Understanding User Rights

In a multi-user environment controlling what a user can do is crucial. If you are a using OpenGoo as a client extranet you probably don't want that one client can see documents of another client. If you are using OpenGoo as an intranet you may have certain workspaces where certain employees are not allowed to edit information, and some other workspaces which are visible to the management exclusively.

Setting the user rights is one of the more complex tasks in OpenGoo. There are properties at serveral places, and you have to know where to find them and how they relate to each other. This page tries to summarize all the different settings that control user rights.

Basically there are to types of permissions: Some apply to your OpenGoo installation as a whole - we call them system permissions. Others can be set per workspace - we refer to them as workspace permissions.

On the level of each single user you can set system permissions as well as workspace permissions.

The system permissions define whether a user is allowed to:

• edit company data
• manage security
• manage workspaces
• manage configuration
• manage contacts

(I need more information about how these system permissions work.)

Workspace permissions can be set by checking the checkboxes for the respective workspaces, which gives the user full access to that workspace.

¹⁾

If you want to control workspace permissions in more detail, click on the name of that workspace to bring up the workspace permission details. There you can define for each object type if a user is able to read & write it, to read it only, or not see it at all.

There are two more checkboxes to control how a user can assign tasks to other users. If you activate the first one, this user can assign tasks to users of the owner company; if you activate the second one, this user can assign tasks to users of other client companies. If you don't check any of the two, this user can assign tasks only to users of his own company.

Groups (or roles) are a common concept for dealing with user rights. The idea is that you do not set permissions for every single user but that you can define groups (or roles) with specific rights and add the users to a certain group (or role). This makes controlling and updating permissions much easier.

Unfortunatly groups in OpenGoo are not very powerful. As of OpenGoo 0.9.1 you can only define groups based on the system permissions.

There is also a screen where you can set workspace permission for each company.

PLEASE NOTE: Whether a user can access a workspace or not is defined by the workspace permissions from the user profile (see above), not by the workspace permissions of the company the user belongs to. If you add the permission to access a certain workspace to the company, this permission is not automatically given to all users of that company; you have to add this permission manually for each user (that's what the yellow box says). This is a good thing, because it prevents you from giving permission to a user accidentially.

Nevertheless this can be a bit confusing, and you may be asking yourself what workspace permissions on the company level are good for then. Setting or removing a workspace permission on the company level has the following impacts:

• If you remove a workspace permission, this permission is taken from all users of that company. This gives you a powerful tool to hide and lock a workspace from all users of a company very quickly, and this is the main advantage of this feature.
• If a company has no workspace permission at all, then you can't set workspace permissions for users of that company. (But as soon as you have set at least one permission, users can be given permission to any workspace, as stated above.)
• If you edit workspace permissions as part of the workspace properties (see Working with workspaces), then all users of companies that have permission for that workspace are displayed automatically. (But you can display users of other companies as well simply by checking a checkbox, so this is simple usability feature.)

If you see the following screen with workspace names striked, then… ²⁾

PLEASE NOTE: Regarding permissions contacts do not act the same way as all other content objects. If a user has permissions to manage contacts, he can access all contacts if he clicks “All” in the workspace selector - not only the contacts of the workspaces he has permissions for. In other words: Assigning contacts to a workspace does not affect it's visibility for other users but is only a way to organise contacts.

There are plans to change this in a later version of OpenGoo (see here), but for the moment you must know that there is no privacy for you contacts.