Hyland Connect

Nat_Mara · ‎10-27-2014

I have a user which is in multiple groups, but even though I have least restrictive set up in global client settings, I am having a conflict. the first group he is a part of just allows retrieval, print, external mail, view KW. I had to set override privileges so that he is unable to delete documents. He is part of an OnBase scanners group, which allows him to create documents. but it also has the delete privileges, thus the need for override privileges. My issue is now he gets a message that he is not authorized to create a document when attempting to scan or import a document. He should have that right because he is a part of the OnBase scanners group. I can rectify by adding Create to his overriding privileges but why should I have to if he already has that in other group??

Confused ...

John_Anderson4 · ‎10-28-2014

There is no setting in global client settings that changes how override privileges work (I don't think).

In this case you probably need to add overrides to the Scanners group to give them the rights that the scanners need. Then if they're in both groups, it will look at both sets of overrides and give them the least restrictive combination. If they're in one group with override and one group without overrides, it will take all the rights for that doc type from the overrides.

Nat_Mara · ‎10-28-2014

So I tried your suggestion, I think. the main user group Commission on Judicial Conduct is where the docs are assigned. I removed override privileges so that they have retrieve/view, print, external mail, view KW and retrieve dialog. All users have those at a minimum. Users who should be able to add docs are part of the onbase_Scanners group as well. that has Create, modify, save rotation, delete (Uncommitted only), modify KW index scanned docs and Import (client features). Because this grp should not have delete privileges. I have put overrides on their doc types and unchecked Delete & Delete uncommitted only. that would appear to work as they can import, and do not have the Delete option available, however if they try viewing a document they get a message saying they do not have appropriate rights. I guess I can add view/retrieve to the OnBase_scanners or go back and add create to the main CJC grp. Seems like there should be a better way to set this up.

thanks,

Nat

Nat_Mara · ‎10-28-2014

I have re-read the SysAdmin MRG (what a concept .. I know) and have come to the conclusion it is not working as supposed. The Document Type Permission overrides is set to the default (least restrictive) and that states that overrides across multiple groups allows for least restrictive and that is not what is happening here. I could go in to the Document type and select user groups>override Permissions and select both groups. IF I do that then I can select specific settings I want for that doc type. that works by essentially making both user groups the same for that doc type but that seems to mean that least restrictive permissions is not really working. Anyhow, rather than change multiple user groups, I guess I am just going to add the necessary permissions to the main Commission on Judicial Conduct group and just be done. Just seems kind of buggy, unless there is something wrong with our setup .. which is always possible.

John_Anderson4 · ‎10-28-2014

The OVERRIDES are least restrictive. Meaning if a user is in two user groups that both have overrides for the same document type, it will combine those overrides in a least restrictive fashion. If one user group has overrides and the other does not, it will use just the override privileges (since they OVERRIDE the default privileges you get from your user groups).

In the situation you are describing, you need to set overrides on each user group, for the privileges that are needed by THAT group (i.e if a person is in ONLY that group, which rights should they have?). Then if a person is added to both groups, it will properly combine those overrides and give them the access from BOTH groups.

Hyland Connect

Override Priveleges