Permissions
Which areas of your TAO instance specific users can access, and what they can do in those areas, is controlled by setting access control and permissions.
It is important to ensure that each user is doing the right thing in the right place in your TAO instance. The way to do this is to set the access permissions accordingly. There are three different levels of access permission: grant, write and read.
Grant: a user with grant permission can grant other users access to the workspace (folders/classes) in question.
Write: a user with write permission can write in the specified workspace.
Read: a user with read permission can read everything in the specified workspace, but nothing else.
The Global Manager or System Administrator is the user who sets the permissions for different workspaces.
You will need to install the Access Control extension (TAO extension: taoDacSimple) to set access permissions. If the Access Control extension isn’t installed, access to your TAO libraries may be open to all users in your TAO instance.
Follow the steps below to grant or restrict access to specific libraries, or folders in libraries:
1. Establish “Ground Zero”.
Because your libraries – in other words the “root folders” (top level folders) of each library – may be automatically open to users authoring tests in TAO, first of all the Global Manager needs to adjust the permissions for these. This can be done by first giving grant permission to the Global Manager and then taking it away from Back Office.
To set the permissions for a given library or section of a library (in this case, the root folder), select the folder in question in that library, then click on the Access Control button in the button bank below it. An information page containing the access permissions for that particular folder will open on the screen.
Permissions can be granted in two ways: either to individual users, or according to role. You will need both of these when setting up access rights for different users. To set up Ground Zero, however, the Global Manager (or System Administrator) just needs to add the role of Global Manager using the Add role(s) box shown in the image, and then remove the role Back Office from the list of roles with access permissions using the yellow Remove button.
Now the correct permissions can be granted to the relevant users for each folder in the libraries.
2. Set write permissions for a given library for one user.
The above image showed the Item library. Let’s presume that one item author is creating items for the subject of Math, and another for English. Each one should be given access to the relevant (and only the relevant) folder. The item author for Math items needs to be able to write in the Math folder.
In the image above, the user Ian Archer (an item author developing Math tests) has been granted write permission (which automatically grants read permission too) for the Math folder.
The Global Manager retains grant permission over the folder.
You can see in the image that these permissions have been granted recursively, by ticking the Recursive box near the bottom of the permissions screen. If this is ticked, the permissions apply not just to items or tests in that folder, but to any sub-folders (and sub-folders of sub-folders, etc.) in it.
3. Set write permissions for a given library for one item author, and read permissions for all other item authors.
You may want to give each item author their own folder in which to create draft items. In this case, you may want to allow other users (in this case all other item authors) to view these items (read them), but not be able to change them in any way.
In the image above, Ian Archer is listed explicitly as a user and has been granted write permission (which automatically grants read permission too). All users with the role of item author have been granted read permission only – so apart from Ian Archer, all other item authors will only be able to read the content of Ian’s folder. In other words, the rights granted to Ian Archer as a user override those which have been granted according to his role.
Again, the Global Manager retains grant permission over the folder.
Wherever possible, it is a good idea to manage permissions on the basis of role (rather than user). Managing individual users will quickly become unmanageable across all folders if there is a high number of users.
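The rules from steps 1 to 3 can be checked against a small model, given here as an added example that is not TAO's own code. The ACL layout, the folder paths and the function names are constructed for illustration. The model assumes that user and role entries are combined as a union (which gives the outcome described for Ian Archer), that a recursive entry on a parent folder applies to its sub-folders, and that grant implies nothing beyond grant.

```python
# Simplified model of the rules on this page; not TAO's own code.
# Folder names, ACL layout and function names are constructed for illustration.
# The page states only that write implies read; grant is kept separate (assumption).
IMPLIES = {"grant": {"grant"}, "write": {"write", "read"}, "read": {"read"}}

# folder -> [(principal kind, principal, permission, recursive)]
ACL = {
    "Item": [("role", "Global Manager", "grant", True)],      # Ground Zero done
    "Item/Math": [("user", "Ian Archer", "write", True),
                  ("role", "Item Author", "read", True)],
    "Test": [("role", "Back Office", "grant", True)],         # Ground Zero missed
}

def ancestors(folder):
    """Return the folder itself followed by each parent up to the root folder."""
    parts = folder.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]

def effective(user, roles, folder, acl=ACL):
    """Rights a user holds on a folder, directly or through any of their roles."""
    rights = set()
    for depth, node in enumerate(ancestors(folder)):
        for kind, who, perm, recursive in acl.get(node, []):
            if depth > 0 and not recursive:
                continue  # a parent's entry only counts if it was set recursively
            if (kind == "user" and who == user) or (kind == "role" and who in roles):
                rights |= IMPLIES[perm]
    return rights

def audit_roots(acl=ACL):
    """Flag root folders where the Ground Zero step has not been completed."""
    findings = []
    for folder, entries in acl.items():
        if "/" in folder:
            continue  # only root folders are part of Ground Zero
        role_perms = {(who, perm) for kind, who, perm, _ in entries if kind == "role"}
        if any(who == "Back Office" for who, _ in role_perms):
            findings.append((folder, "Back Office role still has access"))
        if ("Global Manager", "grant") not in role_perms:
            findings.append((folder, "Global Manager lacks grant"))
    return findings

if __name__ == "__main__":
    print(effective("Ian Archer", {"Item Author"}, "Item/Math"))
    print(effective("Another Author", {"Item Author"}, "Item/Math"))
    for finding in audit_roots():
        print(finding)
```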