SSP v2.X Main Tool Permissions Adjustment

Instructions to Adjust the Permissions for Main Tool

Updated: 8/19/2014

Applicable Versions: 2.5.2 and later
 

Purpose: By default, all SSP roles have access to the Main Tool. In some cases, implementers do not want certain roles to have access to the Main Tool. New permissions were added in v2.5.2 that allow the application to function without the Main Tool: PERSON_FILTERED_READ and PERSON_FILTERED_WRITE. They are similar to PERSON_READ and PERSON_WRITE, but roles/groups with the new PERSON_FILTERED_READ/WRITE permissions will not see the Main Tool and Coaching History Report in the user interface. A standard installation or upgrade does not implement the new permissions. If this functionality is desired, implementers must change the permissions manually in one of the two ways described below.

 

Adjust Permissions via Manage Users


It is important to first import the new permission definitions as described in the v2.5.2 Release Notes.

 

  1. Sign in as an Administrator
  2. Go to 'Manage Users -> Manage Access -> Manage permissions'
  3. Click 'PERSON_READ'
  4. Find the group/user to whom that permission should be denied and click "Edit" in that row
  5. Select 'Deny' in the combo box next to that group's entry in the resulting tree view. The change will be saved immediately.
  6. Back up and repeat for 'PERSON_WRITE' and 'PERSON_DELETE'
  7. Back up and select 'PERSON_FILTERED_READ'
  8. Click 'Add Assignment'
  9. Enter 'All permissions' in the 'Target' input field (should auto-populate as you type)
  10. Click 'Submit'
  11. If the group you denied the other permissions to is already in the resulting tree view, change its combo box to 'Grant', otherwise click 'Choose Principals'
    1. Find the group/user to be granted 'PERSON_FILTERED_READ' on the left and click the green 'plus' icon. Click 'Submit'
    2. You should be sent back to the tree view. Find the selected person/group and switch its combo box to 'Grant'
  12. Back up and repeat for 'PERSON_FILTERED_WRITE'
  13. To make sure changes are picked up immediately, expand the fly-out widget in the top nav and go to Platform Administration -> Manage Cache instances -> Empty All Caches -> Empty All Caches (confirmation screen)


Adjust Permissions via Entity Import

This can also be done with Platform XML "entity files", which, when checked in to source control, can help ensure that new environments (e.g. a first-time PROD deploy, or local developer environments) get the correct security configuration by default.

1.  To deny PERSON_READ to a group, create the file <platform-src>/uportal-war/src/main/data/ssp_entities/permission_set/<role-name>__PERSON_READ__SSP.permission-set.xml (or edit it if it already exists) so that it contains the following. This example denies PERSON_READ to the SSP_FACULTY group:
<permission-set script="classpath://org/jasig/portal/io/import-permission_set_v3-1.crn">
  <owner>SSP</owner>
  <principal-type>org.jasig.portal.groups.IEntityGroup</principal-type>
  <principal> 
    <group>SSP_FACULTY</group> 
  </principal>
  <activity>PERSON_READ</activity>
  <target permission-type="DENY"> 
    <literal>ALL</literal> 
  </target>
</permission-set>

 

2.  A new installation will execute that file automatically. To run it against an existing install:

$ SSP_CONFIGDIR=/path/to/your/config/dir ant -Dmaven.test.skip=true -Ddir=uportal-war/src/main/data/ssp_entities/permission_set/SSP_FACULTY__PERSON_READ__SSP.permission-set.xml data-import

 

3.  Granting PERSON_FILTERED_READ or any other permission is very similar. The file format is the same; just change the name of the permission and the group you're targeting. E.g. to grant it to SSP_FACULTY, create or edit <platform-src>/uportal-war/src/main/data/ssp_entities/permission_set/<role-name>__PERSON_FILTERED_READ__SSP.permission-set.xml with:

<permission-set script="classpath://org/jasig/portal/io/import-permission_set_v3-1.crn">
  <owner>SSP</owner>
  <principal-type>org.jasig.portal.groups.IEntityGroup</principal-type>
  <principal> 
    <group>SSP_FACULTY</group> 
  </principal>
  <activity>PERSON_FILTERED_READ</activity>
  <target permission-type="GRANT"> 
    <literal>ALL</literal> 
  </target>
</permission-set>

 

4.  A new installation will execute that file automatically. To run it against an existing install:

$ SSP_CONFIGDIR=/path/to/your/config/dir ant -Dmaven.test.skip=true -Ddir=uportal-war/src/main/data/ssp_entities/permission_set/SSP_FACULTY__PERSON_FILTERED_READ__SSP.permission-set.xml data-import
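
The Manage Users procedure denies PERSON_READ, PERSON_WRITE and PERSON_DELETE before granting the filtered permissions, while the entity-file walkthrough shows only two of those files. The following added example (not part of the SSP or uPortal code base) checks a set of permission-set documents for groups that were granted a filtered permission without all three denies. EXAMPLE_ROLE and the function names are assumptions, the sample documents are constructed, and the check sees only explicit entity files, not assignments made through Manage Users.

```python
import xml.etree.ElementTree as ET

UNFILTERED = ("PERSON_READ", "PERSON_WRITE", "PERSON_DELETE")
FILTERED = ("PERSON_FILTERED_READ", "PERSON_FILTERED_WRITE")

def parse_permission_set(xml_text):
    """Return (group, activity, permission-type) triples from one SSP permission-set file."""
    root = ET.fromstring(xml_text)
    target = root.find("target")
    if root.findtext("owner", "").strip() != "SSP" or target is None:
        return []
    activity = root.findtext("activity", "").strip()
    ptype = target.get("permission-type", "").upper()
    return [(g.text.strip(), activity, ptype)
            for g in root.iterfind("principal/group") if g.text]

def audit(xml_docs):
    """Map each group granted a filtered permission to the unfiltered ones not denied."""
    state = {}  # group -> {activity: permission-type}
    for doc in xml_docs:
        for group, activity, ptype in parse_permission_set(doc):
            state.setdefault(group, {})[activity] = ptype
    findings = {}
    for group, perms in state.items():
        if any(perms.get(a) == "GRANT" for a in FILTERED):
            missing = [a for a in UNFILTERED if perms.get(a) != "DENY"]
            if missing:
                findings[group] = missing
    return findings

def make_doc(group, activity, ptype):
    """Build a constructed permission-set document in the format shown on this page."""
    return ('<permission-set script="classpath://org/jasig/portal/io/import-permission_set_v3-1.crn">'
            "<owner>SSP</owner>"
            "<principal-type>org.jasig.portal.groups.IEntityGroup</principal-type>"
            f"<principal><group>{group}</group></principal>"
            f"<activity>{activity}</activity>"
            f'<target permission-type="{ptype}"><literal>ALL</literal></target>'
            "</permission-set>")

# Constructed sample: SSP_FACULTY has only the two files shown on this page;
# EXAMPLE_ROLE (hypothetical group name) has the complete set of five.
SAMPLE = [make_doc("SSP_FACULTY", "PERSON_READ", "DENY"),
          make_doc("SSP_FACULTY", "PERSON_FILTERED_READ", "GRANT")]
SAMPLE += [make_doc("EXAMPLE_ROLE", a, "DENY") for a in UNFILTERED]
SAMPLE += [make_doc("EXAMPLE_ROLE", a, "GRANT") for a in FILTERED]

if __name__ == "__main__":
    for group, missing in audit(SAMPLE).items():
        print(f"{group}: filtered access granted, still not denied: {', '.join(missing)}")
```

To check a real checkout, pass `audit()` the text of every `*.permission-set.xml` file under the `ssp_entities/permission_set` directory instead of `SAMPLE`.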