Administration Rules
There are certain logical rules that apply to users with administrative permissions, in particular to those with permissions to grant administrative permissions to other users.
Assuming the following:
- Joe is a user in groups A, B, and D, and has user administration permissions in group A.
- Alice is a user in groups A and D.
- Tony is a user in groups C and D.
- Mike is a user in group C.
Joe is:
- able to administer user Alice, because they are both in group A together and Joe has user administrative permissions for that group.
- unable to administer Tony, even though they are both in group D, because Joe does not have user administrative permissions for that group.
- unable to administer Mike because they share no groups whatsoever.
Because Joe has user administrative permissions for group A, he can grant Alice administrative permissions for that group as well. He does not have to grant Alice all his permissions for that group, although he may if he chooses to. However, one thing he cannot do is grant Alice any permissions that he himself does not already have (nor can he grant them to himself), and he cannot grant Alice administrative permissions in any group in which he himself does not have user administrative permissions. For example, while Joe, Alice, and Tony are all in group D together, Joe does not have user administrative permissions in that group, and so cannot give them any administrative permissions in that group (note that the exact same rules apply to symbol access and symbol access roles).
If the group in which a user has user administration permissions is the AllUsers group, that user can administer all users in the system. However, that user with administrative permissions must still operate within the limits of the permissions he himself has been granted: he cannot grant other users permissions or symbol access that he himself does not possess.
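The rules above can be checked mechanically. The following Python model is an added example, not Longview code: the User class, the function names, the "Root" user and the PERM_* permission names are assumptions made for illustration, permissions are simplified to a flat set of names, and it assumes a grant is only possible to a user the administrator can administer.

```python
from dataclasses import dataclass, field

ALL_USERS = "AllUsers"  # system group; every user is a member and cannot leave


@dataclass
class User:
    name: str
    groups: set
    admin_groups: set = field(default_factory=set)  # groups where user administration is held
    permissions: set = field(default_factory=set)   # permissions / symbol access held

    def __post_init__(self):
        # Users are assigned to AllUsers automatically when they are created.
        self.groups = set(self.groups) | {ALL_USERS}


def can_administer(admin: User, target: User) -> bool:
    # Sharing a group is not enough: the administrator must hold
    # user administration in a group the target belongs to.
    return bool(admin.admin_groups & target.groups)


def grant_admin(admin: User, target: User, group: str) -> None:
    if not can_administer(admin, target):
        raise PermissionError(f"{admin.name} cannot administer {target.name}")
    if group not in admin.admin_groups:
        raise PermissionError(f"{admin.name} has no user administration in {group}")
    target.admin_groups.add(group)


def grant_permission(admin: User, target: User, permission: str) -> None:
    if not can_administer(admin, target):
        raise PermissionError(f"{admin.name} cannot administer {target.name}")
    if permission not in admin.permissions:  # also blocks granting it to himself
        raise PermissionError(f"{admin.name} does not hold {permission}")
    target.permissions.add(permission)


def build_users() -> dict:
    # Constructed sample data mirroring the scenario above; Root and PERM_* are hypothetical.
    return {
        "Joe": User("Joe", {"A", "B", "D"}, {"A"}, {"PERM_1"}),
        "Alice": User("Alice", {"A", "D"}),
        "Tony": User("Tony", {"C", "D"}),
        "Mike": User("Mike", {"C"}),
        "Root": User("Root", set(), {ALL_USERS}, {"PERM_1"}),
    }
```

When auditing an exported user list, the same two checks flag any user whose administrative groups or permissions could not have been granted by the administrator recorded as granting them.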
Understanding the AllUsers group
The AllUsers group is a system-created group related specifically to administrative permissions.
The following rules apply to the AllUsers group:
- Users are automatically assigned to the AllUsers group when they are created and cannot be removed from it.
- The AllUsers group cannot be deleted, and the group name and description cannot be modified.
- The AllUsers group is not displayed in the Group list when you sign on to a Longview system.
- In Longview Client, the AllUsers group is a valid user group only in the User Administration and Reset Passwords fields in the Users editor, and in the Authorization Group field in the User_Authorization.csv import file.