Please note that there is more than one method to accomplish this. Knowledge Article 121994, How to setup read only access to IT Shop, outlines how to accomplish the same result by making a copy of an existing permissions group. The following steps outline how to accomplish this by creating a new permissions group.
1. Begin by creating a permissions group that has "View" permission on the Person table. The group must also have "View" for each column in the table or the Employee accounts will not be visible.
- Create the permissions group in Designer: Click "Permissions" then under "Tasks" click "Show / edit permissions group". Click the blue plus on the menu bar to Insert a new permissions group:
- Give the new group a meaningful name and commit the change to the database.
Important: ensure the option "Only use for role based authentication" is selected for the new group:
2. Assign "View" permission to the Person table. This can be done by editing the permissions for the group or by editing the permissions for the table. Either option takes you to the same place: the latter requires that you select the group from the "Permissions group" dropdown menu item, while the former selects it automatically. For this article we'll use the former method:
- Select the new permissions group in the "Permissions groups" list and then under "Tasks" click "Edit permissions for permissions group <group name>".
- The "Permissions Editor" window opens. Select and expand the Person table in the available list.
- Right-click on the Person table and select "New". This will create a new entry for the new group, and "View" permissions will be granted automatically:
- Then select all the columns in the table, right-click and choose "New" to allow "View" for all the columns:
- Click "Commit to database" to save the changes.
3. Assign permissions to the User Interface.
- In Designer select the "User Interface" tab, expand "User interface navigation", select "Manager" and then click "Edit navigation for application 'Manager'" under "Tasks".
- In the menu item list select "Person" and in the bottom pane, "Permissions group", right-click the new permissions group created in step 1 and choose "Assign permissions group recursively". This will assign permissions to the menu item and its sub (child) items:
- Click "Commit to database" to save the changes.
4. Create a new Application Role and assign the new permissions group to the role.
- In Manager click on the "Identity Manager Administration" tab, expand "Identity Management" | "Employees" | "Administrators" and create a new role under "Administrators".
- Assign the permissions group to the new role:
- Save the new role and then in Manager assign the role to the desired Employee(s):
When the Employee logs in to Manager they will see the "Employees" tab and be able to view all Employee accounts.