English

Manage Permissions

This page is currently under review. Stay tuned!

Crystal Projects often carry highly sensitive and confidential data that needs to be handled with care.

For this reason, Crystal Console offers a Permissions Management System that enables you, as an Admin User, to manage and customize Member Users' Permissions in order to control which data they can see and ask for on the Crystal Advisor.

Impacts of Permissions on the Advisor's Capabilities

Permission settings affect all the Advisor's capabilities where there is a Topic (with Filters) to visualize.

Whenever permissions are not granted, the User’s experience will be limited.

Viewing permissions are crucial for the Member Users to be able to fully experience the following capabilities:

The current version of the capability has been developed to help Admins ensure the highest level of privacy and security of your Crystal Project with an easier, faster, and more granular system.

Let's see how to tailor permissions to your needs!

Remember

Permissions can also be set during the Topic Configuration process, in the "Set Permissions" phase.

Underlying Rules

The Permission Management System is designed to support a range of automatic rules that quick-start the permissions' settings and act as a baseline framework for you to start from.

Therefore, before diving into action, it is important for you to keep in mind the main principles for the Permission Management System.

Permission Levels

Permissions apply to Topics and Filters.

Please Note

You need to set permissions on your Crystal Project independently of the permissions set in the Data Sources underlying Topics.

In other words, Crystal doesn't inherit the permissions set at the Database level.

Permission Targets

Permissions target Users and / or Groups of Users (added either manually or through an Identity Provider).

Default Permissions

Some permissions are set by default:

  • By default, Users have no permissions ("Revoke All")

As soon as you invite new Users to a Crystal Project, they have no permissions for Topics and Filters.

Remember

If you don't grant permission to a User soon after inviting them to your Crystal Project, they won't be able to see and ask for a Topics when accessing the Advisor for the first time!

  • By default, Groups have permissions to everything ("Allow All")

As soon as you create a Group, it automatically assigns it permissions for all available Topics and Filters.

Inherited Permissions

Some permissions are inherited automatically:

  • Users inherit permissions from Groups

As soon as you assign Users to a Group, they can visualize all the Topics and Filters enabled for that Group.

  • Filters inherit permissions from Topics

As soon as you grant a User permissions to a Topic, they can also visualize all the Filters for that Topic.

Remember

You can leverage the Inheritance Rules in your favor to quickly enable Users to visualize Topics and Filters.

Based on the first rule, Creating Groups strategically with a careful selection of its members could be a good way to manage Users' permissions in a few clicks.

Moreover, adding a new User to a Group right after an invitation is the quickest way to enable them to talk to Crystal!

You can find out more about creating and managing a Group here.

Manage Permissions Selectively

Along with the Default Permissions and Inherited Permissions, the Permission Management capability grants you, as an Admin User, the full power to operate granular customizations to the permission settings and therefore bypass - or surpass - the baseline settings that automatically come from the main rules.

Go to the "Users" Tab of the Crystal Console and find the "Manage permissions" Section:

From there, you can manually allow or revoke permissions, choosing to operate selectively:

  • On the desired target (Users and / or Groups) - see the dedicated area on the Left

  • At the desired level (Topics and / or Filters) - see the dedicated area on the Right.

Remarks on Targets

You can choose to operate by selecting different kinds of targets:

  • just one User ("Single User")

  • just one Group of Users ("Single Group")

  • more than one User at a time ("Multiple Users")

  • more than one Group at a time ("Multiple Group")

  • Users and Groups, both at the same time ("Mixed Targets")

Remarks on Topics

Permission Management is available only for Topics that are in the status "Ready" for at least one Language.

If a Topic is "Ready" in any language, permissions can be assigned to it and will affect all the languages available for that Topic.

General Remarks

All the actions that you make on the permission settings always have immediate effect.

Now you are ready to deep-dive into the possible scenarios:

  1. Allow or Revoke Permissions to a Single User

  2. Allow or Revoke Permissions to a Single Group

  3. Allow or Revoke Permissions to Multiple or Mixed Targets

Allow or Revoke Permissions to a Single User

Select your target

  1. from the "Users" Tab, navigate to the "Manage Permissions" Section

  2. in the dedicated "Target" area on the Left, select the option "People" - here are listed all the active Users along with the following details:

    • name and surname

    • email

    • number of Groups affiliations

  3. select a unique User - there are several ways to achieve this goal:

    • scroll normally

    • order (A-Z, Z-A, selected first, unselected first)

    • use Search Bar

Check permissions

Once you select the target, the "Permissions" area opens up on the Right - here are listed all the Topics and Filters with the respective permissions settings.

Please Note

In this case, you may see that the User has:

  • some, or most, Topics/Filters set to "Revoke" - as this is the default setting for Users

  • some Topics/Filters set to "Allow" - as this reflects permissions manually given in time

Attention

Topics inherited from a Group are not visible as "Allowed" from here, but can be seen in the Group section only.

Therefore, it is possible that some of the Topics / Filters set as "Revoked" are actually allowed as inherited from a Group.

Manage permissions

Manage the User's permissions by allowing and / or revoking Topics and / or Filters permissions in the respective Tabs ("Topics" and "Filters").

Remember

For the second Inheritance Rule, Filters permissions will follow the actions done on Topics.

However, you can manage Filters' permissions separately in the correspondent Tab.

  1. to search for a Topic / Filter, the following methods are possible:

    • order (A-Z, Z-A, Allowed first, Revoked first) - for Topics

    • order (A-Z, Z-A) - for Filters

    • use Search Bar

    • bulk or single select

  2. to allow or revoke permissions, simply click on the desired checkboxes, then click on "Save"

Attention

In the "Topics" Tab, two different columns are present: one for the "Allow" action and one for the "Revoke" action.

In the "Filters" Tab, instead, just the "Allow" column is present: therefore, in this case, you need to deselect the checkbox to revoke permissions.

Please Note

For Filters and Values, keep in mind that:

  • when selecting a Filter, it automatically selects all the Values inside it

  • when opening a Filter, it’s possible to find the complete list of Values inside and it is possible to choose them one by one

  • however, the opposite is not possible: you can't remove just one Filter when all of them have been enabled together

See full video!

Allow or Revoke Permissions to a Single Group

Select your target

  1. from the "Users" Tab, navigate to the "Manage Permissions" Section

  2. in the dedicated "Target" area on the Left, select the option "Group" - here are listed all the existing Groups along with the following details:

    • Group name

    • number of included Users

    • list of included Users

  3. select a unique Group - there are several ways to achieve this goal:

    • scroll normally

    • order (A-Z, Z-A, Selected first, Unselected first)

    • use Search Bar

Check permissions

Once you select the target, the "Permissions" area opens up on the Right - here are listed all the Topics and Filters with the respective permissions settings.

Please Note

In this case, you will see that the Group has:

  • some Topics/Filters set to "Allow" - as this is the default setting for Groups

  • some Topics/Filters set to "Revoke" - as this reflects permissions manually given in time

Manage permissions

Manage the Group's permissions by allowing and / or revoking Topics and Filters permissions in the respective Tabs ("Topics" and "Filters").

Remember

For the second Inheritance Rule, Filters permissions will follow the actions done on Topics.

However, you can manage Filters' permissions separately in the correspondent Tab.

  1. to search for a Topic / Filter, the following methods are possible:

    • order (A-Z, Z-A, Allowed first, Revoked first) - for Topics

    • order (A-Z, Z-A) - for Filters

    • use Search Bar

    • bulk or single select

  2. to allow or revoke permissions, simply click on the desired checkboxes, then click on "Save"

Attention

In the "Topics" Tab, two different columns are present: one for the "Allow" action and one for the "Revoke" action.

In the "Filters" Tab, instead, just the "Allow" column is present: therefore, in this case, you need to deselect the checkbox to revoke permissions.

Please Note

For Filters and Values, keep in mind that:

  • when selecting a Filter, it automatically selects all the Values inside it

  • when opening a Filter, it’s possible to find the complete list of Values inside and it is possible to choose them one by one

  • however, the opposite is not possible: you can't remove just one Filter when all of them have been enabled together

Remember

All the changes saved for a Group will be reflected on all Users inside the Group.

See full video!

Allow or Revoke Permissions to Multiple or Mixed Targets

In these scenarios, you will be able to make changes to multiple sets of permissions in one go!

Select your target

  1. from the "Users" Tab, navigate to the "Manage Permissions" Section

  2. in the "Target" section on the Left, select one of these options:

    • "Multiple Users": more than one User from Tab "People"

    • "Multiple Groups": more than one Group from Tab "Groups"

    • "Mixed Targets": both Users and Groups from both Tabs (e.g. one User and one Group, two Users and one Group, etc.)

Attention

In all these three cases, it’s not possible to check the permissions given to Topics / Filters for all the selected targets, as are permissions different for each sub-target selected.

By the way, it is known already that:

  • Users have "Revoke All" default settings

  • Groups have "Allow All" default settings

Choose a modality

Once you select the target, the "Permissions" area opens up on the Right - here are listed all the Topics and Filters with the respective permissions settings.

In these cases, it is also possible to choose between two modalities to operate with:

  • "Append Permissions"

This option entails that the chosen changes - i.e. the allowed or revoked Topics/Filters - will be just added to the permissions already in place, without modifying them.

This means that other Topics/Filters - i.e. the ones not selected - will maintain the current permissions.

  • "Unlink Target's Permissions"

This option entails that the applied changes will be causing an overwrite on the permissions already in place, modifying them.

The overwriting will happen on the other Topics/Filters - i.e. the ones not selected - which will change by being all revoked.

In summary...

This is what will happen when saving a change to permissions using the two different modalities.

"Append Permissions":

  • Topic/Filters checked as "Allow" will be allowed

  • Topic/Filters checked as "Revoke" will be revoked

  • not selected Topics/Filters will remain unchanged

"Unlink Target's Permissions":

  • Topic/Filters checked as "Allow" will be allowed

  • Topic/Filters checked as "Revoke" will be revoked

  • not selected Topics/Filters will be revoked

Remember

The first modality is the safest one to use!

Manage permissions

Regardless of the modality chosen, you can allow and / or revoke Topics and Filters permissions in the respective Tabs ("Topics" and "Filters").

Remember

For the second Inheritance Rule, Filters permissions will follow the actions done on Topics.

However, you can manage Filters' permissions separately in the correspondent Tab.

  1. to search for a Topic / Filter, the following methods are possible:

    • order (A-Z, Z-A, Allowed first, Revoked first) - for Topics

    • order (A-Z, Z-A) - for Filters

    • use Search Bar

    • bulk or single select

  2. to allow or revoke permissions, simply click on the desired checkboxes, then click on "Save"

Attention

In the "Topics" Tab, two different columns are present: one for the "Allow" action and one for the "Revoke" action.

In the "Filters" Tab, instead, just the "Allow" column is present: therefore, in this case, you need to deselect the checkbox to revoke permissions.

Please Note

For Filters and Values, keep in mind that:

  • when selecting a Filter, it automatically selects all the Values inside it

  • when opening a Filter, it’s possible to find the complete list of Values inside and it is possible to choose them one by one

  • however, the opposite is not possible: you can't remove just one Filter when all of them have been enabled together

Remember

Changes will be applied to all the selected Targets.

See full video!

Limitations Recap

Here is a recap of the main limitations seen in the "Allow or Revoke Permissions" scenarios.

Limit on Filters Allowed per User

While all the existent Filters are present in the list, a maximum of 1000 Filters can be allowed per User.

Different logics for "Allow" and "Revoke" actions in Topics and Filters Tab

In the "Topics" Tab, two different columns are present: one for the "Allow" action and one for the "Revoke" action.

In the "Filters" Tab, instead, just the "Allow" column is present: therefore, in this case, you need to deselect the checkbox to revoke permissions.

Missing visibility of permissions for inherited Topics / Filters

In the dedicated "Permissions" area on the Right, the list of Topics' and Filters' permissions that is visualized mainly reflects the default and manual permissions, whereas inherited permissions are not reflected there (e.g. Topics inherited from Groups, Filters inherited from Topics).

The best way to know about the inherited Topics and Filters is to check the specific Groups' sections.

Missing visibility of permissions in Multiple or Mixed Targets selection

In the dedicated "Permissions" area on the Right, when "Multiple or Mixed Targets" are selected (Multiple Users, Multiple Groups, Mixed Targets), it is not possible to visualise the current permission settings for the specific sub-targets selected.

To visualise the permissions of each sub-target, you need to come back to the single User visualizations or to visualize the Groups section.

Missing "Revoke" option for Filters in Multiple or Mixed Targets selection

As of now, when "Multiple or Mixed Targets" are selected (Multiple Users, Multiple Groups, Mixed Targets), it is not possible to revoke Filters permissions, but only allow them.

To revoke them, you need to manage targets one by one.

Edge Cases

Please consider the following edge cases that require a careful permissions management.

Users That Outgrow Group's Permissions Settings

With time, you will need to accomodate for specific permissions needs that arise case by case.

Therefore, based on the choices that you make, there will be different types of permission scenarios for Member Users:

  • Users that only have Group-inherited permissions

    • if you have assigned them to Groups but never customised permissions further

  • Users that only have manually granted permissions

    • if you have not assigned them to any Group but have exclusively customised permissions manually

  • Users that have a mix of Group-inherited and manually granted permissions

    • if you have done both actions

In these cases, it is highly probable that some Users end up with less permissions or more permissions compared to the ones granted to the Groups they are in, if you have respectively revoked or allowed many permissions to them after adding them to Groups.

Don't worry: this is actually the most probable scenario, as well as the one where you have actually created totally custom and tailored permissions settings!

Permissions on New Topics

When a new Topic is added to the Console, its permission settings are the ones previously decided during the Configure Topic process, during the "Set Permissions" phase, on a Group level.

Two scenarios are possible:

  • you have already granted permissions to some Groups

  • you have decided to skip permission setting for later: in this case, no Group has permissions to that Topic

At a Users' level, this implies that only the Users who were already in the enabled Groups inherit the Topic immediately, whereas all other Users need to be enabled manually later, either individually or by enabling their Groups as well.

When a new Topic is created, remember to double check which Groups or Users need to be enabled to it!

Permissions on New Filters

When a new Filter is added in Console, it is automatically allowed on all Groups: therefore, to all Users in those Groups (because Groups have all permissions by default).

When a new Filter is created, you should double check if the correct Groups/Users have been enabled and manually revoke the permission of some Groups/Users, if needed!

PreviousCreate and Manage GroupsNextLimitations on Crystal Advisor

Last updated