About Nuxeo user accounts and permissions

Nuxeo currently supports two options for setting user permissions: “group” permissions and “individual” permissions. Managing permissions through a “group” model is preferred, as it is easier to grant individual users permissions transitively, via their membership in a group.

However, there may be cases in which you need to grant individual users permissions to read or edit a specific project folder or object. For these “one-off” cases, you might consider establishing individual user permissions (see the “Individual Users” section, below).

Permissions to manage and access folders on Nuxeo are managed through user groups. To that end, each campus library's Nuxeo Administrator is responsible for creating user groups, assigning users to groups, and associating groups with campus project folders with the appropriate set of permissions.

Please note that all Nuxeo account holders must be assigned to the "Members group" (in addition to any campus-specific permissions groups).

Creating and Managing Groups

Each campus has a Nuxeo Administrator who can create user groups and manage user group members. First log in to Nuxeo at nuxeo.cdlib.org. From any page, look to the top navigation bar, and find the ‘Admin’ link. This link will only appear for Nuxeo Administrators. From here, select ‘Users & Groups’ from the left navigation list. Next, select the ‘Groups’ tab in the window that appears.

Once you’re on this page, you may select the ‘Create a New Group’ button.

Complete the "New Group" form that appears.

Please consider the following guidelines when you create a new group:

  • Group Name: When establishing the “Group Name,” please use the following convention: [campus]-[groupname], e.g., uci-edit. This will make it easier to manage your institution’s groups.

  • Group Label: This is a brief description of the group (e.g., "UCI Edit Group").

  • Group’s Members: You may enter known group members in this field. Members must already have Nuxeo accounts.

As you create user groups, consider the permission types as well as levels of access desired. The following example shows how UCI designates user group permissions.

Group name         Permission rights                                Access designation
uci-manage         Manage everything                                UCI Campus folder
uci-edit           Edit everything                                  UCI Campus folder
uci-readonly       Read only                                        Blocked project folders
uci-ctsa-manage    Manage everything in CTSA project folders only   CTSA project folder (a sub-folder within UCI campus folder)
uci-ctsa-edit      Edit everything in CTSA project folders only     CTSA project folder (a sub-folder within UCI campus folder)

Note (uci-readonly): all users have read-only access by default, but are restricted from accessing any blocked folders. Assign this group to a project folder to provide readers with access to a blocked folder.

Once rights are designated to a specific folder (e.g. campus folder), permissions are inherited and trickle through the sub-folders and children that follow. You may block permissions inheritance if you need to restrict access. (More on permissions inheritance and local rights below.)

Assigning Users to Groups

All new user accounts have read-only permissions by default. Users who need only the basic read-only rights are already set and do not need to be added to a permission group.

However, you may have users who need a certain set of permissions depending on their role in specific project folders. Some examples include:

  • Manage everything (including permissions) at the campus folder level

  • Edit everything (create, write, remove, delete) at the campus folder level

  • Manage and/or Edit only a specific set of folders within the campus folder

  • Read restricted (or blocked) folders

    • Please note: This provides a layer of access beyond the default read-only rights, which would typically be blocked from viewing restricted folders.

The campus Nuxeo Administrator can designate users to the pre-determined groups. From any page after logging in, look to the top navigation bar, and find the ‘Admin’ link. This link will only appear for Nuxeo Administrators. From here, select ‘Users & Groups’ from the left navigation list. Next, select the ‘Groups’ tab in the window that appears.

Once you’re on this page, type in your institution’s acronym (e.g. ucr) and select ‘Search’ -- this will populate any permission groups that relate to accessing and managing the institution’s items.

Choosing a group will allow you to View the group members. Select the ‘Edit’ tab to add or remove members.

  • To add a member: You must first make sure the user has an active Nuxeo account. You may begin typing in the email address in the “Group’s Members” window, and the field will begin to populate a list of accounts that match. Select the account you’d like to add.

  • To remove a member: You may click the “x” button next to the account to remove them from the permission group.

Select ‘Save’ to set your changes.

Associating Groups with Project Folders (or Objects) and Setting Group Permissions

Once user groups are established, the campus Nuxeo Administrator can associate these groups with a project folder (or alternatively, a campus folder or individual object) and designate the appropriate group permissions. (Please note that at the time of initial group setup, only the Nuxeo Administrator has the inherited permissions to do so. Once groups are associated with the appropriate permission, anyone with “Manage everything” permissions on the folder (and its sub-folders) can add or remove groups or individual users within that folder. Assigning permissions is discussed further below.)

To associate user groups with project folders, campus folders, or individual objects: right-click on the project folder (or relevant project folders) in the left-hand navigation of your Workspace, and select ‘Access Rights’. The resulting permissions tab (shown below) enables users with management rights to link groups with permissions to access the project folder.

For any given user group, a user with management rights can grant or deny ‘Read’, ‘Edit’, and ‘Manage everything’ permissions. Users without management rights for a project folder will not see the ‘manage’ tab.

  • Read: user group members can view and download metadata and content files, copy objects to a project folder they own, and add objects to their worklist. You can experiment with what read permissions allow you to do by looking at the contents of any project folder other than your own. For user group members denied read privileges on an object or project folder, it will appear as though that object or project folder does not exist.

  • Edit: user group members have read privileges, and can create, edit, and delete objects and project folders. 

  • Manage everything: user group members have write privileges and have management rights on an object or project folder, including managing access permissions.

To designate a group to this project folder, select ‘New’ beside the “Permissions Defined Locally” section. This will populate a form.

  • User / Group: Begin typing in the group prefix (e.g. ucr) and the form will auto-populate a list of groups -- choose from this list

  • Right: Choose from three options: Read, Write, Manage everything

  • Time Frame: Permanent; Date based

    • Note: Choosing “Date based” will allow you to input a start and end date.

Select ‘Create’ to add the group.

You may have project groups that need to manage or edit a specific project folder, or a reader group that needs to access a folder with restricted materials. Your campus Nuxeo Administrator can create the project or reader group. Navigate to the appropriate project folder -- this will allow you to manage access rights for the selected folder -- and follow the steps outlined above to associate these groups at the appropriate level. Information about permissions inheritance and local permissions is outlined further down this page.

Individual Users

By managing users through groups, you can designate groups to folders. However, there may be cases in which you need to grant individual users permissions to read or edit a specific project folder or object.

Associating Individual User Permission with Project Folders (or Objects)

To designate individual users to project folders, campus folders, or individual objects: right-click on the campus folder (or relevant project folders) in the left-hand navigation of your Workspace, and select ‘Access Rights’. The resulting permissions tab enables users with management rights to link individual users (or groups) with permissions to access the selected folder.

To add an individual user to a project folder or object, select ‘New’ beside the “Permissions Defined Locally” section. This will populate a form.

  • User / Group: Begin typing in the user’s email and a list of names will auto-populate -- choose from this list. (Note: The user must have an active Nuxeo account.)

  • Right: Choose from three options: Read, Write, Manage everything

  • Time Frame: Permanent; Date based

    • Note: Choosing “Date based” will allow you to input a start and end date.

When adding individual user permissions, please consider choosing “Date based” and indicate a start and end date.

Select ‘Create’ to add the user.

Permissions Inheritance and Local Rights

On the permissions tab, there are two ways permissions are defined: local permissions and inherited permissions. Local permissions have priority over inherited permissions, and granted permissions have priority over denied permissions. 

Inherited permissions

Permissions are inherited down the project folder hierarchy. Anyone with permissions for a given campus folder, project folder, or object will automatically get those same permissions for all child project folders and objects. Unless otherwise specified when the account is requested, all new users of the DAMS are created with read-only permissions. Each campus has a DAMS user group with ‘manage everything’ permissions at the campus folder level that will grant or deny permissions on the campus project folders as necessary.

In the above screenshot you can see that the ‘Manage Everything’ user group has full rights, the ‘Edit’ user group has edit rights, and the ‘Read-only’ group has read-only rights on the UCR project folder. Since these rights are inherited, we know that the ‘Administrator’ user has full rights on the Asset Library level as well, while the ‘Members’ group has read-only permissions on the Asset Library level. Furthermore, all project folders and objects within the UCR project folder will inherit these same rights.

Block Inherited Permissions

You can block inherited permissions on a project folder or object by selecting the ‘Block’ button. The project folder or object, and all child project folders and objects, will cease to inherit permissions specified higher up in the hierarchy. Any local rights you specify, however, will continue to be inherited by child objects and project folders. Since all users have read-only permissions to all objects and project folders in the DAMS, a project folder that contains objects that shouldn't be read by users other than ones specified is a good candidate for blocking permissions inheritance.
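The resolution rules this page describes (local permissions beat inherited ones, a grant beats a deny, "Block" stops inheritance from above while local rights still flow down, date-based grants expire, and every account reads through the Members group) can be checked against a small model. The following is an added illustration written for this page, not Nuxeo's own code or its actual ACL algorithm; the folders, accounts and group names are constructed, following the [campus]-[groupname] convention.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
# A stronger right covers the weaker ones (Edit includes read, Manage includes write).
RANK = {"Read": 0, "Edit": 1, "Manage everything": 2}

@dataclass
class Ace:                          # one row of "Permissions Defined Locally"
    principal: str                  # user e-mail or group name
    right: str                      # a key of RANK
    grant: bool = True              # False = denied
    start: Optional[date] = None    # "Date based" time frame; None = permanent
    end: Optional[date] = None

    def active(self, today: date) -> bool:
        return (self.start is None or self.start <= today) and \
               (self.end is None or today <= self.end)

@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    local: list = field(default_factory=list)
    blocked: bool = False           # the "Block" button was used on this folder

def effective(folder: Folder, user: str, right: str, today: date, groups: dict) -> bool:
    """Nearest level with a matching ACE decides (local beats inherited); at that level
    a grant beats a deny; a blocked folder stops the walk, so nothing above it applies."""
    who = {user} | {g for g, members in groups.items() if user in members}
    node = folder
    while node is not None:
        hits = [a for a in node.local if a.principal in who
                and RANK[a.right] >= RANK[right] and a.active(today)]
        if hits:
            return any(a.grant for a in hits)
        if node.blocked:
            break
        node = node.parent
    return False

# Constructed sample hierarchy using the page's [campus]-[groupname] convention.
GROUPS = {"Members": {"alice@uci.edu", "bob@uci.edu", "carol@ucr.edu"},
          "uci-manage": {"alice@uci.edu"}, "uci-ctsa-edit": {"bob@uci.edu"}}
library = Folder("Asset Library", local=[Ace("Members", "Read")])
uci = Folder("UCI campus folder", library, [Ace("uci-manage", "Manage everything")])
ctsa = Folder("CTSA", uci, [Ace("uci-ctsa-edit", "Edit"),
                            Ace("bob@uci.edu", "Edit", grant=False)])  # grant still wins
# Blocking drops inherited rights too, so the managing group is re-granted locally; carol gets a date-based read.
restricted = Folder("Restricted", uci, blocked=True, local=[Ace("uci-manage", "Manage everything"),
    Ace("carol@ucr.edu", "Read", start=date(2024, 1, 1), end=date(2024, 6, 30))])
```

Run `effective(restricted, "bob@uci.edu", "Read", date(2024, 3, 1), GROUPS)` to see a default read-only account lose sight of the blocked folder, and the same call for carol after 2024-06-30 to see the date-based grant lapse.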