Privileges

It is not possible to assign a privilege to a user directly. A privilege must be assigned to a role, which can then be assigned to a user. This mean that all users that are assigned a given role type will have its privilege(s).

Assigning privileges to role types requires the “Privilege administrator” privilege.

Privileges, as well as role types, are managed in the “Role types and privileges” dialogue. Click on the Role types and privileges menu item on the “Administrator” tab to open the dialogue.

image68
Figure 1. The “Role types and privileges” menu item

The organisation’s appointed privilege administrator can distribute privileges to role types and assign them authorities and security groups. It is not possible to create, delete, or edit the names or rights of the privileges.

In the “Role types and privileges” dialogue, new roles can be created and assigned privileges. Read more about assigning roles.

Assign a privilege to a role

In the “Role types and privileges” dialogue, privileges can be assigned to a role. Select a role that needs a privilege assigned in the “Role type” field, e.g. “Access to HR” as shown in the figure below.

image73
Figure 2. The “Role types and privileges” dialogue

Click on New privilege and the “New privilege” dialogue opens. See the figure below.

image75
Figure 3. The “New privilege” dialogue

Select a new privilege to add to the role. Then select an authority to which the privilege applies. A security group can also be attached to the privilege.

Click on OK to finish.

All users with the “Access to HR” role now have archive access to the security group in the chosen authority.

Edit or remove privileges from a role

Privileges can be edited or removed from a role type. To do this, select a privilege in the list of the current role type’s privileges, e.g. “Archive access”, as shown in the figure below.

edit delete privilege
Figure 4. Edit or delete a privilege

Click Edit privilege to open the “Edit privilege” dialogue. See the figure below.

image78
Figure 5. The “Edit privilege” dialogue

Select another privilege, another authority, or another security group.

Click on OK to finish.

To remove an existing privilege from the current role type, click Delete privilege. The action cannot be undone and no warning appears.

Privilege overview

The privilege list is the same for all F2 installations (if using the same version of F2). Some privileges are only available if the relevant add-on module is active.

To see a list of available privileges, click the drop-down arrow in the “Privilege type” field which appears in both the “New privilege” and the “Edit privilege” dialogues. See the figure below.

image79
Figure 6. Assignable privileges

An administrator with the “Privilege administrator” privilege can assign privileges and their associated rights to users via role types. Privileges and associated rights are presented in the table below.

Privilege Description

Administrator read access to all records

Can read all records in F2 despite their access level.

Archive access

Assigns a role to a security group. This lets an administrator add participants to security groups.

Can add/change/remove case guides in existing cases (add-on module)

Can edit case guides for existing cases.

Can change responsible on all cases

Can change the responsible user/unit on a case.

Can change responsible on all records

Can change the responsible user/unit on a record. This privilege is meant for users who allocate many records and may need to reallocate responsibility, e.g. if responsibility on a record has been allocated to the wrong user/unit.

Can delete cases

Can delete cases under certain conditions. The conditions are listed in Cases.

Can delete notes

Can delete record notes.

Can delete shared records for everyone

Can delete a record for everyone, even if the record is shared.

Can edit case templates (add-on module)

Can edit case templates. Case templates can be applied by the organisation’s users in the “New case” dialogue.

Can edit certain user properties

Can edit a range of pre-selected user properties in the participant properties dialogue, e.g. title, address fields, and images. The list of properties is configurable. Configurations are made in cooperation with cBrain.

Can edit ext. participant no.

Can edit an external participant’s synchronisation number.

Can import documents from the server (add-on module)

Can import documents from the server, if this is configured.

The configuration is done in cooperation with cBrain.

Can import participants

Can import external participants.

Can quality assure cases (add-on module)

Can quality assure cases on the case tab.

Can see access information

Can see access information for records, i.e. who can view the records, and how they were granted access.

Can send on behalf of everybody in the authority

Can send records both internally and externally on behalf of all users and units in the authority.

Can take over approval (add-on module)

Can take over an approval without write access to the approval record.

This allows for urgent processing of an approval when the responsible user/unit or an approver is unavailable.

Read more about taking over approvals.

Can use the GDPR module without extra access (add-on module)

Can view existing GDPR searches, but not create, delete or edit them.

The user can open GDPR searches, but can only preview cases, records, and documents which they otherwise would be able to see.

CBrainInstaller

Can edit configurations of the F2 installation.

cBrain recommends that all configurations are performed in cooperation with cBrain.

CBrainSuperSetter

Can edit configurations of the F2 installation.

cBrain recommends that all configurations are performed in cooperation with cBrain.

CBrainSetter

Can edit configurations of the F2 installation.

cBrain recommends that all performed are done in cooperation with cBrain.

Closer cases

Can complete cases.

Creates cases

Can create new cases.

cSearch access (add-on module)

Can perform searches using the add-on module cSearch.

Decentral unit and user administrator

Can create decentral units.

Can assign decentral roles to existing users for selected levels in the organisation.

Distribution list editor

Can create and edit shared distribution lists in F2.

Does not have approvals active in F2 Manager (add-on module)

Cannot see approvals in F2 Manager.

Does not have bookmarks active in F2 Manager (add-on module)

Cannot see bookmarks in F2 Manager.

Does not have meeting planner active in F2 Manager (add-on module)

Cannot see the meeting planner in F2 Manager.

Editor of participants

Can create, edit, and delete external participants as well as edit images for external participants.

The privilege must be attached to a node under external participants.

Extra email administrator

Can create extra emails for units.

F2 Analytics administrator

Provides access to use the F2 Analytics add-on module.

Exports are made across access levels and security groups. They do not show content, only titles and records.

F2Setter

Can edit configurations of the F2 installation.

cBrain recommends that all configurations are performed in cooperation with cBrain.

Flag administrator

Can create, edit, and delete flags.

Keyword administrator

Can create, edit, and delete keywords as well as assign keywords to a unit.

Limited access to data cleanup (add-on module)

Allows the user to clean up and delete cases to which they already have write access using the F2 Data Cleanup add-on module. The user can also access cases to which they have read access in the module, but they cannot delete them.

Read more about Data Cleanup.

Meeting forum administrator (add-on module)

Can create, edit, deactivate, activate, and delete meeting forums.

No case help for saving or sending records

Will not see the case help when sending or saving a record.

For more information, see the section No case help for saving or sending records.

On behalf of administrator

Can create and delete “on behalf of” rights for all users.

Phrase administrator (add-on, available in Danish)

Can edit phrases for merging documents.

Privilege administrator

Can create new roles and assign, remove, and edit privileges for a role.

Progress code administrator

Can create, edit, and delete progress codes.

Reopener case

Can reopen cases.

Result list administrator

Can create standard column layouts for all users.

Search administrator

Can create fixed searches for all users.

If the F2 Search Templates add-on module has been configured, users with this privilege will be able to view search templates. Search templates are configured in cooperation with cBrain.

Security group administrator

Can create, edit and delete security groups.

Settings administrator

Can create, edit, and delete user settings and assign them to individual users, new users, and based on the users’ roles.

SSN Synchronizer (add-on module)

Can access the CPR from the properties dialogue for participants and users and update participant information from there.

System message administrator

Can create, edit and delete system messages.

Team administrator

Can create, edit, and delete teams.

Team creator

Can create teams across the authority.

Template administrator

Can create, edit, and delete document templates and global approval templates (add-on module).

Unit administrator

Can create, edit, move, and deactivate units.

Unit type administrator

Can create and delete unit types.

User administrator

Can create, deactivate, and edit users, including user images. Can also log out a user from all F2 sessions.

Value list administrator

Can create, edit, and delete value lists.

Further explanation of selected privileges

The following sections describe selected privileges in further detail.

Administrator read access to all records

Users with this privilege can search and find all records in their authority except for records in users’ “My private records” lists or records with an access restriction which they aren’t part of. The privilege grants read access to records with the “Involved” and “Unit” access levels which would be otherwise inaccessible to the user.

image80
Figure 7. The “Administrator read access to all records” privilege

This privilege can be used e.g. when an employee leaves the organisation and the records for which they are responsible must be reallocated.

Read access to all records is disabled by default. A user with the privilege can enable it via the “Read access to all records” menu item in the “Misc.” menu group on the “Administrator” tab.

image81
Figure 8. The “Read access to all records” menu item

Archive access

The purpose of this privilege is to attach a group of users to a security group within an authority. It must be decided which role type is to be connected to the security group.

image82
Figure 9. A new privilege type - “Archive access”

A user with a role containing the above privilege becomes a member of the security group. This privilege is attached to a role type and describes an interconnection between a security group and an authority.

Creates cases

Users can create new cases in F2 if they have a role to which the “Create cases” privilege is attached. The privilege depends on a connection between a role type and an authority. In other words, the access to create cases is subject to an authority.

image83
Figure 10. The “Creates cases” privilege

This means that users with this privilege can create new cases in the selected authority only.

Distribution list editor

All users can create personal distribution lists. However, only users with a role to which this privilege is attached can create and manage shared distribution lists in F2.

image84
Figure 11. The “Distribution list editor” privilege

Editor of participants

Users who have a role with this privilege can view and edit external participants. External participants are shared across authorities. It is therefore irrelevant which authority the privilege is granted under.

All users can create private participants, but only users with a role to which this privilege is attached can manage the shared external participants in F2. The role’s placement determines which external participants the privilege has write access to.

image85
Figure 12. The “Editor of participants” privilege

Keyword administrator

All users can add existing keywords to records and cases. However, only users with a role to which this privilege is attached can manage keywords in F2. This means that this privilege lets the user create new keywords as well as deactivate and edit existing keywords.

image86
Figure 13. The “Keyword administrator” privilege
Keywords are shared by all authorities in an F2 installation.

No case help for saving or sending records

A user with this privilege will not see the case help when saving or sending records. This means that any changes to metadata that are otherwise enforced by the case help will not apply to these actions when performed by said user. Other instances of the case help still apply. Depending on their setup, this means new records created by the user will have the case help box ticked and have the user listed as responsible for the record.

Any user with this privilege may save and send records that do not meet the organisation’s guidelines. Use caution when assigning this privilege.