Before you start assigning rights to users and groups, check the default (or global) server policies first.
The server guidelines can be accessed in the Server Manager via MANAGE/SERVER POLICIES.
The rights in the server policies can have three states:
- Not defined
Please note the following:
- If an access right has been granted in the server policies, i.e. it is in the Enabled state, it is available to all users. However, it can still be deactivated for individual users and groups in the individual settings.
- If an access right has not been granted in the server policies, i.e. has the status Deactivated, it is NOT available for all users and can no longer be activated for individual users and groups in the individual settings.
- If a right has not been defined, it must be set as desired for individual users and groups in the individual settings.
Usually, you should leave the rights undefined in the server policies and define them in the individual access rights in the individual databases.
Examples of server policy usage:
If you do not want to allow passwords to be printed throughout your organization, disable "Print records," so set this option to "Disabled.
If you want to allow all users in the company to use the browser add-ons without restrictions, activate "Auto-complete via browser add-ons" and "Transfer new entries from browser add-ons".
Assign rights at database level
After you have checked the settings in the server policies and set them as desired, you can assign rights for users and groups to the individual databases.
To do this, right-click on a database in the DATABASES area and select PROPERTIES. In this dialog box, you can make the desired settings in the SECURITY tab.
Here you add new users or groups to a database via ADD. You then set the rights by selecting Allow or Deny for the respective access right.
Shared access rights for the entire database can be assigned in the RIGHTS FOR THE DATABASE tab.
If "Allow" is enabled in the Access to the database option, the user can see the database in the list of existing databases. If READ INTRASES is enabled, it can read all entries and folders in them (unless you restrict access to individual folders and entries separately). When you enable READING ENTRIES, ACCESS TO THE DATABASE is also enabled automatically because it is not possible to allow reading without accessing the database.
If you enable ACCESS TO DATABASE and disable READ ENTRIES, the user can see the database and receive it from the server, but cannot see any entries in the database. In this case, however, you can allow the user or group to access individual entries or folders within the database (see below).
Access to database: User can see the database in the list of available databases.
Read entries: User can see entries in the database.
Modify entries: The user may edit existing entries or folders and create new folders.
Add entries: The user may add new entries.
Delete entries: The user can delete existing entries.
Use the function "Auto-Complete": The user may use the function of the same name to fill out programs and web forms.
Auto-fill web forms using browser add-ons: The user may have web forms filled out automatically by the add-ons.
Accept new entries from browser add-ons: The user can create new entries using the add-ons.
Print entries: The user may print the entries in readable form (paper and/or PDF).
Export entries: The user can export the entries to XML or other formats.
Save database locally: The user creates local database copies or backup copies on his computer.
Synchronize database: The user is allowed to synchronize the database with another database.
Grant admin rights for database: The user can log on to the server via the Control Panel and assign rights to the database to other users.
In the second tab "Permissions on entries and folders" you can assign rights for special folders or entries to users or groups.
Example of practical use
You want to grant the Support group access to the company database, but the members of this group should only see the IT folder within the database and have full rights there, that is, in this folder.
In the first step, you allow the Support group access to the database, but deactivate all other rights:
Since the Support group cannot read, change, etc. entries, it is sufficient if you grant the rights for one folder in the next step (the rights for the other folders were defined and inherited in the previous step - so you no longer have to revoke any rights for the other folders):