Question

Access Rights Bulk Change

asked on November 29, 2021

I have a new system admin, and want to assign them Process Admin on ALL forms. Currently 96. Is there a way to mass add Process admin to forms?

0 0

Replies

replied on November 29, 2021

Hi Laura,

I would recommend putting this new sysadmin in a group with the Product-level System Administrator role unless there's a specific reason they should have Process Admin process-level rights on everything but not any other rights System Administrators have. That role can create, modify, import, export, and delete ALL Forms business processes without needing explicit process-level permissions.

If you don't already have an "Administrators" or "Forms Administrators" group in Laserfiche Directory Server (LFDS), I'd recommend making one there, granting the group the System Administrator role in Forms, and then adding the new sysadmin and other appropriate users to that group so they inherit the role.

Cheers,
Sam

2 0
replied on November 30, 2021

Hi Sam,

Now that you mention it, I can envision use cases for a mid-tier admin role with access to all business processes without access to alter system settings.

For example, we have some IT support staff that should be able to see the instance details for every process, and Developers who may need to support processes when someone is out unexpectedly.

However, we definitely wouldn't want them all to be able to change system security, data sources, or anything else along those lines, so a mid-tier role would be helpful.

This would be very similar to how the Business Process Manager role provided a middle ground between Process Admin and Submitter.

Perhaps a good solution would be "global" versions of Process Admin and Business Process Manager so we can grant broader access more easily without providing System Administrator rights.

1 0
replied on November 30, 2021

Thanks Jason, this is good feedback. I agree with you on a "mid-tier" admin role scoped to all BPs being useful.

@████████ This is worth filing as a story.

1 0
replied on July 19, 2022

Hey, sorry to drag up an old thread but is there any progress on this? Or any way to modify the access rights on multiple forms at once?

If not, I'm sure there's a way to do it in SQL, I'd like to add a group to all the processes as process admin. Do you have a query I can run for that? I have about 200 HR forms to modify so one by one really isn't a good option.

0 0
replied on July 19, 2022

Hi Shaun,

I haven't heard any updates on this yet, and I avoid messing with the db most of the time so I wouldn't know how to update the security that way.

However, in the long-term, I'd recommend setting up group-based access to address this more easily in the future.

For example, in LFDS you could create a group, add that group to your Forms group so it gets synchronized, then inside of Forms set it as a Process Admin or Business Process Manager on all the forms you want.

That way, all you have to do is add/remove people from the group and they'll inherit the other access.

This is how we handle Submitter access for all our staff HR forms. We have a "Staff" group in LFDS that is synchronized to Forms, and that group is set as a Submitter on all the relevant processes.

The Staff group in LFDS is in turn connected to AD security groups, so access to all that stuff is fully automated and we never have to add/remove users for those forms.

2 0
replied on July 19, 2022

I'd like to second everything Jason said as our current recommendation. Group/Role-based Access Control (RBAC) is the way to go. 

Please don't modify any application databases directly for this (or in general, unless directed to do so by Laserfiche Support). 

2 0
replied on July 19, 2022

Hey guys, thanks for the feedback. Yeah we're aware of this now but it's left a large mess to clean up lol.

Is there a way when a user creates a form to have the default access be a group? I think that's where a lot of this came from, people copying and cloning processes to make their own (we use it for job postings, so there are a lot of them).

Also - when I go into LFDS I don't see AD groups, just AD users. Am I missing something? I can create LF groups (with AD members) but they don't sync up with AD's security groups, which means I have to manually manage group members.

0 0
replied on July 19, 2022

As for your first question, no, that's not currently an option; this is one of the reasons we use a change control process. We have a few admins who can see/access everything, but most users can only create/change in our dev/test environment.

That way, when things get moved into production the person handling the move can make sure it has all the necessary configuration like access rights.

For your second question, AD groups are not synchronized into the list in the same way as users.

What you do is:

  1. Select a group from the LFDS Groups page
  2. Click Add
  3. Select Directory Group
  4. Your identity provider should be selected
  5. Type in the search field to find the group you want to add

You may get prompted for credentials to connect to your identity provider, but yours should work if you have access to read/view AD objects.

Once an AD group is added to an LFDS group, that group, and the users in it, will inherit from the LFDS group.

Just make sure your LFDS group is a member of, or inherits membership in, the main group you sync with Forms and it'll show up.

You can set it up in a way that lets the AD groups show up in Forms, but I generally try to stick to using the LFDS groups so I can change the associated AD group(s) without having to worry about changing anything else.

2 0
replied on July 19, 2022

Oh man, thanks Jason. I'm not sure why that didn't occur to me but yes, adding the AD group to it worked fine.

Appreciate your expertise!

0 0