Permissions management in Able+
Accessing permissions management
To access the permissions management area, click the Admin option in the left-hand menu and then select Able+ settings in the main admin menu along the top of the page.
Please note, the place management: create and manage roles action is required in a user’s permissions for them to access this feature.
Permission sets and actions
In Able+ you can control what users have permission to do once logged in by assigning particular permission sets to users and groups.
Each permission set is made up of a set of actions that control exactly what the user can do. Examples include:
- reset passwords
- view groups
- configure settings
Users can be given more than one permission set and can also have other/additional permissions because they are a member of a group that has been given a permission set.
The permission sets are cumulative: a user will have all the actions from all the permission sets they have been assigned.
Actions in child places
If your organisation has a hierarchical structure then an action that includes the words ‘in child places’ refers to performing that action in any child establishments under the organisation where you are a user.
Child place actions are only applicable to users who have their permission set in the top level Able+ place.
Therefore, if a permission set contains child place actions and is assigned to a user in the top-level place, they will be able to perform those actions in all the child establishments within the organisation. However, if the same permission set is assigned to a user in a child establishment then they will not be able to perform those actions as there are no child places below their establishment.
A list of all the actions available in Able+ and a summary of what these allow a user to do can be found in the Able+ actions directory.
Standard permission sets
Standard permission sets can be defined as a collection of actions that can be assigned to a user or group to control their permissions within Able+.
By default you will have the following standard permission sets available to you:
-
Core - This permission set will allow the user to log in, access their My apps and dashboards and edit their personal settings.
-
Admin - This permission set has the core user functionality together with the ability to perform all administrative actions within the organisation (and any child establishments within the organisation where these exist).
You are not able to edit or delete these permission sets.
Creating a new standard permission set
In most cases, the standard permission sets that you have available will meet all your user requirements. However, particularly where you want to delegate certain administrative functions to other users, you may wish to create your own standard permission sets where you can control the actions available to the users or groups you assign that permission set to.
To create a new standard permission set, click on the new permission set option from the top of the Able+ settings page. 
and choose 'Standard set'.
You can either create your permission set from scratch or you can select an existing permission set to use as the basis of the new permission set.
You must give your permission set a name. You can add a description and a specific icon to be displayed with the permission set if you wish.
You can then expand the permission set action categories by clicking on the arrow 
to select the specific actions that you want the users to have within that category. The actions in each category can be selected/ deselected both individually and in bulk.
Once you are sure that the permission set contains only the actions required then click the Create button at the bottom of the page.
The Able+ settings page will then refresh and show you the standard permission set you have created. It will be available to be assigned to users and groups within your organisation. See User Management in Able+ and Group Management in Able+ for further information on assigning permission sets.
Interaction permission sets
Interaction permission sets are a set of actions which can only be assigned to a user who is a group admin. The interaction permission set assigned to that group admin will then enable that user to carry out certain actions on the group itself, or on the users within the group.
Interaction permission sets are not available to be assigned directly to a user but are instead used to define that user’s permission set on one or more users or groups.
Managing interaction permission sets
When creating a new permission set (at platform, template or place level), a user will be able to choose whether it is a standard permission set or an interaction permission set. Only interaction actions (referred to as ‘interactions’) will appear when creating an interaction permission set and only standard actions will appear when creating a standard permission set.
Interaction permission sets will not display by default on the Able+ settings permissions page. To display them please change the filter dropdown from ‘Standard permissions’ to ‘Interaction permissions’.
Interaction actions
User management interactions
- View user’s basic details
- View user’s full details
- Edit user’s details this will not include identity type, role or username
- Manually reset user’s password
- Approve user’s detail change request
- Approve redirected user’s detail change request
- Manage user’s credentials force password reset, send account details, forgotten password email
- Suspend/reactivate user
- Manage user’s applications
- Edit user’s identity type
- Edit user’s role
- Granular data view and edit actions
- View all user's system-optional data
- Edit all user's system-optional data
Group management interactions
- View group information
- View group members
- Edit group name
- Edit group description
- Add members
- Remove members
- Add admins
- Change admin role
- Remove admins
- Manage applications
- Edit role
- Add sub group
- Create group member
Where user management interactions are included in a permission set and a user is given that permission set on a group then that will allow the user to perform those actions on any member of that group.
‘Create group member’ interaction
The group interaction 'create group member' will allow a user to create a new user in the place but only within the group that the user has the 'create group member' interaction on.
Where the user also has a general Able+ admin permission set that allows them to create users then this interaction will have no affect. The user will be able to create new users as is currently the case.
Where the user has the 'create group member' interaction on just one group then that only that will appear in the list of groups that the new user will be added to and it will not be possible to deselect the group. The user will automatically be added to that group on creation.
Where the user has the 'create group member' interaction on more than one group then only those groups will appear in the list of groups that the new user can be added to. The user must select one of those groups before being able to save the user.
Viewing and editing permission sets
Viewing a permission set
When viewing the permission sets on the Able+ settings page, each permission set has a view in the bottom right corner of the permission set card. Clicking on the view option will take you to the permission set details page.
Click the arrow next to any of the permission set actions categories to view the actions that are included in that permission set.
To return to the permission sets management page to view all permission sets, click Permissions in the menu bar or All permissions in the navigation breadcrumb trail.
Editing a permission set
Where the permission set is created specifically for your organisation then you will see that instead of just the word View on the permission set card you will have the View / Edit option. Clicking on this behaves in the same way as when viewing a permission set but you are then able to edit the permission set information and actions.
To edit the name or description of the permission set, click on the pencil icon 
next to the permission set name.
You can add a new icon for the permission set or restore it to the default icon.
To change the actions associated with the permission set, expand the relevant permission set action category by clicking on the arrow . The actions in the category available within the permission set can then be selected/ deselected both individually and in bulk.
When you have finished making changes, click the Save button at the bottom of the page.
Deleting a permission set
Permission sets that are created specifically for your organisation can be deleted if the permission set is no longer required by clicking the Delete option on the permission set card.
If the permission set is currently assigned to any users or groups then before you delete it you will be prompted to choose a permission set that should be assigned in the place of the permission set that you are deleting.
You can view all deleted permission sets by choosing Deleted permissions from the permissions view filter.
If required a deleted permission set can be restored for use by clicking the Restore option.
Comparing permission sets
When you are not sure which permission set to assign, you can compare the actions available to several permission sets.
On the Able+ settings page, use the check boxes to select the permission sets you wish to compare. You can select up to 5 different permission sets.
Then click the compare permission sets option from the top of the Able+ settings page. 
You will see a list of which core actions the permission set includes. Change the permission set action category from the dropdown list to compare the actions for a different category.
To return to the permission sets management page to view all permission sets, click Permissions in the menu bar or All permissions in the navigation breadcrumb trail.
| Glossary | |
|---|---|
| Action | Something that a user can do in Able+. |
| Child establishment / place | A separately managed part of an organisation such as a college within a university, an office in a different country or an academy within a multi academy trust. |
| Standard permission set | A collection of actions that can be assigned to a user or group to control their permissions within Able+. |
| Permission set card | The display of a permission set's basic information on the Able+ settings page together with any tasks that can be performed on that permission set. |
| Top level place | An Able+ place for the top level within a hierarchical organisation, under which there are one or more child places. |
| Interaction permission set | A collection of actions that can be assigned to a user who is a group admin to control their permissions on a group or users within a group. |