Roles and Access - Most Restrictive?
I have run up against an issue wrt roles and access that I just don't understand.
I have an individual, say Joe, who has both the Advisor and the Teacher role. [he does both].
He was recently not able to see the grades in a transcript for one of his advisees. I checked and access had in fact been granted to advisors for that year and term.
So I opened a case and asked why he couldn't see the grades. The analyst told me that he is being restricted from seeing the grades because he has the Teacher role and teachers had not been given access.
Moreover, the analyst told me, "..it's a little tricky, but the way security works is when a user has multiple roles it gives them the most restrictive of all the roles."
I simply cannot see any rationale for this!
It's as if, in the real world, I were both the librarian and a teacher at a school and had keys for both. But, because teachers are not allowed in the library after hours, I'd be prohibited. Makes no sense to me. Seems like I should be able to use whatever keys [rights] I have regardless of how I got them and regardless of any other keys I have.
Can anyone explain how this is helpful? As far as I can tell, the only way to deal with this is to have a teacher role, an advisor role, a teacher_advisor role, a teacher_coach_advisor role, a teacher_coach role, etc.
Comments
-
I've been told the opposite - that the role with the most access is what is granted. That's why it's been suggested to give the advisor role. You're right, that makes no sense and apparently something changed recently.
-
Yes, I think Susan is correct. Permissions are additive, so if you add a role to a user, you add all the permissions for the new role in addition to the permissions they had with the prior role. We are a small school, and nearly all our employees straddle roles. I've seen this feature in action many times, and it does add to the proverbial "keyring" like you describe.
Have you tried to impersonate the employee? Maybe it's an issue of how he's trying to access the grades. Or have you had any similar feedback from other advisors? Maybe it's an issue with permissions set for the advisor role.
But the good news is that I think you can keep your roles to a minimum.
Hope this helps.
-
All,
Thanks for your input!
And...good news:
I just got off the phone with one of the techies from BB [in response to this posting, I think]:
It turns out that the support analyst who told me the following was *wrong*:
"..it's a little tricky, but the way security works is when a user has multiple roles it gives them the most restrictive of all the roles."
My issue was with something else.
So the good news is that it works as one might expect: adding keys to the keyring does *not* invalidate an existing key.
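The two evaluation models discussed in this thread, as an added example that is not part of any post and is not the vendor's code: additive (union) role resolution next to the "most restrictive" (intersection) model, plus the list of composite roles the second model would force. The permission strings, year/term values, grant table and function names are hypothetical.

```python
from dataclasses import dataclass
from itertools import combinations

# Constructed sample data. Role names come from the thread; the permission
# strings, year/term values and this grant table are hypothetical.
ROLE_GRANTS = {
    "Advisor": {("view_transcript_grades", "2023-2024", "Fall")},
    "Teacher": {("enter_grades", "2023-2024", "Fall")},
}

@dataclass
class Decision:
    allowed: bool
    granted_by: list  # roles that hold the scoped grant
    missing_in: list  # roles that do not

def explain(roles, permission, year, term, grants=ROLE_GRANTS):
    """Additive (union) model: one role holding the grant is enough."""
    want = (permission, year, term)
    granted_by = [r for r in roles if want in grants.get(r, set())]
    missing_in = [r for r in roles if r not in granted_by]
    return Decision(bool(granted_by), granted_by, missing_in)

def most_restrictive(roles, permission, year, term, grants=ROLE_GRANTS):
    """Intersection model (what the analyst described): every role must hold it."""
    d = explain(roles, permission, year, term, grants)
    return d.allowed and not d.missing_in

def composite_roles(base_roles):
    """Roles an admin would have to maintain if roles could not be stacked."""
    names = sorted(r.lower() for r in base_roles)
    return ["_".join(c) for n in range(1, len(names) + 1)
            for c in combinations(names, n)]

if __name__ == "__main__":
    joe = ["Advisor", "Teacher"]
    d = explain(joe, "view_transcript_grades", "2023-2024", "Fall")
    print("additive:", d.allowed, "granted by", d.granted_by)
    print("most restrictive:",
          most_restrictive(joe, "view_transcript_grades", "2023-2024", "Fall"))
    print("composite roles:", composite_roles(["Teacher", "Advisor", "Coach"]))
```

Under the additive model, a denial means no role the user holds carries the grant for that exact year and term, so the scope of the grant is the place to check rather than the extra role.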

