理解用户权限

In a multi-user environment controlling what a user can do is crucial. If you are a using Feng Office as a client extranet you probably don't want that one client can see documents of another client. If you are using Feng Office as an intranet you may have certain workspaces where certain employees are not allowed to edit information, and some other workspaces which are visible to the management exclusively.

Setting the user rights is one of the more complex tasks in Feng Office. There are properties at several places, and you have to know where to find them and how they relate to each other. This page tries to summarize all the different settings that control user rights.

Basically there are two types of permissions: Some apply to your Feng Office installation as a whole - we call them system permissions. Others can be set per workspace - we refer to them as workspace permissions.

On the other hand there are separate levels for setting permissions: You may grant (or deny) certain permissions per user (user level permissions) or per user group (group level permissions). In older versions there have been company level permissions as well, but they are ignored since Feng Office 1.5.

On the level of each single user you can set system permissions as well as workspace permissions.

The system permissions define whether a user:

  • Can edit company data: If this permission is set the user will be able to edit the Owner Company's data in the Administration panel. This option is available for administrators only.
  • Can manage security: If this permission is set the user will be able to edit other users' permissions in the Administration panel. This option is available for administrators only.
  • Can manage workspaces: If this permission is set the user will be able to add, edit and delete Workspaces.
  • Can manage configuration If this permission is set the user will be able to edit system configuration in the Administration panel. This option is available for administrators only.
  • Can manage all contacts: If this permission is set the user will be able to edit all Contacts in the system. If it is not set, the user will only be able to see the contacts of the workspaces over which he has per-workspace permissions.
  • Can manage templates: If this permission is set the user will be able to add, edit and delete Templates in the Administration panel. This option is available for administrators only.
  • Can manage reports: If this permission is set the user will be able to add, edit and delete Reports in the Reporting tab.
  • Can manage time: If this permission is set the user will be able to work in the Time module and add time slots to tasks.

Workspace permissions can be set by checking the checkboxes for the respective workspaces, which gives the user full access to that workspace.

You can also edit permissions for a workspace from the Workspace's edit view. Here you can select which users will have access to the workspace. This permissions are the same as the ones defined on the user's view.

If you want to control workspace permissions in more detail, click on the name of that workspace to bring up the workspace permission details. There you can define for each object type if a user is able to read and write it, to read it only, or not see it at all.

There are two more checkboxes to control how a user can assign tasks to other users. If you activate the first one, this user can assign tasks to users of the owner company; if you activate the second one, this user can assign tasks to users of other client companies. If you don't check any of the two, this user can assign tasks only to users of his own company.

Groups (or roles) are a common concept for dealing with user rights. The idea is that you do not set permissions for every single user but that you can define groups (or roles) with specific rights and add the users to a certain group (or role). This makes controlling and updating permissions much easier.

Since version 1.5 you can define workspace permissions as well as system permissions for a group. A group's permissions will apply to all of its users. Permissions are cumulative, meaning that a user will have all permissions defined in all of his groups plus his own permissions, or put in other words, if it has a permission set in at least one of his groups or his own permissions, he will have that permission.

Company permissions are ignored in Feng Office 1.5.x, so you can skip this section if you are using that version.

There is also a screen where you can set workspace permission for each company.

PLEASE NOTE: Whether a user can access a workspace or not is defined by the workspace permissions from the user profile (see above), not by the workspace permissions of the company the user belongs to. If you add the permission to access a certain workspace to the company, this permission is not automatically given to all users of that company; you have to add this permission manually for each user (that's what the yellow box says). This is a good thing, because it prevents you from giving permission to a user accidentally.

Nevertheless this can be a bit confusing, and you may be asking yourself what workspace permissions on the company level are good for then. Setting or removing a workspace permission on the company level has the following impacts:

  • If you remove a workspace permission, this permission is taken from all users of that company. This gives you a powerful tool to hide and lock a workspace from all users of a company very quickly, and this is the main advantage of this feature.
  • If a company has no workspace permission at all, then you can't set workspace permissions for users of that company. (But as soon as you have set at least one permission, users can be given permission to any workspace, as stated above.)
  • If you edit workspace permissions as part of the workspace properties (see Working with workspaces), then all users of companies that have permission for that workspace are displayed automatically. (But you can display users of other companies as well simply by checking a checkbox, so this is simple usability feature.)
This section is only important if you are using an Feng Office version older than 1.5.

In Feng Office 1.5 the “Can manage contacts” permission has been renamed to “Can manage all contacts”. This permission gives you rights on all Contacts in the system, disregarding on which Workspace they lie. If a user doesn't have the “Can manage all contacts” permission set, Contacts will behave like any other Content Object for him, so he will only be able to see Contacts assigned to Workspaces on which he can “read” Contacts.

On older versions however, contacts do not act the same way as all other content objects regarding permissions. If a user has permissions to manage contacts, he can access all contacts if he clicks All in the workspace selector - not only the contacts of the workspaces he has permissions for. In other words: Assigning contacts to a workspace does not affect its visibility for other users but is only a way to organise contacts.