General

Atollon Directory

Access Rights in Atollon server are based on tree-hierarchical structure. See the attached document for the Atollon Directory scheme.

Roles

Role is Access Rights entity that can be assigned to users in connection to Folder (Account) or Project. User must be allowed to fit into specific role. See User Settings to add user into role. By adding user into role, you specify that anyone with R (Rights) permissions can assign the User into the Role. Nothing else. User does not get any rights only by adding the user into the Role (this is different compared to Access Group rights). User gets permission specified by Role rights only after Account Manager, Project Manager or any other authorized User adds the user into Role on Project or Folder (Account).

Role "Creator"

Creator role is specific system-generated Role, which helps assign User into Creator role automatically after creating the Folder (Account) or Project based on Folder / Project Template.

Define Project Role Rights

Project Template (Folder Template) may define specific access rights that any User assigned to Project Role on specific Project may receive. To amend Project Role rights, go to Project Template Settings and change Custom Rights options. These rights are pre-definable only to new projects. If you want to change rights to existing projects, you should check function of mass-project rights change in Reporting (only Win client).

If the Project Role rights are not specified by Project Template, but are allowed by Project Type, system automatically assigns full rights to the user on the project.

Conditions of adding User to Role on Project

Check whether User may be assigned to Role (see User Settings)
Check whether Project Type contains the specific Role
Check whether user assigning other users has R (Rights) permissions on the particular Project.

Please be aware that usually projects are visible (editable / approvable) also by Access Group rights to large number of users (Project Managers, Administrators, Everyone, etc.) depending on Project default access rights settings (based on Project Template).

Access Rights Properties

ACL (Access Control List)

Atollon system access rights utilize per-object access rights. That means each Container or Leaf Node may have it's own Access Rights definition.

Access Rights Definition

Users, Groups and Roles may be assigned to have authorization to List, View, Create, Edit, Authorize or amend Rights of each individual object that is associated to the ACL. Special rights include Admin (this right can be editable by root user only and disallows changing this permission to any other users) and Finalize (this right means that the permission is set for the current object only and can not be inherited).

Access Rights Inheritance

Access Rights to one object (ACL) may be automatically taken from another ACL (or multiple ACLs). This is used when setting-up rights for more records (messages, documents, etc.) at the same time. It is enought to set rights in parent node / folder / container and the objects linking to this container will get the same rights as the container itself.

Example: Set that the group Everyone will see the project "Company Party". Any message or document created/uploaded under project "Company Party" gets the same rights as the "Company Party" project, because the new message/document has ACL that links to it's parent (the project folder).

How is the inheritance ensured?

Rights are automatically inherited, because they are (ussually) created based on Template ACL. The Template ACL is the object's property that holds the definition of new (child object) ACL to be created. This Template ACL, by default has set that the newly created (child) objects will link to it's parent (current object).

Multi-link ACL

Some records, such as Folders, Projects, Activities or Invoices are multi-linked. That means their ACL is inherited from several parent nodes, incl. for example Folder Type and Parent Folder (in case of Folder). When linking rights, filters are applied. That means that in order to get L, V rights to the Folder, you have to have L rights to it's parent, etc.

Are there any exceptions?

Yes, in Project or Folder Templates, administrators may set-up different behavior for creating new ACLs for newly created Folders & Projects. They may change the Template ACL to link to different container and in that way change default rights of various Folders & Projects, based on selected Folder or Project Template.

How to check what righs are inherited?

You just open the ACL detail and click on "Show linked rights". The condition is that the ACL links to other ACL.

How do I avoid inheritance

You can either change this in Template ACL (remove the linking) or you can change it on already created object (again, remove the linking). You can not remove rights that were set as Admin. Those can be removed only by super user.

Proxy Rights

Proxy Rights are used to temporarily or permanently give rights of one user to another. To set-up Proxy Rights, you must open User's details (the one that give the Power of Attorney) and add the other user (the one who will get those rights).

Example: Person leaves for vacation and you want other user to take over the responsibility in the time of absence. Go to the absent user's details and add full Power of Attorney to another user. Please note that this change is global, therefore it affects also the user's personal messages and documents.

Enable:

Edit events in other users calendar: Need access on other users timesheets

Conflict: If enabled editing callendars also editing timesheets is enabled and vice versa

Disable:

Found proxy connection

there is script what found you all proxy use on virtual server instances: listProxtThroughDatabases.sh

move him to /tmp/, su postgress and run:

sh /tmp/listProxtThroughDatabases.sh

Output looks like:

 database  |     id     |  username  |  proxyid  |  proxyname
-----------+------------+------------+-----------+--------------
  harfonie |  190086000 | snadova    |  67385000 | rytova
  harfonie |  190099000 | marsala    |  67385000 | rytova
  harfonie | 1099228000 | hamalova   | 190099000 | marsala

Context Settings Overview

Folder Type Settings

Project Type Settings

Activity Type Settings

Layout Customization

Context Categories

Multi-organization folder view

Users

General

Implementation of Access Rights Best Practices

Removing Users Accounts

Events Access Rights

Invoice Access Rights

Options & Tools Access

Groups & Roles

User Profiles

User Templates

Manual Uninstall

Adobe Air error message - macOSX Catalina

Contacts Configuration

Custom Forms Scripting

Finance Settings

Invoice Administration

Document Library Configuration

Mail Set-Up

Mass Mail

Redirect existing mail address

Set-Up Domain MX Records

Set-Up Mailbox

Message Configuration

Generic Reports

Generic Report Scenarios

Working with Generic Reports

Setup Weekly Reporting

Starting with Workflow

Sending messages

Interactive Workflow Actions

Workflow Objects Overview

Workflow Actions

Workflow Filters

New Workflow

Custom Forms Designer

Custom Forms Configuration

List Cross-form Values

Applications and Toolbar Settings

Configure Application Forms

System Registers

Print and document generation

General

Atollon Directory

Roles

Role "Creator"

Define Project Role Rights

Conditions of adding User to Role on Project

Access Rights Properties

ACL (Access Control List)

Access Rights Definition

Access Rights Inheritance

How is the inheritance ensured?

Multi-link ACL

Are there any exceptions?

How to check what righs are inherited?

How do I avoid inheritance

Proxy Rights

Found proxy connection