allow passwords to be printed out throughout your organization, disable "Print entries" by setting this option to "Disabled".
If you wish to allow all users in your organization to use browser add ons without any restrictions, activate the option "Auto-fill web forms using browser add-ons" and "Accept new entries from browser add-ons".
Assign rights in individual databases
After having checked the settings in the server policies and setting them as desired, you can assign rights to users and groups in individual databases.
To do so, right-click on a database in the Databases area and select Properties. Once the dialog box has opened, you can change settings in the Security tab.
You can add new users or groups to a database via Add. You then set the rights by selecting Allow or Deny for the respective access right.
Shared access rights for an entire database can be assigned in the Permissions on the database tab.
If the Access to database permission is activated by clicking on Allow, the user is able to see the database in the list of existing databases. If the option Read entries is enabled, the user can read all entries and folders of a database (unless you restrict access to individual folders and entries separately). When allowing the option Read entries, Access to database is also activated automatically because it is not possible to allow reading of entries without accessing a database.
If you enable Access to database but disable Read entries, the user can see the database and receive it from the server, but he is not able to see any entries in the database. In this case, however, you can allow the user or group to access individual entries or folders within the database (see below).
Access to database: User can see the database in the list of available databases.
Read entries: User is able to read entries in the database.
Modify entries: The user may edit existing entries or folders and create new folders.
Add entries: The user may add new entries.
Delete entries: The user may delete existing entries.
Use the function "Auto-Complete": The user may use the feature of the same name to fill out programs and web forms.
Auto-fill web forms using browser add-ons: The user may have web forms filled out automatically by add-ons.
Accept new entries from browser add-ons: The user may create new entries using add-ons.
Print entries: The user may print entries in readable form (on paper and/or as PDF).
Export entries: The user may export entries to XML or other formats.
Save database locally: The user may store local or backup copies of databases on the server on his computer.
Synchronize database: The user is allowed to synchronize the database with another database.
Grant admin rights for database: The user is able to log in to the server via Control Panel and assign other users rights to the database.
In the second tab Permissions on entries and folders you can assign users and groups rights for special folders or entries.
You want to grant the Support group access to the company's database, but members of this group should only be able to see the IT folder of this database. However, members should have full rights in the IT folder.
You first allow the Support group to access the database. Next, please define all other permissions as follows:
Since the Support group is not allowed to read, change or modify entries etc. you just need to grant rights for the IT folder in the next step (permissions for the other folders of the database were defined in the previous step - so you don't need to set any rights for the other folders you see in the Permissions on entries and folders tab):
TIP: The different colours show you which permissions are allowed and which permissions are denied. Green does always indicate "Allowed" permissions and red does always indicate "Denied" permissions. Thus you can detect very quickly which permissions are currently allowed and denied.