Secondary Permissions do not respect Application Permission Field

Bug #2024482 reported by Elizabeth Davis
30
This bug affects 6 people
Affects Status Importance Assigned to Milestone
Evergreen
Confirmed
Wishlist
Unassigned

Bug Description

When a staff account has a secondary permission group, the application permission fields are not respected when editing a staff account.

To replicate:
1. Have a staff permission group that only system admins can edit. For example, for PaILS, we have an Original Cataloger permission group that only Support staff can edit.
2. Apply that permission group as a Secondary Permission Group.
3. Have a local administrator account, a permission group who can create staff accounts, edit the test staff account. They should not have the ability to edit this account.

We are experiencing this in 3.9.2.

Tags: permissions
description: updated
Revision history for this message
Susan Morrison (smorrison425) wrote :

Tested in 3.10 and experienced the same behavior.

tags: added: permissions
Changed in evergreen:
status: New → Confirmed
Changed in evergreen:
importance: Undecided → Medium
Revision history for this message
Britta Dorsey (bdorsey-isl) wrote :

We are experiencing this in 3.11.2 as well.

Changed in evergreen:
importance: Medium → Wishlist
Revision history for this message
Mike Rylander (mrylander) wrote :

Changing to wishlist because, while I understand the desire, the Group Application Permissions mechanism is specifically intended to restrict creation and modification of a user based on their Profile Group field.

I think either a secondary-group focused mechanism, or a separately permission-protected library setting (or, more realistically to reduce the complexity of the logic for the user, a global flag) that tells the system to treat secondary groups the same as the Profile Group, will be needed.

Revision history for this message
Terran McCanna (tmccanna) wrote :

So currently, if the highest level permission group is the primary, the editing will be restricted appropriately?

Revision history for this message
Elizabeth Davis (elidavis) wrote :

I think a global flag will work for us. We have separate permission groups for job duties, so we use the Secondary Permissions often. The higher permission groups that require support intervention are often paired with lower permission groups that don't require support intervention.

Revision history for this message
Elizabeth Davis (elidavis) wrote :

Terran- correct. Say a staff member has a circclerk permission group (support is not required to assign) and original cataloger (support has to assign once they take the certification quiz). If the original cataloger is in the primary it will block, but if the circclerk is in the primary, non-support staff can edit. We see it happen most often in the user buckets.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.