Security Groups is here!

Over the Christmas break, Obzervr has been building a new, quicker way to give users roles and permissions in Obzervr.

Roles and permissions are a pivotal part of Obzervr, showing users only what they need to see and have access to.

If you’re not sure what Roles and Permissions are, read more about Roles and Permissions in Obzervr Manager before continuing with Security Groups.

Previously however, for each user, you needed to switch all the prerequisite roles on, even if there were commonalities for users based on their role: are they a Supervisor, Planner, Worker or Admin?

Introducing Security Groups: a way to group permissions based on your common Obzervr user profiles.

Now, Admins will be able to easily bulk manage user access to the various parts of Obzervr.

Table of Contents

1. What’s Changed
2. How it Works
   1. Security Group roles and permissions
   2. Create Security Groups
   3. Add Users to Security Group
   4. Check the Security Groups a User is added to
3. Future Releases

What’s Changed

The most immediate change you might notice is that there are some changes to the Roles screen for a User - the roles and permissions are the same but we have implemented a new, more tabular checkbox look. We have added a 'Base Roles' new Security Group column and separated the Read and Admin columns a bit more. Take a look at the image below to see the change that has been introduced. 

Left: the updated Roles screen for each User which has a new Security Group column; Right: the previous version of the user Roles screen which only had the ability to toggle individual permissions.

How it works

There are a couple of steps to get Security Groups up and running. It’s pretty simple, but here is a summarised list:

1. Security Group roles and permissions - who is allowed to create, grant and revoke access to a Security Groups? Admins should be given the Security Group Admin or Read access.
2. Create Security Groups - before you can add Users to your Security Group, you need to create the group and define the permissions that you want the Security Group to have access to.
3. Add Users to a Security Group - once you have created a Security Group, you will be able to add Users to the group. You can add more than one at a time.
4. Check the Security Groups a User is added to - wondering what permissions a User has and what Security Groups they’re in?

1. How to check and update Security Group access

To create and add Security Groups as described in the next sections, you will need Security Groups Admin access. However, if you just want to check the Security Groups a user is added to, you will only need Security Groups Reader permission. 

But what does the Security Groups Admin and Read role allow you to do? 

Click through the steps below to understand how to allocate Security Group Admin and Read access. If you are an Organisation Admin or a Tenant Admin, you should automatically be allocated these permissions. 

2. Create a Security Group

Watch the quick video below to see a runthrough of the steps to create a Security Group or walkthrough the steps in more detail below. 

Click through the steps below to learn how to create a Security Group. 

3. How to add Users to Security Group

You can add multiple users at a time to a Security Group. Note that a user can also be in multiple Security Groups. If you have a user in multiple tenants, you will need to add the user to the Security Group in each tenant. 

Click through to see how to add users to a Security Group.

4. How to see what Security Groups a User is in

You should be able to see the Security Groups columns in the Roles page of the User.

Then, you can see the Roles a User has due to their Security Group and to see what Security Groups the user is in, you can hover over the Security Group role. 

Click through the steps below to see what Security Groups a user is in. 

Future Releases

The purpose behind Security Groups is to reduce the administrative work to add permissions to users. At the moment, this release only addresses Security Groups at the Tenant level. 

In a future release, we plan to allow Security Groups at the Organisation level. 

When creating a Security Group, you might notice there is a 'Distinguished Name' field. 

Distinguished Name is going to be important for Organisation-level Security Groups.

The idea is for Organisation-level Security Groups to sync from company directory systems like Azure AD. This will require the Distinguished Name to be unique across the whole company, while the Name can be duplicated. For example, each site for a company might have a 'Planners' group, and its name would be 'Planners' in each Tenant. For the sync from Azure AD, there would only be one Azure AD, so the distinguished name would need to make these duplicated Planner groups unique. 

Security Groups is also the first step in a roadmap of a new 'group' level permissions model. The next step in this Group level permissions model is to allow Admins to control the access to Templates in Obzervr. This permissions model will be called Template Groups. 

Template Groups will allow Administrators to decide who can and can’t edit Work Templates and Fragment Templates in Obzervr Manager. This will prevent users from updating key templates that are utilised for integration or compliance. It will also allow users to see templates for their work group or site, without having to sift through everyone else’s. 

Read more about Template Groups here.