Administration: Users, Groups, Permissions
Administrate Users
After the installation you are able to log in as the super administrator. The username and password are "admin", "admin" by default. You can (and should) change this in the setup.
To get started, open your browser and go to your Simple Groupware location, e.g. http://myserver/sgs/index.php. You are now automatically logged in as user "anonymous". To change this, click on Login/-out in the top menu. Type in your credentials. After clicking "Login" the window is closed and you get redirected to your last page authenticated as the requested user.
The setup does not create any user accounts by default. To create a new user go to "Workspace / Organization / Users" in the tree on the left side. Click on "New" in the top/middle area. Now let's enter the details for the new user. The username should have at least 3 characters (letters and numbers), the password 5 characters. Please also make sure to provide a valid e-mail address (all the other fields are optional). Next specify the SMTP connection to be used for sending mails (Tab: Account):
Syntax:
username:password:port:tls@hostname
(port, tls, username and password are optional)
If username or password contain the "@" character, replace it with "%%".
Finally choose "Create" and the new user and its profile are saved. For more information about this profile, see Folder templates.
Note: If you forgot the super administrator password, you can delete the file "<sgs-dir>/simple_store/config.php" to start the setup again. The super administrator does not have an entry in the table "simple_sys_users".
Note: After the login, users get redirected to their home directory under "Workspace / Personal folders". To change the redirection, simply set a new folder id under "Workspace / Organization / Users -> Tab: Account -> Field: Home folder id".
Note: When you create a new folder with e-mails as module, all newly created mails are automatically sent using this SMTP connection.
Note: To use the credentials of the current user for the SMTP account, you can specify "%username%" and "%password%" as username/password.
Note: To read mails via the IMAP or POP3 protocol, you need to create a new folder and set a mountpoint, for details see Data Handlers.
To assign more than one e-mail address to a user, simply go to "Workspace / Organization / Mail identities" and create a new mail identity for the user. Specify the new e-mail address (e.g. john.doe@doecorp.com), the name (John Doe), the SMTP connection string (if it is different from the one defined in "Workspace / Organisation / Users") and assign the user to the new mail identity. A mail identity can be used for more than one user if you need identities for more than one person.
To send e-mails as super administrator, you'll need to add a mail identity for that user.
To make changes to an existing user, mark the user (by clicking on it) and click edit in the top/middle area.
Note: The username is used as a unique identifier for every user, so it cannot be changed.
To change the password when logged in, click "Main menu / Change settings" in the top menu. (The password for the super administrator can only be changed in the setup settings: To do this, navigate to "/Workspace/System" and click "Change Setup settings").
To change the status when logged in, click "Main menu / Change settings" in the top menu. (The status is displayed in the users list and indicates if the user is online, offline or out of the office.) Also you can configure the day start and end time for your calendar.
To assign different time zones to different users, edit the user and set the desired time zone in the "Account" tab. The default time zone can be set in setup settings.
To log out click Login/-out in the top menu. To destroy your session data (e.g. the last folder / view) click on "Main menu / Close session" in the top menu.
Deleted users will be set to inactive and moved to /Workspace/System/Trash. From there you can delete them forever or restore them using cut/copy/paste. The user profile also gets moved to the trash folder. Lookups to the deleted user will still be active for the super administrator since he has access to the trash folder.
Note: When restoring folders with cut/copy/paste, you'll need to restore the folder permissions manually for these folders.
System monitoring
Every time an (un)successful login occurs, an event is generated and displayed in the events module (inside Simple Groupware, go to "Workspace / System / Events"). If 4 unsuccessful logins occur within 30 minutes, the machine gets blocked for 15 minutes. For more information about system events, see System monitoring.
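The blocking rule above can be replayed over a list of login events to see which machines would have been blocked and when. This is an added example, not code from Simple Groupware; the event tuple format, the per-client-address tracking and the handling of attempts during a block are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # page: failures are counted within 30 minutes
THRESHOLD = 4                    # page: 4 unsuccessful logins
BLOCK = timedelta(minutes=15)    # page: the machine is blocked for 15 minutes

def replay_blocks(events):
    """Replay (timestamp, client, success) tuples, oldest first.

    Returns {client: [(block_start, block_end), ...]}.
    Assumptions of this sketch: failures are tracked per client address,
    attempts made during a block are not counted, and the failure window
    starts empty again once a block has been triggered.
    """
    recent = defaultdict(deque)      # client -> timestamps of recent failures
    blocks = defaultdict(list)
    for ts, client, success in events:
        if blocks[client] and ts < blocks[client][-1][1]:
            continue                 # still blocked
        if success:
            continue
        window = recent[client]
        window.append(ts)
        while ts - window[0] > WINDOW:
            window.popleft()         # drop failures older than 30 minutes
        if len(window) >= THRESHOLD:
            blocks[client].append((ts, ts + BLOCK))
            window.clear()
    return {c: b for c, b in blocks.items() if b}

def at(hhmm):
    """Helper for the constructed sample: a time on a fixed day."""
    return datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample events (addresses from the documentation ranges).
SAMPLE_EVENTS = [
    (at("09:00"), "192.0.2.10", False),
    (at("09:05"), "192.0.2.10", False),
    (at("09:10"), "198.51.100.7", False),
    (at("09:12"), "192.0.2.10", False),
    (at("09:20"), "192.0.2.10", False),    # 4th failure within 30 min: block
    (at("09:25"), "192.0.2.10", False),    # inside the block, not counted
    (at("09:50"), "198.51.100.7", False),
    (at("10:30"), "198.51.100.7", False),
    (at("10:55"), "198.51.100.7", False),  # never 4 failures within 30 min
]
```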
Administrate Groups
Groups are similar to users. A user can be a member of several groups. But a group can't be a member of other groups. This behavior has been chosen to avoid confusing the system administrators with hierarchical relationships and groups.
To create a new group go to "Workspace / Organization / Groups" in the tree on the left side. Click on "New" in the top/middle area. The rest is the same as for users.
Deleted groups will be set to inactive and moved to /Workspace/System/Trash. From there you can delete them forever or restore them using cut/copy/paste. Lookups to the deleted group will still be active for the super administrator since he has access to the trash folder.
Default groups for projects and departments: When creating a new department, a group with the name "department_<department>" will be created automatically containing the "members" of the department. The folders under "Personal department" also get read and write permission for the group "department_<department>".
When creating a new project, a group with the name "project_<project>" will be created automatically containing the "internal participants" of the project. The folders under "Personal projects" also get read and write permission for the group "project_<project>".
For more information about the automatic creation of folder structures, see Folder templates.
Note: Setting the fields manager, external participants in departments or projects has no effect on folder permissions and group memberships.
Note: Group memberships are only refreshed when a user logs in.
Folder permissions
Assigning rights is also quite simple: rights can be defined for every folder. When a new folder is created, it inherits the rights from its parent. All rights are positive, which means that if a right is set, the user or group gets access. If the right is not set, access is denied. Possible rights are "read", "write" and "admin".
To set the rights for a specific folder, the current user needs to have "admin" rights. The super administrator (by default username "admin") automatically has all rights on all folders. Just click the top menu "Folder" and choose "Rights: Show" or "Rights: Edit" to view or change the rights on the current folder. Assign the needed rights and click "Save". If you want to apply the rights of the current folder to all its subfolders, just use "Apply rights to subfolders" in the folder menu. Please note that only those folders on which the current user has admin privileges are affected.
There is no automatic inheritance for permissions and there are no positive / negative permissions (as known from NTFS).
When editing rights you can also set a folder quota to restrict users from filling your disks. The folder quota is defined in MB and restricts file uploads in the current folder and all its sub-folders.
Access can also be defined on a per-view basis (Display, Details, Edit, New, etc.). When editing rights for a specific folder, you can also set special permissions in the fields "View access (users)" and "View access (groups)". The syntax is:
View access (users)
Syntax: |<view[,view2]>:<right>:<username[,username2]>|
Examples:
|freebusy:read:anonymous|
|freebusy:read:anonymous|details:no_read:anonymous|
View access (groups)
Syntax: |<view[,view2]>:<right>:<groupname[,groupname2]>|
Examples:
|freebusy:read:internals|
|freebusy:read:internals|details:no_read:guests|
Right: read, no_read, write, no_write
Using view permissions, it is possible to let users create or edit assets without allowing them to rename the folder or create a subfolder.
Note: View access does not influence Cut/Copy/Paste or Delete operations.
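A value in the view access syntax above can be checked before it is saved. The following is an added example, not part of Simple Groupware: it parses the field, rejects rights outside the four listed, and reports contradictory entries and write grants to "anonymous". The sample value is constructed, and the view name "edit" and the user "bob" are assumptions.

```python
# Added example: parser and linter for "View access" field values.
# Syntax from the page: |<view[,view2]>:<right>:<name[,name2]>|
VALID_RIGHTS = {"read", "no_read", "write", "no_write"}

# Constructed sample value; "edit" as a view name and "bob" are assumptions.
SAMPLE = ("|details:read:guests|details:no_read:guests"
          "|edit:write:anonymous|freebusy:deny:bob|")

def parse_view_access(value):
    """Return (entries, errors); entries are (view, right, name) tuples."""
    entries, errors = [], []
    value = value.strip()
    if not value:
        return entries, errors
    if not (value.startswith("|") and value.endswith("|")):
        errors.append("value must start and end with '|'")
    for chunk in value.strip("|").split("|"):
        parts = [p.strip() for p in chunk.split(":")]
        if len(parts) != 3 or not all(parts):
            errors.append(f"malformed entry: {chunk!r}")
            continue
        views, right, names = parts
        if right not in VALID_RIGHTS:
            errors.append(f"unknown right {right!r} in {chunk!r}")
            continue
        for view in filter(None, (v.strip() for v in views.split(","))):
            for name in filter(None, (n.strip() for n in names.split(","))):
                entries.append((view, right, name))
    return entries, errors

def lint_view_access(value):
    """Return sorted findings to review before the field is saved."""
    entries, findings = parse_view_access(value)
    seen = set(entries)
    for view, right, name in sorted(seen):
        if right in ("read", "write") and (view, "no_" + right, name) in seen:
            findings.append(
                f"conflict: {name} has both {right} and no_{right} on {view}")
        # The page states that folder access for "anonymous" reaches all
        # users; treating view access the same way is an assumption here.
        if right == "write" and name == "anonymous":
            findings.append(f"broad grant: write on {view} for anonymous")
    return sorted(findings)
```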
Note: To apply the rights of the current folder to all its sub-folders, click "Rights" and "Apply rights to sub-folders" on the options pane below the tree on the left side.
Note: If access is provided for user "anonymous", all users will have access to the folder. If "anonymous" is removed from read or write access and there is no other permission set, then only the super administrator will be able to access the folder. To enable/disable anonymous logins, see setup settings.
Default folder permissions
The default folder structure (with demo folders) has the following permissions set by default:
| Path | Access | User or Group |
| --- | --- | --- |
| /Workspace/ | read | anonymous |
| /Workspace/Demo | read, write | anonymous |
| /Workspace/Personal folders | read | anonymous |
| /Workspace/Personal folders/user-x | read, write | user-x (created automatically with new user) |
| /Workspace/Personal department/dep-y | read, write | group: department_dep-y (created automatically with new department) |
| /Workspace/Personal projects/proj-z | read, write | group: project_proj-z (created automatically with new project) |
| /Workspace/News | write | group: admin_news |
| /Workspace/Surveys | write | group: admin_surveys |
| /Workspace/Contacts | write | group: admin_contacts |
| /Workspace/Contacts/Contact activities | read, write | group: admin_contacts |
| /Workspace/Calendar | write | group: admin_calendar |
| /Workspace/Forum | read, write | anonymous |
| /Workspace/Files | write | group: admin_files |
| /Workspace/Projects | write | group: admin_projects |
| /Workspace/Bookmarks | write | group: admin_projects |
| /Workspace/Helpdesk | read, write | group: admin_helpdesk |
| /Workspace/Accounting | write | group: admin_payroll |
| /Workspace/Accounting/Expenses | write | anonymous (with asset permissions) |
| /Workspace/Accounting/Time sheets | write | anonymous (with asset permissions) |
| /Workspace/Inventory | read, write | group: admin_inventory |
| /Workspace/Organisation | write | group: admin_organisation |
| /Workspace/System | read, write | super administrator |
| /Workspace/Extensions | read | anonymous |
Also, read access for "anonymous" (everyone) is given to:
- /Workspace/Calendar
- /Workspace/News
- /Workspace/Surveys
- /Workspace/Contacts
- /Workspace/Files
- /Workspace/Projects
- /Workspace/Bookmarks
- /Workspace/Organisation
Note: To get an overview of all folder permissions, you can log in as the super administrator and click "Permissions" in the administration overview page.
Disable modules
In addition to folder permissions, individual modules and mountpoints can be disabled for all users in setup settings. Afterwards, these modules can be re-enabled for certain users under "Workspace / Organization / Users -> Tab: Account -> Field: Allow disabled modules".
Asset permissions
Apart from folder permissions, there can also be asset permissions based on the module assigned to the folder. Using asset permissions, people with access to a folder can be restricted to read or create/edit assets. There can be three different types of asset permissions:
"Full" means read and write permissions for assets, with default set to anonymous.
"Owner write" means write permissions enabled for assets, with default set to the creator.
"Owner read" means read permissions enabled for assets, with default set to the creator.
Some examples for modules using asset permissions:
The files and cms modules use "full", the forum module uses "owner write", the timesheet and expenses modules use "owner read".
In the GUI, asset permissions are presented as a "Permissions" tab in the new/edit view of an asset.
Session handling
Every user has a session where some settings are stored. These settings can be stored for a folder, for a certain view in a folder, for a view in a module or global for every case. Each session is identified by a session_id and bound to the client IP address. The session_id is regenerated every time a login is performed. If a user is already logged in, the session gets copied. A session gets invalidated when a user is inactive for more than 30 minutes.
The settings in detail:
- Global: username, client IP address, current folder, current theme, group memberships, read messages for POP3 / IMAP (max. 100), server id (used for creating unique dataset ids), allowed paths in the filesystem, form data tickets, cut-copy-paste data, folder states (open/closed), calendar day begin/end, tree type (folders, categories), tree page (if tree contains 100+ items), tree visible, data visible (calendar)
- Per folder: calendar view (day, week, month, year, custom, all), calendar week start, calendar today / tomorrow, search string, selected page (datasets), current view, current folders (in categories mode)
- Per folder+view: selected items, dataset filters
- Per module+view: form finished (internal), dataset order/group by, dataset limit
Clicking "[All]" in the views removes session entries for folder+view, search string and folders. Clicking "Reset view" in the top menu removes session entries for folder and module+view and folder.