Creating and editing security roles

Each Meridian vault can have any number of security roles, but the fewer there are, the easier they are to manage and assign.

To create or edit security roles:

1. In Configurator, on the Vault menu, select Roles and Privileges. The Roles and Privileges dialog box appears showing the current security roles that have been configured, if any.
2. To view the privileges for custom objects in the vault such as navigation views, reports, lookup lists, work area templates, document types (if document type security is enabled), and so on, select the Show object privileges check box in the lower-left corner of the dialog. The custom object names appear in blue text.

Note    When the vault’s Use document type security option is enabled, the Document privileges group that would otherwise apply to all document types is removed from the Privileges column. The privileges for each document type can then be found below each document type’s name in the Document Types group.

3. To delete a role:

1. Click the Delete Role button. The Delete Role dialog box appears.
2. Select the role that you want to delete and click OK. The role is deleted.

4. To edit a role, select or clear the check box in that role’s column for each privilege in the Privileges column. For information about each privilege, see Security privilege descriptions.

Tip    Right-click a role’s column heading to click Select All or Remove All.

5. To create a role, click the New Role button. The New Role dialog box appears.

Tip    Create the role with the most privileges first, and then copy the privileges of that role to the next role as described in the next step and revoke the appropriate privileges. Repeat copying the privileges of the role with the least privileges to each subsequent role and delete the appropriate privileges until all roles have been created.

6. Click options or type values using the descriptions in the following table.

7. Click OK. A new column is added to the Roles and Privileges dialog with the copied privileges.
8. Select or clear the check box in the new role’s column for each privilege in the Privileges column. For information about each privilege, see Security privilege descriptions.
   
   Note    Privileges for tables created prior to Meridian 2010 are not available until after they have been created by clicking the Privileges button on the table’s General page in Configurator.
9. When you are finished creating and editing roles, click OK.

Changes to existing roles take effect immediately. New roles must be assigned to vault folders as described in the BlueCielo Meridian Enterprise User’s Guide.

Tip     By default, new vaults have no security roles assigned and the first role that is assigned is granted exclusive access to the vault until other security roles are assigned. Create the role with the highest level of access first (for example, Administrator) and assign the system’s administrators to it at the root of the vault before assigning any other security roles. This will prevent you from accidentally denying system administrators access to the vault and assigning other roles. It will also grant system administrators access to the entire vault unless role inheritance is overridden by assignments at any folders. If you accidentally deny access to all system administrators, see the BlueCielo Meridian Enterprise Administrator’s Guide.

Tip  By default, folders and work areas inherit their security role assignments from their parent folder or area recursively all the way to the root of the vault. This makes setting security for the entire vault as easy as assigning roles just once at the root of the vault. Role assignments for specific folders may then be overridden, if necessary, as described in BlueCielo Meridian Enterprise User’s Guide.

Tip     After configuring and testing the roles in a vault, create a Windows user group for each role. The groups should be domain or local groups, as described in the BlueCielo Meridian Enterprise Administrator’s Guide. Then, assign the Windows user groups to roles in the vault. You may then easily add new users to the system by simply assigning them to the correct Windows user group without the need to change the role assignments in the vault.

Note    If a user is a member of multiple roles assigned to the same folder, their effective rights in that folder are those of the more permissive role. Therefore, avoid assigning users to multiple groups that are assigned to roles applied to the same folders.