Table of Contents

...

Name the permission sets appropriately, e.g. avoid inclusion of POST/PUT/DELETE permissions in "*.view" permission sets.

GoodClear:

Code Block

language	js

{
  "permissionName": "ui-erm-usage.view-create-edit",
  "displayName": "eUsage: Can view, create and edit usage data providers and COUNTER reports",
  "id": "ade748af-66b5-4584-a319-3cac20899241",
  "description": "Can view, create and edit usage data providers and COUNTER reports",
  "tags": [],
  "subPermissions": [
    "module.erm-usage.enabled",
    "usagedataproviders.collection.get",
    "usagedataproviders.item.get",
    "usagedataproviders.item.post",
    "usagedataproviders.item.put",
    "counterreports.collection.get",
    "counterreports.item.get",
    "counterreports.item.post",
    "counterreports.item.put",
    "aggregatorsettings.collection.get",
    "aggregatorsettings.item.get"
  ],
  "childOf": [],
  "grantedTo": [
    "fba0106d-e2ad-494e-8958-ce5b447ab2aa"
  ],
  "mutable": false,
  "visible": true,
  "dummy": false
}

BadMisleading:

Code Block

language	js

{
  "permissionName": "ui-receiving.basic.view",
  "displayName": "Receiving: Basic view",
  "id": "5542bb26-9eff-4699-a7c5-6e6a049979d7",
  "tags": [],
  "subPermissions": [
    "module.receiving.enabled",
    "orders.item.get",
    "orders.pieces.item.post",
    "orders.pieces.item.put",
    "orders.po-lines.collection.get",
    "orders.titles.collection.get",
    "orders.titles.item.get",
    "ui-receiving.third-party-services"
  ],
  "childOf": [
    "ui-receiving.view"
  ],
  "grantedTo": [],
  "mutable": false,
  "visible": false,
  "dummy": false
}

Permission sets for modulePermissions should use the "modperms" prefix. These also should not be visible as they aren't intended to be assigned to users.

Example:

Code Block

  "permissionName": "modperms.circulation.loans.anonymize",
  "permissionName": "modperms.circulation.override-renewal-by-barcode.post",
  "permissionName": "modperms.circulation.renew-by-barcode.post",
  "permissionName": "modperms.circulation.requests.item.move.post",
  "permissionName": "modperms.circulation.renew-by-id.post",
  "permissionName": "modperms.circulation.requests.item.post",
  "permissionName": "modperms.circulation.override-check-out-by-barcode.post",
  "permissionName": "modperms.circulation.requests.item.put",
  "permissionName": "modperms.circulation.requests.instances.item.post",
  "permissionName": "modperms.circulation.check-out-by-barcode.post",
  "permissionName": "modperms.orders.item.post",
  "permissionName": "modperms.orders.item.put",

TBD

...

Avoid inclusion of other modules permissions in your permission sets. For example, mod-foo's permission set foo.all shouldn't include mod-bar's bar.item.get permission. Here it's the module that needs the permission, not the user.
- Do: include the other module's permission(s) in your modulePermissions (or non-visible modulePermission sets - see above)
- Don't: include other modules permissions in your visible permission sets that will be assigned to users.

UI Modules

Define separate permission sets for settings if other other module permissions are needed (e.g. configuration.entries.collection.get).
- Example: "ui-users.settings.customfields.edit" probably needs configuration.entries.collection.get, but "ui-users.view" probably doesn't. If needed, additional permission sets should be created with appropriate names.

Using *.all Permissions

Only include *.all permissions when absolutely sure it's necessary/appropriate. Instead use just the permissions actually needed.

Example of a permission set that probably abuses *.all permissions

Code Block

{
  "permissionName": "ui-checkin.all",
  "displayName": "Check in: All permissions",
  "id": "094310c8-cd71-4b76-a10d-2921ccd10654",
  "description": "Entire set of permissions needed to use Checkin",
  "tags": [],
  "subPermissions": [
    "circulation.all",
    "circulation-storage.all",
    "configuration.all",
    "users.collection.get",
    "usergroups.collection.get",
    "module.checkin.enabled",
    "inventory.items.collection.get",
    "inventory-storage.service-points.collection.get"
  ],
  "childOf": [],
  "grantedTo": [
    "fba0106d-e2ad-494e-8958-ce5b447ab2aa"
  ],
  "mutable": false,
  "visible": true,
  "dummy": false
}

...

Versions Compared

Old Version 12

New Version 13

Key

UI Modules

Using *.all Permissions

Page Comparison

Versions Compared

Old Version 12

New Version 13

Key

UI Modules

Using *.all Permissions