
Permissions and Settings for User Management

Required Permissions

Typically, access to the Administration menu is required to add and manage user records on iPassport. The system role, Administration Editor, provides all the necessary permissions but also includes high-level access to system settings. It is therefore possible to create a clerical administration role that allows creating other users on the system without providing full access to the Administration menu.

The permissions directly related to user accounts are:

Permission                                  Description
Desktop:Show Users Menu Item                Show the Administration > Users menu item
User Accounts:Create User Accounts          Allow a user to create user accounts
User Accounts:Edit Roles                    Allow a user to edit roles
User Accounts:Edit User Accounts            Allow a user to edit user accounts
User Accounts:Enable/Disable                Allow a user to enable and disable user accounts
User Accounts:Link to Records               Allow a user to create links to and from user accounts
User Accounts:Log Users Out                 Allow a user to log other users out
User Accounts:Preference Report             Allow a user to report on all user preferences
User Accounts:Remove Links                  Allow a user to remove links attached to user accounts
User Accounts:Reset Passwords               Allow a user to reset passwords
User Accounts:Set Minimum Password Length   Allow a user to change the minimum password length
User Accounts:Set View Only                 Allow a user to set another user as view only
User Accounts:View History                  Allow a user to view the change history for user accounts
User Accounts:View Roles                    Allow a user to view roles
User Accounts:View User Accounts            Allow a user to view user accounts

These permissions are only included in the system role, Administration Editor.

Access to Users Created

When assigning a ‘Home OU’ to new users, an administrator will only be able to choose OUs in which they have the permission, “User Accounts:Create User Accounts”. On the new user creation page, the field, Home OU, will only show the OUs where the administrator has this permission. If the administrator has the permission in their own home OU, the field will default to that OU.

As a special condition, the permission, “User Accounts:Create User Accounts”, automatically grants (user account) viewing and editing rights in the OUs where it is applied. This is to ensure administrators can always access the user records they have created.

INFO: The 'Home OU' of a user is the OU where their personal records are kept.
Having a 'Home OU' doesn't grant any permissions in that OU.
The 'Home OU' defines the location of the user's records so they are only accessible to the appropriate managers.
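
The Home OU rules above, modelled as an added example (not iPassport code and not from the vendor). The OU names, the clerical administrator's grants and the per-OU grant layout are constructed; returning no default when the administrator lacks the create permission in their own Home OU is an assumption, since the page does not describe that case.

```python
# Added illustration: a model of the rules described above, not iPassport code.
CREATE = "User Accounts:Create User Accounts"
VIEW = "User Accounts:View User Accounts"
EDIT = "User Accounts:Edit User Accounts"

# Per the page, Create automatically grants viewing and editing rights
# for user accounts in the OUs where it is applied.
IMPLIED = {CREATE: {VIEW, EDIT}}


def effective_permissions(grants):
    """Expand explicit per-OU grants with the implied view/edit rights."""
    result = {}
    for ou, perms in grants.items():
        expanded = set(perms)
        for perm in perms:
            expanded |= IMPLIED.get(perm, set())
        result[ou] = expanded
    return result


def home_ou_choices(admin_home_ou, grants):
    """Return (selectable OUs, default) for the Home OU field on the new-user page."""
    selectable = sorted(ou for ou, perms in grants.items() if CREATE in perms)
    # A Home OU by itself grants nothing: it is the default only if Create is held there.
    default = admin_home_ou if admin_home_ou in selectable else None  # None is an assumption
    return selectable, default


def can_access_user_record(grants, user_home_ou, permission):
    """Check whether an administrator may act on a user record kept in user_home_ou."""
    return permission in effective_permissions(grants).get(user_home_ou, set())


# Constructed sample data: OU names and the clerical administrator are hypothetical.
CLERK_HOME_OU = "Haematology"
CLERK_GRANTS = {
    "Haematology": {CREATE},
    "Microbiology": {CREATE},
    "Pathology": {VIEW},  # view only, so not offered as a Home OU
}

if __name__ == "__main__":
    print(home_ou_choices(CLERK_HOME_OU, CLERK_GRANTS))
    for ou, perms in sorted(effective_permissions(CLERK_GRANTS).items()):
        print(ou, sorted(perms))
```

When reviewing a clerical role, the expanded set per OU is what to compare against the intended scope, because the edit right does not appear in the explicit grant.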

Global Settings

Some system preferences influence the way user accounts behave. The relevant options, which appear in the Miscellaneous Settings section of the System Preferences tab, are described here; further detail is available in the System Preferences user guide.

To adjust any of the preferences below:

  1. Navigate to Administration > Settings > System Preferences
  2. Click the row, Miscellaneous Settings
  3. Locate the preference to adjust and enable/disable it by ticking/unticking the checkbox next to it
  4. Scroll down and click Save

Can Contact Support

The default setting for the user record field, ‘Can Contact Support?’ is governed by the preference, “Allow new users to contact Genial Compliance iPassport Support by default”. It can be disabled if new users should generally be prevented from contacting iPassport support and be limited to seeking internal assistance. The setting can be toggled in the field, ‘Can Contact Support?’ when a new user account is being created. When a user is allowed to contact iPassport support through this setting, the Contact iPassport Support tab in the Help area becomes visible to them.

Basic users of iPassport most commonly require support when they can't access a given record. As a general policy, the iPassport support team refrains from adjusting users' permissions because they might be overruling someone's authority or inadvertently granting access to restricted areas. It makes more sense for such users to request support internally from those who manage their accounts and in turn, managers will have better control over their staff's level of access to the system.

Default Time Zone

Once a user account is created, the user’s Timezone can be adjusted. If left as ‘Not Set’, the user will be assigned the Default Time Zone declared in the Miscellaneous Settings area.

Accounts with facilities (Enterprise Accounts) have an additional settings tab (Facility Preferences) where local time zones can be assigned to facilities which are geographically separate.

Enable Simple View

The option, Enable Simple View, specifies whether simple view should be available in the account. Simple view offers a cut-back iPassport interface without all the header menus, ideal for users who just need to complete tasks and search for content. By default, users can easily switch between simple and detailed views, but a user’s account can be edited to restrict them to accessing iPassport in simple view only.

Require password to upload new signature

Each user record includes a Signature tab where an image of the user’s signature can be uploaded so that it can be displayed, for example, in prints of documents which the user has authorised. The option, ‘Require password to upload new signature’, provides additional security so that not just anyone can upload a given user’s signature.

