Managing your security groups in TRIRIGA
There are a few things to know about managing your security groups in TRIRIGA. Out of the box, TRIRIGA comes with predefined groups based on various roles, and you might be able to map one of your roles to an existing security group. Start by learning what the out-of-the-box groups offer and what your needs will be. Then you can determine whether you can use an existing group or need to create a new one. If you need to add or remove access, the best practice is to copy the group that most closely resembles what you need and make your changes to the copy. This way, if something is not being granted correctly, you can refer to the out-of-the-box group to see if the problem still occurs.
It should also be noted that you do not have to define one giant security group for a user who has multiple roles. For instance, you might have a user who is a Lease Manager but also has a role with Facilities Maintenance. You would associate the user with 2 different security groups: one for Lease Manager and the other for Facilities Maintenance. This way, if you end up with security issues, the best way to troubleshoot them is to remove groups until there is only 1 associated with the user. Test. Then remove that group and add another one.
The exception to copying security groups is the Administrative group. This group should not be copied because it is a special group with special privileges, and copying it would not copy all of those privileges. You can certainly add users to this group, but because it is a special group, you might not want to have all users in it. Instead, consider putting your administrative users in the TRIRIGA Application Administration group. This group has most, if not all, of the administrative privileges that an Administrator would need.
If you do need to create your own security group, it is best to first map out the access that you want it to have. See if there is an existing group that resembles what you are looking for, then copy it and modify it to fit your needs. Copying an existing group and then modifying it is certainly easier than creating a new group from scratch.
Another important point in managing your security groups is deciding whether they are specific to an organization or geography. Depending on how widely you use TRIRIGA, you could have your data defined across multiple organizations and geographies. You could have Lease Managers in different organizations and geographies who should not see each other's data, so you would have a Lease Manager role for each organization. But there might be some people in a role who need to see the data across multiple organizations. In that case, the group would have the same access, but the organization and geography would be set one level higher so that they incorporate the children in the hierarchy. Once you have defined System Organization and System Geography, only records that have those fields defined can be accessed, so you need to be careful with the data and access. It is important to note that your group structure can be difficult to manage if your groups combine System Organization, System Geography and application security in the same group. The best practice is to use multiple groups and layer groups for each user.
For example, Group 1 defines System Organization security as \Organizations\Greenpoint. Group 2 defines System Geography security as \Geography\North America\United States. Group 3 defines a level of application security as Read access to triBudget. You assign a user to Group 1, Group 2, and Group 3, and the user has the combined security of all groups.
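A simplified model of the layering described above, added here as an illustration; it is not TRIRIGA code. The evaluation rules are assumptions: a scope matches its own path or any child path, a user with no scope group on a dimension is unrestricted on it, and application permissions are the union across groups. The record paths below Greenpoint and United States are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    name: str
    org: str = ""                 # System Organization path; "" = group sets none
    geo: str = ""                 # System Geography path; "" = group sets none
    app: frozenset = frozenset()  # (business object, permission) pairs

def in_scope(record_path, scopes):
    # Assumed rule: with no scope defined there is no restriction; otherwise
    # the record must carry a path equal to, or a child of, one of the scopes.
    if not scopes:
        return True
    return any(record_path == s or record_path.startswith(s + "\\") for s in scopes)

def check_layers(groups, record, permission="Read"):
    """Evaluate each layer separately so a denial can be traced to one layer."""
    granted = set().union(*(g.app for g in groups))
    return {
        "application": (record["bo"], permission) in granted,
        "organization": in_scope(record.get("org", ""), [g.org for g in groups if g.org]),
        "geography": in_scope(record.get("geo", ""), [g.geo for g in groups if g.geo]),
    }

def can_access(groups, record, permission="Read"):
    return all(check_layers(groups, record, permission).values())

# The three groups from the example above.
GROUP_1 = Group("Group 1", org=r"\Organizations\Greenpoint")
GROUP_2 = Group("Group 2", geo=r"\Geography\North America\United States")
GROUP_3 = Group("Group 3", app=frozenset({("triBudget", "Read")}))
USER_GROUPS = [GROUP_1, GROUP_2, GROUP_3]

# Constructed sample records (paths below Greenpoint / United States are made up).
RECORDS = {
    "child of both scopes": {"bo": "triBudget", "org": r"\Organizations\Greenpoint\Finance",
                             "geo": r"\Geography\North America\United States\Nevada"},
    "sibling org, similar name": {"bo": "triBudget", "org": r"\Organizations\Greenpoint West",
                                  "geo": r"\Geography\North America\United States"},
    "geography not set": {"bo": "triBudget", "org": r"\Organizations\Greenpoint", "geo": ""},
}

if __name__ == "__main__":
    for label, rec in RECORDS.items():
        print(label, can_access(USER_GROUPS, rec), check_layers(USER_GROUPS, rec))
```

The per-layer result shows which group layer is responsible for a denial, which is the same question the remove-one-group-at-a-time troubleshooting answers.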
For more information regarding System Organization and System Geography, please check out the wiki.
After creating or modifying your security groups, it is a good practice to go into the Admin Console -> Cache Manager and clear the Security Scope cache.