Managing CalGroup Privileges

A knowledge base article about Managing CalGroup Privileges provided by the UC Berkeley IT Service Hub - Knowledge Portal

Using Admin Privilege Groups 

Administrative privileges should be given to groups instead of directly to individuals. Using Admin Privilege groups allows you to more easily track, grant and revoke privileges in your groups.

CalGroups has a rule that applies the permission from an enclosing folder to its subfolders. This means if you have admin privileges over a folder, you also have admin privileges over its subfolders.

Best practices:

  • Assign privileges to Admin Privilege groups and not individual people
  • Assign appropriate personnel to your Admin Privilege groups
  • Limit admin rights to users who actually require them

View Privilege Holders for Group or Folder

  1. Navigate to a group or folder

  2. Click on the grey Privileges tab

    1. Privilege holders are listed one per row under Entity name in the lower grey portion of the screen

    2. A black checkmark in a column means the entity holds that privilege directly

    3. A grey checkmark means the entity holds that privilege indirectly

  3. To see an entity's Privileges in more detail, click on the  button and select Edit Membership and Privileges

Direct vs Indirect Privileges

In the example above, Another Test Group and Summer Scanlan have direct Admin privileges over the Sample Admin Group and therefore have black checkmarks in the Admin column and grey checkmarks in the Read, Update, OptIn, etc. columns. As a member of Another Test Group, Karl Grose has indirect privileges over the Sample Admin Group, and has grey checkmarks in all columns.
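
For an access review, the direct/indirect distinction above and the folder inheritance rule described earlier can be modelled as follows. This is an added example, not CalGroups code or its API. The colon-separated paths, the Dept Admins group, Pat Example, the reading of ADMIN as implying every other privilege, and the treatment of folder-inherited privileges as indirect are assumptions.

```python
# Added example: constructed in-memory model, not the CalGroups API or its data.
PRIVS = ["ADMIN", "READ", "UPDATE", "OPTIN", "OPTOUT",
         "ATTRIBUTE READ", "ATTRIBUTE UPDATE", "VIEW"]

# group -> direct members (people or other groups)
MEMBERS = {
    "Another Test Group": {"Karl Grose"},
    "Dept Admins": {"Pat Example"},          # hypothetical group and person
}
# folder or group path -> {entity: privileges granted directly on that path}
GRANTS = {
    "dept": {"Dept Admins": {"ADMIN"}},      # hypothetical enclosing folder
    "dept:apps:Sample Admin Group": {
        "Another Test Group": {"ADMIN"},
        "Summer Scanlan": {"ADMIN"},
    },
}

def expand(entity, seen=None):
    """Return all direct and nested members of a group (empty for a person)."""
    seen = set() if seen is None else seen
    for member in MEMBERS.get(entity, ()):
        if member not in seen:
            seen.add(member)
            expand(member, seen)
    return seen

def effective(target):
    """Map entity -> {privilege: 'direct' or 'indirect'} for one group path."""
    result = {}
    def mark(entity, priv, how):
        held = result.setdefault(entity, {})
        if held.get(priv) != "direct":       # a direct grant is never downgraded
            held[priv] = how
    parts = target.split(":")
    for depth in range(len(parts), 0, -1):   # the group, then each enclosing folder
        node = ":".join(parts[:depth])
        for entity, privs in GRANTS.get(node, {}).items():
            for priv in privs:
                for implied in (PRIVS if priv == "ADMIN" else [priv]):
                    direct = implied == priv and node == target
                    mark(entity, implied, "direct" if direct else "indirect")
                    for member in expand(entity):
                        mark(member, implied, "indirect")
    return result

def direct_person_admins(target):
    """Best-practice check: ADMIN granted directly to a person, not a group."""
    return sorted(e for e, held in effective(target).items()
                  if held.get("ADMIN") == "direct" and e not in MEMBERS)
```

Running `direct_person_admins` over each group in a folder lists the individual grants that the best practices above say should be moved into an Admin Privilege group.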


Create Admin Privilege Group

Any group may be assigned admin privileges over another group. CalNet recommends that you create admin groups specifically for that purpose.

  1. First, create a group following the instructions at How to Create a Group
  2. Be sure to be clear when naming your group -- CalNet recommends including the word Admin in any groups that you intend to use to administer other groups
  3. Add users who you want to have admin privileges over other groups
  4. Next, follow the steps below to allow your group to manage another group

Assign Admin Privilege Group to Manage other Group

You can use any group to administer another group, but CalNet recommends that you create groups specifically for that purpose. Follow instructions above to Create Admin Privilege Group before following the steps below.

  1. Navigate to the group that you want to be managed
  2. Click on the grey Privileges tab
  3. Click the add_members button
  4. In the search field, enter the name of the Admin Privilege group created above
  5. Select the group name when it appears below
  6. Check the appropriate boxes for the privileges you want the Admin Privilege group to have
    1. CalNet recommends selecting Admin
    2. Do not select Member unless you want the Admins to be members of the group - admins do not need to be members of groups they manage
    3. See below for Privilege Definitions
  7. Click the add button

Add Privilege Holder to Group

  1. Navigate to the group that you want to be managed
  2. Click on the Privileges tab
  3. Click the add_members button
  4. In the search field, enter the name of the person you want to manage this group and select it when it appears below
  5. Check the appropriate boxes for the privileges you want to assign
    1. CalNet recommends selecting Admin
    2. Do not select Member unless you want the Admins to be members of the group - admins do not need to be members of groups they manage
    3. See below for Privilege Definitions
  6. Click the add button

View or Edit Privilege Holder Settings

To view or edit a privilege holder's membership and privileges to a group:

  1. Navigate to the group
  2. Click the Privileges tab
  3. Click the actions button on the right side of the row for the privilege holder
  4. Select Edit Membership and Privileges
  5. Add or remove membership to the group by checking the boxes under the Description section
  6. Add or remove privileges to the group by checking the boxes under the Direct Group Privileges section
  7. Press the save button, or Cancel

Assign Global Privileges

Assigning a group Global Privileges will result in any CalGroups user being able to see the group and the group membership. 

  1. Navigate to the group
  2. Click the more_actions button
  3. Select Edit Group
  4. Click the show advanced properties link
  5. Check the desired privilege boxes in the Assign privileges to everyone section
  6. Read will allow any CalGroups user to see the group membership
  7. See Privilege Definitions for more information
  8. Press the save button

App/Org Owner Group Privileges

Inside your folder will be an App/Org Owner group that has admin privileges to the folder. You will automatically be a member of the App/Org Owner group, to which you can add other members. Members of the App/Org Owner group have the following privileges:

  • Add other owners

  • Create, update or delete folders

  • Create, update or delete groups

  • Add and delete group members

  • Manage group member privileges


Privilege Definitions

Privileges can be assigned to a person or a group.

ADMIN – you have full access to the group including being able to see the audit log and delete the group

READ – you can see the members of the group

UPDATE – you can update the members of the group

OPTIN – you can add yourself as a member of the group

OPTOUT – you can remove yourself from the membership list of the group

ATTRIBUTE READ – you can see attributes assigned to the group (for the attributes where you have ATTR_READ on the attribute definitions)

ATTRIBUTE UPDATE – you can update attributes of the group (for the attributes where you have ATTR_UPDATE on the attribute definitions)

VIEW – you can see that the group exists


Support 

Request access to a folder space via a Service Request in ServiceNow.

If you have questions about CalGroups, including API questions, contact: calnet-admin@berkeley.edu.