Path to function: Resources > Permission sets

Permission sets are collections of resources that can be assigned to accounts so that you can control which users have access to which content. Modifying the resources in a permission set instantly changes the resources that any accounts that use that set can access whether it be one account or a million. Permission sets can only apply to user accounts under the same administrator - sub-administrators will need their own permission sets.

The first thing you will see is a list of any existing permission sets.

Each line will display the name of the set and some other information such as the number of accounts it is assigned to and the number of resources assigned to it - clicking on either will take you to a list of those accounts or resources. Clicking on the permission set name will allow you to edit the sets details (see below).

Adding a permission set

After clicking on the add button you will be prompted for a description and name for your new permission set:

The name is automatically generated based on the description, but you can change it if you wish. The name appears in data downloads and the audit report. It is also used in bulk uploads. Permission set names, like account username, cannot be modified once created.

Once you click the create button you are taken to the modify page for your new permission set. This is the same page you would see if you clicked on the name of an existing permission set.

Modifying a permission set

If you click the name of a permission set, you can modify it.

The sidebar shows you the description, name, creation time and modification time of the permission set

The Settings tab allows you to modify the description and expiry date for a permission set. Permission sets do not have to have an expiry date and default to a never expires setting. To change an expiry date to never expire: delete the expiry date.

The Attributes tab gives you control over the roles and entitlements that can be passed to federated resources. If you access federated resources, you will need to set a value for this, usually 'member'.

At the top right there is a display of the number of connected accounts and resources. Buttons beside the numbers let you view which accounts and resources are associated with that permission set.

Modifying a permission set's allocation to accounts

From the allocated to accounts button on either the permission set in the list or on the modify page you will be taken to a preset search for accounts that have that permission set. From here you have access to all the same actions as any other search including allocate and revoke permission sets. Allocating this permission set to accounts though is done from any other search or list view that identifies the accounts that should have this set.

If you have connected a local authentication source, permission sets will be assigned there instead.

Viewing the resource allocation

From the allocated to accounts button on either the permission set in the list or on the modify page you will be taken to a filtered view of the allocated tab in the resource catalogue. This view will let you easily remove resources from the permission set. You can also add others from the 'All' tab, but you will find it easier to use the Add button (see below).

This view usefully also allows you to allocate resources to other permission sets which can help with the management of resources - you might even create some permission sets that you never allocated to accounts for this reason.

Adding resources to a permission set

On the permission set details page there is an add button beside the list resources button.

This will bring up a list of all the resources that are not already allocated to this permission set - add them to the set by clicking on the add buttons on the relevant resources.

You can also allocate resources to a permission set directly from the catalogue.

Anything to watch out for?

Whilst all accounts will need at least one permission set so that they can access resources, restricting access to the resources specified in a permission set requires restrictive mode be set to on.

Permission set descriptions do not have to be unique, but it helps.