Login user rights are straightforward enough for single-site FrameFlow installations. All you need to do is visit the Login and Security section of FrameFlow and create a login security group that gives the permissions you need. But what happens when users have multiple different layers of security clearance on multiple different sites? Security rights for members of a multi-site installation work a bit differently. This article will show you how.
This article covers advanced techniques for scenarios in which a user needs to be a part of more than one security group, all with different levels of permissions. For a more introductory look at login security and user groups, check out our article on login and security.
Let's imagine you have a user in a multi-site installation who is a member of two security groups. The first group has permission to view Site 1 but has low-level permissions as you can see below:
The second security group this user is part of can view only Site 2, but has manager rights there, as seen below.
The question is, how are the user's cumulative rights determined when the user is a part of multiple security groups with different permissions like this?
The first step in calculating your user rights is to consider roles. Roles are groups of permissions assigned to a security group. If a user is part of two or more groups with different roles, the higher-permission role will be applied to every site the user has access to.
For example, the following screenshots show two different security groups assigned to a user. The first one has Dashboards Only permissions for one site.
The second one has manager permissions for another site.
A user that's part of both of these groups will take the higher-permission role for all sites that they're permitted to access. This means that across all sites, this user will have manager-level permissions.
You can either use predetermined security groups like above or create custom permissions using the "Custom" role. What happens in a situation like the one below where a user is part of both custom groups? The following security group does not grant permission to interact with Dashboards:
But the user is also a member of the security group below, which grants full access to Dashboards. So how do we determine what the user gets to do?
The user will always get the rights from the group with the highest level of permissions. In this case, the user will have full Dashboards permissions.
The rights of a user like this are calculated next by looking at the site filter. Users have the rights to view the total combination of sites that each of their security groups grant access to. If a user has permission from one security group to view Site 1 and permissions from the other group to view Site 2, they can view both sites. This is the case even if the first security group does not grant access to Site 2.
Because admins always have the highest level of clearance, users with the Administrator role always have rights to all sites, regardless of the other security groups the user is part of. For all other security roles, site access is decided by the site filter on the security groups. Users in groups without a site filter will also be able to see all sites by default.
Note: If a user has permission to view only Site 1 from one group, but is part of another group with no site filters, the user will still be able to see all sites.
As mentioned above, at first glance, a user with the following permissions appears to have Dashboards Only permissions for the first site.
But if the same user is a part of this second security group below as well, the Manager permissions override the Dashboards Only permissions, and the user is granted Manager permissions for both sites.
But what if you need those permissions to stay separate? To create a situation where one user has Dashboard Only permissions on the first site while retaining their manager permissions for the second site, you'll need to create a second profile for your user and label them "User A Site 1" and "User A Site 2" or similar. This way, your user's low-level permissions for the first site won't be overridden by the higher permissions from the second site.
In this scenario, this user now has more than one account. The rights assigned to them will be dependent on the account they are currently logged into.
At any time, you can view a user's permissions by clicking on the "Actions" menu in the Login and Security settings next to the user. This reveals the following window, helping you determine the user's maximum role at a glance.
You can also tell at a glance what users are assigned to multiple groups as their names will appear in the list with an asterisk next to them: