Evergreen

Secondary Permissions do not respect Application Permission Field

Bug #2024482 reported by Elizabeth Davis on 2023-06-20

30

This bug affects 6 people

Affects		Status	Importance	Assigned to	Milestone
	Evergreen	Confirmed	Wishlist	Unassigned

Bug Description

When a staff account has a secondary permission group, the application permission fields are not respected when editing a staff account.

To replicate:
1. Have a staff permission group that only system admins can edit. For example, for PaILS, we have an Original Cataloger permission group that only Support staff can edit.
2. Apply that permission group as a Secondary Permission Group.
3. Have a local administrator account, a permission group who can create staff accounts, edit the test staff account. They should not have the ability to edit this account.

We are experiencing this in 3.9.2.

See original description

Tags:

Elizabeth Davis (elidavis) on 2023-06-20

description:

updated

Revision history for this message

Susan Morrison (smorrison425) wrote on 2023-06-20:

#1

Tested in 3.10 and experienced the same behavior.

tags:	added: permissions
Changed in evergreen:
status:	New → Confirmed

Terran McCanna (tmccanna) on 2023-06-20

Changed in evergreen:
importance:	Undecided → Medium

Revision history for this message

Britta Dorsey (bdorsey-isl) wrote on 2024-05-24:

#2

We are experiencing this in 3.11.2 as well.

Mike Rylander (mrylander) on 2024-05-24

Changed in evergreen:
importance:	Medium → Wishlist

Revision history for this message

Mike Rylander (mrylander) wrote on 2024-05-24:

#3

Changing to wishlist because, while I understand the desire, the Group Application Permissions mechanism is specifically intended to restrict creation and modification of a user based on their Profile Group field.

I think either a secondary-group focused mechanism, or a separately permission-protected library setting (or, more realistically to reduce the complexity of the logic for the user, a global flag) that tells the system to treat secondary groups the same as the Profile Group, will be needed.

Revision history for this message

Terran McCanna (tmccanna) wrote on 2024-05-24:

#4

So currently, if the highest level permission group is the primary, the editing will be restricted appropriately?

Revision history for this message

Elizabeth Davis (elidavis) wrote on 2024-05-24:

#5

I think a global flag will work for us. We have separate permission groups for job duties, so we use the Secondary Permissions often. The higher permission groups that require support intervention are often paired with lower permission groups that don't require support intervention.

Revision history for this message

Elizabeth Davis (elidavis) wrote on 2024-05-24:

#6

Terran- correct. Say a staff member has a circclerk permission group (support is not required to assign) and original cataloger (support has to assign once they take the certification quiz). If the original cataloger is in the primary it will block, but if the circclerk is in the primary, non-support staff can edit. We see it happen most often in the user buckets.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.