| description | User groups can be used to structure users and assign permissions. You can create your own groups or use predefined system groups. They can be assigned to users manually or automatically. |
|---|
Each FYLR installation comes with some predefined system groups that cannot be deleted but can be used to assign system rights and permissions to. You can add your own groups by clicking on the plus button on the lower left. To delete a group, select it and click the minus button. You can copy a group by selecting it and click on "Copy" on the lower right of the group settings. Use the search filter to search for the name, internal name, internal comment and reference of groups. You can also filter for the group types "easydb" and "system".
Typical groups are:
- Administrators
- Editors / Power User
- Reader / Staff
As users can be assigned to multiple groups, you can also have a group called "Authorized to download" for example that only grants the users the permission to download files. User can then be added to the group "Reader" (which gives them access to records without being able to download them) and the group "Authorized to download" (which additionally gives them download permissions).
If you are working with different departments / projects that should only work in their own pools, you should create the editor and reader group for each department / project.
Each FYLR installation comes with the following predefined system groups, that will be automatically assigned to users:
| GROUP | DESCRIPTION |
|---|---|
| All Users | This group includes all users. Even system user, anonymous user, LDAP & SSO user and local users. |
| All Users Except System Users | This group includes all users except system users like "root", "deep_link" and "oai_pmh". |
| Anonymous Users | This group includes all users that access the system without a user account. External access needs to be enabled in the base configuration. |
| Anonymous Collection Users (formerly "Pseudo users to see single collections") | This group includes all users that were created when sharing a collection to external users that don't require a log in. |
| Fallback Group | This group does not include any users. When a group is deleted that is the owner of records, this fallback group is set as the owner instead. |
| LDAP Users | This group includes all users that sign in via LDAP. |
| Local Users | This group includes all users that were created locally in FYLR. |
| Self-Registered Users | This group includes all users that signed up. This possibility needs to be enabled in the base configuration. |
| SSO Users | This group includes all users that sign in via SSO. |
| Users Accessing Via External Connection | |
| Users Accessing Via Internal Connection | |
| Users Invited by Email | This group includes all users that were created when sharing a collection or an export to an email address. |
{% hint style="info" %} Group settings can be extended with custom plugins. {% endhint %}
| FIELD | DESCRIPTION |
|---|---|
| ID | Group identifier. Will be assigned automatically. |
| Type | Type of the group. Local groups will be of type "easydb". Groups of type "system" cannot be deleted. |
| Owner | Name of the user who created the group. |
| Name | Name of the group. |
| Internal Comment | Internal comment for the group. Will not be shown anywhere else. |
| Internal Name | Internal name for the group. Will not be shown anywhere else. |
| Reference | Reference of the group. Has to be unique. |
| IP Subnet Filter | Add IP subnet filter if the user should only be assigned to this group if they log in from specific IP subnets. CIDR notation is accepted, example: 192.168.0.0/16, 2001:db8::/32. For more see the documentation https://pkg.go.dev/net#ParseCIDR |
| Preferences for New Users | Shows the default frontend preferences for new users of this group. If none are set, the system defaults are used. Includes: - search result settings - pools for the search - object types for the search - data languages - search languages - filter on/off, pinned filters If a user is in several groups with preferences, they will receive the preferences of the first group. |
| Use Preferences of User | Choose an existing user which frontend preferences should be used as a default for new users of this group. |
| Created | Date and time the group was created. |
| Last Updated | Date and time of the last update of the group. |
Define which parts the users of the user group should be allowed to access and which features they should be allowed to use. Please refer to the general overview of system rights for more details.
Define which other users or user groups should be able to access (read, write, delete) this group and/or the users of this group. Please refer to the general overview of the permissions for more details.
{% hint style="info" %} If Group A should be able to see users of Group B, you must edit Group B and add Group A in the permission. This ensures that users of Group A can find and for example share collections with users of Group B. See also "Setting Up Collection Sharing". {% endhint %}
Define which data of a user of this group should be kept, deleted or pseudonymized when archiving it.
{% hint style="info" %} If a user is part of multiple groups with clashing pseudonymization strategies, the stricter one will be applied: Clear beats Randomize beats Keep {% endhint %}
| OPTION | DESCRIPTION | AVAILABLE FOR FIELD |
|---|---|---|
| Keep | When the user is archived, the content of the field is kept. |
|
| Randomize | When the user is archived, the content of the field is replaced by a random string. |
|
| Clear | When the user is archived, the content of the field is deleted. |
|
"Additional Information" includes:
- Company
- Department
- Phone
- Profile Picture
- Internal Comment
- Extra Address Line
- Street
- No. / App.
- ZIP Code
- City
- State
- Country
If you're using a third party user management like LDAP or SSO, you can define a group mapping here and automatically map groups used in SSO or LDAP to groups in FYLR whenever a user signs in.
| METHOD | DESCRIPTION |
|---|---|
| Group Name (eq) | Group name from LDAP/SSO needs to match this string exactly. |
| Regular Expression (regexp) | Group names from LDAP/SSO need to match with the regular expression. Example: students.* will match the LDAP/SSO group students and the group students-alumni but not a group named student. For more see the documentation https://pkg.go.dev/regexp#Match |
View all users that are in this group.