What are group policies and how to use them? v5.4 and above
If you have version 5.31 or below please see this KB instead.
The super administrator can define ONE member group to manage user’s general permissions (confidentiality).
By default there is only the Full Access group. Additional groups can be added.
Go to: Admin > Users & Staff > Manage group policies.
Group rules can be defined to manage user module access, based on several options:
F: Full Access
V: View only – User access to the module is limited to only view/show data.
B: Block access – Users can’t enter into the respective module. Blocked users will see that the module exists.
You can manage storage visualization (options view only) and the access to the storage browser. If you want to restrict storage browser access, select: Block access to Storage Browser
When you create a group with view only access, you can check the storage box to allow users to see the storage positions and locations for module records. The four options at the bottom work in combination with the selection of F, V, B permissions.
Groups can also be defined in a way to filter data access between groups:
- Group sees ALL
No option checked
- Group sees ALL except storage
By checking Group sees all but storage limited to OWN group, group members will see all records in LabCollector. However, storage information will be limited to group members.
- Group sees ONLY its own data
By checking Group sees ONLY same group member’s records and storage, group members will only see records and storage information from their own group. This applies to record creation and record ownership. Note that records owned by the super-admin will be visible to all users. Data can therefore be secured by group. To take advantage of this you must have at least two groups.
- Group sees ALL orders
By checking Group sees ALL orders from ALL groups, all users can see all orders in the purchase order management. There are no limitations except by user permissions.
Records made by users not affiliated to a group will not be restricted and will remain visible to ALL users in any group. The super-admin does not belong to any group.
From version 5.3, add-ons can also have a restricted access: F: Full Access or B: Block access – Users can’t enter into the respective add-on.
Permissions can be changed at any time through this menu.
Search filters also use these group definitions to help filter data by group.
Super-administrator can assign master administrators to the groups under Admin > Users & Staff > Manage Users. These administrators can create and manage lab members and user accounts for their own group.
Since version 5.3, super-administrator and group master administrators can apply more than one group to a user.
Version 5.4 allows users to choose which of their groups they want to share data with on a record-by-record basis. If a user is in more than one group then their data is shared with all those groups by default. The user can otherwise choose particular groups from the Share Options dropdown while creating or editing a record.
Version 5.4 also allows the administrator to assign a Primary Group to users that are in more than one group. This means that by default their data is shared only with the Primary Group unless they explicitly choose to share individual records with their other group(s) while including/excluding their Primary group.
Once the group is set up, you can also restrict the group to a list of IPs (see KB-restrict access to Labcollector).