BC works using inherited access – if a user has access to a top-level space, they have access by default to everything below it.
Figure 1 - Inherited access
This can be used to manage users centrally and give access to several different spaces at once, by adding members to a top-level space and then adding the lower-level spaces underneath.
A membership group can be used to give a group of users access to specific folders or spaces without having to add each user individually to every folder or space (Section 2, Part 2). When the membership of a group is edited in one place, the members of this group will automatically be changed anywhere that group is used.
Figure 2 - Access by Membership Group
Similarly, setting the access rights for a group requires less effort, and gives more consistent results, than setting different access rights for a number of individual users (Section 3). We strongly recommend that membership groups are used to manage access to spaces and Access Rights anywhere there could be more than 3 members.
Section 2 - Administering Membership Groups
Part 1 - Creating a membership group
Create a space (or shared folder) and add members in the usual way - by assigning companies, and selecting members from those companies
Figure 3 - Sample Membership Group
- The Members of this space define the membership group
- Optionally, if the type of space or folder you created allows it, you can give the membership group a Space Category metadata value of “HIDDEN”
- Doing so means it won’t show up in the My Spaces section of the Hamburger menu in Quartz or the left-hand panel in Graphite
Figure 4 - Space Category
- Go to the members page of the space defining the Membership Group, and click View/ Change | To AddrBook
- This will put the membership group into your address book, called "Members of [space name]"
- A user’s personal address book can be accessed via the Graphite interface, see Section 7.8 of the Online Help
- This will make the Membership Group available as an option to add to other spaces
Figure 5 - Membership group inside personal address book
- This membership group is now available to use
Please read Section 5.6.5 of the online help for more details on membership groups.
Part 2 - Adding a membership group to a space or folder
Go into the space or folder which will use the members of the membership group
- Click Add | Member
- From the Add Member page, click Add | Membership Groups
- The membership groups listed are the ones stored in your address book:
Figure 6 - Add Membership Groups page
- Tick the box to the left of each membership group(s) you want to add
- The selected membership group(s) will appear in the right-hand Selected column
- Click Save to save the changes
- Click Okay on the next page, which just confirms the group has been added
- Once the group is added to the space, the group members have access to it
Part 3 - Practical managing of members using a membership group
Normally, to add a new member of a space, an administrator or project owner would need to:
- Assign the user’s company to the space
- Add the member by finding them in their assigned company
- Repeat the process for every project, one at a time, if a new user is going to be added to the project
When a membership group is in use, the user only needs to be added to the membership group to automatically get access to all the projects to which the membership group has been added.
Once the membership group is set, it can also be used to manage access rights for any member of the group. This will keep access rights consistent for everyone in the project. Managing access rights for individual users would require a lot of maintenance throughout a project. See Section 3 for more details on this.
To manage an existing membership group in a project, an administrator or project owner would need to:
- Add the membership group directly to the project
- All members of the group would immediately have access to all the projects to which the membership group has been added
- Any time a new user needed to be added to the project, by adding them to the membership group, they would have the same access as the rest of the group automatically
- Managing many members of projects would require managing one space - the membership group - as opposed to managing each project separately
- This helps avoid manual errors when managing membership to projects and access rights
This is the original membership group, added as a group to a new project.
Figure 7 - Members of the Space
If a new member needs to be added to the project as part of the same group of users, that new user can be added directly to the membership group, and they will automatically be given access to the space.
Please read Section 5.6.2 of the online help for more details on adding members.
Similarly, if an existing user needed to be removed from the group, and from every project with which the group was associated, an administrator or project owner would just need to remove them from the group instead of removing the user from each project one by one, and their access to the projects would be limited.
Please read Section 5.6.6 of the online help for more details on removing members.
Section 3 - Using a membership group to control Access Rights on a space/folder
Adding the group to the space also makes it available as an option on the Access Rights table anywhere in the project.
Figure 8 - Membership group appears as a new potential entry to Access Rights table
Section 1 of this FAQ page mentioned that if a user has access to a top-level space, they have access by default to everything below it.
By using the membership group to set specific access rights on containers, everyone in the membership group will have the same access rights further down the hierarchy, in a consistent manner. Otherwise, admins will have to maintain users on an individual basis, which would be time-consuming on bigger projects and could lead to inconsistent access rights.
To limit access using membership groups:
- Go to the Access Rights table for the space, folder, or collection
- Find the membership group in the list underneath the access rights table and click it to select it
- You can select multiple membership groups or users, if needed, by holding down the Control key on your keyboard, and clicking on each group name on this list
- Add it to the access rights table by clicking on Add selected users/groups
- By default, all members of that location have full access, so first limit the access rights for the “Members of [location]” group
- Set the access rights for the membership group
- Note: the rights of the membership group MUST be higher than the rights of the “Members of [location]” group
- Click Update access rights to save the changes.
The Access Rights table will appear like this, showing how members of each group have differing rights:
Figure 9 - Differing Access Rights set for members of Sample Membership Group
And on the Access details page, this will be reflected for every user with access to the space:
Figure 10 - Access Rights by Membership Group reflected for individual users
When assigning rights on an object, always check the Access details table on the object’s More Info page to see that all users have been assigned the access rights intended. If not, you may be able to achieve the rights you want by ticking the Override column for the Membership Group.
Please read Section 5.10.5 of the online help for more details on setting Access Rights for a specific user or group.
Section 4 - Things to keep in mind
To maintain membership groups adequately, we recommend that there be more than 1 person administering them, in case one is not available to make the required changes.
There should be a single space (or folder) where the users who are going to administer the groups are added. This simplifies administration for all the Membership Groups being used but does not impact on the access of these Membership Groups to individual spaces. They should have their own row of permissive Access Rights, as well as being members of all the group spaces – and hence all the project spaces. To manage membership groups from one location, it might be beneficial to set up a shared address book - please read Section 18.104.22.168 of the online help.
Figure 11 - Overarching System Administrators group
- If using membership groups to control access rights, all users should be in at least one group – otherwise the people who are not in a particular group may have no access to the folders where membership groups have access rights set
- If using membership groups to control access rights, keep in mind that marking the Override column for the “Members of [location]” group will override users’ inherited access
- It is not possible to use membership groups to restrict access rights so that they are lower than the rights of the “Members of [location]” group
- If users are added to a space as part of a group, they will see the space or folder in their group's home page - i.e. within the space or folder which defines that group
- If users are added individually, they will see the objects in their personal home page
- If a user belongs to more than one membership group which is added to a space, they will have access to the same space by more than one route
- This means they will have multiple routes to – or references to – the same space - these will not be multiple copies of the same object
- Making changes to the space will affect the space, irrespective of the route taken
- The breadcrumb trail will show the shortest route to the space
- If a user belongs to more than one membership group, it may then not be possible to achieve the Access Rights required for the user
- Where possible, users should be added to one, and only one, Membership Group added to a space
- Only space or folder owners (or system administrators) are permitted to add membership groups to a space
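The Section 3 rule and the Section 4 recommendations can be checked mechanically once a space's membership and Access Rights rows have been written down. The sketch below is an added example, not part of BC or its online help; the data layout, the right names in `LEVELS`, and all user and group names are constructed assumptions.

```python
# Added audit sketch. BC's real right names and any export format are not
# given on this page, so everything below is constructed for illustration.
LEVELS = ["none", "read", "write", "full"]  # hypothetical order, lowest first


def audit_space(space_members, members_row_right, group_rows, groups):
    """Return (check, subject) findings for one space.

    space_members     -- set of users who have access to the location
    members_row_right -- right set on the "Members of [location]" row
    group_rows        -- {group name: right set on that group's row}
    groups            -- {group name: {"members": set, "admins": set}}
    """
    findings = []
    rank = LEVELS.index
    for name, right in sorted(group_rows.items()):
        # Section 3: a group row MUST be higher than the Members row.
        if rank(right) <= rank(members_row_right):
            findings.append(("group-not-higher", name))
        # Section 4: more than 1 person should administer each group.
        if len(groups[name]["admins"]) < 2:
            findings.append(("single-admin", name))
    for user in sorted(space_members):
        in_groups = [g for g in group_rows if user in groups[g]["members"]]
        if not in_groups:
            # Section 4: every user should be in at least one group.
            findings.append(("in-no-group", user))
        elif len(in_groups) > 1:
            # Section 4: one, and only one, group per user on a space.
            findings.append(("in-multiple-groups", user))
    return findings


# Constructed sample: two membership groups added to one space.
SAMPLE_GROUPS = {
    "Members of Design Team": {"members": {"alice", "bob"},
                               "admins": {"alice", "erin"}},
    "Members of Site Team": {"members": {"bob", "carol"},
                             "admins": {"carol"}},
}
SAMPLE_ROWS = {"Members of Design Team": "write",
               "Members of Site Team": "none"}
SAMPLE_MEMBERS = {"alice", "bob", "carol", "dave"}

if __name__ == "__main__":
    for check, subject in audit_space(SAMPLE_MEMBERS, "read",
                                      SAMPLE_ROWS, SAMPLE_GROUPS):
        print(f"{check}: {subject}")
```

Any finding is a prompt to open the Access details table on the object’s More Info page and confirm what each affected user can actually do.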