Rights to people are the most complex part of the advanced security model and at the same time the most powerful.
In advanced security mode, rights can be defined on the basis of the person's primary group, groups, primary type, types, statuses, volunteer type, banned flag, deceased flag, archived flag and "user is supervisor". Rights are acquired to a person via a series of rules which are checked one by one to determine the user's overall rights. Beyond just the rights to create, view, edit, delete and report on people, a user can be assigned Profile editor restrictions. These restrictions limit what the user can see and change if they're allowed to open the Profile editor for that person.
In order to determine what rights and restrictions a user has to an individual person, VSys starts at the default user, works through each security role and then the explicit rights assigned to that user. Along the way it checks each rule and if that rule matches the person in question it updates the rights and/or restrictions with those in the rule.
In this example, a person whose primary group is "Young members" will meet the filters for this rule. This will give the user "Create", "Edit", "View", "Delete" and "Report" rights to this person. Note that Rights is set to "Replace rights": that means that any rights acquired via previous rules (explicitly assigned to this user, his roles or the default user) are thrown away and replaced with the ones set here. If we'd selected "Edit rights" then we could add and subtract from the rights derived so far. Choosing "No rights changes" would do nothing at all.
We set Profile editor restrictions to "Edit profile editor restrictions", this means that we'll be adding and subtracting from the Profile editor restrictions already derived via the user's other rules, roles and the default user. In this case we're removing the "(disabled)" and "(read-only)" restrictions; if the user had those restrictions they're removed and other restrictions remain unchanged.
For the second rule (above) we're using the filter "User is supervisor" so that only people who are supervised by the current user will qualify. For people who meet this filter, the rule will give the user all rights to that person and remove any Profile editor restrictions.
Rights can also be assigned based on job associations and job assignments. Below, the user's rights will depend on the person having a job assignment for "Coffee shop" anywhere between 30 days in the past and 180 days in the future.
Here the user's rights will depend on the person having a job association for "Drivers" with a status of "Active" or "Preference" and that job association's Start date cannot be after the current date nor its End date before the current date.
Filter notes
Primary group vs. Groups |
Primary group must match the person's Group. Groups can match the person's Group or Additional groups. If more than one value is selected for either field, e.g. two Groups are selected, only one of them needs to match against the person. If values for both of these fields are set, i.e. one or more groups are checked for both Primary group and Groups, then both fields must match the given person. |
Primary types vs. Types |
Primary type must match the person's Type. Types can match the person's Type or Additional types. If more than one value is selected for either field, e.g. two Types are selected, only one of them needs to match against the person. If values for both of these fields are set, i.e. one or more types are checked for both Primary type and Types, then both fields must match the given person. |
User is supervisor |
This filter is special: it checks to see if the user has a supervisory relationship to the person within VSys. That supervisory relationship may exist via a relationship, being a supervisor in a job association ("Active", "Substitute", "Other", "Pending", "Waitlisted", "Preference") or being a supervisor for one or more assignments in the past thirty days or up to 180 days in the future. It's a powerful filter in that it can be used to give a user rights to the people he supervises without having to use complex filters based on Type, Group, etc. to "back into" that relationship. |
Clicking on the link Test effective rights for a specific person prompts you to select an existing person in VSys and shows you, based on the current user's rights and the selected person's attributes, what the user's rights would be for the selected person.