Path to function: Resources > Permission sets
Permission sets can be used for several things:
- As sets of accounts for reporting at the organisation level.
- As a way of assigning attributes such as 'role' to sets of users - e.g. member, staff, walk-in user. You must, in fact, allocate at least one permission set to everyone because of this and your initial setup will have included a default permission set for this purpose.
- With restrictive mode to limit which resources are available to sets of users. When used this way, any change you make to the resources allocated to a permission set instantly changes what the related accounts can access, although the users won't see it in MyAthens Plus lists until the next time they sign in.
Permission sets can only apply to user accounts under the same organisation - any sub-organisations you have will need at least one permission set of their own.
The first thing you will see is a list of any existing permission sets.
Each line will display a description of the set and some other information such as the number of accounts it is assigned to and the number of resources assigned to it - clicking on either will take you to a list of those accounts or resources. Clicking on the permission set description will allow you to edit the set's details (see below).
Adding a permission set
After clicking on the add button you will be prompted for a description and name for your new permission set.
The name is automatically generated based on the description, but you can change it if you wish. The name is used in data downloads and bulk uploads, but you are unlikely to see it anywhere else. Permission set names, like account usernames, cannot be modified once created.
Selecting default will mean that it's automatically assigned to any new OpenAthens accounts you create. If you're using a local connector, it's used by one of the possible permission set assignment rules.
Once you click the create button you are taken to the modify page for your new permission set. This is the same page you would see if you clicked on the description of an existing permission set.
Modifying a permission set
If you click the description of a permission set, you can modify it.
The sidebar shows you the description, name, creation time and modification time of the permission set.
The Settings tab allows you to modify the description and expiry date for a permission set. Permission sets do not have to have an expiry date and default to a 'never expire' (blank) setting.
The Attributes tab gives you control over the roles and entitlements that can be passed to federated resources. Unless you specifically want to not pass a role for a user you will need to have a value here. The default of 'member' is usually correct.
At the top right there is a display of the number of connected accounts and resources. Buttons beside the numbers let you view which accounts and resources are associated with that permission set.
Modifying a permission set's allocation to accounts
From the allocated to accounts button on either the permission set in the list or on the modify page you will be taken to a preset search for accounts that have that permission set. From here you have access to all the same actions as any other search, including allocate and revoke permission sets. To allocate this permission set to further accounts, though, start from any other search or list view that identifies the accounts that should have this set.
If you are using permission sets to restrict access you will want to be able to view and allocate resources.
Viewing the resource allocation
From the allocated to accounts button on either the permission set in the list or on the modify page you will be taken to a filtered view of the allocated tab in the resource catalogue. This view will let you easily remove resources from the permission set. You can also add others from the 'All' tab, but you will find it easier to use the Add button (see below).
This view usefully also allows you to allocate resources to other permission sets, which can help with the management of resources - you might even create some permission sets that you never allocate to accounts for this reason.
Adding resources to a permission set
On the permission set details page there is an add button beside the list resources button.
This will bring up a list of all the resources that are not already allocated to this permission set - add them to the set by clicking on the add buttons on the relevant resources.
You can also allocate resources to a permission set directly from the catalogue.
Anything to watch out for?
Whilst all accounts will need at least one permission set so that they can access resources, restricting access to the resources specified in a permission set requires restrictive mode to be set to on.
Permission set descriptions do not have to be unique, but it helps.
Resource statistics are aggregated against all permission sets that a user has, even the ones that don't contain that resource. This may affect your strategy.
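The two points above about restrictive mode and statistics can be modelled in a few lines. This is an added illustration, not OpenAthens code: the set names, accounts and resources are constructed, and it assumes that a user's permission sets combine as a union and that every organisation resource is available when restrictive mode is off.

```python
from collections import Counter

# Constructed sample data: permission set name -> resources allocated to it.
PERMISSION_SETS = {
    "staff": {"journal-a", "database-b"},
    "walkin": {"journal-a"},
    "reporting-only": set(),  # holds no resources, used only to group accounts
}
# Constructed accounts: username -> permission sets allocated to the account.
ACCOUNTS = {
    "alice": ["staff", "reporting-only"],
    "bob": ["walkin"],
}
# Constructed list of everything the organisation can access.
ORG_RESOURCES = {"journal-a", "database-b", "ebooks-c"}


def available_resources(username, restrictive_mode):
    """Return the resources an account can reach in this model."""
    sets = ACCOUNTS[username]
    if not sets:
        raise ValueError("every account needs at least one permission set")
    if not restrictive_mode:
        # Assumption: with restrictive mode off, permission sets do not limit access.
        return set(ORG_RESOURCES)
    allowed = set()
    for name in sets:
        # Assumption: multiple permission sets combine as a union.
        allowed |= PERMISSION_SETS[name]
    return allowed


def aggregate_statistics(events):
    """Count each (username, resource) access against every set the user has."""
    stats = Counter()
    for username, resource in events:
        for name in ACCOUNTS[username]:
            # Counted even when this set does not contain the resource.
            stats[(name, resource)] += 1
    return stats


if __name__ == "__main__":
    print(available_resources("bob", restrictive_mode=False))
    print(available_resources("bob", restrictive_mode=True))
    print(aggregate_statistics([("alice", "database-b")]))
```

In this model alice's use of database-b is counted against reporting-only as well as staff, which is the effect to allow for when planning reports per permission set.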